Questions to Ask
The following questions represent a solid starting point for examining your organizational information security risks and needs. We explain in the answers how each of these questions affects the security of your organization's information and data.
- Have we put in the right security controls and what is our security risk exposure?
- If we were attacked or breached, would we know how to respond?
- What are our customers' security concerns and how do we satisfy them?
- Are our service providers protecting our data adequately?
- Is the credit card data we process secure?
- How can we reduce the burden of security audits? What are SAS 70, SSAE 16, SOC1 & SOC2, CSAE 3416, PCI and ISO, and which standard should we be using?
- How do I help my employees understand security and what they should be doing?
Have we put in the right security controls? Is our critical data managed securely? What is our security risk exposure?
In order to have confidence that your information is safe and managed properly, you need to know what threatens the data in your organization, and understand the financial, legal and reputational risks. Security threat and risk assessments, gap assessments and compliance reviews help to establish that understanding, so that you can allocate resources effectively.
If we were attacked or breached, would we know how to respond?
Hopefully it never happens, but if your organization is attacked or you experience a security breach, having an incident response plan in place can make a significant difference in limiting the damage to your organization and containing the costs that will inevitably arise. The incident response plan is a key security process and an important part of an overall security program.
What are our customers' security concerns and how do we satisfy them?
Both corporate and individual customers will naturally be concerned about how you are handling the data that they have entrusted to you, including their personal or proprietary information, and whether you have secured it. Having a security program or an information security management system in place goes a long way in demonstrating that you take this responsibility seriously.
Are our service providers protecting our data adequately?
Doing business with vendors and service providers can involve the sharing of sensitive information. Outsourcing relationships will definitely mean putting your data in the control of others. When you share this information, you will want to make sure they are securing it appropriately, and performing adequate due diligence is an important part of getting that assurance. Make sure that you have put all your expectations in your contract, including security expectations, before it is finalized.
Is the credit card data we process secure? Are we meeting the security requirements of credit card companies?
The credit card companies are now requiring all organizations handling cardholder data to comply with the Payment Card Industry Data Security Standard (PCI DSS), and this standard has proven challenging for all organizations. Furthermore, the payment card companies have other operating regulations outside the PCI DSS that can complicate your security requirements. Assistance from an expert, such as a Certified Payment Industry Security Manager (CPISM), can help you with your compliance efforts.
How can we reduce the burden of security audits? What are SAS 70, SSAE 16, SOC1 & SOC2, CSAE 3416, PCI and ISO, and which standard should we be using?
Some organizations have to undergo regular security audits, or need an audit to satisfy a business need or customer demand. However, there are many standards and it can be very confusing as to which is the most appropriate. Expert assistance can help you make this decision with the least cost and best benefit for your organization.
How do I help my employees understand security and what they should be doing?
Employees are part of the flow of information and data within your organization, and where sensitive information is involved, it is important that they understand what they need to do. The only way to achieve this understanding is through security awareness and training.