What You Need to Know About Changes to the STAR Program

The CSA recently announced that the STAR Program will now allow a one-time, first-year only, Type 1 STAR Attestation report. What is a Type 1 versus Type 2 examination and what are the benefits for starting with a Type 1 examination?

Type 1 versus Type 2
There are two types of System and Organization Control (SOC) 2 reports, Type 1 and Type 2. Both types of reports examine a service organization’s internal controls relating to one or more of the American Institute of CPAs’ (AICPA) Trust Services Principles and Criteria, as well as the Cloud Security Alliance’s (CSA) Cloud Controls Matrix (CCM). Both reports include an examination on the service organization’s description of its system.

A Type 1 report examines the suitability of the design of the service organization’s controls at a point in time, also referred to as the Review Date. A Type 2 report examines not only the suitability of the design of controls that meet the criteria but also the operating effectiveness of controls over a specific period of time, also referred to as the Review Period.

In Type 2 examination, the auditor is required to perform more detailed testing, request more documentation from the organization, and spend more time performing a Type 2 examination than with a Type 1 examination. The additional documentation and testing requirements can put a greater strain on an organization and require more resources to complete the audit.

A service organization that has not been audited against the criteria in the past may find it easier to complete a Type 1 examination during the first audit as it requires less documentation, less preparation, and the organization can respond quicker to gaps noted during the examination.

The cost for a Type 1 examination is less than for a Type 2 examination because the examination testing efforts are less than what is needed for a Type 2. Additionally, fewer organization resources will be utilized for a Type 1, resulting in additional cost savings.

If the service organization, or specific service line or business unit of the organization, was recently implemented, the organization would have to not only ensure that controls were put in place to meet the criteria, but also ensure the controls have been operating for a certain period of time prior to completing a Type 2 examination. In this situation, there would not be enough history or length of time for a service auditor to perform a Type 2 examination. A Type 1 examination would allow for a quicker report rather than waiting for the review period in a Type 2 examination.

Benefits of a Type 1
There are several benefits to starting with a Type 1 report that include:

  • Quicker report turn-around time and STAR Registry
  • Shorter testing period
  • Cost efficiencies
  • Easier to apply to new environment or new service line

An organization might be trying to win a certain contract or respond to a client’s request for a STAR Attestation in a short period of time. A Type 1 examination does not require controls to be operating for a period of time prior to the examination. Therefore, the examination and resulting report can be provided sooner to the service organization.

Starting with a Type 1 report has many benefits for a first-year STAR Attestation. The organization will find this useful when moving to a Type 2 examination in the following year.

It is important to note, though, that Type 1 shall be considered just as an intermediate and preparatory step prior to achieving a Type 2 STAR Attestation.

Debbie Zaller, CPA, CISSP, PCI QSA, Principal, Schellman & Co., LLC

[Cloud Security Alliance Blog]

Building a Security Transformation Program in Our New Information Security World

From an information security perspective, companies often have perceived their own organization as a castle with well-defined walls, with few entry points sufficiently staffed with guards monitoring what information is coming in or leaving the organization. If further protection is needed, it is obvious what to do: build higher or thicker walls or add additional security guards. What is inside the castle can be considered safe.

However, there have been several significant changes in the past few years, namely:

  • New business models and supply chain dependencies transcending traditional company and information boundaries
  • Advances in technology and digitization increase ICT reliance
  • Increasing reliance on external parties and their security approach
  • Scarcity of resources, be it financial or human resources
  • Increased regulatory requirements supporting the shift from a protection focus to a detection/response focus (e.g., GDPR)
  • Changes in the cyber threat landscape (e.g., crime-as-a-service, espionage)

This means that reliance on traditional perimeter security is no longer sufficient, a mindset that information security professionals have been advocating for several years. The National Institute of Standards and Technology (NIST) in the US, for instance, has developed a model by mandating an ‘Identify – Protect – Detect – Response – Recover’ approach.

The next generation CISO
So why are so many companies still struggling to adopt this approach? A CISO of a reputable company once said: “I was hired for my technical security skills; however, I do not know how to build an organizational change program.” The next-generation CISO not only needs an understanding of security challenges, but also needs to deliver this change in a programmatic approach.

The need for a step-change in information security
What is needed is a way to package the NIST thinking into an information security transformation framework considering the organizational model of companies.

The goal of the different components:

  • Governance, risk and compliance: Align the approach to the company’s governance model and build alliances with related functions, such as risk management, corporate security, compliance and audit.
  • Secure architecture: Ensure a ‘security by design’ approach.
  • Secure baseline: Do the fundamental things right (e.g., patching, monitoring, adopting good IT operations practice).
  • Cyber threat management: Understand the threat environment and provide appropriate incident response.
  • Training and awareness: Address the human factor in information security.

Define KPIs
By first comparing the current organizational capabilities against future need, we can determine how fast and in which areas a company needs to act. Derived from this assessment, the projects can be planned and budgeted covering several years, including sourcing requirements (in-house or managed security provider). Each year, the required capabilities are re-assessed considering the threat landscape, business strategy and technological advances.

One key element is the definition of KPIs to measure the progress for each framework component. These KPIs help to communicate the benefits of a multi-year program to senior management. The assignment of skilled project/program management resources also helps to maintain the focus rather than daily operational tasks superseding project/program goals.

Experience so far
Taking this approach, we have experienced the following changes:

  • Shift toward a holistic view: from a tool discussion to a capability-based discussion covering people, process and technology.
  • Regular re-assessment of capability profile, threat landscape and business strategy define the security projects for the coming year.
  • Capability needs drive security strategy and implementation priorities.
  • A failure to meet incident resolution target KPIs resulted in a root cause analysis and renegotiation of service level agreements (SLAs) with vendors.

New threats demand a new mindset – and approach – for information security professionals.

Editor’s note: Monika Josi will present on “Building a Sustainable Security Program” at ISACA’s EuroCACS 2017 conference, which will take place 29-31 May in Munich, Germany.

Monika Josi, Head of Group Security Consulting, AXAS AG

[ISACA Now Blog]

What To See in Austin – Security Congress Sessions Announced

With less than 150 days until Security Congress, the full agenda has been released. Keynote speakers include Ben Makuch, national security reporter for VICE News, Donald W. Freese, deputy assistant director at the FBI, and Juliette Kayyem, founder of Kayyem Solutions.

The seventh annual conference will be hosted at the JW Marriott Austin, September 25-27, 2017. There will be 11 tracks at this year’s event, including:

  • Cloud Security
  • Cyber Crime
  • Critical Infrastructure
  • Incident Response & Forensics
  • Governance, Regulation & Compliance
  • Identity Access Management
  • People & Security
  • Professional Development
  • Software Assurance/Application Security
  • Swiss Army Knife
  • Threats

We listened to the feedback from past year’s events and this year, cloud security is the largest track with three FULL days of sessions on the topic. The Swiss Army Knife track also returns this year. This track is a potpourri of cybersecurity topics that impact practitioners and sessions will include tips, tools and tricks to help attendees in their day-to-day work.

New this year are workshops, with topics including “Can IT and OT Ever Come to the Same Table?” and “CISO Skill Set: The Tools and Techniques You Need to Succeed.”

The Center for Cyber Safety and Education will also be presenting a session for Safe and Secure Online Volunteers, “I’ve Completed Orientation, Now What?” to help members put their knowledge to use and help their community – children, parents and seniors – stay safe online.

If you’re not a member of your local (ISC)² Chapter, be sure to attend the information session hosted by Jayda Shriver, Chapter Program Manager. The session, (ISC)² Chapters: Membership Has Its Benefits, will discuss ways to learn how to join, or start, a chapter in your local community.

View the full Security Congress agenda online now and register before July 31 for early bird savings.

[(ISC)² Blog]

The Darknet and Deep Web: What Are They, and Why Should I Care?

In this age of growing technology, we trust the Internet. We trust it with making secure payments, storing our medical history and sharing personal photos with family and friends. We trust a website when it claims our information is safe from intruders and that when our information is posted privately, it is only ours to see.

However, once information is posted, sent, or clicked, it is public. Hackers can crawl into these supposedly private portals and extract information.

The vast Internet consists of three layers. The first layer is public, consisting of sites we use frequently such as Facebook, Twitter, Amazon and LinkedIn. This layer makes up only 4 percent of the entire Internet.

What is the other 96 percent? The deep web and the darknet. The deep web, the second layer, is a network where data is stored in inaccessible databases. The darknet is the third, deeper layer of the Internet where hackers congregate and facilitate illegal meetings. Customers whose data is breached do not have access to the darknet.

Tor (originally short for The Onion Router) began life as a U.S. Navy project for anonymous online activity but is now used by a wide range of groups, including the military, journalists, bloggers, activists and, yes, criminals. Tor makes communications harder to trace through traffic analysis by routing Internet activity through a series of network nodes, each ignorant of the whole route from beginning to end. The trade-off for increased security is slower speed.

To surf the darknet, we use a browser that allows us to access .onion sites with call browsers like:

  • Tor Browser
  • TAILS
  • Onion Browser

Or, websites like “Tor2Web” and “Onion2web” can be used, which allow users to easily access .onion sites on browsers like Google Chrome. As easy as this may be, it guarantees that your IP address is exposed – and when this happens, you’re open to all sorts of attacks from hackers.

Here are some steps to protect your computer:

  • When users surf the darknet, it opens up their computer to possible malware and scans that can compromise their network. Do not surf the darknet from a work computer on your work network. Use a computer that you are willing to rebuild, and use a VPN to protect your network connection. I would also advise using software that can protect your computer from any unauthorized changes such as:
    • Deep Freeze
    • Sandboxie
    • SmartShield
    • SysFreezer
  • Be safe and do not enable any Macros or scripts on a .onion site
  • Do not download files off untrusted or unknown sites.
  • Do not buy anything on the darknet because there are lots of scams. Buyers may never even hear from the seller, and what you are buying may be illegal.
  • Be careful of what you may find on the darknet because it could be related to something illegal – drugs, weapons, hackers, pornography and classified data. You may have to report to the authorities what you find and explain what you were doing. Furthermore, nearly all darkweb transactions use cryptocurrencies like Bitcoins, so it’s completely untraceable, and a refund is usually out of the question.
  • Do not make friends or enemies on the darknet; messing with a hacker can potentially ruin your life.
  • You can use services that will search for you, or allow you to search in a secure manner, like Harris corporation’s TORNADO.TM

What are some reasons to search the darknet? There could be company data that may be on the darknet now, such as user name and passwords, network maps, and other confidential data that could be problematic. Once users become good at searching the darknet, they can create a seed file. A seed file is kept internally by companies. Finding them on the darknet is an indication that the company has been compromised.

Editor’s note: To learn more about this topic, an archived webinar, “The Dark Web – A Threat To Your Business?,” is available at www.isaca.org/Education/Online-Learning/Pages/Webinar-The-Dark-Web-a-Threat-to-Your-Business.aspx.

Jay Ferron, C|EH, CISSP, CHFI, CISM, CRISC, CVEi, MCTIP, MCSE, MVP, NSA-IAM, past president Greater Hartford ISACA Chapter, Interactive Security Training, and Tim Singletary, CISSP, CISM, CRISC, CTT+, C|EH, Security +,A +,Net+ ,Linux+, Harris – Information & Cyber Solutions

[ISACA Now Blog]

English
Exit mobile version