Today, we see a trend of compromising vendors, service providers, and supply chains to gain access to their customers through the “unlocked window.”
You may be secure, but how can your company evaluate the security of your business associates and what should you look for and expect?
This is certainly a case of “trust but verify,” and as a service provider, Critical Insight is challenged many times per year to demonstrate our security controls. In our case, those are audited controls.
Let me explain.
Since Critical Insight does not process cardholder data, we are not regulated by the Payment Card Industry Data Security Standard (PCI DSS). We do not house protected health information, so HIPAA is not in scope; the same goes for criminal justice data, consumer privacy information, etc.
We're not regulated and will not be audited against those standards, but we do understand our role in this ecosystem, so we have, for the last 5 years, voluntarily brought in the auditors to assess us against the SSAE-18 (SOC2) trust principles.
Here's how that process works:
- First, we choose the trust principles against which we will be examined. These can include security, confidentiality, processing integrity, privacy, and availability. As our focus is the protection of customer data and the infrastructure used to manage the data, we choose security.
- Next, the scope is defined. Again, because our focus is the security of customer data, we do not include parts of the company that are not relevant to that goal.
- Then, auditors review a standard set of controls drawn from the common criteria, a set of controls that have been agreed upon by more than a dozen countries. On attestation, these controls are documented in a SOC2 Type 1 report, which means the controls have not been audited, just claimed.
- Following a period to collect artifacts (proof that the controls are in place and effective), the auditors come back, but this time we are required to show evidence that our controls are effective. The auditors sample the organization: for example, given the list of all employees, they will pick 7 for whom we need to produce proof that the onboarding checklist was followed, or that we are in possession of their annual security awareness training attestation. Any exceptions (missing audit artifacts or ineffective controls) are documented in the report.
While the explanation of all the moving parts of Critical Insight's security program would be a lengthy conversation, the SOC2 Type 2 report is a single document that describes not only the controls, but the scope to which they apply and their effectiveness. It is important to note that the SOC2 examination is backward-looking, since it is not possible to request an artifact that will be created in the future.
A SOC2 Type 2 report always covers the preceding year, with an assurance that no significant changes have been made in the environment that would cause any of the audited controls to be questioned.
Of course, our controls include having our own Security Operations Center monitor us.
If you’d like to see a copy of our SOC2 Type 2 report, we’ll have you sign an MNDA first.
At RSI, our mission is to provide world-class IT solutions, and that means making sure we’re providing excellent cybersecurity. We chose Critical Insight as a key partner because they provide MDR and much more, which truly fulfills our commitment to customers.
Vice President Sales, Right! Systems, Inc.