Federal Compliance Definitions: A Glossary of Terms
The world of compliance is filled with acronyms and abbreviations for some of its more complicated regulation systems and organizations. There is perhaps no better example than the long list of acronyms associated with federal compliance laws. Ensure you and your organization are up to speed on this important terminology by reviewing this list.
Federal Compliance Terms, A-Z
3PAO – Third-Party Assessment Organization
A Third-Party Assessment Organization (3PAO) is an organization that has been certified to help cloud service providers and government agencies meet FedRAMP compliance regulations. Using FedRAMP-approved templates, these organizations evaluate cloud-based providers’ systems to ensure transparency and consistency in data security strategies. Per the U.S. General Services Administration (GSA), a 3PAO must meet the following requirements:
- Independence and quality management in accordance with International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 17020:1998 standards.
- Information assurance competence that includes experience with the Federal Information Security Management Act of 2002 (FISMA) and testing security controls.
- Competence in the security assessment of cloud-based information systems.
ATO – Authority to Operate
As part of the Agency authorization process, a Cloud Service Provider (CSP) works directly with the Agency sponsor to review the cloud service’s security package. After the security assessment is completed, the head of the Agency—or their authorized designee—can grant an ATO. This process generally has four phases:
- Partnership Establishment
- Full Security Assessment
- Authorization Process (during which the ATO status is approved)
- Continuous Monitoring
CDI – Covered Defense Information
Covered Defense Information (CDI) is an umbrella term used to describe information that requires protection under DFARS Clause 252.204-7012. It is defined as unclassified Controlled Technical Information (CTI) or other information as described in the Controlled Unclassified Information (CUI) registry that requires safeguarding or dissemination controls. CDI will either be marked or otherwise identified in the contract and provided by DoD in support of the performance of the contract. CDI may also be collected, developed, received, transmitted, used or stored by the contractor in the performance of the contract.
CSF – Cybersecurity Framework
A Cybersecurity Framework (CSF) is defined as “voluntary guidance, based on existing guidelines, and practices for organizations to better manage and reduce cybersecurity risk.” It should be organized, adaptable, repeatable and effective, so that risks to valuable company data and information are kept to a minimum. There are four common kinds of CSFs:
- Payment Card Industry Data Security Standard (PCI DSS)
- International Organization for Standardization (ISO 27001/27002)
- CIS Critical Security Controls
- NIST Framework
CSP – Cloud Service Provider
A Cloud Service Provider (CSP) is a company that offers some component of cloud computing to other businesses or individuals. CSPs make their offerings available as an on-demand, self-provisioning purchase or on a subscription basis. There are three types of CSPs:
- Infrastructure as a Service (IaaS): In this model, the CSP delivers infrastructure components to an organization that would otherwise exist in an in-house data center. Examples include servers, storage and networking as well as the virtualization level, which the IaaS provider hosts in its own data center.
- Software as a Service (SaaS): SaaS vendors offer an assortment of business technologies, including productivity suites, customer relationship management software, healthcare IT software and more.
- Platform as a Service (PaaS): A PaaS service provider offers cloud infrastructure and services that users can access to perform various functions—this type of CSP is most commonly used in software development.
CUI – Controlled Unclassified Information
Controlled Unclassified Information (CUI) is defined as “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations and government-wide policies—but is not classified under Executive Order 13526 or the Atomic Energy Act.”
FedRAMP – Federal Risk and Authorization Management Program
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.
FISMA – Federal Information Security Modernization Act of 2014
The Federal Information Security Modernization Act of 2014 (FISMA 2014) is legislation that directs federal government agencies to implement a cybersecurity program that includes independent assessments as well as the use of NIST SP 800-37, Revision 2. FISMA assigns responsibilities to a variety of agencies to ensure the security of data in the federal government. The National Institute of Standards and Technology (NIST) outlines the nine steps towards compliance under FISMA:
- Categorize the information to be protected.
- Select minimum baseline controls.
- Refine controls using a risk assessment procedure.
- Document the controls in the system security plan.
- Implement security controls in appropriate information systems.
- Assess the effectiveness of the security controls once they’ve been implemented.
- Determine agency-level risk to the mission or business case.
- Authorize the information system for processing.
- Monitor the security controls on a continuous basis.
JAB – Joint Authorization Board
The Joint Authorization Board (JAB) is the primary governance and decision-making body for the FedRAMP program. The JAB reviews and provides joint provisional security authorizations on cloud solutions using a standardized baseline approach. Its members include Chief Information Officers from the Department of Defense, the Department of Homeland Security and the General Services Administration. The defined duties for the JAB include:
- Define FedRAMP security and authorization requirements.
- Approve accreditation criteria for third-party assessment organizations (3PAOs).
- Establish a priority queue for authorization package reviews.
- Review FedRAMP authorization packages.
- Grant joint provisional authorizations.
- Ensure that provisional authorizations are reviewed and updated regularly.
NIST 800-171 – National Institute of Standards and Technology
The National Institute of Standards and Technology (NIST) is a physical science laboratory and a non-regulatory agency of the Department of Commerce. Founded in 1901, the agency was established to replace a second-rate measurement infrastructure that was causing the country to lag behind the industrial competitiveness of the UK, Germany and other economic rivals. Today, NIST measurements support the most innovative technology being developed, ranging from microscopic medical monitoring devices to communication systems that span the globe.
One such publication is NIST Special Publication 800-171, which governs Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations. Essentially, this standard defines how to safeguard and distribute material deemed sensitive, though not classified. Developed in response to the passage of FISMA in 2003, NIST 800-171’s intent was to improve cybersecurity as the industry and the risks surrounding it continued to evolve.
P-ATO – Provisional Authorization to Operate
According to the FedRAMP website, a Provisional Authority to Operate (P-ATO) is permission given to an organization to operate at the Moderate impact level by the FedRAMP Joint Authorization Board (JAB). Essentially, a P-ATO is a preauthorization for an organization that then allows in-house monitoring and implementation of a cybersecurity system.
PMO – Program Management Office
A Program Management Office (PMO) is a group—either internal or external—that sets, maintains and ensures standards for project management across an organization. Their other responsibilities include ensuring that company procedures, practices and operations run smoothly—on time, on budget and all in the same way.
RMF – Risk Management Framework
Developed by NIST, a Risk Management Framework (RMF) is a set of information security policies and standards for organizations. A well-structured RMF provides an effective framework to facilitate decision-making to select appropriate security controls. There are seven recommended steps for implementing an RMF:
- Prepare: The organization must examine its current security measures and identify areas of potential risk or weakness.
- Categorize: Classify and label the information processed, stored and shared, as well as all of the systems the organization relies on.
- Select: Review the categorization and select baseline security controls. Revise and add to the security control baseline as necessary, based on the organization’s assessment of risk and local conditions.
- Implement: Put the security controls in place and integrate them with legacy systems. Document how the controls are arranged within the system and their effects on the overall environment.
- Assess: Evaluate the security controls to determine their quality and effectiveness.
- Authorize: Top management tests and approves the secured system based on the accepted risk appetite for operations and assets. Management should also consider the system’s overall impact on individuals and other organizations. Once the level of remaining risk has been identified, the system can either be authorized or subjected to additional revisions.
- Monitor: An organization should develop an ongoing monitoring and assessment schedule for the security controls. A thorough documentation of results is a must-have.
SSP – System Security Plan
A System Security Plan (SSP) documents the controls that have been selected to moderate the risk of a system. These controls are determined by the risk analysis and by FIPS 199. Federal systems—defined as any systems that are funded by federal money—fall into either a Low, Moderate or High category, per NIST’s guidelines. An SSP provides information regarding the system owner and the name of the system, and lists the security controls selected for the system. Each control listing includes a detailed description that allows the system owner or auditor to confirm the effectiveness of that control.
How A-LIGN Can Help
As a full-service security, compliance and privacy firm, A-LIGN provides organizations a variety of federal assessment services. Our team of assessors have experience in CMMC, FISMA, FedRAMP and NIST 800-171 assessments, and can help you determine which is vital for your organization. Together, we can determine the security requirements your organization needs for an ATO, as well as develop a holistic plan of action to protect your CDI and CUI.
Take An In-Depth Look at the SOC 2 Audit Process
Understanding the purpose and examination process of a SOC 2 audit can be confusing for first-time users and experienced customers alike. A simple Google search can give you the basics of a SOC 2 audit, but that generalized knowledge is only the beginning.
A-LIGN has taken numerous looks at what a SOC 2 is, what kind of organizations need one, and why this audit is important for security measures that meet today’s exacting standards.
In our whitepaper, The SOC 2 Examination Process, we take an in-depth look at the SOC 2 audit and address topics including:
- Frequently asked questions regarding SOC 2
- The differences between a Type 1 SOC 2 audit and a Type 2 SOC 2 audit
- Why organizations often benefit from a readiness assessment
- The steps involved in a SOC 2 audit
The Types of SOC 2 Audits
- SOC 2 Readiness: Our readiness assessment provides your organization with the tools and confidence to prepare for the route ahead with the help of our experienced auditors.
- SOC 2 Type 1: A Type 1 report delivers a description of your organization’s system and its ability to meet the relevant criteria set by the Trust Services Criteria as of a specific date.
- SOC 2 Type 2: Type 2 reports include a description of your organization’s system along with the results of the auditor’s tests, as related to the Trust Services Criteria over a period of time. In addition, a Type 2 report gives a historical view of an organization’s environment to determine if the organization’s internal controls are designed and operating effectively.
On September 3, 2019 HITRUST announced that they will be updating the HITRUST PRISMA Weights (HAA 2019-007) and the Scoring Rubrics (HAA 2019-009). These new guidelines will go into effect for any HITRUST certifications submitted and accepted on December 31, 2019 or later.
SOC 1 or SOC 2: Which Is Right for My MSP?
Managed service providers (MSPs) provide a valuable service by enabling companies of all sizes to outsource their key information technology processes. Many of those companies who look to engage an MSP ask whether a SOC 1 or SOC 2 Examination has been completed to assess the MSP’s security posture.
Not sure where to start when a prospective customer asks you about a SOC report? Below are our top tips for determining if your MSP should complete a SOC 1 or a SOC 2 Examination – or both.
How Do I Know if My MSP Needs a SOC 1 or SOC 2?
Often, your clients will let you know which assessment they want your MSP to undergo. They might request a specific examination, such as SOC 1 or SOC 2, or they may be a little vaguer in their direction and ask for a third-party security audit to be completed by a CPA firm. If they’re less certain on which compliance assessment to complete, our SOC experts can review your MSP and its business practices to help determine the appropriate audit to undergo. Depending on the nature of your MSP, you might benefit from completing multiple compliance assessments concurrently, given the overlap in process and requirements.
Who Should Get a SOC 1 Examination:
A SOC 1 audit is the ideal audit for MSPs that handle, process, store or transmit financial information. These industries may include:
- Payroll Processors: A payroll processor distributes an organization’s payroll funds amongst its employees per the terms of the employer’s agreements as a service. The services of a payroll processor directly impact the organization’s financial reporting, making a SOC 1 audit critically important.
- Collections Organizations: A collections firm collects money on behalf of another company as a service and records and transfers those funds back, reconciling the organization’s financial statements. Because of their direct impact on financial reporting, SOC 1 audits are vital for collections organizations.
- Data Centers: A data center allows systems and software to operate with maximum availability as a service for other firms. If those systems or software are used for functional finance transactions, then the loss of availability could impact those transactions and therefore impact financial reporting.
- SaaS MSPs: A software-as-a-service (SaaS) MSP that offers a cloud service to an organization could be processing financial statements or reporting on statements that record to the general ledger, thereby impacting financial reporting.
Who Should Get a SOC 2 Examination:
Organizations of all sizes and industries can benefit from a SOC 2 Examination, as the audit can be performed for an organization that provides a variety of services to its customers. A SOC 2 report highlights the controls in place that protect and secure an organization’s system or services used by its customers. Unlike a SOC 1, the scope of a SOC 2 Examination extends beyond the systems that have a financial impact, reaching all systems and tools used in support of the organization’s system or services. This assurance in the security of the environment can be provided thanks to the requirements within a SOC 2 Examination, known as the Trust Services Criteria (TSC). The TSC are established by the American Institute of Certified Public Accountants (AICPA) and consist of five categories:
- Common Criteria/Security (required)
- Availability (optional)
- Processing Integrity (optional)
- Confidentiality (optional)
- Privacy (optional)
MSPs that could benefit the most from SOC 2 Examinations include:
- Any Service Organization: Generally speaking, any MSP providing a service to a business, client or person should have a SOC 2 performed.
- Data Centers: A data center allows systems and software to operate with maximum availability as a service for other firms. Because of the critical role that data centers play, availability and physical security of the system is extremely important to the clients purchasing the infrastructure or platform. To confirm a certain degree of availability, a SOC 2 is often requested or recommended.
- SaaS MSPs: A cloud-based SaaS that is managed and hosted by a third party should complete a SOC 2 Examination to provide assurance on the security posture surrounding the in-scope system or service.
Read more: Leveraging a SOC 2 Examination to Differentiate Your MSP
Should Your MSP Conduct a SOC 1 and SOC 2?
As you may have noticed, some industries that MSPs serve recommend the completion of both a SOC 1 and SOC 2 Examination. Because the customer audience and value gained for a SOC 1 and a SOC 2 audit differ, it is often worth completing both a SOC 1 and SOC 2 Examination concurrently – especially considering a majority of the evidence and testing used in a SOC 1 can also be leveraged in the completion of a SOC 2 Examination. A-LIGN’s SOC experts will review the services offered to customers by your MSP in order to determine the best solution for you.
How A-LIGN Can Help
As customers begin to enhance their vendor management practices to secure their information, requests for compliance reports such as a SOC 1 or SOC 2 report will become more and more frequent. Working with a compliance service provider like A-LIGN, who has certified compliance professionals with extensive experience performing SOC 1 and SOC 2 audits, can set you on the right path in building credibility and trust with your customers. Moreover, A-LIGN is well-versed in meeting the requirements of a broad range of compliance standards and security frameworks including SOC, PCI, ISO, GDPR, FISMA and NIST to help you meet all compliance needs.
ISO 27701: ISO Meets the GDPR
What is ISO 27701?
The ISO/IEC 27701:2019 standard was published on August 6, 2019, and provides the requirements and guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) as an extension of ISO/IEC 27001:2013 and ISO/IEC 27002:2013. This extension replaces the development standard ISO 27552.
This extension will be most relevant for personally identifiable information (PII) controllers and processors but can be used by organizations of any kind, size, and location. ISO 27701 allows these organizations to improve their PIMS by enhancing their Information Security Management System (ISMS). Since ISO 27701 is an extension of the ISO 27001 standard, there will not be a stand-alone certification for ISO 27701.
As privacy concerns and requirements continue to increase globally, the addition of ISO 27701 to ISO 27001 certifications will become increasingly important to organizations.
ISO 27701 Standard Structure:
- Clauses 5 and 6: Provide additional specific guidelines related to privacy for ISO 27001 and ISO 27002
- Clause 7: Provides 31 controls that will be relevant to PII controllers and includes the following control objectives:
- 7.2 Conditions for collection and processing: To determine and document the processing is lawful, with legal basis as per applicable jurisdictions, and with clearly defined and legitimate purposes
- 7.3 Obligations to PII principals: To ensure that PII principals are provided with appropriate information about the processing of their PII and to meet any other applicable obligations to PII principals related to the processing of their PII
- 7.4 Privacy by design and privacy by default: To ensure that processes and systems are designed such that the collection and processing (including use, disclosure, retention, transmission and disposal) are limited to what is necessary for the identified purpose
- 7.5 PII sharing, transfer, and disclosure: To determine whether and document when PII is shared, transferred to other jurisdictions or third parties and/or disclosed in accordance with applicable obligations
- Clause 8: Provides 18 controls that will be relevant to PII processors and includes the following control objectives:
- 8.2 Conditions for collection and processing: To determine and document that processing is lawful, with legal bases as per applicable jurisdictions, and with clearly defined and legitimate purposes
- 8.3 Obligations to PII principals: To ensure that PII principals are provided with the appropriate information about the processing of their PII, and to meet any other applicable obligations to PII principals related to the processing of their PII
- 8.4 Privacy by design and privacy by default: To ensure that processes and systems are designed such that the collection and processing of PII (including use, disclosure, retention, transmission and disposal) are limited to what is necessary for the identified purpose
- 8.5 PII sharing, transfer, and disclosure: To determine whether and document when PII is shared, transferred to other jurisdictions or third parties and/or disclosed in accordance with applicable obligations
- Annex A & Annex B: PIMS specific control objectives and controls for PII controllers and PII processors respectively
- Annex F: Informal guidance on practical applications of ISO 27701
Impact of ISO 27701:
A primary operational impact of ISO 27701 is the inclusion of privacy concepts and, in particular, the incorporation of many articles from the General Data Protection Regulation (GDPR) into the ISO framework. Similar to the GDPR’s focus on controllers’ and processors’ processing of personal data, ISO 27701 places the responsibility of compliance on the PII controllers (the person or agency who determines the purposes and means of the processing of personal data) and the PII processors (the person or agency who processes personal data on behalf of the controller).
Requirements applicable to and impacting both PII controllers and processors:
- Security: Physical, operational and administrative controls are required to protect PII.
- Confidentiality and Integrity: A confidentiality agreement must be executed by any individuals authorized to access PII and the integrity of the PII data must be maintained.
- Risk Assessments: To identify risks associated with new processing of PII or changes to the existing processing of PII, a privacy impact assessment must be conducted.
- Roles and Responsibilities: An individual should be appointed to develop, implement, monitor, and maintain the organization’s governance and privacy program.
- Training: Any personnel that will have access to PII will be required to complete privacy awareness training.
- Incident Management: Policies and procedures need to be established and adopted to respond to and document any incidents, including but not limited to data breaches.
- Records of Processing: Processing activities involving PII, including transfers and disclosures, must be documented and maintained by organizations.
- Transmission of PII Data: Controls must be implemented to govern the transmission of PII data.
Controller-Specific Requirements:
- PII Principals Notice: A privacy policy detailing the collection, use and processing of PII must be provided to the PII principals.
- PII Principal Rights: Mechanisms must be in place to accommodate individuals’ right to access, correct, erase, or object to and restrict the processing of their PII, among others.
- Processor Contract Requirements: Written contracts must be in place with their processors that address specific items, such as protecting PII, limiting processing to the specific purpose for which the PII was collected, and providing notification for breaches of PII.
- Data Minimization and Purpose Limitation: The PII collected shall be limited to that which is relevant, proportional and necessary to the identified purpose, and the processing of PII shall be limited to the purpose identified.
Processor-Specific Requirements:
- Processing Limitation: Processing of PII can only occur on the documented instructions of the controller or processor (depending on the role of the customer).
- Engagement of Subcontractors: In order to use a subcontractor to process PII, a written contract is required with the subcontractor authorizing the processing of PII and ensuring the implementation of appropriate controls.
- Infringing Instruction: Processing instructions received that are perceived to infringe on applicable legislation and/or regulation must be communicated to the customer.
- Assistance with Customer’s Obligations: Measures must be implemented that assist the customer in complying with the rights of individuals.
Benefits of ISO 27701:
- Streamline compliance obligations for ISO 27001 and the GDPR by integrating privacy into your organization’s ISMS
- Surpass the competition and attract new customers with a demonstration of increased security and privacy in your organization
- Maintain peace of mind for your current customers that their PII is protected
- Gain a better understanding of the Privacy Information Management Systems (PIMS) implementation process
- Avoid potential fines as the enforcement of privacy protection continues to increase
SOC 2 for startups may seem like a difficult endeavor given the moving parts involved in launching and maintaining a successful startup. From funding to revenue, it can be easy to neglect compliance examinations like a SOC 2 – or delay completing one until a future date. Since you cannot escape compliance requirements, the reality is that there is no better time to undergo a SOC 2 examination, and it might help your startup reach new heights. Below are the top reasons why your startup should consider SOC 2 compliance.
It Builds Credibility With Banks and Investors
Startups and banks can have a complicated and challenging relationship: while startups are fast-paced, young and agile, banks can be slower, more regulated and have complicated approvals to fund startups. Often banks and startups find themselves clashing over processes and cultures – which is why it’s important for startups to eliminate any roadblocks. Completing a SOC 2 as a startup is a fantastic way to demonstrate your security and ease security-related concerns that a bank may have. You’ll also be better prepared to answer the bank’s questions relating to security and compliance, as well as stand out from other startups in your field.
It Gives You a Competitive Advantage
These days, it seems like major security breaches are striking organizations large and small across the globe. Launching a startup can be difficult enough without worrying if you’re a target for a major data breach – but being prepared can be enough to differentiate yourself from your competition. Undergoing a SOC 2 Examination demonstrates to your current and prospective customers that your organization maintains a strong security posture that includes the implementation of controls to protect and secure a customer’s confidential and personal data – building trust in the marketplace early.
You’ll Develop Strong Policies and Procedures
One of the benefits of SOC 2 compliance is formally defining policies and procedures that describe the key processes and controls surrounding your organization and business operations. Departments and employees will know where to look if they have questions regarding their job role and how to complete their job responsibilities. Not only do strong, formally defined policies and procedures impress banks, investors, employees and customers, they also help employees better understand how to perform their day-to-day operations (such as building performance review systems or client contracts) and help mitigate risks resulting from data breaches and hacks.
[Read more: Top Policies and Procedures for SOC 2]
It’s Easier to Do at the Startup Stage
It may be tempting to delay completing a SOC 2 assessment at the infancy stage of your startup, but the reality is that you’ll likely need one in the future – and going through the audit process will only get more complicated as your organization grows. The reason why is simple: during the SOC 2 audit, various departments and personnel across the organization will be needed to assist in gathering the requested evidence for the examination. This is significantly easier when your team is in a small room together where the audit requests can be addressed quickly. As you build your startup, going through a SOC 2 Examination during the infancy stages will help strengthen the controls environment and help your organization be better prepared for future compliance assessments – no matter what size your organization has grown into. A little work now can save you countless headaches in the future.
A SOC 2 Is More Affordable Than Compliance Failure Fines
At the startup stage, assets can be tight, and organizations need to keep their costs to a minimum – this leaves little to no room for costly, yet easily avoidable, disruptions to business operations. While some disruptions to business operations are inevitable, completing a SOC assessment can help identify the major vulnerabilities and control gaps. Significant business disruption can cost your organization thousands of dollars a month, and the average cost of a data breach for an organization is $3.62 million. You wouldn’t rent an office space and leave the doors unlocked, because doing so could cost you everything. Undergoing a SOC 2 examination similarly helps protect your organization by bringing into focus potential vulnerabilities and control gaps that can potentially disrupt business operations. It might cost time and money now, but it’s a worthy investment – one that can save you even more time and money down the road, several times over.
Why SOC 2 for Startups?
With almost ten years of average experience, our team of certified compliance professionals have extensive experience performing SOC 2 for startups and can set you on the right path as you build your credibility with customers. Moreover, A-LIGN is well-versed in meeting the requirements of a broad range of compliance standards and security frameworks including SOC, PCI, ISO, GDPR, FISMA and NIST to help you meet all compliance needs.
Debunking the Top Seven Cybersecurity Myths
It is easy to feel uninformed with the number of cybersecurity myths that are frequently shared. The world of cybersecurity can be convoluted and confusing, but it doesn’t have to be. Arm your organization and yourself with facts about cybersecurity that will help you protect your personal, private information.
Myth #1: If the Wi-Fi You Are on Has a Password, It Means You Are Secure
Two instances that make organizations susceptible to public Wi-Fi network woes are shared workspaces and remote employees. Despite the illusion of security, password-protected Wi-Fi networks are still dangerous. Just about anybody can get their hands on your password and attempt to access your valuable files and information. The good news is that VPNs can help. VPNs allow typically vulnerable computer users to simulate being at work on a secure platform – regardless of where they are. Avoid accessing important information on any public Wi-Fi platform, password or not.
Myth #2: Cyberattacks Only Happen to Large Businesses
Every company is susceptible to attacks, regardless of size. In fact, Verizon reported in the Data Breach Investigations Report that small businesses account for 58% of data breaches. No one is free and clear from the potential threat of cyberattacks, and that is precisely why prevention is so important. Ensuring that your organization, your employees and you are cyber-literate is essential to the well-being and future of your organization.
Myth #3: Security Is Static and the Controls We Implemented Last Year Will Work This Year
Concerns about data protection are rising, and the only solution is to be innovative and adaptive in the way you approach cybersecurity. Cybersecurity needs are different for every organization and they are not static; they are ever-changing. 2019 has been filled with cybersecurity breaches, from Facebook to NASA. As a leading cybersecurity and compliance firm, we at A-LIGN help our partners stay up-to-date on the latest threats and advances in the security ecosystem. Hacking and security are a never-ending game of cat-and-mouse, which is why our penetration testers update their techniques frequently based on the latest news regarding hacks and patches.
Myth #4: Cybersecurity is Only About Defense
Cybersecurity is about defense, but it is also a major revenue-generating and trust-building business move. The average cost of a malware attack on a company is $2.4 million, and the average time lost to a malware attack is 50 days. In fact, 60% of small businesses that suffer a cyberattack are out of business within six months. More than ever, clients and potential clients are attracted to organizations and service providers with a strong cybersecurity and safety posture – not only to know that their data is safe, but as assurance that the organization will be around for the long term.
Equifax had a huge data breach in 2017 that affected 125.5 million people. Addresses, birth dates, social security numbers and driver’s license numbers were leaked, alarming customers and putting the focus on cybersecurity.
Myth #5: Cybersecurity Attacks Come From the Outside
From human error to malicious intent, cyberattacks do not come only from the outside. McKinsey & Company reports that an insider threat is present in 50% of cyber breaches. All scenarios need to be considered in order to have a complete cybersecurity plan. For example, implementing a thorough exit process for employees leaving the company and ensuring that all employees are trained on basic cybersecurity measures are two practices every organization should consider implementing.
Myth #6: Strong Passwords and/or Wireless Encryption Are Enough to Keep a Company Safe from Hackers
A strong password or strong wireless encryption like WPA or WPA2 used to be sufficiently secure, but hackers are becoming more advanced in their techniques for breaking into someone’s account. One way to help combat this issue is to enforce two-factor authentication on any device that allows the user to view sensitive content. Password manager apps and websites are also an excellent way to let users adopt more complex passwords without the burden of remembering all of them. Lastly, enforcing a limit on how long a user can keep the same password can help keep private information secure.
Myth #7: Assessments Are Not Necessary
Having a third party examine your company’s internal controls can help you take a hard look at what your organization is doing right and what needs improvement. Assessments provide third-party assurance that your organization has appropriate controls in place to help mitigate risk. Additionally, regular penetration tests allow you to measure your organization’s maturity over time and find potential flaws in your security infrastructure – before the bad guys do.
Stay Secure
The world of cybersecurity can be overwhelming. A-LIGN’s experience and commitment to quality can help your business achieve the cybersecurity and compliance goals it is seeking. We offer an extensive list of compliance and cybersecurity services that can protect your organization from the various threats that businesses face.
Don’t Get Reeled In: How to Prevent Phishing Scams
Phishing scams are a serious threat to an organization, and they’re increasing in scope, complexity and number – but that doesn’t mean you’re helpless to defend yourself. In fact, it’s easier than ever to proactively protect your organization from threats by following some simple tips.
Phishing Scams on the Rise
According to Wombat Security’s 2022 State of the Phish survey, 83% of survey respondents said they experienced a successful email-based phishing attack in 2021, up 57% from 2020, with 11% noting 10 or more of these attacks were successful.
With the threat of phishing scams on the rise and showing no sign of stopping, there has never been a better time to review your organization’s policies and remind yourself how you can stop an attack.
Types of Phishing Scams
Deceptive phishing: The most common phishing scam and the type most people think of when they hear the word “phishing.” Deceptive phishing strikes victims by taking over a recognized email address (or impersonating a recognized one) to get access to information. These emails typically request that you:
- Make a payment
- Re-enter information, such as logins or passwords
- Change your password
- Verify account information
Spear phishing: In recent years, spear phishing attacks have been on the rise. A more sophisticated form of deceptive phishing, spear phishing is a personalized attack that tricks you into thinking you have a relationship with the sender by using full names, position information, addresses, phone numbers or other semi-private information. Once the URL in a spear phishing email is clicked, hackers have access to your account.
Whaling: As the name implies, whaling is a form of phishing that targets the big game. With whaling, also known as CEO fraud, hackers target executives or directors and attempt to gain access to their email accounts. Unfortunately, this can be the most successful form of phishing scam, as executives often don’t undergo the same security training as other employees.
Phishing calls: Web-based attacks are the most common form of phishing scam, but phone-based phishing scams have increased over the last few years. In these scams, phishers call and attempt to present themselves as a legitimate organization, such as your bank or credit card company, to gain information. Typically, the calls begin by volunteering easily researched information like your name or address to build trust. From there, phishers drill down further by asking for personal information such as passwords or bank account numbers for “verification purposes.”
Know That Protection is Everyone’s Responsibility
While phishing prevention is often laid at the feet of the IT department, protecting the organization from phishing attacks is the responsibility of every member at every level – from interns to IT to executives. And while you might think your organization has to focus its training on older employees, a recent study found that millennials and Gen Z (23%) have fallen victim to phishing scams more often than Gen X (19%) or Baby Boomers (9%).
Before you shrug off responsibility, know that 55% of the business owners who took the 2022 State of the Phish survey report taking disciplinary action against employees who fall for real or simulated phishing attacks.
Be Wary of Suspicious Emails
Most organizations employ copywriters, editors and/or digital marketers to carefully craft marketing emails, so any email from a brand or company that is riddled with typos and errors should raise red flags. Cybercriminals often make mistakes in emails – sometimes intentionally, to slip past your email’s spam filters. Another telltale sign of a suspicious email is an impersonal greeting, such as “Dear Customer.”
If you don’t know the entity sending the email, don’t interact with the message by clicking links, downloading files or opening attachments. Doing so could open your computer, and your organization’s servers, up to a data breach.
Finally, look closely at the sender’s address. Phishers often create addresses similar to ones you are familiar with in order to mimic someone else – and if you don’t take a closer look at the sender, you might fall for it. For instance, the CEO of an organization might have the email [email protected], but phishers will use an address such as [email protected] or [email protected] to mimic the CEO in an effort to steal data or money.
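To make the sender check described above concrete, here is an added example (written for this page, not A-LIGN’s code or tooling) that flags a From header whose display name matches a known executive but whose address differs, a domain that is only a couple of edits away from the company’s own, or a known local part reused on an unrelated domain, and also flags the impersonal greeting mentioned earlier. The trusted directory, the example-corp.com domain and the sample messages are all constructed for illustration.

```python
"""Heuristic sender and greeting checks for inbound mail triage.

Added example (not code from the original page or from A-LIGN). The trusted
directory, domains and sample messages below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed directory of known internal senders: address -> display name.
# Hypothetical names and domain; replace with your own directory export.
TRUSTED_SENDERS: Dict[str, str] = {
    "jane.doe@example-corp.com": "Jane Doe",
    "finance@example-corp.com": "Finance Team",
}
TRUSTED_DOMAINS = {addr.partition("@")[2] for addr in TRUSTED_SENDERS}

# Impersonal greetings of the kind the text calls a telltale sign.
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder",
                     "valued customer")


@dataclass
class Finding:
    reason: str
    trusted_match: Optional[str] = None  # trusted address the message resembles


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def parse_from(header: str) -> Tuple[str, str]:
    """Split a From header into (display name, lowercased address)."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', header)
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    return "", header.strip().lower()


def check_sender(from_header: str, max_distance: int = 2) -> List[Finding]:
    """Flag display-name impersonation, lookalike domains and reused local parts."""
    display, addr = parse_from(from_header)
    if addr in TRUSTED_SENDERS:
        return []  # exact match to a known sender
    local, _, domain = addr.partition("@")
    findings: List[Finding] = []

    # Lookalike domain: a few edits away from a trusted domain (e.g. "1" for "l").
    for t_domain in sorted(TRUSTED_DOMAINS):
        if domain != t_domain and levenshtein(domain, t_domain) <= max_distance:
            findings.append(Finding(
                f"domain {domain!r} is within {max_distance} edits of {t_domain!r}"))

    for t_addr, t_name in TRUSTED_SENDERS.items():
        t_local, _, t_domain = t_addr.partition("@")
        # A known person's display name on an address that is not theirs.
        if display and display.lower() == t_name.lower():
            findings.append(Finding(
                "display name matches a trusted sender but address differs", t_addr))
        # Known local part reused on an unrelated (e.g. free webmail) domain.
        if (local == t_local and domain not in TRUSTED_DOMAINS
                and levenshtein(domain, t_domain) > max_distance):
            findings.append(Finding(
                f"local part {local!r} reused on unrelated domain {domain!r}", t_addr))
    return findings


def check_greeting(body: str) -> List[Finding]:
    """Flag a body that opens with an impersonal greeting."""
    lines = [ln.strip() for ln in body.strip().splitlines() if ln.strip()]
    first = lines[0].lower() if lines else ""
    if any(first.startswith(g) for g in GENERIC_GREETINGS):
        return [Finding("impersonal greeting")]
    return []


def triage(from_header: str, body: str) -> List[str]:
    """Return the reasons a message deserves a closer look (empty if none)."""
    return [f.reason for f in check_sender(from_header) + check_greeting(body)]


if __name__ == "__main__":
    # Constructed sample messages: one genuine, two imitating the same person.
    samples = [
        ("Jane Doe <jane.doe@example-corp.com>", "Hi team,\nSee attached agenda."),
        ('"Jane Doe" <jane.doe@examp1e-corp.com>', "Dear Customer,\nWire the payment today."),
        ("Jane Doe <janedoe.ceo@freemail.example>", "Hi,\nAre you at your desk?"),
    ]
    for hdr, body in samples:
        print(hdr, "->", triage(hdr, body) or "no findings")
```

The checks are deliberately simple string heuristics, so they belong in a triage or mail-filter rule that adds a banner or raises a ticket rather than in anything that blocks mail outright; an internal sender whose display name legitimately changed, or a partner whose domain happens to be close to yours, will produce the same findings and needs a human look.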
Stay Updated on Phishing Attacks
Like any kind of scammer, phishers are playing a massive game of cat-and-mouse. As soon as a new technique is deployed or successfully used, word spreads and the public is educated – forcing hackers to develop new tricks constantly. If you’re not staying updated on new techniques and developments, or undergoing security awareness training regularly, you’re easy prey for a phishing scam.
Undergo Penetration Tests
Penetration tests are a great way to test your information security posture, including by simulating a phishing attack. Designed to test the information security of the technologies and systems in place at an organization, penetration testing identifies specific vulnerabilities before the bad guys do, mitigating the risk of a data breach or phishing scam.
How A-LIGN Can Help
At A-LIGN, our penetration testers emulate the techniques of hackers by developing scenarios and strategies to breach your organization’s information systems, attacking your networks and applications. A-LIGN’s penetration test encompasses:
- API Testing
- Network Layer Testing
- Mobile Application Testing
- Web Application Testing
- Wireless Network Testing
- Facility Penetration Testing
What are the steps to ISO 27001 certification?
Our assessors have completed assessments against several International Organization for Standardization (ISO) standards and can provide your organization with insights into the process for achieving ISO certification.
Choosing the appropriate assessor
A certification audit can be performed by any company that understands the ISO standard relevant to your company. When selecting a certification body (CB), it is important to understand the difference between an accredited and unaccredited certification to ensure that it meets your organization’s needs.
Accredited certification body
Accredited CBs must undergo a rigorous evaluation process to ensure that the certification audit is performed in accordance with the ISO audit requirements. The evaluation process assesses the competence of the audit team, audit methodology used by the CB, and the quality control procedures in place to ensure that the audit and report are completed properly.
As an accredited certification body, each certificate that A-LIGN issues carries the ANAB or UKAS seal, which is accepted globally by your customers and potential clients as a demonstration of conformity with the appropriate standard.
Unaccredited certification body
Organizations can also receive certification through an unaccredited assessor; however, these CBs are never audited for their compliance with ISO certification audit requirements. When your organization is pursuing ISO certification to meet a client requirement, it is important to determine whether the client requires an accredited certificate or will accept a certificate from an unaccredited CB.
5 Steps to ISO Certification
Step 1: Pre-assessment
The ISO pre-assessment process is designed for companies that will undergo the certification process for the first time and is performed only on an as-needed basis. A-LIGN simulates the actual certification audit by performing a review of your company’s scope, policies, procedures and processes to identify any gaps that may need remediation before your company goes through the certification process.
The pre-assessment can give your organization a head-start on the certification process by revealing any oversights or potential weaknesses that your organization may have ahead of the actual audit so that you can act on areas that require remediation or attention.
Step 2: Stage 1 audit
During the stage 1 audit, A-LIGN reviews your company’s documentation to confirm that it follows the relevant ISO standard, and checks whether the required activities have been completed or are scheduled prior to beginning stage 2.
The conclusion of the stage 1 audit will determine whether your company is ready to move forward to stage 2, or whether modifications are required to its policies, procedures and supporting documentation before proceeding. Once stage 1 is complete, your organization will have a better understanding of its ability to meet the requirements and of its areas for improvement.
Step 3: Stage 2 audit
The stage 2 audit is performed to test the conformance of your system with the relevant ISO standard. During A-LIGN’s on-site audit, we will perform testing procedures including interviews, inspection of documented evidence, and observation of your processes. Upon completion of stage 2, A-LIGN will determine if your organization is ready to be certified.
If there are any major nonconformities, they will need to be remediated before a certificate can be issued.
Step 4: Surveillance audit
Once your organization has achieved certification, A-LIGN is dedicated to your continued success. Over the two years following certification, A-LIGN will conduct annual surveillance audits to ensure your ongoing conformity with the appropriate ISO standard to give you the assurance that your systems and processes continue to be compliant.
Step 5: Recertification
Your certificate is valid for three years after the issue date. Your organization will need to recertify before the certificate expires, which begins the certification process again. The recertification process differs from initial certification, as organizations do not typically need to go through the stage 1 audit again. Instead, organizations begin with stage 2 in order to achieve recertification, and continue to receive surveillance audits following recertification.
Getting started with ISO
For organizations seeking an internationally recognized framework, the ISO standards can provide your organization with a certification that is scalable to your needs. With our experience in assessing an organization’s cybersecurity, compliance, and privacy, A-LIGN can provide your organization with the experience and guidance needed to achieve certification.