Thursday, January 24, 2019

Secure Translations - Security first, then Compliance - Part 5 of Many

Let me Google "Compliance is not Security" for you. Wow! That is a lot of hits. Of course the reverse is also true "Security is not Compliance". What is the big deal?

This is the 5th post on my Secure Translation series, and this time I would like to look into two common threats: Lack of Security first approach and lack of Compliance.

People hear me constantly saying "culture comes before tools" or "culture first, then tools" and this expression summarizes the answer to the "Compliance is not Security" debate. You need both, period. However you cannot be compliant without having security, neither you can be secure without compliance. Definitely "Security first, then Compliance" but do not interpret that as you do not need compliance. You need compliance to complement your security as much as you need tools to complement your organization's culture.

Let us go as usual through our effective quantitative risk management framework to analyze these threats.
  • Threat: Not implementing a security plan and/or not adhering to compliance standards.
  • Asset: Any service used to serve customers including those provided by your service providers like Language Service Providers (LSP).
  • Vulnerability: Not implementing a security plan leaves critical resources vulnerable. Not adhering to compliance standards leaves the security plan unchecked.
  • Risk: The impact of ignoring security and/or compliance is high for the business and the likelihood for any compromises increases to the roof. These threats are therefore at the top of high risk exposure for any business.
  • Safeguard: Use a security plan that adopts an existing well known framework like NIST or a combination of multiple frameworks. Make sure all your service providers including Language Service Providers do have a SOC 2 Type II report (only a type II report matters here, do not go for less) to comply with the highest security compliance standards in USA and an ISO 27001 certification to globally comply with the highest international security standards. If your LSP does not hold these reports and certifications or if they just hold a certification and you are expecting to receive secure translations, you need to ask for their Information security risk assessment process, their Information security risk treatment process, the Results of the information security risk assessment, the Results of the information security risk treatment, the Evidence of the monitoring and measurement of results, their documented internal audit process, the Evidence of the audit programs and the audit results, the Evidence of the nature of the non-conformities and any subsequent actions taken, the Evidence of the results of any corrective actions taken. You need to check the credentials of the CPA firms that performed the audits, if they are authorized to perform these attestations, and whether they are providing attestations to technology leaders. Many LSPs will mention SOC 2 reports but all they are saying is that their services are hosted in data centers that hold such report. This is a major issue because they are per GDPR your processors and they should be the ones holding these reports to claim that they are providing secure translations. Other LSPs mention the existence of a SOC 2 report which is not updated annually. There are some LSPs that do have a SOC 1 or even a SOC 2 type I but those won't fit the bill. They must have a SOC 2 type II report for attestation that they produce secure translations. Do review the report, search for the exceptions found and how they are monitoring their service providers' SOC 2 Type II reports as well. Under GDPR they become controllers of your data when other third parties are in charge of hosting databases, files and system processes. If your current LSP does not proof they hold a SOC 2 Type II report look for one that does. If your LSP is not security compliant, such organization cannot provide secure translations. If your LSP does not have a robust security plan that includes internal and external annual controls, then such company cannot deliver secure translations. If an LSP holds an ISO 27001 certification you should ask for the statement of applicability (SOA) to validate that the Information Security Management System (ISMS) applies controls that address the type of risks that your company expects to see based on your own ISMS.
A note of caution here would be that if you have a strong internal audit department and the budget to incur in your own audits of your LSPs and their providers, then you might be able to make business with a non certified or non report holder however I would question the cost effectiveness of such path. Better to audit attestations than auditing full plans, policies and internal controls for several controllers and processors down the complicated hierarchy of service providers.

In my next post I discuss privacy breach threats.

You can follow the "Secure Language Translations" series in this blog, on linkedIn, Twitter or Google+. My objective is to educate executives and managers but also to help engineers in reducing the organization risk through sound security measures.

No comments: