Would You Buy a Car Without Seat Belts?
Recent headlines said, “Network ransacked in huge brute-force attack” (Source: The Register) and “Hackers break SSL encryption used by millions of sites” (Source: Huffington Post), among the many other security and privacy stories that fill the news outlets every time I look and listen.
The problem is not some new phenomenon, but one that repeats itself again and again throughout human history. Complacency, deregulation and a lack of oversight repeatedly represent the 1-2-3 knockout count for organizations. We already have everything we need to fix the fundamental problem: an alternative 1-2-3 knockout count of governance, technological control and vigilance.
Through governance, basic rules and requirements are established; through technological controls, a steadfast mechanism applies that governance without bias; and finally, through vigilance, those processes, procedures and controls are tested.
Just as a modern automobile has standard safety equipment such as seat belts and air bags, modern business and consumer applications and their supporting technology have security components that come standard. Some people may choose not to wear those seat belts and eventually end up head first through the windshield and in the morgue as a result. The same is true of your business and consumer technology. If the security components are not used properly, a breach or privacy invasion with ensuing litigation or identity crisis is sure to follow. The end result may very well be the bankruptcy morgue.
As a corporate consumer, how do you verify that everything that can be done to protect privacy, security and intellectual property is in place and functioning correctly?
One method is to look for independently verified, internationally recognized certifications of those control environments, issued by reputable organizations. One such certification for commercial organizations is the SSAE 16, otherwise known as the Standards for Attestation Engagements Number 16, an internationally recognized third-party assurance audit designed for service organizations. It is also the international standard that replaced the now defunct SAS 70.