
Aug 27, 2013

IT security audit 101: Four rules you need to know

INAP

By Clinton Henry, CISM, CISSP, Senior Director, Datacenter Infrastructure & Security for Worldnow

Most organizations undergo an IT security audit from time to time. Having participated in more than 30 audits across multiple standards (SAS 70, SSAE 16, HIPAA, PCI, SOC 1 and SOC 2), I’ve gained some insights that may assist others embarking on the experience for the first time. Below are four rules to help you get through an audit quickly and efficiently, especially while the auditor is on site.

1. Ducks in a Row
Mike Tyson, the infamous boxer, was once asked how he handles boxing unknown opponents who’ve spent months studying everything about him and have developed elaborate strategies to defeat him. His response: “Everyone has a plan until they get punched in the face.”

Amusing quotes aside, planning ahead is essential for a successful audit. If you have a well-run team with clear policies, controls and enforcement, then you’re halfway there. Audits are about controls: you need to demonstrate that those controls are in place, documented, enforced, re-evaluated and tested regularly. Preparing and organizing documentation for the auditor before the audit is a key step, and it allows you to respond to requests quickly when they arise. It also forces you to re-evaluate policies that you may not have looked at in a while, and gives you a chance to write down policies that are already followed in practice but haven’t been officially documented or disseminated yet.

If your organization deals with third-party providers, it’s important to show an auditor that these vendors have been thoroughly vetted and held to stringent controls. At Worldnow, we leverage several vendors, including Internap and Salesforce. Internap provides colocation services and managed hosting for some of our critical equipment. Having their SOC 2 reports on hand is incredibly helpful to us and our auditor. Never rely on a provider who is not subject to recognized industry controls such as SOC, HIPAA, or ISO/IEC 27001 (whose control catalogue, ISO/IEC 27002, was formerly numbered 17799); you’re only asking for a headache when undergoing an audit.

2. Chinese Wall
In large firms, when a single organization represents the interests of opposing parties, a “Chinese Wall” must be established to avoid conflicts. In financial firms, the trading desks are not allowed to know what the firm’s analysts are going to say about a stock or company before it is released to the general public. During a security audit, a different kind of Chinese Wall should be established between the auditor and the company being audited. When the auditor is on site, be extremely mindful of “hallway meetings,” because an overheard or misunderstood statement can lead to additional questions, which can bog down an audit for weeks or months. This is an adversarial relationship; it’s cordial, but please remember not to “speak out of school.”

It’s usually best to have a single point of contact with the auditor. This person interfaces with the auditor, collects and provides all documentation and is effectively a gatekeeper. This creates a streamlined process, prevents confusing email chains and will be appreciated by the auditor as it’s much easier to go through a single person for all information than coordinate with multiple people.

3. Don’t volunteer, elaborate, distort (lie) or speculate
If you do interact directly with the auditor, and they ask you a “yes” or “no” question and you know the answer, say “yes” or “no.” If you elaborate, it could lead to multiple follow-ups that wouldn’t have been asked otherwise, and that should be avoided. Remember: don’t answer a question that isn’t asked. If you’ve ever been deposed, it’s the exact same process. Providing a history of the company, your architecture or anything else can only hurt you. This is a “point in time” audit, and discussing what was or what will be is counterproductive.

What happens when you are asked a question that you don’t understand, don’t know the answer to, or know the answer but don’t think the auditor will like it? Don’t feel pressure to respond right away. The correct answer is, “I need to confirm that” or “I’m not sure” and offer to provide the information as soon as you can. This will prevent a lot of headaches — please trust me on this.

The auditor usually has an assistant who takes detailed notes of all your responses; these will be reviewed off site and will generate more follow-ups. This is where most people get burned – follow these steps to minimize the number of follow ups.

4. Keep your team in the loop
As with anything else, communication is key. Before, during, and after an audit, keep your team apprised of the situation. They should be just as prepared as you for the audit and kept updated with any significant developments. Keep your third-party partners in the loop as well. They are there to help you succeed and will usually provide a resource if questions arise from the auditor that pertain directly to them. Internap gave my auditor a guided tour of one of their data center facilities. This sort of service from your partners goes a long way with the auditor – it makes their job easier, which only helps you.

Audits can be a stressful thing, with a lot riding on successful completion. Each audit presents its own puzzles and challenges, but they do get easier over time. Those who surround themselves with smart people, communicate effectively, and prepare accordingly are usually rewarded with a passing grade. At least that’s the plan – just ask Mike Tyson.

About Author

INAP

May 7, 2013

SSAE, SOC 2 & SOC 3 reporting standards

INAP

The last time I wrote about SOC 2 reporting, it was still very new. I was still learning about these standards, and as a result, may not have been as exacting as you might have wanted. I also may have been a little hard on SSAE reports. And despite my earlier description, there is no “SSAE 16 SOC 2” report: SSAE 16 is the attestation standard under which a SOC 1 report is issued, while a SOC 2 report is a different engagement (at the time of writing, performed under AT Section 101).

So now, I thought it might be worth a refresh of some key SSAE, SOC 2 and SOC 3 points, thoughts and opinions. So then:

  • SSAE 16, under which a SOC 1 report is issued, is essentially the replacement for what was known as SAS 70. With this report, an auditor evaluates the controls (relevant to customers’ financial reporting) as defined by the service provider and offers an opinion. Because the provider chooses its own control objectives, the report may be extremely valuable or not that helpful to the service provider’s customers.
  • SOC 2 and SOC 3 are based around the American Institute of Certified Public Accountants’ Trust Services Principles (TSP) of security, availability, processing integrity, confidentiality and privacy. Service providers being audited under SOC 2 and 3 are evaluated against both their own controls and the predefined TSP criteria. Because of these common criteria, these reports are, in my opinion and the opinion of others, more likely to be useful. Note, however, that a service provider is not required to be tested on all five TSPs, so there may be differences even among SOC 2 or 3 reports from different providers; check which principles a given report actually covers.
  • A SOC 2 report contains the auditor’s report and details of the tests performed, the results and an opinion on the controls. A SOC 3 report contains only the auditor’s report on whether the controls meet the Trust Services criteria. Which one is better depends on what level of detail a customer needs.
  • The testing for each type of audit can be as of a point in time (Type I, which reports on whether controls are suitably designed and in place on that date) or over a specified period (Type II, which also tests whether those controls operated effectively throughout the period).
  • No one gets “certified” by one of these audits. A service provider simply “successfully completes” the audit. To find out how successfully, you need to read the service provider’s report, including any exceptions noted in the test results.

Hopefully, the points above are useful and will help you make some informed choices. If you want some additional opinion, I am partial to SOC 2 Type II reports. It’s what we do here at Internap. These reports describe operational controls and give the auditor’s insight into how well those controls actually worked over the review period. This seems to be what most of our customers’ auditors want.

But beyond that, these reports are great tools for us to benchmark our own performance. For Internap, it’s not just a marketing gimmick; it’s serious business. And that’s probably as important as any other reason when you trust your business with us.

Mar 6, 2013

Customer Spotlight: YouSendIt talks cloud, mobile, performance and team leadership

Ansley Kilgore


YouSendIt is a leading cloud file collaboration service that gives users anytime, anywhere access to content via web, mobile and desktop applications. In this customer spotlight, Sumeet Rohatgi, Sr. Director of Engineering at YouSendIt, shares his vision on current technology trends, cloud security, performance and building a successful team. To stay successful and meet the demand for comprehensive content collaboration in the cloud, YouSendIt relies on Internap’s Managed Hosting services, scalable storage solution and global Performance IP connectivity.

Q. What are the biggest technology trends that will affect your business in the near future?

A. The current phase of technology is marked with a rapid expansion of mobile computing capabilities and applications, which are increasingly dependent on the cloud to provide rich content and functionality. Along with the rise of these productivity applications, users’ content is getting fractured and spread over multiple cloud repositories (sometimes referred to as the ‘personal cloud’).

YouSendIt provides cloud content collaboration governance tools for enterprise IT, such as remote wipe, centralized policy management, compliance reporting and encryption. To help end-users search, use and control content spread across their personal cloud, YouSendIt is rapidly incorporating cloudnostic search technology gained from a recent acquisition, Found. Cloudnostic is the idea that anyone can access their content no matter where it is hosted.

Q. How do the growing concerns about online privacy and internet security affect your business strategy?

A. The astonishing influx of new mobile devices in the market brings new capabilities and applications that pose security threats. To secure IP, especially as it relates to enterprise content, some CIOs resort to draconian measures, and limit content collaboration capabilities like MDM (Mobile Device Management), MCM (Mobile Content Management), and even block access to entire sites within their internal organization networks. However, these devices can and often do connect to multiple networks, and IP (content) easily leaks out.

As a result of these concerns, we offer a toolset to build a secure and safe environment for content collaboration. Our solutions put control of shared content in the hands of professional users with features like password protection and file expiration. Our enterprise offering complements this toolset with a single sign-on for enterprise users, both from within the enterprise network and outside. Additionally, governance features like whitelist/blacklist enterprise domains provide a safe and trusted environment for collaboration. We encrypt all content at rest and perform virus scanning on files before downloading. Our cloud operations are PCI compliant and our processes are SOC 2/3 compliant. All communications to user devices and our cloud are encrypted and secure.

Q. Tell us why performance is important to your business.

A. The ability to access your cloud content anywhere, anytime and the fact that we have over 40 million users puts an enormous performance requirement on our infrastructure. Downtime or inability to access content even for a brief period is an immediate loss of trust, and at times a loss of business. Our applications (web, desktop and mobile) use Internap’s Content Delivery Network (CDN) to ensure content is delivered rapidly. We also have storage servers in multiple locations to help make content transfer faster to our users no matter where they are globally.

Q. Your CEO has discussed the importance of building a great team. What do you think is the most essential ingredient for successful technology teams?

A. Successful technology teams start off by having a set of shared foundational values — namely, respecting and trusting the judgment of every team member. In today’s cloud technology environment, a broad range of skills needs to be present on the team: setting up/maintaining cloud servers, being polyglot in writing platform specific applications and architecting solutions that can scale and be flexible at the same time. To counter a rapidly changing environment, being agile is another necessary ingredient. The team as a whole needs to be able to quickly understand and take advantage of features being added by the platform manufacturers. If you do not have respect and trust in your team, none of the above can happen.

From the rest of the organization, the team demands a high level of support and trust in their decision making. Technology teams should be empowered to make and conversely be held accountable for their decisions. The organization needs to be tolerant of risk and comfortable with the possibility of failure, as this creates a culture of innovation which can lead to subsequent higher returns.

Apr 3, 2012

What is SOC 2?

INAP

A customer recently tweeted asking us, “What is SOC 2 and what makes it better?”

SOC 2 in 140 characters:

SOC 2 assures clients we use systems to protect their data. It audits security, availability, process integrity, privacy and confidentiality.


The longer version:

SAS 70 was an auditing standard under which an auditor examined a service organization’s controls. SSAE 16 replaced it with an attestation standard: management asserts that its system description is fair and that its controls are suitably designed (and, for a Type II report, operating effectively), and the auditor attests to that assertion. The differences are clearer at the level of the SOC reports. SOC 1 is primarily designed to review controls relevant to customers’ financial reporting. SOC 2 covers operational controls against the AICPA’s predefined Trust Services Principles and Criteria: security, availability, processing integrity, confidentiality and privacy. A SOC 3 report states whether the service organization’s systems met the SOC 2 criteria but does not describe the tests performed or their results.

Our SOC 2 reporting assures our customers that we have adequate controls in place to safeguard their data and information.

For more information on the transition, plus how this reporting strengthens our managed services, visit our auditing standards page.
