Data breaches and privacy compromises make everyone look bad: No matter how sophisticated the attacker, the company on the receiving end of such intrusions always looks woefully unprepared, if not worse — even if it could not possibly have controlled for every factor to which it was subjected and had the right talent at hand.
Intruders are becoming far savvier, more persistent, and more patient, and keeping up with the contours of new threats (both the actors and the technology) is almost impossible. Businesses also cannot control every move their employees and business partners make.
But businesses must help their employees create a more substantial barrier around the company’s data by following emerging information security standards.
Cybersecurity certification regimes can take many forms. Your organization can achieve certain international or U.S.-based standards that signify it follows recognized best practices for an information security management system, which sends a strong message to the consuming public and other stakeholders.
This is where the International Organization for Standardization comes into play with its international standard for best practices relating to an information security management system (ISMS) called ISO/IEC 27001:2013.
An ISMS is a system of procedures, records, technology, and people that helps control, track, audit, and improve your organization’s information security. The system must be tailored to the specific characteristics and risk factors applicable to the business in question.
Along those lines, ISO 27001 offers a list of controls that a company can tailor to its digital configuration, regulatory requirements, and so on. The controls outlined in the standard are safeguards the company can implement to protect its digital assets.
The ISO 27001 controls list is organized into 14 domains, which include organizational issues, legal and human resources issues, and physical security, among others.
The Cybersecurity Maturity Model Certification (CMMC) is a new certification regime from the Department of Defense (DoD) intended to serve as a verification mechanism to ensure that its contractors implement appropriate cybersecurity processes to protect federal contract information.
Whether a primary business, subcontractor or sub-tier supplier, every organization doing business with the DoD will need to be CMMC certified before being awarded a contract that has CMMC requirements.
Another certification regime is SOC 2, developed by the American Institute of CPAs, which defines the criteria for managing customer data based on five trust service principles: security, availability, processing integrity, confidentiality, and privacy. In line with its specific business practices, each organization designs its own controls to comply with one or more of the SOC 2 trust principles.
Information security departments often rely on SOC 2 reports to assess a vendor’s security risk.
Businesses would do well to tout their adherence to the certification regimes spelled out above (and others not named here) and describe their requirements for their main vendors. Amazon, for example, goes into some detail on its website about the compliance certifications and attestations that its business partners have claimed and how Amazon verifies these assertions.
Certification ≠ Perfection
An important note here is that achieving a certification does not mean perfection or infallibility. This is especially true as time goes by: a company's risk profile evolves, its technology and best-practice strategies age, and its personnel change.
Finally, training employees who are not cybersecurity experts is critical, and certifications for individual employees, like the organizational certifications described above, are plentiful. They help ensure employees develop the cybersecurity hygiene critical to the organization's survival: spotting phishing emails, avoiding ransomware downloads, and asking questions before clicking anything even remotely suspicious.
Compliance officers have a role to play in assessing what their organization needs in terms of its security credentials and the ongoing training it offers its employees. And they should also seriously consider taking cybersecurity-based training designed specifically with them and their unique role in mind.