FISMA Certification: Understanding Low, Moderate and High-Impact Systems
FISMA, or the Federal Information Security Management Act of 2002, requires federal agencies to implement the security controls catalogued in NIST SP 800-53, and a FISMA assessment measures those controls. You can review those requirements in Figure 1, below.
One of the benefits of FISMA is that the required controls scale with the potential impact on the organization or on individuals if a system were breached. A breach of security is a loss of confidentiality, integrity, or availability, and FIPS 199 (which FISMA mandates) rates the potential impact of each of those losses as low, moderate, or high; the highest rating sets the system's overall impact level and therefore which NIST 800-53 control baseline applies. The three FISMA implementation levels are: low, moderate and high. FISMA established security guidance for federal entities and their agencies to adhere to, so organizations looking to win government contracts that involve federal information must meet the same standards. The focus of this program is to improve the security of information through the creation of clear standards that all federal agencies can use to protect their information and information systems.
Low
Low-impact systems are systems that, if compromised in some way, would only have limited adverse effects on the organization or individuals.
Moderate
Moderate-impact systems are systems whose compromise would have a serious adverse effect on an organization’s operations, organizational assets or individuals.
High
High-impact systems are of critical importance to a government entity. A breach of any kind would have a severe or catastrophic adverse effect on the organization, and could result in a shutdown of operations, significant fiscal loss, physical harm to individuals, or a severe loss of intellectual property.
Achieving FISMA Certification
For organizations looking to win government contracts, FISMA compliance provides clear requirements for the development, documentation and implementation of an information security system for its data and infrastructure.
Four Common ISO 27001 Pitfalls After Certification
We want to ensure that your organization does not fall victim to these common ISO 27001 pitfalls, so that your information security management system (ISMS) continues to operate as designed and subsequent audits flow smoothly. Becoming ISO 27001 certified is a rigorous process for most organizations, but the work should not stop after receiving the sought-after certification. Take a look at the four most common problems to help your company stay on track after certification.
Failing to schedule the internal audit and management review
The completion of the internal audit and management review is critical to the success of the ISMS. A-LIGN reviews these activities during each audit and checks that their quality and completeness meet the standard's requirements. These activities build on each other: the internal audit feeds into the management review, and both feed into the continual improvement cycle.
You should ensure that the internal audit is scheduled well in advance of the surveillance audit, so the management review and continuous improvement activities have time to be performed. We start the surveillance audit approximately nine months after initial certification is received, so a typical timeline would be to start the internal audit six to seven months after certification.
Changes in key personnel
Many times the ISMS is implemented by an individual who fields many of the questions during an audit and has overall responsibility for the ISMS. If that person leaves the company, the ISMS can fall apart. In order to help prevent this, we recommend that all companies designate a back-up person who has a general understanding of the ISMS. If your primary ISMS manager moves into a different position or to another company, ensure that the designated backup steps in to ensure that the ISMS continues to function.
Failing to be vigilant
It is common for organizations to breathe a sigh of relief upon receiving the initial certification, but at times they go too far into “relaxation mode” and fall victim to common ISO 27001 pitfalls. ISO 27001 defines ongoing processes that should be in place throughout the year, not just during the audit. The management controls, including periodic meetings, documented approvals for decisions, meeting minutes of oversight committees, etc., must be maintained to evidence that the ISMS continues to function. This is also true of the controls defined in the statement of applicability.
Companies should ensure the ISMS is a living process that is built into the culture of the organization so that it continues to function as designed after certification is received.
Not considering environmental changes
ISO 27001 requires that any changes in the environment be considered through the risk assessment process, and that any new or modified controls flow into the statement of applicability. It also requires that A-LIGN be notified, and a new certificate issued, if there are changes to the scope or statement of applicability. When changes that may impact the scope of certification are being considered, it is important to review and update the ISMS documentation to ensure it correctly reflects the environment post-change.
These top ISO 27001 pitfalls are all easily remedied through management oversight and following the controls as defined in your ISMS. Establishing a long-term ISMS framework can help to create an ongoing culture of security in your organization and help to ensure smooth surveillance audit cycles.
Strengthening the Cloud: ISO 27017 and ISO 27018
As the global usage of cloud technology continues to grow, businesses must strategically consider the risk of storing protected information and explore security options in order to protect their information systems. There are multiple security standards for cloud services providers and users to utilize in order to secure the cloud-based environment and minimize potential risk of a security incident.
Because cloud services operate across different locations and jurisdictions, an international standard is necessary in order to satisfy the security requirements of clients. ISO, the International Organization for Standardization, has published standards specialized for cloud companies: ISO/IEC 27017 and ISO/IEC 27018, two cloud-focused compliance frameworks that assist cloud organizations.
ISO 27017
ISO 27017 is designed to assist in the recommendation and implementation of controls for cloud-based organizations. This is relevant to organizations who store information in the cloud, but also for organizations who provide cloud-based services to other organizations who may have sensitive information.
This standard is built upon ISO 27002: it adds cloud-specific implementation guidance to the existing ISO 27002 controls and introduces additional controls for the needs of cloud service providers and their customers.
ISO 27018
ISO 27018 is likewise designed for cloud computing organizations, but specifically protects personally identifiable information (PII) stored and/or processed in a public cloud. It is primarily aimed at cloud providers acting as PII processors, not at their customers.
This standard creates an additional level of customer confidence, specifically when working with organizations who handle sensitive information. This standard provides for the practical application of minimum protection standards that should be implemented to maximize client and end-user assurance.
Why Get Certified?
For cloud providers, ensuring the safety of consumer information is the number one priority. In light of recent breaches that have compromised user data, receiving certification through an international standard provides an organization with the globally accepted security controls. It also demonstrates to the cloud provider’s customers the importance they place on protecting consumer data. This provides a unique marketing advantage to firms that are able to tout their ability to confidently secure customer information.
While some organizations seek certification to conform to their unique regulatory needs or the needs of their clients, other organizations should consider ISO 27017 or ISO 27018 in order to minimize both the risk inherent to cloud-services organizations, and the potential cost of a breach. Adhering to the rigid guidelines of ISO 27017 and 27018 allows your organization to operate with confidence and build a reputation of trust with your clients.
What Penetration Tests Reveal: The Top 3 Findings
The hacking industry was alive and well in 2015, and it’s funny how the majority of attack vectors haven’t changed in the past five years. I thought it would be interesting to share information gathered from expert pen testers regarding the top three vulnerabilities uncovered in 2015 as well as insight into prevention.
The winners… drum roll please… for the most commonly exploitable vulnerabilities in 2015 penetration tests:
- SQL Injection
- Cross-site Scripting (XSS)
- Misconfigured Server Settings
No surprises there, right? I have seen these same vulnerabilities since I started interfacing with security clients in 2006. I’ve categorized prevention and insight into these vulnerabilities as follows:
SQL Injection (SQLi)
If in 20 penetration tests you are able to successfully exploit an SQLi vulnerability on 2 of them, then for 10% of the companies assessed an attacker could steal their ENTIRE database via their web portal. If these numbers are reflective of websites as a whole, that means that 10% of the companies across the world have either already lost or will lose all of their sensitive data to attackers, which is a staggering thought. No wonder injection still ranks as #1 on the Open Web Application Security Project (OWASP) Top 10. This makes it #1 on our list too, due to the possible damage done and the ease of exploitation.
SQLi is easy to fix too. The best way to do this is to use a safe API that provides a parameterized (prepared-statement) interface, or that avoids the SQL interpreter entirely. If a parameterized API isn’t available, escape special characters in the input using the database’s own escaping routine, and validate input against a whitelist of acceptable values. Not a blacklist, though; that is too easy to get around.
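As an added example (not code from the original post), the vulnerable and parameterized query styles side by side, using Python's standard sqlite3 module. The customers table, its rows, and the payload are constructed for the demonstration; the sort-column whitelist covers the one case where a bound parameter cannot help, because an identifier is not a value.

```python
import sqlite3

# Constructed sample schema and rows for the demonstration (not real data).
_SCHEMA = ("CREATE TABLE customers "
           "(id INTEGER PRIMARY KEY, username TEXT, email TEXT, ssn TEXT)")
_ROWS = [
    ("alice", "alice@example.com", "123-45-6789"),
    ("bob", "bob@example.com", "987-65-4321"),
    ("carol", "carol@example.com", "555-55-5555"),
]


def new_db():
    """Return an in-memory SQLite connection seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(_SCHEMA)
    conn.executemany(
        "INSERT INTO customers (username, email, ssn) VALUES (?, ?, ?)", _ROWS)
    return conn


def find_customer_vulnerable(conn, username):
    """The bug: the value is spliced into the SQL text, so a quote in it
    changes the query. A username of  ' OR '1'='1  returns every row."""
    sql = ("SELECT username, email, ssn FROM customers "
           f"WHERE username = '{username}'")
    return conn.execute(sql).fetchall()


def find_customer_safe(conn, username):
    """The fix: the value travels as a bound parameter. The SQL text is fixed,
    so the interpreter can only ever treat the input as a string literal."""
    sql = "SELECT username, email, ssn FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Identifiers such as a sort column cannot be bound as parameters. Where the
# user picks one, compare it against a whitelist of known names; never escape it.
_SORTABLE_COLUMNS = ("username", "email")


def is_sortable(column):
    return column in _SORTABLE_COLUMNS


def list_usernames_sorted(conn, sort_by):
    if not is_sortable(sort_by):
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    # Safe only because sort_by is now known to be one of our own literals.
    return [row[0] for row in
            conn.execute(f"SELECT username FROM customers ORDER BY {sort_by}")]


if __name__ == "__main__":
    db = new_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_customer_vulnerable(db, payload))  # all three rows
    print("safe:      ", find_customer_safe(db, payload))        # []
```

Run it and the vulnerable lookup returns the whole table for the payload while the parameterized one returns nothing, because no customer is literally named `' OR '1'='1`. The same pattern applies to any SQL client: the placeholder syntax differs, but the principle is that the query text never contains user data.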
Cross-site Scripting (XSS)
19 of the 20 penetration tests performed had one (or many) XSS vulnerabilities, either reflected XSS or stored XSS. These are easy for hackers to exploit: just an email, blog post, or clicked link away from compromising a client machine. When a clever hacker pairs an XSS vulnerability with a well-crafted phishing email, he is almost guaranteed to compromise some client PCs and accounts.
Regarding prevention, the recommendation is to encode all untrusted data at the point where it is written into the page, using the encoding for that context (HTML body, attribute, JavaScript, or URL). If your users can input something into a page, then so can a hacker.
Output encoding should also be paired with whitelist validation of the input wherever its format is known, such as a username or the scheme of a URL.
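As an added example (not code from the original post), reflected and stored XSS beside their encoded forms, plus the attribute case where encoding alone is not enough and a whitelist on the URL scheme is needed. The page fragments and payloads are constructed for the demonstration; only the Python standard library is used.

```python
import html
from urllib.parse import urlsplit


def render_search_vulnerable(query):
    """Reflects the search term into the page unchanged: reflected XSS."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query):
    """HTML-encodes the term for the element-body context before reflecting it."""
    return f"<p>Results for: {html.escape(query)}</p>"


# Only schemes a user-supplied link may carry. A javascript: URL survives HTML
# encoding untouched, because the browser decodes the attribute value before
# following it, so the scheme has to be validated, not encoded.
_ALLOWED_SCHEMES = ("http", "https")


def render_link_safe(url, label):
    """Attribute context: encode quotes as well, and whitelist the URL scheme."""
    if urlsplit(url).scheme.lower() not in _ALLOWED_SCHEMES:
        url = "#"
    return (f'<a href="{html.escape(url, quote=True)}">'
            f'{html.escape(label)}</a>')


def render_stored_comment(author, body):
    """Stored XSS has the same fix: data read back from the database is still
    untrusted and is encoded for the context it is written into."""
    return f"<li><b>{html.escape(author)}</b>: {html.escape(body)}</li>"


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"
    print(render_search_vulnerable(payload))  # script tag reaches the browser
    print(render_search_safe(payload))        # &lt;script&gt;... is shown as text
    print(render_link_safe("javascript:alert(1)", "click"))  # href="#"
```

A templating engine with auto-escaping does the body and attribute encoding for you, but the scheme check is still yours to write: `&quot;` protects the attribute boundary, not the meaning of the URL inside it.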
Misconfigured Server Settings
This one is easy to prevent and yet can cause a lot of damage when present. Many of the websites I looked at allowed me to “retrieve” sensitive information through custom-crafted URL queries. I had one site that allowed me to browse protected web content just by inputting some special characters after the URL. Another site allowed me to see who was logged into the server at the time.
Misconfigured server settings are also a quick fix. A repeatable hardening process applied to every web server usually catches any problem. OWASP publishes good guides on configuring a server correctly.
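As an added example (not from the original post), one check a repeatable hardening process should include, on the assumption that the “special characters after the URL” above were traversal sequences such as `../` (the post does not say). The document root is hypothetical and nothing is read from disk; the request paths are constructed.

```python
from pathlib import PurePosixPath
from urllib.parse import unquote

# Hypothetical document root for the example; no file is actually opened.
DOCROOT = PurePosixPath("/var/www/public")


def resolve_request_path(url_path):
    """Map a request path onto a file under DOCROOT.

    Returns the resolved path, or None when the request must be refused:
    a normalized path that would climb above the root, or a dot-file such
    as .git/config or .env that a web server should never serve.
    """
    # Percent-decode twice so %252e%252e (double-encoded '..') is caught too.
    decoded = unquote(unquote(url_path))
    # Treat backslashes as separators: some servers do, and a check that is
    # stricter than the server is harmless, while the reverse is not.
    decoded = decoded.replace("\\", "/")
    parts = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue                 # empty (from '//') or current directory
        if segment == "..":
            if not parts:
                return None          # would climb above DOCROOT
            parts.pop()
            continue
        if segment.startswith("."):
            return None              # hidden or configuration file
        parts.append(segment)
    return DOCROOT.joinpath(*parts)


if __name__ == "__main__":
    for req in ("/css/../index.html", "/../etc/passwd",
                "/%252e%252e/%252e%252e/etc/passwd", "/.git/config"):
        print(f"{req!r:40} -> {resolve_request_path(req)}")
```

The point of the check is that normalization happens before the path is compared with the root, on the decoded form the file system will actually see; a server that compares the raw URL prefix and then decodes is the kind of misconfiguration the post describes.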
Final Recommendations
These top three security fixes, as you can see, are almost banal. They don’t involve expensive hardware or strategies, but they do involve a culture of security, policies, and best practices. In fact, many of these findings come from point-in-time test environments, such as those complying with PCI, vs. organizations trying to establish a long-term information security management system framework or ISMS, like the ISO 27001 standard seeks to do. At least the entities tested had a pen test and fixed the vulnerabilities.
An ongoing culture of security and establishing and updating/improving InfoSec policies can help to avoid these vulnerabilities in your organization.
Providing Evidence of Controls as a Managed Services Provider
As a provider of managed services, your customers are entrusting you with responsibility for some of the controls that could impact the integrity, availability and confidentiality of their data. Although they transfer responsibility for the controls, the ultimate accountability remains with your customers, and in most cases they will request evidence that appropriate controls are in place to protect their data. As a managed services provider there are several options you can pursue to provide this evidence.
The first is to work directly with every customer and answer their audit questionnaires, provide them detailed evidence of the controls and possibly undergo on-site visits from each of your customers or their auditors. This is typically not an efficient method and can cause a significant impact on your daily operations due to the continual barrage of audit-related tasks.
The second option is to undergo a SOC 2 examination. SOC 2 is built on the Trust Services Criteria (formerly the Trust Services Principles) of Security, Availability, Confidentiality, Processing Integrity and Privacy. Depending upon the services provided and the level of access you have to your customers’ data, you can choose one criterion or all five. The SOC 2 report can be distributed to your customers as evidence of the controls in place to protect their data. In addition to the reduced audit impact the SOC 2 can bring to your organization, it also demonstrates your commitment to security and controls in your environment. At the conclusion of the examination, the AICPA provides a logo to display on your website.
The SOC 2 report addresses general controls for the protection of data but is it sufficient for your customers in specific industries such as healthcare or payment card processing? For your customers in these industries they may require additional controls as defined by the HIPAA/HITECH Acts or the PCI Data Security Standards. As with the SOC 2 examination, in order to keep from responding to each customer’s audit requests, as a managed service provider you can undergo an audit against the HIPAA/HITECH or PCI DSS security assessment and provide evidence of compliance to your customers.
These audits are not mutually exclusive. Many of our clients undergo multiple examinations/audits to meet the requirements of their customer base. A-LIGN assists our managed services clients by bundling these projects and performing them together. By bundling these projects A-LIGN is able to reduce the time it takes to perform the fieldwork, thereby reducing the overall fees.
How SOC 2 Audits Add Value to an Organization
From ISO 27001 to PCI DSS to SOC 1 and SOC 2, there is no shortage of security assessments for organizations to pursue. While some audits can be more time intensive than others, the value they provide can benefit your organization in multiple ways.
This is especially true with SOC 2, which has become one of the most popular security assessments available. In this post, we’ll share how SOC 2 audits add value for organizations across all industries, along with how you can get started on your own SOC 2 journey.
What is a SOC 2 Audit?
A System and Organization Controls (SOC) 2 audit examines an organization’s internal controls, determining the controls’ design and effectiveness at providing security for the data within the in-scope systems.
A SOC 2 is beneficial for organizations who want to demonstrate that security measures have been properly implemented within their environment. These measures, the 5 Trust Services Criteria, are security, availability, confidentiality, privacy, and processing integrity.
The first category, Security, is required to be in scope for every SOC 2 audit and is therefore frequently referred to as the Common Criteria. While the Security criteria is required, the rest are optional.
How SOC 2 Audits Add Value
There’s a reason why SOC 2 has seen a rise in popularity: it’s because a SOC 2 report adds value. Organizations who undergo the SOC 2 audit process benefit from:
- Increased insight into their security posture
- An understanding of opportunities for control improvements
- More competitive positioning within their market (prospects love to know that your organization takes security seriously and often require a SOC 2 report)
Increased Insight Into Security Posture
By undergoing a SOC 2 examination, an organization gains valuable insight into their overall environment and controls in place. The resulting SOC 2 report details processes specific to risk management, change management, vendor management, access controls, and much more. The SOC 2 report serves as a comprehensive overview of the effectiveness of those processes, and areas of opportunity.
Understanding Opportunities for Control Improvements
Organizations can use a SOC 2 report as a strategic roadmap for future security investments and initiatives. It’s an invaluable tool — created by an expert third-party — that serves as a guide against industry best practices.
SOC 2 as a Competitive Differentiator
A SOC 2 is a valuable resource to help organizations stand out amongst the competition as it demonstrates to prospective clients how much your organization values the security of client data. Having a SOC 2 report on-hand will set you apart from competitors during conversations with prospects, offering an advantage that other organizations in your industry may not have.
How to Complete a SOC 2 Audit
Prior to undergoing a SOC 2 audit, it’s important to understand what is involved and how your organization’s resources will need to take an active role in the process.
Step 1: Define the Scope. First, your organization should understand which in-scope systems need to be included in the audit. Typically, it will be limited to the applications, systems, or technologies that interact with or store client data.
Step 2: Plan for the Audit. After evaluating your needs, your organization will then need to identify if you should undergo either a Type 1 or a Type 2 audit. The SOC 2 Type 1 audit will cover a single point in time and focus on the design of the controls at that point in time. The SOC 2 Type 2 audit will cover a period of time and focus on the design and operating effectiveness of the controls over the defined review period. A third-party assessor will help you with both the scoping of the audit and determining what type of audit (Type 1 or Type 2) would be most beneficial to your organization.
Step 3: Establish Deadlines. Your organization should define key deadlines and work with your auditor to ensure they can be met within a certain time frame.
Step 4: Collect Evidence. During this phase, your organization will gather all of the information that will be used for the audit.
Step 5: Perform Audit. While the collection of evidence is in progress, the third-party auditor will conduct walkthroughs of the procedures and processes of the environment for the in scope systems. Once testing is completed, the reporting phase begins and the SOC 2 report is generated based on the test results identified.
Step 6: If Wanted, Pursue a SOC 3 Report. Once your organization undergoes a SOC 2 Type 2 audit, you can then obtain a SOC 3 report. A SOC 3 is a public-facing report that highlights your organization’s commitment to security. This report is a great tool, as it can be distributed to current and prospective clients to show opinion, assertion, and system description, without revealing sensitive information around the controls and testing. A SOC 3 report can be issued for most SOC 2 Type 2 reports.
Getting Started With Your SOC 2 Audit
As a licensed CPA firm, and the top issuer of SOC 2 reports in the world, A-LIGN is ready to help your organization reach its compliance potential, drive revenue and unlock new business opportunities. Our experts work alongside you to help position your company for success and guide you through every step of the SOC 2 process.
The invaluable expertise of our auditors — combined with our A-SCEND compliance automation software, streamlines the entire audit process, providing you with both the people and the technology you need to successfully complete a SOC 2 audit.
Are you ready to start your SOC 2? Contact A-LIGN Below!