If you handle sensitive data in your business, sooner or later you will be asked to “validate” your cyber security program. This can happen for several reasons. A large customer or prospect may need to assess the cyber risk of your organization. You may try to purchase cyber breach insurance. Or you may be part of the rare organization that is being “proactive” in order to earn more business. In this article we discuss three ways you can validate your cyber security program, plus some industry-specific alternatives.
What is Cyber Security “Validation”?
A cyber program validation is a formal assessment (by an objective party, normally a third party) that your organization is operating according to established cyber security best practices. The process has three essential steps:
- You define a list of “controls” that make up your cyber program, and have them formally documented with written information security policies;
- You gather evidence to support that your “controls” are functioning adequately over a period of time;
- You have a formal examination (by an internal audit function or an external assessor) of the controls and supporting evidence to determine that the controls are actually being followed by the organization. The final result is a written assessment report in which management asserts that the controls are in place and the auditors state their opinion on whether the evidence supports that assertion.
All of the methods described here are a variation of these basic steps.
Example Control Assessment
Here is a real-life example of a cyber “control” that can be validated.
Control: All access to information is limited based on a “need-to-know”.
This foundational control is designed to allow people to access only the information they need to do their jobs. The first piece of “evidence” for this control would be an Access Control Policy that includes this specific control as a policy statement. The policy is the written commitment that a control is in place and is supported by management.
The next piece of evidence may be an examination of the Active Directory system to determine whether groups are set up so that only the people who need a resource are granted access to it, and whether broad groups such as “Everyone” or “Domain Users” have been granted access anywhere they should not be. This is an example of a “technical control” – one that is implemented with a specific technology such as an access control system, and whose evidence can be collected directly from that system.
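The following PowerShell script is an added example of how an auditor or administrator could gather that Active Directory evidence; it is not part of the original article or any Information Shield tool. The folder paths and group names are hypothetical placeholders, and the script assumes a domain-joined Windows host with the RSAT ActiveDirectory module installed. It reads the NTFS ACL of each sensitive folder, flags any grant to a broad principal or to a group other than the one authorized for that folder, expands the authorized group recursively so the reviewer sees the actual people inside it, and writes a timestamped CSV that can be attached to the assessment as evidence.

```powershell
# Added example (not from the original article): collect evidence that access
# to a set of sensitive folders is limited to one authorized AD group.
# The paths, group names and principal lists below are hypothetical placeholders.
Import-Module ActiveDirectory

# Map each sensitive resource to the single group that is supposed to hold access.
$scope = @(
    @{ Path = '\\fileserver\Finance';    AuthorizedGroup = 'FIN-Ledger-RW' },
    @{ Path = '\\fileserver\HR\Payroll'; AuthorizedGroup = 'HR-Payroll-RW' }
)

# Principals that normally appear on an NTFS ACL and do not represent end users.
$systemPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

# Identities that, if granted access, contradict a need-to-know control outright.
$broadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users')

$findings = foreach ($item in $scope) {
    $acl = Get-Acl -Path $item.Path
    foreach ($ace in $acl.Access) {
        $identity  = $ace.IdentityReference.Value          # e.g. CORP\FIN-Ledger-RW
        $shortName = $identity.Split('\')[-1]              # strip the domain prefix
        $status = if ($systemPrincipals -contains $identity) { 'System' }
                  elseif ($broadPrincipals -contains $shortName) { 'Violation: broad grant' }
                  elseif ($shortName -eq $item.AuthorizedGroup) { 'OK' }
                  else { 'Exception: unapproved grantee' }
        [pscustomobject]@{
            Path      = $item.Path
            Identity  = $identity
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
            Status    = $status
        }
    }
    # Expand the authorized group so the reviewer sees who actually holds access,
    # including members nested through other groups (-Recursive flattens them).
    foreach ($member in Get-ADGroupMember -Identity $item.AuthorizedGroup -Recursive) {
        [pscustomobject]@{
            Path      = $item.Path
            Identity  = "$($item.AuthorizedGroup) -> $($member.SamAccountName)"
            Rights    = 'via group'
            Type      = $member.objectClass
            Inherited = $false
            # Computer or contact objects inside a data-access group deserve a second look.
            Status    = if ($member.objectClass -eq 'user') { 'Member' } else { 'Review: non-user member' }
        }
    }
}

# Write the full record as evidence and show only the items that need attention.
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$findings | Export-Csv -Path ".\need-to-know-evidence-$stamp.csv" -NoTypeInformation
$findings | Where-Object Status -notin 'OK', 'System', 'Member' | Format-Table -AutoSize
```

Run the script on a schedule (for example monthly) and keep every CSV; a Type 2 style examination needs to see that the control operated throughout the review period, not just on the day of the audit. Any row marked “Violation” or “Exception” should map to either an approved, documented exception or a remediation ticket.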
So let’s look at three methods to validate your cyber security program.
SOC 2 Audits (SSAE 18 SOC 2 Type 2)
One of the most common methods of validation is a “SOC 2 Type 2” report. A SOC 2 report is an examination of the controls that management has declared against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy). A Type 1 report evaluates whether those controls are suitably designed at a single point in time; a Type 2 report evaluates whether the controls operated effectively over a review period, typically between three and twelve months. A Type 1 is not a formal prerequisite for a Type 2, although many organizations start with one while they are still documenting their controls in written policies.
To issue a SOC 2 report, the assessment organization must be a licensed Certified Public Accounting (CPA) firm. This is because SOC reporting is defined by the AICPA under its attestation standards (SSAE 18, which succeeded SSAE 16 and the older SAS 70). The requirement for CPAs as auditors can make a SOC 2 more expensive than other forms of security assessment.
One of the main challenges with the SOC 2 audit is that the results can vary dramatically from organization to organization. A SOC 2 report does not declare that management is following any specific control standard, such as ISO 27002 or the FTC Safeguards Rule. It only attests that management is operating the controls it chose to describe in the report, so two organizations can both hold clean SOC 2 reports while one has a far narrower control set than the other.
The ISO 27001 Certification
Another type of certification is ISO 27001 certification. People familiar with ISO quality certification (ISO 9001) in manufacturing will recognize the model. An ISO 27001 certification is validation that an organization operates an information security management system according to the international standard ISO/IEC 27001. Two major characteristics set it apart. First, the controls are a defined set: Annex A of ISO/IEC 27001 (aligned with ISO/IEC 27002, both updated in 2022) lists 93 controls grouped into organizational, people, physical and technological themes, and ISO 27002 provides implementation guidance for each of them. Second, the certificate must be issued by an accredited certification body whose auditors are qualified to assess against ISO 27001.
ISO 27001 originated in the UK as BS 7799 before being adopted as an international standard. It remains far more common in Europe, but it is gaining ground in the US as the need for cyber validation grows.
The Information Shield Certification
The Information Shield Certification is a formal audit by a qualified third party that an organization is following an established set of cyber security controls. Unlike a SOC 2, which can include any number of controls chosen by management, the Information Shield Certification is a validation against a fixed set of Common Controls that reduce risk and demonstrate management governance. For example, an organization that wants to validate that a specific set of best practices is being followed by every company in its supply chain can use the Information Shield Certification.
Like SOC 2 and ISO 27001 certification, the Information Shield Certification validates the activities of a cyber program over time. However, because it uses a predefined set of controls, the scope does not have to be negotiated for each engagement, which makes the examination more consistent and efficient than a SOC 2 or ISO certification. Since the certification uses a standard set of controls and audit protocols, audits can also be faster and less costly, and the results can be shared more easily across the supply chain because every certified organization was measured against the same controls.
Industry Specific Validations
Some vertical industries have developed their own validation methods. For example, in healthcare, organizations can receive a HITRUST certification. This is a healthcare-specific validation that was developed by a private organization (the HITRUST Alliance) and is supported by several large players in the healthcare market. Within the US federal government, organizations that handle data for the Department of Defense (DoD) can receive a CMMC certification. Similar to ISO certification, only authorized assessors (CMMC Third-Party Assessment Organizations, or C3PAOs) are allowed to declare an organization “certified”. Despite these specific validation programs, the vast majority of businesses will not be able to leverage them in their own supply chain.
Choosing the right validation method
Which validation type should you choose? Today there is no universally accepted “validation” that can guarantee an organization is following a specific set of best practices. Probably the most common is the SOC 2 Type 2, but it can be too expensive for smaller organizations.
No matter which method you choose, eventually your organization is going to be asked to validate. Management must decide which method is best suited to the business environment and the resources of the organization. For example, large multinationals may determine that ISO 27001 is the best choice for doing business overseas. Some organizations are required to get a SOC 2 audit because it is the only option a large customer will accept. Other organizations may want to consider the Information Shield Certification, which is generally less expensive and produces consistent results.