Are You Certifiable? (No, Really, Are You?)

At no other time in our history has it been so important to understand the cyber threat that exists in our midst today. As a print service provider, you should be working to plug up the gaps in your security posture.

In my last article: “Focus on Security: Cyber Safe Production Workflow” I talked about the benefits of attestation and certification, which can validate that your operation has provable and measurable security policies in place, including cyber and physical safeguards and disaster and recovery plans.

So I’ll ask again: are you certifiable? Let me explain.

There are two very prominent certifications and one underlying set of guidelines (see NIST 800 series) by the National Institute of Standards and Technology (NIST) that are driving legislators to consider the NIST Cybersecurity Framework as gospel for industries that are either bound by regulatory security criteria or take it upon themselves to wisely protect their greatest assets: their reputations and their customers.

Statement on Standards for Attestation Engagements

For most organizations, the Statement on Standards for Attestation Engagements (SSAE 16) Type 1 and/or Type 2 certifications work very well. Originally SSAE 16 (formerly known as SAS 70) was developed as a standard of measuring controls for publicly traded companies in their handling of financial data as mandated by Sarbanes Oxley (SOX). For privately held companies and non-financial entities, the American Institute of Certified Public Accountants (AICPA) issued an Interpretation under AT Section 101 of SOX permitting service auditors to issue reports. These reports are considered Service Organization Controls (SOC) audits and focus on controls at a service organization relevant to security, availability, processing integrity confidentiality or privacy.

A SOC 2 Type 1 report is an independent snapshot of the organization’s control landscape on a given day. The SOC 2 Type 2 report also adds a historical element showing that controls were managed successfully over time (typically six months). The audits are sometimes not cheap. It really depends how wide the gap is from the current state of cybersecurity readiness to the target state of cybersecurity readiness. The more work that the auditor has to do and the more resources have to be put in place, the more it costs.

However, for those organizations that have not addressed risk management and their security posture thoroughly, the average cost of a SOC 2 Type 1 report can range between $15,000 - $25,000, while a SOC 2 Type 2 report can cost upwards of $20,000 - $50,000.

Compare This to the Cost of a Data Breach

Too much you say? Consider the cost of a data breach (average cost per 1,000 records: approximately $225,000 ), or a penalty for a violation of HIPAA, FERPA PCI, SOX, etc. And that is just the tangible monetary loss potential. Reputational losses can cost an organization a bundle in the short term and reverberate for an extended time period, potentially pushing the offender out of business.

CEO Michael Kellogg from Century Direct, a print service provider in Long Island, N.Y., says, “We had to obtain a SSAE 16 certification in order to retain one of our largest financial industry clients. We had just acquired a new mailing operation that had the certification so we needed to maintain that certification to continue a relationship with that new [to us] client. The process was an eye opener to us.”

I asked Michael to tell me, other than the obvious, if there are other benefits of having an SSAE 16 certification? “Yes, frankly it has made us a better company, and not just from a marketing perspective, but also from an operational point of view. Our whole team has a keen awareness of being diligent in their handling of client data and they take pride in knowing that we run a tight and very secure ship. We do penetration testing twice a year, and any of our production staff that touches client data is subject to detailed background checks.”

So what’s next Michael, I asked? “We have plans to elevate our security status to DoD standards and to go after new health care and financial business.” Finally, I asked him about the cost. He had two words for me: “Shop around.”

ISO/IEC 27000 Series

This is the International Organization for Standardization/International Electrotechnical Commission standard for information security also known as ISO27K. Fundamentally it formally specifies an Information Security Management System (ISMS) as a series of activities concerning the management of information security risks. The ISMS is an overarching management framework through which the organization identifies, analyzes and addresses its information risks. The ISMS ensures that the security arrangements are fine-tuned to keep pace with changes to the security threats, vulnerabilities and business impacts.

Similar to SSAE 16, the ISO does not directly certify, rather they develop and provide updates to the guidelines for certification. Certification is performed by accredited third-party organizations. You can find an accredited entity by searching the directory at the American National Standards Institute (ANSI) website at www.standardsportal.org. Also similar to SSAE 16 can be the cost of ISO/IEC 27000 Series certification. While in the same range, again the final cost depends on an organization’s current state of cybersecurity readiness versus the target state.

National Institute of Standards & Technology

The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity is the standard to aspire to. Although there is no “certification” as such for this standard, it is the basis of any certifiable security posture. Following these guidelines will help ready you to be certifiable. The NIST 800 Series of publications cover an entire broad scope of computing and most specifically cybersecurity, and you can find them at www.nist.gov.

The NIST Framework was born out of executive order 13636 in 2013 by President Obama which decrees: “It is the policy of the United States to enhance the security and resilience of the nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation and economic prosperity while promoting safety, security, business confidentiality, privacy and civil liberties.” In enacting this policy, the executive order calls for the development of a voluntary risk-based cybersecurity framework — a set of industry standards and best practices to help organizations manage cybersecurity risks. The resulting framework, created through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses.

Attainable for Everyone

For those of you who are serious about facing the growing security challenges that exist today, I would encourage you to explore these vehicles of due care and due diligence. Cybersecurity and risk management done well are not just for IT experts. There are methodical processes that are attainable for everyone through support by third-party experts to help you.

Put bluntly, it’s the Wild West out there folks. Hackers are getting more sophisticated and emboldened with every passing day. Security is everyone’s responsibility. Help protect your business, your workplace and your customers by becoming certifiable.