Types of Malware and How to Prevent Malware Attacks
Malware, short for ‘malicious software’, is code intended to damage, disable, or exploit computers and computer systems. The term is familiar to most people because malware is so widespread and its consequences so costly.
Furthermore, the use of malware continues to increase and evolve each year. G DATA Security reported millions of new malware samples in 2016, roughly one new sample every few seconds. Increasingly, malware is built to generate profit for its creators: stealing sensitive information, forcing advertisements on users, extorting money, and sending email spam. Because the variety is so large, it is important to understand and recognize the types of malware your organization is likely to come across.
Read more: The Ultimate Cybersecurity Guide
Spyware
Spyware is exactly what the name suggests: malware designed to spy on the user and gather information. It can track and monitor Internet activity, search for and extract sensitive information, and log keystrokes.
On an infected system, the attacker can reach company information, payment card data, and the user’s browsing and consumer profile. The stolen activity and information can be sold or used directly to harm the victim.
Prevention tip: Don’t click embedded links within pop-up windows
A link or button inside a pop-up can start a download or launch an installer, so a careless click can install spyware on the computer. Treat pop-ups as untrusted: close them using the browser’s own window controls rather than the buttons they present, keep the browser’s pop-up blocker enabled, and never run an installer you did not deliberately download.
Adware
Adware is a type of malware that automatically delivers advertisements to a user to generate revenue for its creator. This can be done through pop-up internet ads or ads embedded in the interface of a program. Adware is often bundled with spyware.
Once spyware has collected personal information, the advertisements can be targeted to the user. This invades users’ privacy and disrupts computer functionality and productivity.
Prevention tip: Only download from known, credible websites
Unknown websites are common sources of adware, so users should be careful about where they download software from and should prefer the vendor’s own site or an official app store over third-party download portals.
Ransomware
Ransomware is a type of malware that restricts users from accessing a system or data, and may delete or publish data, unless a ransom is paid. Access to files is usually blocked by encrypting them. Paying the ransom is no guarantee that systems or data will be restored.
Most ransomware today falls under two categories:
- Locker ransomware: restricts access to the computer or infected device
- Crypto ransomware: restricts access to files and stored data, typically by encrypting them
Although malware is continually evolving, common strains of ransomware have been discovered and identified, including Cerber, CTB-Locker, TeslaCrypt, and CryptoWall.
Prevention tip: Back-up data offline daily
Data that has been backed up offline is out of reach of the infected system, so users who experience a ransomware attack still hold a complete, untouched copy of their files and are not forced to pay the ransom to regain access. Two caveats apply. A backup that is still mounted or reachable over the network at the time of infection will be encrypted along with everything else, so backup media must be disconnected (or written to immutable storage) after each run. And a backup that has never been restored is not a backup: test restores regularly, and keep a record of what was backed up so that tampered or missing files can be identified.
Trojan Horse
The most common form of malware is the Trojan Horse. Attackers disguise it as something desirable, such as a special offer or a gift, to infiltrate a computer system they could not otherwise reach. A Trojan Horse often has the same capabilities as other malware, including spyware and adware, and causes correspondingly large problems for the user.
Once granted access, this malware can:
- Steal sensitive data
- Crash devices
- Block anti-virus software
- Control the system remotely
- Spy on users
- Take payment card information
- Delete or modify user data
- Use the computer as a proxy
- Spread itself across networks
Prevention tip: Carefully read licensing agreements before downloading
A Trojan Horse depends on the user running it, so the deception happens in the download and install flow: bundled offers, misleading prompts, and licensing text that quietly grants permission for extra software. Read what you are agreeing to, obtain software from the vendor’s own site, and, where the publisher provides a checksum or signature, verify the download against it before running it.
Virus
One of the most widely discussed types of malware is the virus. A virus is a malicious program that alters the way the computer operates and is capable of replicating itself and spreading to other devices by inserting its code into documents, script files, web applications, and other programs.
The consequences of a computer virus range from annoying to severely damaging. The most common symptoms include a drastic decrease in computer speed, modified data files, and disabled security software such as a firewall or anti-virus. A virus can also install further malware such as ransomware and spyware, degrade performance, or crash and permanently disable a system. Some viruses remain dormant after infection, waiting for a specific trigger such as a date or the presence of another file before executing.
Prevention tip: Only join secure networks
An open Wi-Fi network exposes a system to everyone else on the same network: traffic can be intercepted, and a device with file sharing or other services enabled can be probed directly, which is exactly how network-spreading malware finds new hosts. Keep file sharing off on public networks, mark them as public (untrusted) in the operating system so the host firewall blocks inbound connections, and use a trusted network or a VPN when working in public locations.
Worm
A worm is like a virus in that it replicates itself to infect other computer systems. Unlike a virus, a worm does not need to attach to an existing program or wait for a user to run it: it spreads on its own across the network, typically by exploiting a vulnerability in an exposed service or by logging in with weak or stolen credentials. A virus needs a host file and a user action (opening an attachment, running a program, following a link) to execute; a worm needs only a reachable, vulnerable host.
A worm can saturate bandwidth, install backdoor programs, and delete or corrupt data files and operating system components. Because worms require no action by the user to spread, they are particularly hard to defend against and to remove from a network once they are in.
Prevention tip: Use the appropriate firewall
A firewall limits which network traffic can reach a system, which denies a worm the open ports it needs to spread. Use a host firewall that blocks inbound connections by default and opens only the services that are actually needed, and a network firewall to segment the environment so that one infected host cannot reach every other. Patching exposed services promptly closes the vulnerabilities that worms rely on in the first place.
Conclusion
Without protective and proactive measures, organizations can experience the costly and damaging effects of malware. According to Forbes, cybercrime costs are projected to reach $2 trillion by 2019. As cybercrime grows, organizations should be preparing for every potential danger, including cyber-attacks. To mitigate the increased risk, A-LIGN can help you with the right strategy to prevent your organization from becoming another victim of malware attacks.
Preparing for Disaster: Understanding Business Continuity Management and Disaster Recovery
Operating in an environment that continually changes is challenging, and sometimes system failure is inevitable. Proactive prevention programs are necessary, but reactive disaster strategies are equally important.
Potential causes of downtime include:
- Natural risks: Hurricane, fire, earthquake, etc.
- Human-caused risks: Terrorism, crime, manmade structure failure, etc.
- Civil risk: Riots, labor disputes, local political instability, etc.
- Supplier risk: Power supplier failure, transportation vendor failure, etc.
Implementing a proper plan could mean the difference between your business surviving a disaster or going completely under. Business executives recognize that not all plans are created equal and that developing the right strategy depends on the organization and its distinct needs.
Strategizing for Your Plan
For the most effective design, the strategy should have two major sections:
- Business continuity management (BCM) plan
- Disaster recovery plan (DRP)
Since these two elements considerably overlap, it’s imperative that they are incorporated into a holistic approach.
Business Continuity Management
When a disaster strikes, businesses are tested in their ability to restore their operations in the most efficient and effective manner. To ensure that their infrastructure can endure and counteract various problems, executives develop, plan and test their organizational foundation using a BCM plan.
This process helps define the mission-critical processes, the duration to restore processes, the key personnel involvement, the notification workflows, and the logistics of continuing operations.
Based on several recommended and mandatory BCM procedures, there are specific steps that should be considered while developing a plan:
Because the damage from disruptive events can be considerable, BCM plans are a necessity for any business. Research indicates that only 13 percent of businesses with no BCM framework in place could recover all mission-critical processes within their predefined recovery objectives.
Disruptions come in all shapes and sizes, from minor events with an average duration of 19 minutes, to substantial events lasting over 7 hours. Based on the duration and category, a disruptive event can cost a business between $32,000 to $53,000 per minute.
However, establishing a BCM plan isn’t enough; for the most effective outcomes, businesses should continue to develop their plan each year as the business grows. One of the largest success factors is the maturity of a business’s program. By 2019, Gartner predicts that 35 percent of organizations with BCM programs that lack maturity will endure major problems recovering one or more mission-critical business processes.
Disaster Recovery Plan
Another critical element to include is a DRP. The DRP is the process a business uses to support the infrastructure and regain access to resources that are needed to resume normal, critical business functions, either through maintaining a vital workforce or by recovering critical services and applications such as email, trading, voice, file server, accounting, and mobility.
Because of the variety of disruptive events that can affect a business, it is important that DRPs are designed to be versatile and adaptable. Key elements of a DRP include:
- Policy statement and objective
- Authentication tools (passwords)
- Geographical risks and factors
- Tips for dealing with media
- Financial and legal information and steps
- Plan’s history
Currently, only 30 percent of businesses reported having a fully documented disaster recovery strategy. Among those, approximately 33 percent revealed that their disaster recovery plan proved inadequate during a critical response to an outage.
Recovering from Disaster
Businesses continue to evolve, implementing new and improved strategies to help manage the risks that disasters provide. A-LIGN offers the following services to organizations seeking business continuity and disaster recovery services:
A business’s success can heavily rely on strategic planning, therefore when it comes to mitigating the risks of a disruptive event, proactive and reactive plans are critical. Don’t just survive in the event of a disaster, plan to weather the storm and fortify your business. Take the first step towards establishing an indestructible plan for your business today.
Becoming Certified to Access the Limited Access Death Master File
What is the Limited Access Death Master File (LADMF)?
The LADMF, or Limited Access Death Master File, contains sensitive information that cannot be disclosed during the three-year period following an individual’s death, including:
- Social Security Number
- Name
- Date of Birth
- Date of Death
Effective November 28, 2016, organizations face a more stringent certification process to be granted access to the LADMF. To access it, an individual or entity must:
- Have a legitimate fraud prevention interest; or
- Have a legitimate business purpose pursuant to a law, government rule, regulation, or fiduciary duty
The main changes that organizations need to be prepared for are:
- Annual recertification by the organization seeking access
- Third-party conformity attestation every three years
- Agreement to scheduled and unscheduled audits, conducted by the National Technical Information Service (NTIS) or by the Accredited Conformity Assessment Body (ACAB) at the request of NTIS
- Fines up to $250,000 per year for noncompliance
The entity wishing to access the DMF must submit written attestation from an ACAB to prove that the appropriate systems, facilities and procedures are in place to safeguard information and maintain the confidentiality, security, and appropriate use of the information.
To better understand the requirement, organizations can find the sample certification forms here:
- Subscriber Certification Form – Sample
- Accredited Conformity Assessment Body Systems Safeguards Attestation Form – Sample
- State or Local Government Auditor General or Inspector General Systems Safeguards Attestation Form – Sample
Subscriber Certification must be completed annually. The LADMF Systems Safeguards Attestation Form must be completed every three years.
The U.S. Department of Commerce’s National Technical Information Service (NTIS), the governing body behind the LADMF, can conduct both scheduled and unscheduled compliance audits and fine organizations up to $250,000 for noncompliance, with even higher penalties for willful violations. Because of the potential for substantial fines, it is important that entities implement the appropriate systems, facilities and procedures to safeguard the information.
How A-LIGN Can Help
A-LIGN is an ACAB that can attest to organizations’ systems and procedures in place. A-LIGN utilizes various published information security standards, including the AICPA SOC 2 and ISO 27001 to satisfy the rule’s audit requirements.
Since 2015, A-LIGN has been working to help our clients meet their DMF audit requirements, and has successfully submitted the appropriate attestation forms to NTIS, resulting in certification for our clients. We have extensive experience testing the controls required by LADMF and understand the certification process and requirements.
ISO 27000 Family – Information Security Management Systems
The ISO 27000 family of standards is related to an organization’s information security management systems, or ISMS. This international standard helps organizations by providing a clear set of requirements that can be used to manage the security of the business’ assets. An ISMS is a systematic approach used to manage the overall information security program to ensure that it remains effective.
One of the benefits of ISO 27001 certification is that it assesses the entire scope of information security, including the technical controls as well as management’s oversight of information security. This all-encompassing approach secures people, processes, and technologies to minimize risk.
Read more: ISO 27001: The Four Most Common Post-Certification Pitfalls
ISO 27001
Organizations can achieve certification against ISO 27001 to demonstrate the maturity of the company’s information security environment. This standard provides a methodology for the establishment, implementation, operation, management, and maintenance of information security within an organization.
There are seven mandatory clauses (clauses 4 through 10 of the standard), each with its own requirements, for organizations seeking conformance to ISO 27001:
- Context of the organization
- Leadership
- Planning
- Support
- Operation
- Performance Evaluation
- Improvement
Additionally, Annex A of ISO 27001:2013 defines 114 controls grouped into 14 domains. These are not optional in the sense of being ignorable: every control must be considered through the risk assessment, and the Statement of Applicability records which apply and justifies any that are excluded. The 14 domains are:
- Information security policies
- Organization of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance
Benefits of ISO 27001 Certification
ISO 27001 can help organizations reduce risk, optimize operations within an organization due to clearly defined responsibilities and business processes, and build a culture of information security. The framework also helps organizations in reducing security incidents and meeting additional compliance requirements.
In addition, the standard helps organizations implement controls that are relevant to their unique risks and assets, instead of providing generalized guidance that isn’t applicable to the organization. This holistic, tailored approach makes the ISO 27001 standard functional for organizations of any size, in any industry.
How to Achieve ISO 27001 Certification
Certification should be conducted by an ISO 27001 accredited certification body. Certification will include the following audit activities:
- Pre-Assessment: Although not required to achieve certification, for organizations who have not undergone the ISO 27001 process before, the pre-assessment is conducted for organizations who need additional assistance in becoming ISO 27001 compliant. A-LIGN simulates the certification process by performing a review of the company’s scope, policies, procedures, and processes to identify any gaps that may need remediation prior to certification.
- Stage 1 Audit: A-LIGN reviews the organization’s scope, policies, procedures, and processes to confirm conformance with the documentation requirements of ISO 27001.
- Stage 2 Audit: Once organizations have completed stage 1, the stage 2 tests the conformance of the information security management system with ISO 27001 and the company’s internal policies and procedures. This includes interviews, inspections of documented evidence, and observations of organizational processes.
- Surveillance Audit: To ensure that the organization’s ISMS continues to conform to ISO 27001, surveillance audits are performed annually in each of the two years following certification.
ISO 27001 certifications are valid for three years.
ISO 27017
ISO 27017, or Code of Practice for Information Security Controls Based on ISO/IEC 27001 for Cloud Services, provides guidance based upon ISO 27002 for the cloud services industry.
The standard provides guidance specific to cloud-service providers on 37 of the controls in ISO 27002, but also features seven new controls:
- Shared roles and responsibilities within a cloud computing environment
- Removal of cloud service customer assets
- Segregation in virtual computing environments
- Virtual machine hardening
- Administrator’s operation security
- Monitoring of cloud services
- Alignment of security management for virtual and physical networks
This standard is relevant to organizations that provide cloud-based services, and for any organization that stores information in the cloud.
Benefits of ISO 27017
Any cloud provider that is entrusted with sensitive customer data could potentially benefit from ISO 27017. The standard assists organizations by providing guidance unique to the cloud environment, and addresses pain points for many cloud providers such as the delineation of roles and responsibilities within a cloud computing environment.
This standard can help organizations enhance their information security management system to the specific needs of their environment. Additionally, utilizing the ISO 27017 standard allows for organizations to reduce the risk inherent to cloud-service organizations, and the potential cost of a breach.
How to leverage certification for ISO 27017
Because ISO 27017 is not a management standard, organizations cannot be certified strictly against the ISO 27017 controls. However, A-LIGN can assist organizations by adding the additional ISO 27017 controls to the scope of an ISO 27001 certification audit to ensure that companies can demonstrate conformance to the ISO 27017 standard.
Read more: Strengthening the Cloud: ISO 27017 and ISO 27018
ISO 27018
ISO 27018, or Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors, is a standard designed for cloud computing organizations that process personally identifiable information on behalf of their customers.
ISO 27018 provides the following controls to supplement those set within ISO 27001 and ISO 27002:
- Customer and end-user control rights
- Restriction on disclosure to or access of third parties to PII
- Treatment of media containing PII
Benefits of ISO 27018
There is a need for organizations that handle PII to ensure this information is secured. This standard creates an additional level of customer confidence in ensuring that standards are in place to protect the information, allowing both the customer and end-user to be assured that their information is safe.
This standard can help organizations enhance their information security management system to the specific needs of their environment. Additionally, utilizing the ISO 27018 standard allows for organizations to minimize the risk inherent to cloud-service organizations, and the potential cost of a breach.
How to leverage certification for ISO 27018
Again, because ISO 27018 is not a management standard, organizations cannot be certified strictly against the ISO 27018 controls. However, A-LIGN can assist organizations by adding the additional ISO 27018 controls to the scope of an ISO 27001 certification audit to ensure companies can demonstrate conformance to the ISO 27018 standard.
Choosing the Right ISO Standard
The ISO 27000 family of standards provides options for organizations to implement the controls that are relevant to their business needs, their customer needs, and their end-user needs. As an accredited certification body, A-LIGN can conduct the certification audits to demonstrate conformance with ISO 27001, ISO 27017 and ISO 27018.
FISMA Certification: Understanding Low, Moderate and High-Impact Systems
FISMA, or the Federal Information Security Management Act of 2002, assesses the controls outlined in NIST 800-53. You can review those requirements in Figure 1, below.
One of the benefits of FISMA is that it provides different implementation options depending on the potential impact on the organization or on individuals if a security breach occurred. A breach could be a loss of confidentiality, integrity, or availability. The three impact levels, defined in FIPS 199 and used to select the NIST 800-53 control baseline, are low, moderate and high. FISMA established security guidance that federal entities and their agencies must adhere to, so organizations looking to win government contracts must adhere to the same standards. The focus of the program is to improve information security through clear standards that all federal agencies can use to protect information and information systems.
Low
Low-impact systems are those whose compromise would have only a limited adverse effect on the organization or on individuals.
Moderate
A breach of a moderate-impact system would have a serious adverse effect on the organization’s operations, its assets, or individuals.
High
High-impact systems are of critical importance to a government entity. A breach would have a severe or catastrophic effect on the organization, and could lead to a shutdown of operations, significant financial loss, physical harm to individuals, or a severe loss of intellectual property.
Achieving FISMA Certification
For organizations looking to win government contracts, FISMA compliance provides clear requirements for the development, documentation and implementation of an information security system for its data and infrastructure.
We want to ensure that your organization does not fall victim to these common ISO 27001 pitfalls, so that your information security management system (ISMS) continues to operate as designed and subsequent audits flow smoothly. Becoming ISO 27001 certified is a rigorous process for most organizations, but the work should not stop after receiving the sought-after certification. Take a look at the four most common problems to help your company stay on track after certification.
Failing to schedule the internal audit and management review
The completion of the internal audit and management review are critical to the success of the ISMS. A-LIGN reviews these activities during each audit activity and looks to ensure the quality-level and completeness are in line with the requirements. These activities build on each other as the internal audit feeds into the management review, and then both feed into the continuous improvement cycle.
You should ensure that the internal audit is scheduled well in advance of the surveillance audit, so the management review and continuous improvement activities have time to be performed. We start the surveillance audit approximately nine months after initial certification is received, so a typical timeline would be to start the internal audit six to seven months after certification.
Changes in key personnel
Many times the ISMS is implemented by an individual who fields many of the questions during an audit and has overall responsibility for the ISMS. If that person leaves the company, the ISMS can fall apart. In order to help prevent this, we recommend that all companies designate a back-up person who has a general understanding of the ISMS. If your primary ISMS manager moves into a different position or to another company, ensure that the designated backup steps in to ensure that the ISMS continues to function.
Failing to be vigilant
It is common for organizations to breathe a sigh of relief upon receiving the initial certification, but some go too far into “relaxation mode” and fall victim to common ISO 27001 pitfalls. ISO 27001 defines ongoing processes that should operate throughout the year, not just during the audit. The management controls, including periodic meetings, documented approvals for decisions, minutes of oversight committees, and so on, must be maintained to evidence that the ISMS continues to function. The same is true of the controls defined in the Statement of Applicability.
Companies should ensure the ISMS is a living process that is built into the culture of the organization so that it continues to function as designed after certification is received.
Not considering environmental changes
ISO 27001 requires that any changes in the environment be considered through the risk assessment process and any new or modified controls flow in to the statement of applicability. It also requires that A-LIGN be notified and a new certificate issued if there are changes to the scope or statement of applicability. When changes are considered in the environment that may impact the scope of certification, it is important to review and update the ISMS documentation to ensure it correctly reflects the environment post-change.
These top ISO 27001 pitfalls are all easily remedied through management oversight and following the controls as defined in your ISMS. Establishing a long-term ISMS framework can help to create an ongoing culture of security in your organization and help to ensure smooth surveillance audit cycles.
Strengthening the Cloud: ISO 27017 and ISO 27018
As the global usage of cloud technology continues to grow, businesses must strategically consider the risk of storing protected information and explore security options in order to protect their information systems. There are multiple security standards for cloud services providers and users to utilize in order to secure the cloud-based environment and minimize potential risk of a security incident.
Because cloud services operate across different locations, an international standard is needed to satisfy the security requirements of clients. ISO, the International Organization for Standardization, has published standards specialized for cloud companies: ISO/IEC 27017 and ISO/IEC 27018 are the cloud-specific frameworks that assist cloud organizations.
ISO 27017
ISO 27017 is designed to assist in the recommendation and implementation of controls for cloud-based organizations. This is relevant to organizations who store information in the cloud, but also for organizations who provide cloud-based services to other organizations who may have sensitive information.
This standard is built upon the ISO 27002 standard, but allows for specific controls to be added for the needs of cloud organizations and their end-users.
ISO 27018
ISO 27018 is, again, designed for cloud computing organizations, but specifically to protect personally identifiable information stored and/or processed in the cloud. The standard focuses on the obligations of cloud providers acting as PII processors, not on those of their customers.
This standard creates an additional level of customer confidence, specifically when working with organizations who handle sensitive information. This standard provides for the practical application of minimum protection standards that should be implemented to maximize client and end-user assurance.
Why Get Certified?
For cloud providers, ensuring the safety of consumer information is the number one priority. In light of recent breaches that have compromised user data, receiving certification through an international standard provides an organization with the globally accepted security controls. It also demonstrates to the cloud provider’s customers the importance they place on protecting consumer data. This provides a unique marketing advantage to firms that are able to tout their ability to confidently secure customer information.
While some organizations seek certification to conform to their unique regulatory needs or the needs of their clients, other organizations should consider ISO 27017 or ISO 27018 in order to minimize both the risk inherent to cloud-services organizations, and the potential cost of a breach. Adhering to the rigid guidelines of ISO 27017 and 27018 allows your organization to operate with confidence and build a reputation of trust with your clients.
What Penetration Tests Reveal: The Top 3 Findings
The hacking industry was alive and well in 2015, and it is striking that the majority of attack vectors have not changed in the past five years. I thought it would be interesting to share information gathered from expert pen testers regarding the top three vulnerabilities uncovered in 2015, along with insight into prevention.
The winners… drum roll please… the most commonly exploitable vulnerabilities in 2015 penetration tests:
- SQL Injection
- Cross-site Scripting (XSS)
- Misconfigured Server Settings
No surprises there, right? I have seen these same vulnerabilities since I started interfacing with security clients in 2006. I’ve categorized prevention and insight into these vulnerabilities as follows:
SQL Injection (SQLi)
If in 20 penetration tests you are able to successfully exploit an SQLi vulnerability on 2 of them, that means for 10% of the companies assessed, one could steal their ENTIRE database through their web portal. If these numbers are reflective of websites as a whole, 10% of the companies across the world have either already lost or will lose all of their sensitive data to attackers, which is a staggering thought. No wonder it still ranks as #1 on the Open Web Application Security Project (OWASP) Top 10. It is #1 on our list too, because of the possible damage and the ease of exploitation.
SQLi is also easy to fix. The best defense is a safe API that provides a parameterized interface (prepared statements, or stored procedures that do not build SQL from their arguments) or that avoids the interpreter entirely. If a parameterized API is not available, escape special characters in the input using the database’s own escaping routine and validate input against a whitelist of acceptable values. Never rely on a blacklist; it is too easy to get around. Run the application’s database account with the least privilege it needs, so that a successful injection cannot read or alter everything.
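The difference between splicing input into SQL text and passing it through a parameterized interface, shown on a throwaway SQLite database. This is an added example written for this page, not code from the original post or from A-LIGN; the users table, the deliberately plaintext passwords and the two payloads are constructed for the demonstration.

```python
"""String-built SQL versus a parameterized query, run against an in-memory
SQLite database. Added example, not code from the original article; the users
table, the (deliberately plaintext) passwords and the payloads are constructed
for the demonstration."""
import re
import sqlite3

# Allowlist for the username field: define what is acceptable, not what is banned.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    # Real systems store password hashes; plaintext here only makes the dump visible.
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn, username, password):
    """The anti-pattern: input is spliced into the SQL text, so a quote in the
    input closes the string literal and the rest of the input is parsed as SQL."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Placeholders send the values separately from the statement text; the
    engine never re-parses them, so quotes and keywords in the input are inert."""
    if not USERNAME_RE.fullmatch(username):
        return []                       # rejected before the database sees it
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Tautology: turns the WHERE clause into (... AND password='') OR '1'='1'.
BYPASS = "' OR '1'='1"
# UNION plus a trailing comment: pulls every password out through the login query.
DUMP = "x' UNION SELECT username, password FROM users --"


def demo():
    conn = make_db()
    return {
        "bypass_vulnerable": login_vulnerable(conn, "alice", BYPASS),
        "dump_vulnerable": sorted(login_vulnerable(conn, DUMP, "anything")),
        "bypass_parameterized": login_parameterized(conn, "alice", BYPASS),
        "dump_parameterized": login_parameterized(conn, DUMP, "anything"),
        "legitimate": login_parameterized(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(f"{key}: {rows}")
```

The vulnerable version logs the attacker in as every user with the first payload and returns the whole password column with the second; the parameterized version treats both payloads as ordinary strings, and the allowlist rejects the UNION payload before a query is even built.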
Cross-site Scripting (XSS)
19 of the 20 penetration performed had one (or many) XSS vulnerabilities – either reflected XSS or stored XSS. These are easy to exploit for hackers, just an email/blog post/clicked link away from compromising a client machine. When a clever hacker pairs an XSS vulnerability with a well-crafted phishing email, he is almost guaranteed to compromise some client PCs and accounts.
Regarding prevention, the recommendation is to escape all untrusted input before it is written back into a webpage. If your users can input something into a page, then so can a hacker.
The escaped input should also be paired with another whitelist of acceptable input.
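Output escaping paired with a whitelist, as an added example that is not code from the original post: the vulnerable rendering beside the escaped one, plus a whitelisted field. It is written in Python with the standard html module; the display-name policy is a hypothetical one for the demo.

```python
import html
import re

def render_comment_vulnerable(comment):
    # Untrusted text interpolated straight into the HTML body: any markup in
    # the comment is handed to the browser as markup.
    return '<p class="comment">' + comment + '</p>'

def render_comment_escaped(comment):
    # html.escape(quote=True) replaces & < > " and ' with entities, so the
    # browser renders the characters as text in the HTML body and inside
    # quoted attribute values. Other contexts (inline JavaScript, URLs, CSS)
    # need their own encoders; this function is not sufficient for them.
    return '<p class="comment">' + html.escape(comment, quote=True) + '</p>'

# Whitelist for a field with a known shape (hypothetical display-name policy).
DISPLAY_NAME_RE = re.compile(r"^[A-Za-z0-9 .'-]{1,40}$")

def is_valid_display_name(name):
    return bool(DISPLAY_NAME_RE.match(name))

def render_display_name(name):
    # Whitelist first, then escape on output: validation narrows what is
    # accepted, escaping guarantees the rest cannot become markup.
    if not is_valid_display_name(name):
        raise ValueError("display name rejected by whitelist")
    return '<span class="name">' + html.escape(name, quote=True) + '</span>'

if __name__ == "__main__":
    sample = "<script>alert(1)</script>"   # constructed test string
    print(render_comment_vulnerable(sample))   # markup reaches the browser
    print(render_comment_escaped(sample))      # rendered as literal text
```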
Misconfigured Server Settings
This one is so easy to prevent and yet can cause a lot of damage if left in place. Many of the websites I looked at allowed me to “retrieve” sensitive information through custom-crafted URL queries. I had one site that allowed me to browse protected web content just by inputting some special characters after the URL. Another site allowed me to see who was logged into the server at the time.
Misconfigured server settings are also a quick fix. A repeatable hardening process for all web servers usually catches any problem. OWASP has some great guides to configuring a server correctly.
Final Recommendations
These top three security fixes, as you can see, are almost banal. They don’t involve expensive hardware or strategies, but they do involve a culture of security, policies, and best practices. In fact, many of these findings come from point-in-time test environments, such as those complying with PCI, vs. organizations trying to establish a long-term information security management system framework or ISMS, like the ISO 27001 standard seeks to do. At least the entities tested had a pen test and fixed the vulnerabilities.
An ongoing culture of security and establishing and updating/improving InfoSec policies can help to avoid these vulnerabilities in your organization.
As a provider of managed services, your customers are entrusting you with the responsibility for some of the controls that could impact the integrity, availability and confidentiality of their data. Although they transfer the responsibility for the controls, the ultimate accountability remains with your customers and in most cases, they will request evidence that appropriate controls are in place to protect their data. As a managed services provider there are several options that you can pursue to provide this evidence.
The first is to work directly with every customer and answer their audit questionnaires, provide them detailed evidence of the controls and possibly undergo on-site visits from each of your customers or their auditors. This is typically not an efficient method and can cause a significant impact on your daily operations due to the continual barrage of audit-related tasks.
The second option is to undergo a SOC 2 examination. SOC 2 is built on the Trust Principles of Security, Availability, Confidentiality, Processing Integrity and Privacy. Depending upon the services provided and the level of access you have to your customers’ data, you can choose one principle or all five. The SOC 2 report can be distributed to your customers as evidence of the controls in place to protect their data. In addition to the reduced audit impact the SOC 2 can bring to your organization, it also demonstrates your commitment to security and controls in your environment. At the conclusion of the examination, the AICPA provides a logo to display on your website.
The SOC 2 report addresses general controls for the protection of data, but is it sufficient for your customers in specific industries such as healthcare or payment card processing? Customers in these industries may require additional controls as defined by the HIPAA/HITECH Acts or the PCI Data Security Standard. As with the SOC 2 examination, in order to keep from responding to each customer’s audit requests, as a managed service provider you can undergo an audit against the HIPAA/HITECH or PCI DSS security assessment and provide evidence of compliance to your customers.
These audits are not mutually exclusive. Many of our clients undergo multiple examinations/audits to meet the requirements of their customer base. A-LIGN assists our managed services clients by bundling these projects and performing them together. By bundling these projects, A-LIGN is able to reduce the time it takes to perform the fieldwork, thereby reducing the overall fees.