5 Strategies to Keep You From Wasting Time on Security Questionnaires

If you’re a start-up trying to win new clients, the dreaded security questionnaires are coming your way. Or, let’s say you’re a midsize business that has been operating for years and is bidding on an enterprise-level prospect – a security questionnaire request is in your future. Even we, as an information security auditing firm, are frequently asked about the security of our Online Audit Manager.

The questions may seem irrelevant, repetitive, and unreasonable. Or – maybe you know that you don’t have good answers. For start-ups, a security questionnaire may prompt the first time they’ve truly evaluated their security practices. For a midsize business, it may be a frustrating process to constantly fill out similar, but slightly custom questionnaires for every prospect. The intention behind security questionnaires, though, is a good one. Because so much responsibility lies in the hands of vendors and business partners, an organization has to complete its due diligence to protect its reputation, operability, and financial health.

Compliance from the Start

A client recently told us, “Compliance cannot be an afterthought. If you’re starting a business, please think about information security first.” We completely agree with this sentiment. A business that is driven by security and integrity will create a quality service or product.

One of our auditors, Shannon Lane, says it best. “A compliance program is usually viewed as a cost center, an impediment to business practices, and a headache that seems to get worse year after year. And yet as auditors, we know that a system built with compliance in mind isn’t usually more expensive than a faster, easier solution. A business process or IT solution is hard to change, especially once it becomes core to the enterprise and its operations. Every shortcut taken in the design process, technology solution, or internal system haunts the company forever. It’s always lurking there, waiting to interrupt just when you think you’re prepared. That’s why creating a culture of compliance throughout your organization is so important. A compliance program must be made a priority from the beginning.”

Security questionnaires are tedious, but they’re trying to determine whether you’re an organization that values security, availability, confidentiality, integrity, and privacy. Are you going to bring more risks into a prospect’s environment? Are you going to provide them with a secure service? Will you hinder their business objectives or facilitate more opportunities?

Saving Time on Security Questionnaires

It’s difficult to know whether the company sending you a security questionnaire will put stock in the answers and how much they will impact the outcome of the deal. Or – what if you refuse to answer the security questionnaire, and they still choose to work with your organization?

Many organizations adopt the approach of refusing to release any information about their security practices, even during an audit. They tend to think, “By not sharing information, we’ll be more secure. Just trust us.” It’s the ultimate security paradox. The truth is, the more you isolate yourself, the less secure you are. You never have the internal blinders removed to get a new perspective. You never get to hear new strategies based on your practices. Even AWS publishes information on its compliance programs, penetration testing practices, cloud security, and data privacy practices. AWS isn’t saying, “Just trust us.” They’re giving evidence of how they serve their customers best.

Alternative approaches to satisfy a security questionnaire request may include:

  • SOC 1 and SOC 2 reports contain an independent service auditor’s report, which states the auditor’s opinion on whether the description of the service organization’s system is presented fairly, whether the controls were suitably designed, and, in a Type II report, whether those controls operated effectively over the audit period. As a result of the additional risks that vendors bring to their business partners, more and more organizations are asking for SOC 1 or SOC 2 attestations.
  • An FAQ on your organization’s internal security practices, summarizing your commitment to security and the actions you take to implement controls at your organization, could go a long way in demonstrating your “compliance from the start” attitude.
  • Allowing a potential business partner to review your breach notification policy, incident response plan, disaster recovery plan, or internal information security policy may be enough evidence to satisfy their request.
  • Formal risk assessments allow organizations to identify, assess, and prioritize organizational risk. By proactively undergoing a risk assessment, you can show that you’ve evaluated the likelihood and impact of threats and have chosen controls that address the risks that matter most.
  • If your organization knows it’ll be filling out a lot of security questionnaires in the future, try filling out one of the many security questionnaire templates available online to formulate your answers and potentially see where your gaps are.

If you’d like more information on how to tackle security questionnaires, contact us today. We can provide many ways for your organization to demonstrate your commitment to secure practices.

More Resources

How to Read Your Vendor’s SOC 1 and SOC 2 Report

Getting Executives on Board with Information Security Needs

The First Step in Vendor Compliance Management: Risk Assessments

How Can a SOC 2 Bring Value to Your SaaS?

Getting the Most Out of Your Information Security and Cybersecurity Programs in 2019

As organizations plan their information security and cybersecurity efforts for 2019, we often hear a lot of confusion and frustration about things like frameworks modifying their requirements, the cost of audits and assessments rising, scopes getting bigger, and testing seeming to get more difficult.

The threats will do nothing but persist in 2019. You need to do more to protect your organization. When prices or scope or frequency increases, here’s what we’re going to ask you: don’t you want more in 2019 than you got in 2018?

Root Causes of Data Breaches and Security Incidents

Some things stay the same. The root causes of data breaches and security incidents center around three areas: malicious attackers, human error, and flaws in technology. Let’s dive into how these areas impact your organization’s information security and cybersecurity efforts.

  • Organized criminal groups aren’t stopping; they’re only getting more sophisticated. They’re using tried and true techniques that continue to work on victims. There’s obviously financial motivation, but a malicious attacker could also be motivated by a political agenda, social cause, convenience, or just for fun.  
  • Employees will continue to be your weakest link. Verizon’s 2018 Data Breach Investigations Report states that one in five breaches occurs because of human error.
  • As if human error wasn’t bad enough, malicious insiders are even worse. The same report found that 28% of breaches in 2018 involved internal actors.
  • Technology is a blessing and curse. Systems glitch and cause major data breaches and security incidents.
  • It’s almost impossible to run a business without involving third parties. Inevitably, third parties cause data breaches and security incidents, and your organization must deal with the consequences.  
  • Timing is everything when it comes to data breaches and security incidents, and hackers are usually quicker than your team. Ponemon’s 2018 Cost of a Data Breach Study reports that the average time to identify a data breach was 197 days in 2018. To actually contain the breach? 69 days.

These root causes, all connected to malicious attackers, human error, and flaws in technology, impact your organization’s information security and cybersecurity efforts in a significant way. Did you experience a negative impact from these areas in 2018? How are you going to mitigate the risks in these areas for 2019?

Cost of a Data Breach

There’s no denying that information security and cybersecurity efforts require a financial investment, but so do data breaches and security incidents. According to Ponemon, the average total cost of a data breach was $3.86 million in 2018 – a 6.4% increase from 2017. You can bet that in 2019, that number will grow again.

Organizations are usually surprised by which factors move the cost of a data breach up or down:

  • Loss of customers
  • Size of the breach
  • Time it takes to identify and contain a data breach
  • Presence of an effective incident response team (one of the few factors that lowers the cost)
  • Legal fees and fines
  • Public relations fees
  • Information security and cybersecurity program updates

Take the City of Atlanta, for instance. When the SamSam ransomware attack hit in March of 2018, it was initially estimated to cost $2.6 million in emergency response efforts. Incident response consulting, digital forensics, crisis communication, Microsoft expertise, remediation planning, and new equipment added up quickly. It’s now speculated that this ransomware attack cost $17 million.

As the cost of a data breach rises, so does the cost of information security auditing and testing. The threats are pervasive – how can you make a smart investment to avoid the cost of a data breach?

Your Plan for 2019

Now that you’ve learned about the persistent root causes of data breaches and security incidents, plus the cost of a data breach, what are you going to do about it in 2019? How are you going to modify your information security and cybersecurity efforts? Here are a few areas to consider as we head into a new year:

  • When was the last time you performed a formal risk assessment? Risk assessments can provide you with what we call the three C’s: confidence, clear direction, and cost savings.
  • If your weakest link is employees, how will you hold them accountable to their security awareness training?
  • Ponemon reports that when an organization has an incident response team, they save $14 per compromised record. Has your incident response plan been tested recently?
  • What security automation tools would be a valuable investment for your organization? According to Ponemon, security automation is a way to decrease the cost of a data breach because you’re able to identify and contain the attack faster.
  • Ask your auditing firm to educate you on what new cybersecurity testing exists and which relevant requirements will be changing in 2019.

No defense is 100% effective. There are no guarantees that a data breach or security incident won’t occur. Organizations must be vigilant in doing what they can to prepare, detect, contain, and recover from persistent and sophisticated threats. Auditing firms must also commit to providing quality, thorough services that will empower organizations to meet their challenging compliance objectives. At KirkpatrickPrice, that’s our mission and our responsibility. Contact us today to discuss how we can prepare your organization for the threats of 2019.

More Data Breach and Incident Response Resources

What Is an Incident Response Plan? The Collection and Evaluation of Evidence

[24]7.ai Cyber Incident: How Your Vendors Can Impact Your Security

Rebuilding Trust After a Data Breach

Horror Stories: Million Dollar Malware Losses

Getting Executives on Board with Information Security Needs

For any information security audit, assessment, or testing that our firm performs, it’s incredibly important to us that C-level executives and stakeholders understand and support the organization’s information security needs. Without their support, how can any policies or procedures be implemented? Who will approve funding? Who will assist in building an information security team? Let’s talk about how to get executives on board with your information security needs.

Support Before Engaging in an Audit

When considering what kind of information security audit, assessment, or testing to undergo, it’s crucial to consider executives’ and management’s opinions and feedback. After all, they’re the ones approving the budget for this kind of engagement, assigning responsibilities, and empowering an information security program. Being engaged in the audit process will increase executives’ and management’s view of the value of the audit. Those who are not involved in the audit process are most likely to believe that the audit itself has limited value.

When approaching an executive for their support of an information security audit, assessment, or testing, we suggest you communicate the following benefits:

  • Your information security program will align with business objectives. It will help prevent breaches and incidents, mature their business practices, and help you operate more efficiently.
  • Data breaches can have a huge financial impact on the organizations that suffer one. Yes, you are asking them to fund an audit – but the spend now will be well-worth it if it prevents a costly data breach or a fine for non-compliance.
  • The ability to demonstrate your compliance and information security efforts is a valuable competitive advantage. Your clients want to know that you’re doing everything possible to keep their data and assets safe; they may be more loyal to you if you can demonstrate the information security program that you have in place.
  • Your information security program will protect your organization, but on a more personal level, it will help mitigate threats that target executives. Whaling is a type of phishing attempt that specifically goes after the most senior-level employees of an organization because of their authority and rights of access. It’s not uncommon for whaling attacks to work because so many executives aren’t actively engaged in information security programs and don’t participate in the same awareness training as other employees.

Support During an Audit

Executives are the link between the success of an audit and the organization. The quality of an audit is strengthened when they are involved. Executive support, insight, and awareness are invaluable to an organization.

From the very beginning of an engagement, executives and management have responsibility. The scope of the engagement, audit period, criteria, description of systems, description of vendors, risk assessments, internal auditor direction – all of this vital information can’t be given to the auditor without executive involvement. In a SOC 1 or SOC 2 engagement, management’s assertion is a major part of the report. During a PCI assessment, Requirement 12 is all about information security policies that management must set. HIPAA requires workforce-wide security awareness training and safeguards for PHI. In a HITRUST CSF engagement, the executive charter enables your information security policies to actually be policies. No matter which information security framework you are audited against, executives are ultimately held responsible for securing data and assets. Their involvement is crucial, which is why we require an executive sponsor to be nominated for any engagement we work on.

The Executive Sponsor

Who is considered an executive sponsor? For an audit or information security assessment, an appropriate executive sponsor must be assigned to the engagement. This person is generally a C-level executive, like a Chief Compliance Officer, Chief Technology Officer, CEO, COO, or CFO. An executive sponsor is the party that is ultimately responsible for an organization’s compliance programs. An executive sponsor isn’t usually a member of the IT staff or IT management because there needs to be an aspect of organizational responsibility to manage compliance at the executive level.

An executive sponsor should be present at any project kickoff or planning meetings and should go through any training that the auditing firm requests, like custom software or portal trainings. Most importantly, an executive sponsor of an audit or information security assessment must be available to the auditor or auditing firm. At KirkpatrickPrice, we always want to take questions or issues directly to the appropriate person at your organization, so an open line of communication is key.

Executives set the strategic direction for an organization, so they should be involved with information security strategy. If your organization’s C-level executives, stakeholders, or management are not involved in your information security program, don’t wait to start building their awareness and knowledge.

Want to learn more about choosing an audit firm, information security audits, or gaining executive buy-in? Contact us today.

More Resources

When Will You See the Benefit of an Audit?

Rebuilding Trust After a Data Breach

Making Sense of Regulatory Alphabet Soup

What to Look for in a Quality Vendor

Vendor Compliance

Most organizations utilize third-party vendors to assist them in fulfilling their business needs because they just can’t do it all themselves. These vendors play a critical role in allowing organizations to sustain their business, but they can also be a liability for a company. Why? Because if a third-party vendor isn’t properly vetted, they can pose a major risk to an organization.

Let’s say that your organization is a medical research lab. You’ve entered into a contract with a cloud service provider (CSP) to store the sensitive data that you’ve collected. The CSP was one of the first that you found during your research, and you did not properly vet their security posture. After a few months of using the service, it’s discovered that an unauthorized party had access to your sensitive data for weeks. You realize that the CSP did not have a proper change management and logging process requiring approval and audit logs for every change to client data, and now years of ground-breaking research have been stolen.

If you’re a healthcare company, consider the sensitivity of the data that you handle and how your vendors could impact the security of that data. Let’s say you use a printing and mailing vendor who unintentionally revealed the HIV status of hundreds of recipients through a large windowed envelope. You receive complaint after complaint from recipients whose lives have now been changed by your vendor’s mistake.

Does your organization’s website have a customer service chatbot feature? Consider the consequences of a breach of this nature. If a hacker was to infiltrate your chatbot feature, they could obtain whatever information a user enters – name, phone number, email, location. How would you explain this security incident to your users?

Could these scenarios have been avoided? Absolutely. Let’s discuss what to look for in a quality vendor, no matter what industry you’re in.

What Makes a Quality Vendor?

When KirkpatrickPrice Information Security Specialists conduct an audit of a third-party or vendor, they are assessing and reporting on various controls that a quality vendor should have in place. Ensuring that your vendor has these controls implemented is crucial for strengthening your own security posture and protecting your consumers’ information. The following can act as a guideline of such controls as you work to determine if you’re working with a quality third-party vendor.

Physical Controls:

  • Does the vendor have a formal Physical Security Policy?
  • Does the vendor have requirements in place for visitors who enter sensitive facilities? Are visitors required to sign in? Do they need an ID? Are they being escorted? Is their information being logged?
  • Does the vendor use security measures (security guards, electronic/biometric access devices, etc.) to protect the facilities where sensitive data is stored, processed, or used?
  • Does the vendor have a monitored security alarm and a smoke/fire alarm system in place?
  • Does the vendor use a CCTV to monitor access to sensitive areas?
  • Does the vendor own or lease the facility where they are storing or processing sensitive data?

Organizational Controls:

  • Does the vendor have a risk assessment program?
  • Does the vendor have information security policies and procedures in place?
  • Does the vendor have incident response and business continuity plans?
  • Does the vendor retain regular audit reports from their service providers?
  • Does the vendor’s management monitor quality control, error-audit logs, and incident reporting?

Data Controls:

  • Does the vendor have an asset management program?
  • Does the vendor run backups regularly?
  • Does the vendor store backups separately from the system?
  • Does the vendor encrypt confidential data at rest, including backups?
  • Does the vendor have a formal Access Control Policy?

Personnel Controls:

  • Does the vendor require newly hired employees to sign a Code of Ethics?
  • Does the vendor perform background screening of applicants?
  • Does the vendor offer information security awareness training to its employees?
  • Does the vendor have a formal Asset Return Policy?
  • Does the vendor conduct regular performance reviews?
  • Does the vendor maintain formal hiring and termination policies and procedures for both employees and contractors?

Network Controls:

  • Does the vendor have a formal change control/change management process?
  • Does the vendor have logging systems in place?
  • Does the vendor have network and server devices that are built according to a standard configuration process?
  • Does the vendor encrypt all confidential data in transit across its networks and remote access connections?
  • Does the vendor have a formal Wireless Network and Remote Access Policy?

As businesses increasingly look to outsource various components of their organization, ensuring that their strong security posture remains intact is crucial. By properly vetting a third-party vendor, an organization is much more likely to mitigate risk and prevent costly breaches from occurring.

Not sure if your third-party vendors are meeting these expectations? Let us help! Contact us today to learn more about our Third-Party Onsite Assessment and how KirkpatrickPrice can help you determine if you’re working with a quality vendor.

Data Center Physical Security Recommendations with Auditor Insights

Why is Data Center Physical Security Important?

As we see more and more headlines of breaches, the focus on intruders accessing critical data has been heightened. What is the goal of those intruders? To access critical data stored by organizations.

This brings data centers into focus because the ultimate nexus of that critical data is in the data center. One of the top responsibility areas for data centers is physical security. Even with the shift to cloud-based infrastructure, data centers remain the physical bastion protecting critical data from physical theft.

Take video surveillance, for example. The video surveillance system is often seen as a “set it and forget it” system, but when something goes wrong, the first thing that pops into people’s minds is “check the cameras” so they can physically see what happened. Video surveillance is an integral part of data centers’ physical security posture, but it often gets neglected. Common issues are cloudy or obstructed cameras, clocks that are not accurate, systems running on end-of-life operating systems, and storage systems that are not retaining videos as long as expected.

There are so many aspects of physical security at data centers, but what are some best practices to embed physical security into the culture of your data center management?

4 Best Practices for Data Center Physical Security

The four best practices for physical security at data centers are controlling physical access, using multiple layers of security, training all personnel on the security procedures and why the procedures are important, and testing your physical security controls.

1. Monitor and track personnel through the data center.

Physical access management to data centers is a critical component of the overall physical security of the environment. Both providing access and understanding movement through the data center are key. The use of biometric readers, anti-tailgating systems, mantraps, and other physical access control systems to ensure access to spaces is authorized and monitored is critical.

2. Use multiple systems to provide layers of security.

Physical security is one of the classic examples of defense in depth. To provide comprehensive physical security, multiple systems and processes must work together, like perimeter security, access control, and process management.

3. Provide training on all physical security procedures.

Ensuring that all personnel adhere to physical security procedures and understand the importance of their responsibilities to a data center’s physical security program is a key concept. Intruders will always look for weak links, and it has been proven time and time again that weaknesses can often be on the human side of the equation.

4. Test your physical security controls.

Internal testing of physical security controls is an important concept in relation to physical security. Validating access grants, ensuring that video footage is actually being recorded and retained, and verifying that anti-tailgate mechanisms are working as intended are three areas that I recommend you check. Making testing of your physical controls a part of your normal operating procedures is one step that is often overlooked.

Auditor Insight on Physical Security Best Practices

As an auditor, one thing that I look for is how physical security is built into the culture of data center management.

Do operational personnel understand the reason why the policies and procedures are in place? Do they recognize the importance of physical security? If personnel fail at following and enforcing physical security policies, then there is a risk of a physical security breach.

A great example of this is the ubiquitous “no tailgating” sign. I have seen the “no tailgating” sign or policy in data centers blatantly ignored because employees think it’s not an issue or an important rule to follow. This could not be further from the truth; not following the no tailgating policy has a direct impact on the data center’s physical access control implementation.

The ability to track movements and ensure security is put at risk, which can lead to unauthorized access and possible breaches. It’s examples such as this that give me insight into the culture of data center management at an organization.

Does your data center take physical security seriously? Is your critical data protected from physical threats? Contact us today to start learning more about information security for data centers.

About Mike Wise

Mike Wise has over 15 years of information security experience, specializing in data centers and distributed computing. He is passionate about helping clients grow their understanding of information security. As an Information Security Specialist at KirkpatrickPrice, Mike holds CISSP, QSA, and ITIL certifications.

More Data Center Resources

Overcoming Security Challenges at Your Data Center