{"id":634,"date":"2021-02-01T17:13:59","date_gmt":"2021-02-01T17:13:59","guid":{"rendered":"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/?p=634"},"modified":"2022-02-14T23:13:03","modified_gmt":"2022-02-14T23:13:03","slug":"a-buyers-guide-to-security-and-privacy-certifications","status":"publish","type":"post","link":"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/security\/a-buyers-guide-to-security-and-privacy-certifications\/","title":{"rendered":"A Buyer\u2019s Guide to Security and Privacy Certifications"},"content":{"rendered":"\n<h2><em>Know\nwhat they are, why they matter, and which ones to look for in your provider.<\/em><\/h2>\n\n\n\n<p>Ten\nyears ago, it was common to evaluate a potential IT or hosting vendor with a\nseries of pointed questions in an Excel spreadsheet. At first, the questions\nwere simple and few, but over the years, these \u201csecurity questionnaires\u201d have\nexpanded to hundreds of questions covering everything from proximity to flood\nzones to the level of encryption on a hard drive.<\/p>\n\n\n\n<p>IT procurement teams now have difficulty asking the right\nquestions to shine a light on the policies that govern their sensitive data and, perhaps\nmore importantly, to verify that those policies are accurate and are still being followed.<\/p>\n\n\n\n<p>In fact, this\nprocess has become so tedious and daunting for both sides that everyone is looking\nfor a way out. The solution, of course, is to settle on the exact standards\nthat buyers are looking for and have third-party audits to ensure that the standards are actually in\nplace. Verifying standards can become complex for the buyer, but it\u2019s doable if\nyou know what to look for and what to ask.<\/p>\n\n\n\n<p>The following is a guide for using these\nstandards when evaluating vendors. 
To help organize it, we broke it up into three\nsections: organizational certifications, compliance, and individual certifications.<\/p>\n\n\n\n<h3><strong>Organizational\nPrivacy &amp; Security Certifications<\/strong><\/h3>\n\n\n\n<p>For the reasons stated above, it\u2019s important to\nunderstand what each set of standards actually does (and does not) say about\nthe security posture of the provider. Some certifications aren\u2019t nearly as\nimpressive as they may sound, but the ones below are solid certifications proving an\norganization\u2019s level of security.<\/p>\n\n\n\n<p><strong>ISO\n(International Organization for Standardization)<\/strong><\/p>\n\n\n\n<p><a href=\"https:\/\/www.iso.org\/standards.html\">ISO\nstandards<\/a> were born out\nof the question, \u201cwhat\u2019s the best way of doing things?\u201d They\nare created and agreed\nupon by independent subject matter experts all across the world. There are ISO standards for all\nsorts of things, like making sure kids\u2019 toys don\u2019t have sharp edges (ISO\n8124-1) and reducing environmental impacts (ISO 14000), but for our purposes\nhere, we\u2019ll focus on those applying directly to data security and privacy.<\/p>\n\n\n\n<p>All ISO certifications run on a three-year renewal cycle, so the organization needs to be audited again for its cert to stay valid. In the first year, ISO experts work with the organization to audit the controls (or \u201crequirements\u201d) listed in the specific certification. The second and third years include what\u2019s called a \u201csurveillance audit,\u201d where ISO monitors the security controls put in place to ensure they\u2019re being followed and carried out correctly. Overall, the goal here for the organization is continuous improvement.<\/p>\n\n\n\n<ul><li><strong>ISO 27001<\/strong> \u2013 The organization has put in\nthe work to implement a comprehensive \u201cInformation Security Management System\u201d\nor ISMS. 
It focuses on protecting your information\u2019s confidentiality,\nintegrity, and availability: basically, ensuring that only authorized persons\nhave access to your information, that only they are able to make changes to it,\nand that it can be accessed any time it\u2019s needed.<\/li><li><strong>ISO 27017<\/strong> \u2013 Specific to cloud service\nproviders. ISO 27017 adds cloud-specific security controls to the baseline set\nby ISO 27001, covering security techniques, risk management, access management,\nand beyond.<\/li><li><strong>ISO 27018<\/strong> \u2013 When it comes to personal\ninformation stored in the cloud, extra precautions to protect it should be in\nplace. That\u2019s what ISO 27018 is: additional controls to protect PII in cloud\nenvironments. It ensures the provider has identified potential risks and has\nmeasures in place to manage or reduce them.<\/li><li><strong>ISO 22301<\/strong> \u2013 Not only does this cert make an organization prove it has a\nbusiness continuity plan in place, but also that the plan has the appropriate security\nmeasures built into it. ISO 22301 certifies that the organization\u2019s\nbusiness continuity plan has been evaluated thoroughly and works effectively.<\/li><\/ul>\n\n\n\n<p>ISO standards\nare working quietly in the background of our lives, making things safer,\nbetter, and more effective. When things don&#8217;t work as they should, it often\nmeans that the standards are absent. 
<\/p>\n\n\n\n<div class=\"is-layout-flow wp-block-group\"><div class=\"wp-block-group__inner-container\">\n<p>Ask the scope of the provider\u2019s certifications. Sometimes, the cert covers only a portion of the business (company data vs. client data, etc.) instead of <em>everything they touch.<\/em> Look for \u201call services provided by ISO partners,\u201d because it\u2019s demonstrable evidence that the entire business is certified, not just a portion of it.<\/p>\n<\/div><\/div>\n\n\n\n<p><strong>SOC (System and Organization Controls)<\/strong><\/p>\n\n\n\n<p>SOC was created by the <a href=\"https:\/\/www.aicpa.org\/\">AICPA<\/a> (American Institute of Certified Public Accountants), which represents the CPA profession nationally regarding rule-making and standard-setting. The certification examines controls to ensure \u201cTrust Services Criteria,\u201d or privacy, confidentiality, processing integrity, availability, and security. There are different levels and types of SOC, each for different purposes and different kinds of organizations.<\/p>\n\n\n\n<ul><li><strong>SOC 1 (Internal Control over Financial Reporting)<\/strong> \u2013 Provides guidance for auditors assessing financial statement controls at service organizations.<\/li><li><strong>SOC 2 (Trust Services Criteria)<\/strong> \u2013 Report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. 
SOC 2 details the descriptions of the service auditor\u2019s tests of controls and results.<\/li><li><strong>SOC 3 (Trust Services Criteria for General Use)<\/strong> \u2013 Essentially the same as SOC 2 but doesn\u2019t include descriptions of the tests or results and is much less detailed.<\/li><li><strong>Type I:<\/strong> confirms that the controls exist.<\/li><li><strong>Type II:<\/strong> confirms that the controls exist <em>and<\/em> that they actually work.<\/li><\/ul>\n\n\n\n<p>The\naudit process depends on which SOC you go for, but generally lasts six to\ntwelve weeks and is carried out by an accredited, independent third party hired\nby the AICPA. Over the review period, the third-party auditor works with the\nbusiness to assess its controls, while the business works exhaustively to get\nits controls up to SOC status.<\/p>\n\n\n\n<p>SOC 2 Type II is the most important report an\nIT vendor can hold. It guarantees they\u2019re annually meeting (or exceeding) SOC\u2019s\nindustry-specific standards for privacy and security. Ask to see their SOC audit\nreport so you know where they fell short and whether they\u2019ve since remedied those\nissues.<\/p>\n\n\n\n<p><strong>FedRAMP\n(Federal Risk and Authorization Management Program)<\/strong><\/p>\n\n\n\n<p><a href=\"https:\/\/www.fedramp.gov\/\">FedRAMP<\/a> is one of the most rigorous certifications in the\nworld. 
It\u2019s the US government\u2019s standardized approach to security assessment,\nauthorization, and continuous monitoring for cloud products and services. It is\ngoverned by different Executive Branch entities like the Joint Authorization\nBoard and the Department of Defense.<\/p>\n\n\n\n<p>There are three main parts to the FedRAMP process:<\/p>\n\n\n\n<ul><li>A RAR (Readiness Assessment Report) is done by a third-party auditing organization that reviews the provider\u2019s standards.<\/li><li>If their standards meet the requirements, the third-party auditing body then submits the RAR to FedRAMP for review and consideration. If that\u2019s successful, the organization is then declared \u201cFedRAMP-ready.\u201d This places the organization inside a Federal Marketplace.<\/li><li>Any federal organization can select the provider from the Marketplace directory and then must hold a SAR (security assessment report) to ensure the provider meets the federal agency\u2019s specific security needs. If they do, the federal organization gives the provider \u201cAuthority to Operate,\u201d which means they have the ability and permission to work only with <em>that specific federal organization<\/em>.<\/li><\/ul>\n\n\n\n<p>Obviously, becoming a FedRAMP-authorized provider is not for the faint-hearted; the level of security required is mandated by the Federal Government. So, any provider with this authorization is solid\u2014they\u2019ve gained the approval and trust of the US Federal Government!<\/p>\n\n\n\n<h3><strong>Compliance\nStandards<\/strong><\/h3>\n\n\n\n<p>Compliance\nis different from any kind of certification because it\u2019s <em>required by law.<\/em> Failing to meet compliance requirements can\nland organizations with serious fines or even jail time.<\/p>\n\n\n\n<p>Mostly, self-attestation is all that\u2019s required here. There\u2019s no auditing by third parties\u2014only internal review and evidence gathering. 
<\/p>\n\n\n\n<ul><li><strong>HIPAA (Health Insurance Portability and Accountability Act)<\/strong> &#8211; HIPAA is a US healthcare law that establishes requirements for the use, disclosure, and safeguarding of individually identifiable health information. It applies to covered entities, such as doctors&#8217; offices, hospitals, health insurers, and other healthcare companies with access to patients&#8217; protected health information (PHI), as well as to business associates, such as cloud service and IT providers, that process PHI on their behalf.<\/li><li><strong>ITAR (International Traffic in Arms Regulations)<\/strong> &#8211; <a href=\"https:\/\/www.pmddtc.state.gov\/?id=ddtc_kb_article_page&amp;sys_id=24d528fddbfc930044f9ff621f961987\">ITAR<\/a> is a set of regulations ensuring the protection of government defense data, including articles and services on the United States Munitions List (USML) and all related technical data. This is required for any provider or subcontractor handling defense data.<\/li><li><strong>PCI\/DSS (Payment Card Industry\/Data Security Standard)<\/strong> &#8211; Being <a href=\"https:\/\/www.pcisecuritystandards.org\/\">PCI compliant<\/a> means the organization follows all standards to safely and securely accept, store, and process cardholder data used in credit card transactions to prevent fraud and reduce the volume and impact of data breaches. 
Providers will usually have an official certification of their PCI compliance granted by the PCI Security Standards Council.<\/li><\/ul>\n\n\n\n<div class=\"is-layout-flow wp-block-group\"><div class=\"wp-block-group__inner-container\">\n<p>Ask how they keep track of the controls and\nprocesses in place for meeting compliance regulations. This ensures they are\nmaintaining compliance standards <em>and<\/em> tracking all updates to their\nsystem\u2014which any smart provider will keep in well-maintained logs.<\/p>\n<\/div><\/div>\n\n\n\n<h3><strong>Individual\nCertifications<\/strong><\/h3>\n\n\n\n<p>Just like organizational certifications prove\na <em>system<\/em> has met certain standards, individual certifications do the\nsame on a <em>per-person<\/em> level. They guarantee certain people on the team\nhave tested, specific, and unique knowledge and experience to guide and add\nvalue to the organization and its clients. 
There are tons of individual\ncertifications available out there, but the certs below are the most common and\ntrusted by experts in the tech world.<\/p>\n\n\n\n<ul><li><strong>CISA (Certified Information Systems Auditor)<\/strong> &#8211; <a href=\"https:\/\/www.isaca.org\/credentialing\/cisa\">CISA<\/a> is the world-renowned standard for IS professionals, managed by ISACA, an international membership community started in 1967 to provide guidance and research in the IT field. CISA proves expertise in auditing, controlling, monitoring, and assessing information systems. This is an essential certification for any IT\/IS professional.<\/li><li><strong>CISM (Certified Information Security Manager)<\/strong> &#8211; Similar to CISA. Indicates expertise in <a href=\"https:\/\/www.isaca.org\/credentialing\/cism\">information security governance<\/a>, program development and management, incident management, and risk management.<\/li><li><strong>CISSP (Certified Information Systems Security Professional)<\/strong> &#8211; Managed by (ISC)\u00b2, an international nonprofit membership association. CISSP validates an information security professional\u2019s deep technical and managerial knowledge and experience to effectively design, engineer, and manage the overall security posture of an organization. Receiving a CISSP requires a combination of exams and five years of cumulative paid work experience in related fields.<\/li><li><strong>MCSE (Microsoft Certified Software Engineer) Core Infrastructure<\/strong> &#8211; MCSE validates that you have the skills needed to run a highly efficient and modern data center, identity management, systems management, virtualization, storage, and networking. To achieve the cert, you have to take multiple courses (held by Microsoft) on subjects like Windows servers, infrastructure, hybrid cloud, etc., and then pass three exams. 
Getting most Microsoft certifications takes time, money, and effort, but definitely proves you\u2019ve got the right skills.<\/li><\/ul>\n\n\n\n<p>There are thousands of individual\ncertifications available in the market. Again, finding which are important to\nyou and your organization depends on what kinds of technology you work with:\nLinux, Windows, VMware, etc. Seek out organizations with people on staff who\nhold certifications related to your technology and goals.<\/p>\n\n\n\n<h3><strong>The\nMost Valuable Question to Ask<\/strong><\/h3>\n\n\n\n<p>You may be asking, <em>\u2018How do big companies\nwith all the right certs get hacked?\u2019<\/em> It\u2019s a fair question, and the answer\nis that nothing can guarantee safety from the possibility of human error, which\ncauses approximately 90% of all security incidents. Most of the &#8220;big hacks&#8221; we hear\nabout these days start with simple social engineering tactics (phishing, USB\ndrops, tailgating, etc.) and then advance in severity from there. These can\nonly be avoided when companies provide employees with regular, effective,\nand engaging security education.<\/p>\n\n\n\n<div class=\"is-layout-flow wp-block-group\"><div class=\"wp-block-group__inner-container\">\n<p>Find out how the\nprovider educates its employees on security and privacy safety. Always, <em>always<\/em>\nunderstand the level of education that a company provides to its employees and\nwhat that training program includes. 
<\/p>\n<\/div><\/div>\n\n\n\n<p>Employee\neducation is key: without it, it really doesn\u2019t matter <em>what<\/em>\ncertifications the organization has earned. They can all be brought down in a\nsingle moment of human error. While all security-based standards require (and\nwill be audited for) employee security education and awareness, the auditor\nisn\u2019t responsible for grading the quality or frequency of the training. That\u2019s\njust another aspect for you to verify by asking the right questions.<\/p>\n\n\n\n<p>Although concerns about data security and\nprivacy are nothing new, the process for evaluating IT service providers has\nevolved significantly over the last five years to meet the challenges posed by\nmodern threats. Certifications minimize the work involved in the procurement\nprocess, but they don\u2019t remove it. The remaining responsibility falls on the\nbuyer to understand the standards and ask questions to make sure their privacy\nand security needs are truly covered.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>IT procurement teams now have difficulty asking the right questions to shine a light on policies that govern their sensitive data and, perhaps more importantly, verify the accuracy and ongoing adherence to those policies.<\/p>\n","protected":false},"author":2,"featured_media":636,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":""},"categories":[4],"tags":[64,7,20,37,27,8,47,17],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.11 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>A Buyer\u2019s Guide to Security and Privacy Certifications | Oasis Blog Security<\/title>\n<meta name=\"description\" content=\"IT procurement teams now have difficulty asking the right questions to shine a light on policies that govern their sensitive data.\" 
\/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/security\/a-buyers-guide-to-security-and-privacy-certifications\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"A Buyer\u2019s Guide to Security and Privacy Certifications | Oasis Blog Security\" \/>\n<meta property=\"og:description\" content=\"IT procurement teams now have difficulty asking the right questions to shine a light on policies that govern their sensitive data.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/security\/a-buyers-guide-to-security-and-privacy-certifications\/\" \/>\n<meta property=\"og:site_name\" content=\"Oasis Blog\" \/>\n<meta property=\"article:published_time\" content=\"2021-02-01T17:13:59+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-02-14T23:13:03+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/wp-content\/uploads\/2021\/02\/BUYERS.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"576\" \/>\n\t<meta property=\"og:image:height\" content=\"471\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Oasis Discovery\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/wp-content\/uploads\/2021\/02\/BUYERS.jpg\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Oasis Discovery\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/security\/a-buyers-guide-to-security-and-privacy-certifications\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/security\/a-buyers-guide-to-security-and-privacy-certifications\/\"},\"author\":{\"name\":\"Oasis Discovery\",\"@id\":\"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/#\/schema\/person\/6ad672109da7d89fea903f4266ca8346\"},\"headline\":\"A Buyer\u2019s Guide to Security and Privacy Certifications\",\"datePublished\":\"2021-02-01T17:13:59+00:00\",\"dateModified\":\"2022-02-14T23:13:03+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/security\/a-buyers-guide-to-security-and-privacy-certifications\/\"},\"wordCount\":2086,\"publisher\":{\"@id\":\"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/#organization\"},\"keywords\":[\"Data Centers\",\"eDiscovery\",\"IaaS\",\"ISO\",\"Legal Industry\",\"Relativity\",\"SaaS\",\"Security\"],\"articleSection\":[\"Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/security\/a-buyers-guide-to-security-and-privacy-certifications\/\",\"url\":\"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/security\/a-buyers-guide-to-security-and-privacy-certifications\/\",\"name\":\"A Buyer\u2019s Guide to Security and Privacy Certifications | Oasis Blog Security\",\"isPartOf\":{\"@id\":\"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/#website\"},\"datePublished\":\"2021-02-01T17:13:59+00:00\",\"dateModified\":\"2022-02-14T23:13:03+00:00\",\"description\":\"IT procurement teams now have difficulty asking the right questions to shine a light on policies that 
govern their sensitive data.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/security\/a-buyers-guide-to-security-and-privacy-certifications\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/security\/a-buyers-guide-to-security-and-privacy-certifications\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/security\/a-buyers-guide-to-security-and-privacy-certifications\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"A Buyer\u2019s Guide to Security and Privacy Certifications\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/#website\",\"url\":\"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/\",\"name\":\"Oasis Blog\",\"description\":\"eDiscovery, Cloud, and Legal Technology News from Oasis\",\"publisher\":{\"@id\":\"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/#organization\",\"name\":\"Oasis 
Discovery\",\"url\":\"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/wp-content\/uploads\/2020\/04\/Oasis_Gradient_Blue_RGB.png\",\"contentUrl\":\"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/wp-content\/uploads\/2020\/04\/Oasis_Gradient_Blue_RGB.png\",\"width\":500,\"height\":205,\"caption\":\"Oasis Discovery\"},\"image\":{\"@id\":\"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/oasis-discovery\",\"https:\/\/www.youtube.com\/channel\/UC3abuFo4hTfsGEdGqDzQiGA\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/#\/schema\/person\/6ad672109da7d89fea903f4266ca8346\",\"name\":\"Oasis Discovery\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.oasisdiscovery.com\/ediscovery-unredacted\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/7fcd9dd8dd99cab0a4fb38f67b48d95a?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/7fcd9dd8dd99cab0a4fb38f67b48d95a?s=96&d=mm&r=g\",\"caption\":\"Oasis Discovery\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}