Pratum Blog


SOC 2® reports are probably coming up in a lot of conversations among your industry peers and key partners. But do you need to get a SOC 2® report? The process represents a significant investment of both money and time (about 18 months to complete a typical SOC 2® Type II reporting process). As you weigh whether the investment is worth it for your business today and in the future, consider these factors. (And if you need a summary of how SOC 2® works, jump to the bottom of this post.)

Why You May Need a SOC 2® Report

  • Retain/create opportunities with larger clients – Many big companies have strengthened their cybersecurity programs by dramatically tightening requirements for their third-party vendors. If you can’t produce proof that you have a mature security program, you may lose deals or never even get invited to bid. We’ve heard many stories about companies that caught their big break with a large client because they had a SOC 2® report ready to go while their competitors scrambled to satisfy the customer’s requests. That’s why many firms have recognized that SOC 2® gives them a competitive advantage.
  • Efficiently answer clients’ security questions – Many organizations have found themselves overwhelmed with constant security questionnaires from clients and partners doing their due diligence on the companies they rely upon. In many cases, you can avoid wading through dozens of custom client questions by giving them a copy of your SOC 2® report. After a few of those situations, the SOC 2® process pays for itself in terms of time savings for your staff.
  • Improve your overall security – Don’t overlook the core purpose of the SOC 2® process: improving how you handle data security. During the prep process, you’ll surely clean up a lot of your controls and processes—and probably find some surprises in the way your team is doing things. During the process, you may be notified of additional ways you can make improvements. All of those improvements mean you should experience fewer business interruptions and costs from data breaches. Again, the SOC 2® process will probably pay for itself by helping you avoid costly incidents.
  • Accelerate your progress on compliance requirements – SOC 2®’s requirements overlap with standards and frameworks such as HIPAA and ISO 27001. That means going through the SOC 2® process will also help you take big steps toward meeting other compliance requirements you may have.
  • Increase operational efficiency – During the process, you’ll uncover areas where you can improve things like how you share information, how you process change requests, etc. So while a SOC 2® report focuses on security, pursuing it will help tune your overall operations.
  • Secure better cybersecurity insurance rates – Insurance rates have skyrocketed in the last year as insurance companies try to get a handle on all the ransomware claims they’ve been paying out. To get the best available premiums, you’ll have to demonstrate the maturity of your program. A SOC 2® report can help make that case.

SOC 2® Defined

Companies use the widely accepted SOC 2® compliance model to confirm that their vendors/partners handle information securely. Rather than simply trusting vendors who declare themselves secure, companies can demand a SOC 2® report as third-party proof of the vendor’s security. In a SOC 2® audit, a firm recognized by the American Institute of CPAs (AICPA) reviews a company’s controls over a specific period of time and issues an opinion on its compliance with the standard.

Companies can seek either SOC 2® Type I or Type II. Type I examines the design of controls at a specific point in time. Type II evaluates the operating effectiveness of those controls over a period of time. While a Type I report can be completed fairly quickly, a Type II audit can take up to 18 months, including the readiness and audit periods. Retaining SOC 2® validation requires repeating the audit on a regular basis (usually annually).

Pratum consultants help numerous companies each year determine whether they would benefit from a SOC 2® report and then prepare for the SOC 2® process if they move forward. To learn more about how Pratum can help simplify the journey for you, contact us today.

Cybersecurity in 60 Webinar: How to Get the Most Out of a Penetration Test Highlights

Performing regular penetration tests is an easy decision. They represent a key piece of your overall security strategy. But getting the most from your next penetration test can be more challenging as you sort through multiple questions. How do you choose the best penetration test vendor? How do you decide what to test? Why do quotes from different vendors vary so much?

All these key topics came up during Pratum’s latest Cybersecurity in 60 webinar. Pratum Senior Penetration Tester Jason Moulder and Troy University CTO Greg Price shared insights from the perspectives of a tester and a client on how to make the most of a penetration test. Here are the highlights of their conversation. To view the entire webinar, click here.

Greg Price, CTO, Troy University (pen testing client)
Jason Moulder, Senior Penetration Tester, Pratum

Q:

What should everyone know before they start a penetration test?

Jason:

First, make sure that you’re getting an actual penetration test and not just a vulnerability scan. (This infographic shows all the elements that go into a full penetration test.)

Second, do your homework on the penetration testing company you’re thinking of using. What kind of credentials do the actual testers have? How many years of experience do they have? What are people saying about them online? You should look for a long-term partnership, not just one-and-done things.

Greg:

It seems like someone calls me every day who is hanging out their shingle as a cybersecurity expert. I’m always dubious of those claims, especially if the organization appears overnight. So the maturity of the organization we’re going to work with is of enormous interest for me.


Q:

So what’s the difference between a vuln scan and a penetration test?

Greg:

A penetration test is predicated on a vuln scan. Any penetration testing professional has to know the lay of the landscape, which is where a vuln scan comes into play by knocking on the door, running various scans to see what’s forward facing for the Internet to take a peek at it.

The penetration test provides me greater insight into those vulnerabilities. It shows where gaps are not only from a technical perspective, but from a policy perspective. It provides a practical application of how my team is working, what’s going on with our resources.

Jason:

Keep in mind that a vuln scan is only programmed to find things that are known. (Click here for a full comparison of penetration tests and vuln scans.)


Q:

How do you set effective rules of engagement for the test?

Greg:

You can get stealthy with a penetration test or get loud and bang on the doors and hope somebody’s paying attention. If the rules are not laid out clearly, those doing the work can get too noisy and too rough and disrupt the environment, and that can be an absolute disaster.

We’ve used groups in the past that completely ignored the rules of engagement. If they found something, they would take it all the way down. That’s an awful experience for an organization of any size, but especially for us with a global operation and students engaged in various educational opportunities.

Jason:

That’s also an issue when it comes to automated tests like vuln scans. If the team isn’t coordinating with the client and saying what they’re going to be doing at a certain time, you can mess up all kinds of things such as rewriting databases, deleting things, and creating other unintended types of consequences.

Greg:

I don’t want a penetration test to turn into a test of my disaster recovery (DR) plan.


Q:

How do you set the proper scope for a penetration test?

Jason:

We identify components that would seriously affect you and everybody connected to you if they got compromised. I try to work with clients to keep the cost manageable while giving you what you actually need. We’ll guide you on what we see with other clients in the same industry, threat intelligence we’re getting and other things.

Greg:

As the customer, I should have some idea of where my weaknesses are, what I want to build on, where I want to strengthen the environment. If you’re not focused and looking at what’s vital to your organization, you could waste a lot of money just wandering around the edges and poking at things that are trivial. Also, be sure that you know how cloud and third-party components are managed before starting a penetration test.

So when you walk into a penetration test scoping call, you have to know what’s of great value and what needs to be protected from a corporate strategy perspective, a regulatory need, or a compliance need.

Take a good look at your DR plan. What are you looking at reconstituting if you have an enormous failure of your primary data operations? That’s probably the template for what you want to put in front of someone to do a penetration test against.


Q:

How often should you do a penetration test?

Jason:

If you have some underlying regulation that says you have to do at least two penetration tests a year, then you can’t really bypass that. But on average, if you don’t have anything really pushing you to do this more often, you should do a full penetration test at least once a year on your entire environment: external, internal, wireless.

Greg:

If you have experienced some massive shift in the infrastructure, introduced some product, exchanged some hardware, or done something else sizable, then it’s time to have someone come in and go after it and make sure it’s living up to expectations from a security perspective.


Q:

Should you tell your IT team when a penetration test is going on?

Greg:

I don’t tell anybody within my organization. I want it to be a test of our controls and tools, but I also want to see that the team reacts appropriately and that the various mechanisms we have in place for mitigation and triage are also functioning.

Jason:

I would rather see a team doing what they’re supposed to be doing. If it gets up to the CTO’s level, he can stop it there rather than going into the IR plan. We may purposefully fire off some real heavy stuff to see if we get shut down.


Q:

What’s your advice for organizations early in their security journey who might be choosing between things like a penetration test and risk assessment?

Jason:

First, make sure you’ve prepared by getting controls in place, mitigating vulnerabilities and patching software before you do a penetration test. Then you can engage a vendor to come in and do an audit or a risk assessment. When you get that report on paper, then the penetration test is there to quantify that.

Greg:

You don’t want to roll right out of the gate with having just turned on some new things and hired a couple of folks to work security and then bring in a penetration test group to examine what’s going on. That’s not going to be a good engagement for anybody. Use the penetration test as an opportunity for improvement. For me, it’s definitely a verification and validating tool.


Q:

The final report from a penetration test can be overwhelming. How do you react to findings and not take it defensively?

Jason:

We’re not trying to say you’re doing a bad job. We’re showing where you need to invest in training or shore things up. We hope that part of our result is to create a driving factor that shows your boss you need to reinvest into your overall scheme and hone the team’s skills a little more.

Greg:

I like to use the final report as a team-building exercise. We focus on the end goal of being better after we complete the exercise. If we got a report that proclaimed that we had absolutely nothing going on and everything was perfect, I would be skeptical.

Jason:

Some of the low-risk or informational findings could be the segue into a bigger finding when you chain that stuff together, and we identify that during the engagement.

Greg:

That shows the importance of people who have experience and actual experts to conduct these tests. Without that knowledge of the penetration tester to assemble those things, you may think it’s no big deal. But when it’s brought into context by people who have a lot of experience, that’s where the value really comes out in these types of examinations.


Q:

Prices on penetration tests diverge widely. What are key things to look at when comparing quotes?

Greg:

I typically look at the penetration testing team’s experience and their approach. We also review whether the tools they use are in-house, open source, or commercial.

Jason:

Take a hard look at why a lower price is lower. Sometimes we come in a lot lower than competitors because we cut out a bunch of stuff that you said you wanted, but doesn’t make sense for your objective. We want to focus in on your overall objectives and goals and why you need this penetration test to begin with. We don’t have to test everything in the environment. It's not cost-effective.


To talk with Pratum’s team about how you can get the most value from your next penetration test, contact us today.


If you work in the IT world or deal with information security on a regular basis, you’ll hear people talking about “security awareness training.” The term can be confusing because awareness and training are not the same thing. Generating awareness of something is distinctly different than the act of training. Awareness is about the learner receiving information from the teacher. Training is an active, engaged process in which the learner builds meaningful knowledge and skills that facilitate action.

To adequately train your team in cybersecurity, think of learning as a continuum. It starts with awareness, builds to training, and can evolve into education for those making a career out of information security. Building on concepts from the National Institute of Standards and Technology (NIST), this article highlights the IT Security Learning Continuum and covers both the differences and links among awareness, training and education.

NIST Figure 2-1: The IT Security Learning Continuum

Security Awareness

Awareness refers to having knowledge of a situation or fact. According to NIST’s glossary of terms, “Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly.” Examples of awareness activities include anti-phishing posters placed in common areas, discussions of stronger passwords at staff meetings, and informational videos distributed via email.

It's critical to build your security training program on a strong foundation of awareness. The only way we can expect teams to innately understand existing risks, let alone react to them, is to give them guidance. That guidance begins on an employee's first day by including cybersecurity awareness as a required part of the initial onboarding process.

NIST, for example, suggests building an awareness session (or the awareness materials you distribute) around virus protection. You can address the subject simply and briefly by describing what a virus is, what can happen if a virus infects a user’s system, what the user should do to protect the system, and what the user should do if a virus is discovered.

NIST’s guide to IT security training requirements (known as SP 800-16) describes a transition stage between awareness and training called Security Basics and Literacy. At this stage, users learn a core set of terms, topics, and concepts. During the literacy stage, information is not tied to specific tools or systems. Literacy delivers basic concepts so that users can move on to more robust training programs, and it prioritizes personal responsibility and behavioral change.

Security Training

NIST SP 800-16 defines training as the part of the continuum that “strives to produce relevant and needed security skills and competencies by practitioners of functional specialties other than IT security (e.g., management, systems design and development, acquisition, auditing).” The most significant difference between awareness and training is that awareness seeks to focus an individual’s attention on an issue or set of issues, while training seeks to teach skills that allow a person to perform a specific function.

Awareness is a basic necessity, but training is the difference maker when it comes to truly safeguarding an organization’s sensitive information. And delivering information security training one time per year is simply not enough. You should plan to spread awareness and training activities across the year to provide greater persistence. Because cyber threats are constantly changing, the awareness and training program must be agile enough to provide information regarding the latest threats.

Security Education

NIST SP 800-16 defines education as the realm of people seeking a career in security. NIST says, “The ‘Education’ level integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge, adds a multidisciplinary study of concepts, issues, and principles (technological and social), and strives to produce IT security specialists and professionals capable of vision and pro-active response.” Education goes beyond basic security courses and training. In NIST’s view, education is accomplished through a degree program at a college, university, or other educational forum.

You don’t need to give everyone a formal security education to establish a successful security program. Awareness and training, however, are integral to a security-minded business culture.

Pratum’s team can help you create an awareness and training program tailored to your team’s specific needs. To get started on your program, contact us today.
