Compliance is not Security

From: https://www.armor.com/blog/achieving-security-compliance-healthcare-world/

A few compliance and security factors to consider in your environment:

Compliance:

  • Do you know your scope?
  • Do you know your data within that scope?
  • Is compliance your baseline or objective?
  • Do you understand the compliance requirements?
  • Have you mapped to external requirements?
  • Are you following audit best practices?
  • Do you have the right security partner?

Security:

  • Do you know your adversaries?
  • Do you have the visibility you need?
  • Are your operations appropriately configured and staffed?
  • Have you built a culture of security across your business?
  • Have you combined people + processes + technology?
  • Do you have appropriate measures in place?
  • Do you have trusted partners?

The guys at Armor are solid, btw. Enjoyed meeting them a few times in 2018 at their CTF events. And very recently at the Dallas Cyber Security conference.

\\ JMM

InfoSec Governance: What Success Looks Like

“If you spend more time on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.”

Richard Clarke, White House Cyber Security Advisor

Six Outcomes

#6.  Integration.  When all InfoSec processes work as intended from end to end.

#5.  Measuring Performance.  When all InfoSec processes are monitored and measured to make sure they achieve their goals.

#4.  Optimized Resources.  When all InfoSec knowledge and infrastructure are being used effectively, as designed.

#3.  Delivered Value.  When security investments support business goals.

#2.  Managing Risk.  Consciously deciding to act.

#1.  Strategic Alignment.  When InfoSec and business strategy align, it creates three achievements:

  • The enterprise defines what good strategy looks like.
  • Security matches the company’s DNA, instead of trying to rewrite it.
  • The amount of money spent on InfoSec reflects how important security is to the organization.

\\ JMM

SOC2 vs. ISO 27001 vs. COBIT

It truly is an interesting time to be in Information Technology, especially on the information security front. Although hacks and breaches consume the media, audit and controls run the IT hallways. This article contains a random sampling of notes acquired on this topic as leaders unpack what to measure and what not to measure.

“SOC2 audit is required to do business with us.” – Prospective Client

SOC2:  https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/cpas.html

Not all auditors charge the same and, just like everything else, many times you get what you pay for. I’ve found quality and consulting come at a higher price, so selecting the right auditor is a key success point.

Found this article from Linford & Co, LLP CPA firm about SOC2 pricing:

Price estimates differ between firms as each will:

  • Estimate the effort / cost required to do the work
  • Have related overhead expenses allocated to the audit
  • Require a certain level of profit from the engagement

Typically, our SOC 1 audits start at $17,500 and our SOC 2 audits start at $19,500 for small, non-complex organizations. And, since everyone needs one, we include a readiness or gap assessment as part of every first time SOC audit. These are starting points and the price of a specific SOC audit may go up or down as we customize proposals to our clients’ specific needs.

“ISO 27001 certification is required to do business with us.” – Prospective Client

ISO 27001:  https://www.iso.org/isoiec-27001-information-security.html

Any idea how much an ISO 27001 certification costs? Found this article from Pivot Point Security:

  • Precertification Phase I: $20,000 (e.g., Scope Definition, Risk Assessment, Risk Treatment Plan, Gap Assessment, Phase II Remediation Plan)
  • Precertification Phase II: $18,000 (e.g., Gap closure (collaboratively), registrar selection, ISMS Artifact development, Risk Management Committee, Incident Response, Internal ISMS Audit, On-site Certification Audit Support)
  • Certification Audit: $10,000
  • Total cost for ISO 27001 certificate: $48,000

Once you have your certificate you will require a “surveillance” audit in years 2 and 3 to maintain your certificate. You will also need to conduct an Internal ISMS Audit each year – which the “average” company usually outsources to a third party. So figure your year 2 and year 3 costs are likely to be as follows:

  • Surveillance Audit: $7,500
  • Internal ISMS Audit: $7,000

“COBIT as an emphasis for IT governance, control, and risk management” – Prospective Customer

COBIT:  http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx

\\ JMM