If you do not perform reasonable due diligence before contracting with a service provider, you are just begging to become a statistic on the next breach report issued by some industry analyst. Every vendor risk assessment worth mentioning will have an examination and collection of third-party attestations, audit reports and other independent verification of security, privacy and compliance to industry established standards. Some of these you would look for are as an example, the SSAE 16, PCI, FedRAMP and ISO 27001.
For example, this is a statement taken directly from a service providers site I’ll use as the antithesis case for our dissection:
If you are handling personal information such as financial data or personal health information (PHI), we have the have the tools and technologies to ensure you are protected. [COMPANY NAME] currently hosts several platforms that are certified as PCI, HIPAA, SSAE-16 (SAS-70), and/or FISMA compliant. (PCI certified? Plausible, SSAE-16 certification? No such animal, SAS-70? defunct standard since 2010! HIPAA certified? No such animal! and FISMA compliant? Plausible.)
If your site or online application stores, processes or transmits credit card information, you need to comply with the Payment Card Industry Data Security Standard, commonly known as PCI. PCI combines the security standards of the five major credit card companies and is designed to protect payment account data security and prevent financial fraud. PCI compliance involves meeting 12 security requirement categories, including firewall configuration, encrypted transmissions, unique identifiers, monitoring and more. [COMPANY NAME]’s security experts can examine your current security set-up and help you take the next steps in your PCI compliance strategy. From hosting solutions to intrusion detection systems and more, we can provide everything you need to be compliant. (This section makes me especially rowdy because only a PCI QSA is qualified to certify a company on PCI DSS. The implication here is that they would be qualified to advise customers on the PCI DSS standard.)
The Health Insurance Portability and Accountability Act (HIPAA) is designed to ensure the security and privacy of health data and Personal Health Information as it is being transmitted electronically. The act requires physical and technical safeguards, including data confirmation, authentication, encryption, documentation and risk management, to name just a few. Our consultants can help you understand the labyrinth of HIPAA’s compliance standards and give you the tools and advice you need to make the appropriate changes, from electronic transmission to data storage and security procedures. (Hmmm … what happened to the security experts and what exactly makes this uber squad experts?)
The Federal Information Security Management Act (FISMA) of 2002 requires that every federal agency provide security for the information and systems that support the operations and assets of the agency. FISMA is essential to protecting the economic and national security interests of the United States, and as such all contractors or organizations working with or on behalf of federal agencies are required to meet FISMA’s compliance standards. Our security experts can work with your team to examine current security measures and design a plan to ensure you are meeting the standards set out by the federal government. (Ahh … there the security experts are again!)
The Statement on Standards for Attestation Engagement No. 16 (SSAE 16) replaced the Statement on Auditing Standards No. 70 (SAS 70) as of June 15, 2011. The SSAE 16 is an attestation standard put forth by the Auditing Standards Board of the American Institute that addresses engagements undertaken by a service auditor for reporting on controls at organizations.
You almost need to have a law degree to interpret the near sleight-of-hand these statements but fortunately for my clients, I do. Using data centers that are certified and suggesting that it extends to your company is a little like me sitting in my physician’s office and then referring to myself as doctor.
A company with the right security pedigree will not make a secret about it and will also freely share the third-party attestations and certification reports with current and prospective customers. They will also proudly advertise the fact in plain terms to everyone rather than the slippery language our case study uses and all others are just mutts.
Corporate cybersecurity breaches have risen by 27.5% in 2014 from 2013 and this year is already off to a big bang with the February 2015 Anthem breach. Security is a very complex endeavor. Your company and your career cannot risk a breach without suffering so why gamble? If you are uncertain what’s involved in vendor risk management, certifications, audits and assessments in the standards I’ve mentioned, feel free to contact me here or through Lazarus Alliance.