Brad Thies, Author at ReadWrite (https://readwrite.com/author/brad-thies/), IoT and Technology News

3 Steps to Implement SOC Reporting in Your Business
https://readwrite.com/3-steps-to-implement-soc-reporting-in-your-business/ (published Tue, 13 Aug 2019 14:00:48 +0000)


The post 3 Steps to Implement SOC Reporting in Your Business appeared first on ReadWrite.

System and organization control (SOC) reports are a vital part of businesses’ risk management programs. They are market-driven reports that businesses worldwide rely on to assess risk. These reports use the latest standard, SSAE 18 (which supersedes previously cited standards, including SSAE 16, AT-101, and SAS 70). Here is how to implement SOC reporting in your business.

Although SOC reports are not a regulatory requirement, there are still compelling reasons to use them. For starters, they provide an audit-based opinion from an independent party, which increases transparency and builds trust between the service provider and its customers. Companies take a leap of faith when they send all their data to a service provider, and your customers’ auditors are likely to ask to see your SOC reports if they haven’t already.

Service organizations such as software-as-a-service companies or payroll processors, in particular, can benefit greatly from SOC reports. More recently, SOC reports have also become useful to organizations beyond service providers that want a standardized report on their cybersecurity programs.

SOC reports serve as standardized reporting metrics for how companies address emerging risks.

In a time when breaches and data security are top of mind, SOC reports can reduce the number of questions from your customers that pertain to security during the request for proposal process. They might also reduce the volume of audits required by your customers.

Security regulations and guidelines such as HIPAA, FFIEC, and others require third-party (sometimes fourth-party) vendor risk management. A review of SOC reports has become a standard request to support customers’ vendor management programs.

3 Steps to Implement SOC Reporting

SOC reports can be a significant benefit for many businesses, as long as they’re used effectively. That requires a few steps that are well within reach of most businesses:

1. Do your research.

Given the importance of SOC reports, make sure your team is informed. If your company is still unsure whether your current control environment is ready for a SOC report, consider reviewing the American Institute of CPAs’ SOC criteria.

Additionally, a readiness assessment can be performed by a CPA firm. This assessment can alleviate concerns about security and compliance reporting before undergoing a future examination, and it can identify weaknesses that need correction and validate the scope of the report.

2. Determine which type of SOC report is right for you.

It’s essential to understand the differences between the SOC reporting options: SOC 1, SOC 2, SOC 3, and SOC for cybersecurity are the current suite of SOC reports (SOC reporting for supply chains is in development). In a nutshell, SOC 1 focuses on internal control over financial reporting.

This report does not come with predefined criteria, but it typically focuses on general IT controls and business transaction processing controls. SOC 2, SOC 3, and SOC for cybersecurity, on the other hand, are focused on a standard set of cybersecurity criteria, including security, and optional incremental criteria, including confidentiality, processing integrity, and privacy.

To determine which report is necessary or the most beneficial, focus on the services you provide to your customers:

  • If your services impact your customers’ financial statements, choose SOC 1.
  • If your services include processing or storing client data, opt for SOC 2.
  • If services relate to customer financial statements and include processing and storing customer data, both types of reports are warranted. SOC 3 is a shorter version of SOC 2 and is intended as a public-facing report.
  • SOC for cybersecurity is a newer report with a broader focus that can expand to the entire organization or select business units rather than merely a product or service.

3. Ensure you have leadership in place to oversee reporting.

SOC reports can be instrumental in cybersecurity reporting, an essential concern for many companies. They can also benefit internal board reporting regarding threats from data breaches and other cybercrime. Plus, private equity firms conducting due diligence on cybersecurity practices before making a deal can use these reports as a standardized tool. But to reap these kinds of benefits, businesses have to have the right leadership in place.

Whether your business opts for SOC 2, SOC 3, or SOC for cybersecurity reporting, the chief information officer (or, better yet, the chief information security officer or other designated member of the security committee) should be responsible for ensuring that controls for in-scope systems are designed, implemented, and operated effectively. They must also monitor service commitments to customers.

Many of the SOC criteria are based on the company’s commitments to its customers, so management must ensure compliance with those commitments. That responsibility covers controls over the infrastructure, software, people, procedures, and data.

CISOs should also select the trust services criteria (e.g., security, confidentiality, availability, privacy, and processing integrity) that apply to the system in scope. Management must also provide an assertion about the system description and about the suitability of the design and operating effectiveness of its controls.

Once businesses have done their homework, decided which type of report is the best fit, and made sure they have leadership in place to oversee reporting, they can begin to reap the numerous benefits of SOC reports.


The Cloud-Based Company’s 4-Step Guide to Mobile Device Management
https://readwrite.com/the-cloud-based-companys-4-step-guide-to-mobile-device-management/ (published Thu, 09 May 2019 00:00:00 +0000)



Thanks to the prevalence of bring-your-own-device programs and increasing reliance on mobile work, the need for high-quality mobile device management is higher than ever. To meet this demand, company leaders must understand what comprises a good mobile device management (MDM) strategy and how to implement one effectively; the four steps below walk through it.

Today’s employees love their smartphones, but not all of them are eager to use personal devices at work. Concerns about data privacy make many workers leery about handing over access to their employers. Evolving reliance on cloud technology multiplies points of access, too, which further complicates the issue.

The “bring your own device” (BYOD) culture will continue to expand, which means companies must find the balance between privacy and safety.

One recent report found that the BYOD market will hit a compound annual growth rate of more than 17 percent by 2023. Businesses need to implement smart, scalable MDM strategies to keep their operations protected and powerful.

For many companies, that task is too big to manage alone. Employee concerns, data protection, cloud technology familiarity, and other MDM issues all require a full staff to manage them. To thrive in a rapidly evolving MDM space, organizations are turning to MDM partner companies to manage their business needs and compliance challenges. These partners provide significant help to companies looking for guidance and clarity in a BYOD-driven world.

To get the most from your MDM partnership, keep your employees happy. You’ll also want to fulfill the needs of your business as it grows — so follow this four-step guide on MDM mastery:

1. Establish an acceptable use policy.

Every device that accesses company data must pass muster. Create an acceptable use policy to set the foundation for mobile device use at your business; it will govern the way your company handles everything from new device onboarding to employee departures.

A good policy should outline parameters such as encryption, passwords, and device lock. You will want to implement a detailed BYOD plan that provides guidelines for using personal devices at work. With 85 percent of companies now embracing BYOD plans and employees increasingly concerned about their privacy, acceptable use policies protect and reassure everyone involved. Reinforce this policy through security awareness programs as part of creating a culture of security at your organization.

2. Choose the right applications.

Choose applications that are easy to use and helpful to the company. For example, some applications store data locally on the device while others do not. Working inside the cloud provides employees access to countless applications, so be judicious when assessing your options. Err on the side of caution, and use only applications that provide essential benefits to your business.

Using too many apps can lead to forgotten passwords and IT headaches — not to mention security concerns from an abundance of access points. Thirty percent of enterprises think security is the most prominent obstacle to BYOD adoption — and app selection is a critical component of maintaining data security.

3. Restrict access to settings.

Employees don’t need access to everything. Excessive access can lead to data breaches, unintentional and otherwise, and breaches grow costlier every year. Kaspersky found that the average cost of a data breach at a small business spiked from $88,000 in 2017 to $120,000 in 2018.

Working online in shared workspaces creates opportunities for information loss or misuse. Sadly, only 56 percent of companies have the power to employ key tactics like remote wipes of sensitive data.

When working in the cloud, restrict access to shared application settings to keep the system safe. Access restrictions protect companies from malicious acts and accidents alike. Only a few users need master access, depending on the size of the company and the practicality of implementation, so make exceptions for tight security only on a need-to-use basis.

4. Find an MDM service to fit your needs.

Many MDM services can help you manage your mobile devices. Depending on the operations of your company and the services you require, your options for MDM partners may vary. Conduct thorough research on potential candidates to find the best one for your organization.

The right partner should make it easy for you to stay compliant on information security issues, such as tracking devices and maintaining updates. Your MDM service should empower your company and protect it. In a cloud environment, endpoint management should complement your MDM, which can detect suspicious authentication from devices, enforce multifactor authentication, detect malware, and detect suspicious ingress and egress activity.

Most MDM services work by installing a bit of software on user devices. This software can handle everything the business needs, but companies should be mindful when implementing MDM services with BYOD populations. Many employees might be leery of allowing an MDM solution on their personal devices. Consider employee sentiment, and be prepared to answer questions about privacy before moving forward with a new service.

Reliance on cloud technology and the prevalence of smartphones will only grow stronger in the years ahead. 

To operate effectively in this environment, take the precautions outlined in this guide and work with employees and your vendor to keep your company and information safe. The challenges of mobile device management will continue to evolve, but with the right mindset, tools, and partners, you can stay ahead of the curve and keep your business safe.


Security Teams Need to Be Prepared With an Incident Response Plan
https://readwrite.com/security-teams-need-to-be-prepared-with-an-incident-response-plan/ (published Tue, 08 Jan 2019 16:00:11 +0000)



Investors are more worried than ever about digital threats. Respondents to PricewaterhouseCoopers’ 2018 “Global Investor Survey” named cyberthreats the top threat to businesses — a leap from fifth place the previous year.

Those fears are justified. Research published last December by SafeBreach, which studied 3,400 security breach methods, reported a malware infiltration success rate above 60 percent. Once inside the systems, hackers had an even easier time moving around than they did trying to get in. In fact, 70 percent of them were able to navigate through systems laterally.

Security leaders are right to be concerned, but identifying breaches is easier said than done. Just because something is abnormal does not mean the system is breached, and sometimes the system is breached well before anything abnormal happens. When the time comes to take action, many teams are unable to even diagnose the problem.

A true security incident refers to something that could negatively impact information security objectives like confidentiality, integrity, or availability. When something in the system triggers an alert or looks unusual, security teams need to have a protocol in place to diagnose, act on, and neutralize the issue. An effective incident response plan can be the difference between an easily fixed vulnerability and a catastrophic security breach.

What Makes a Security Response Plan Legit?

Unfortunately, the variable nature of cybersecurity incidents makes preparation difficult. Putting together an incident response plan is like preparing for a tornado — you won’t truly know the extent of the damage until the storm has arrived. You can, however, plan several effective courses of action and gather everything you’ll need to respond.

Designing an incident response plan takes time, but it’s far less stressful to plan before an event than during or after one. Some time-strapped businesses might be tempted to download a generic security plan off the internet, but without the time investment on the front end, nobody in the organization really buys in to the plan or studies it in depth. So when an incident occurs and some of the protocols in a generic plan — for example, taking 72 hours between the time of incident and communication of incident — conflict with organizational needs, nobody is really sure what to do.

Europe’s GDPR legislation has a section attempting to provide some standardization for incident response, but those guidelines only provide a starting point for organization-specific plans. CISOs and their teams face too many variable questions to depend on cut-and-paste plans. If the company has been negligent in its obligation to monitor its environment, does it account for that? How do the company’s internal controls identify an incident in the first place? Does the organization possess the necessary tools and people to follow through with a plan? There are a lot of questions, and it’s up to the CISO to find the answers and include those answers in a customized plan.

CISOs Stepping Up

CISOs oversee the entire security operation, so when a crisis does hit, it’s incumbent upon them to lay out a clear direction for each stakeholder on the incident response team. This includes security, legal, and forensic employees (often outside consultants); law enforcement (often the FBI); relevant regulators; insurance companies; the PR department; human resources; and anyone else who might be affected by a breach. Knowing when to involve third parties and when to keep the process in-house should be included in each organization’s incident response plan, which is part of the reason customization usually leads to more effective plans.

Frameworks such as the NIST Cybersecurity Framework can help organize a cybersecurity program through four distinct steps: identify, detect, respond, and recover. By using this framework as a jumping-off point, CISOs can assemble and implement an incident response plan that works for their organization and leaves as little to chance as possible.

Just as important as the plan’s existence is its maintenance. Threats evolve, and regular testing and revising of an incident response plan will keep the team engaged. Identification of new threats is the biggest hurdle, but those new threats require new kinds of responses, too.

No company should be breathing easy without a robust incident response plan. The next cybersecurity threat is always just around the corner, and ill-prepared companies run a huge risk for themselves and their customers.


Could the General Data Protection Regulation Be the First Step Toward Real Data Protection?
https://readwrite.com/could-the-general-data-protection-regulation-be-the-first-step-toward-real-data-protection/ (published Wed, 27 Jun 2018 17:00:42 +0000)



If you scour the internet for your personal data, stop. It’s already out there in the hands of companies, and no number of removal requests will change that. What you should be worried about is whether executives at these companies are asking themselves the right question: What constitutes ethical use of consumer data?

What if you discovered, for example, that data your company has could cure cancer? Would you have an ethical obligation to disseminate that data even if your data source would prefer you didn’t? Is it OK if you’re profiting off of someone’s data without that person’s consent? What if you work at a health insurance company that denies someone coverage because he or she Googled “cancer” one too many times? What should you do?

That, in a nutshell, is the data dilemma that business leaders are facing. Collection isn’t the issue; use is.

A Question of Right and Wrong

When it comes to their data, many Americans see a black-and-white issue. In fact, 43 percent of them dislike their digital devices monitoring their activities, even when that data could be helpful on a personal or societal scale.

But how can data collection be morally “wrong” when it’s the backbone of so many services we use? How many lives and gallons of fuel have been saved by Google Maps’ turn-by-turn directions? How many jobs have been found by software that matches applicants’ attributes to open positions? How many human connections have been built through social media platforms that suggest friends?

When used responsibly, data can do a lot of good. In fact, it’s vitally important to today’s economy. Just as oil fueled the Industrial Revolution, data makes possible personalized digital services from Spotify to Google to Amazon. Outlawing collection would irreparably stifle innovation and progress.

But data can also do a lot of damage. Dictators love data because it makes cracking down on dissent incredibly easy. Social media platforms use data to sell targeted ads to actors such as Russia that divide societies with inflammatory, eye-catching propaganda. Over and over again, companies such as Equifax spill hundreds of millions of Americans’ financial data all over the web.

Mere collection of consumer data is morally neutral, and ending it would imperil the world’s economy. When companies, governments, or other entities use that data in ways that benefit them while adversely affecting others, that’s when ethical problems arise. That’s what we must find a way to regulate.

A Framework for Ethical Data Use

On May 25, the first large-scale attempt to balance data’s innovatory prowess with its potential for abuse went into effect. After two years of planning, the European Union rolled out the General Data Protection Regulation.

Although time will tell how effectively government can regulate and enforce data protections, GDPR will create a formal system of checks and balances. EU citizens domiciled in the Union will gain certain rights over their data such as the “right to be forgotten,” “right to access,” “right to correct,” and “right to object.” The companies collecting or processing their data will be held responsible for protecting consumers’ privacy and preventing breaches.

But the world can’t wait decades to decide whether or not GDPR works. The truth is that the companies that collect and use data need to take responsibility. Today, too many are mining consumers’ data without having a real reason to do so. Some don’t even know how they’ll use the information in the future.

Facebook is a particularly avid data collector. The company knows the car you drive, your favorite foods, how often and where you travel, the type of phone you use, the charitable donations you make, your political leanings, and much, much more. Facebook might even know you better than you know yourself. Does Facebook need all that data? At best, no. At worst, Facebook is selling private information to companies and governments that don’t have its users’ best interests at heart.

Not only is collecting unnecessary information unethical, but it’s also dangerous for both the consumer and the company doing the collecting. Every piece of stored data is one that could be leaked or stolen. That creates headaches for users, corporate compliance officers, and PR teams.

Before mining consumer data, online or off, corporate leaders must consider whether it aligns with their business mission and vision. If it’s not useable today, it shouldn’t be stockpiled for a rainy day. If it is useful today, the data collected should be anonymized, used in a way that benefits the consumer, and disposed of when it’s no longer needed.

Of course, most companies aren’t doing those things. No wonder just one in four consumers think that most companies handle their sensitive data responsibly, while one in 10 think they have complete control over their data.

To close the trust gap, companies must be transparent. Individuals whose data is collected deserve to know why, how it’s going to benefit them, and the steps the collector takes to strip it of identifying information. People will only start trusting companies with their data when those companies give them a reason to do so.

But don’t companies already seek consent and share data use details through end user licensing agreements (EULAs) and similar privacy agreements? You know, the kind you mindlessly scroll through and then click “I accept” at the end?

Technically, they do. But beyond the fact that most people would need a lawyer to understand them, EULAs tend to be overly broad, enabling “any use” the company deems acceptable. Then, once a user has accepted one, he or she has no real way of opting out of collection. Almost across the board, EULAs strip consumers of leverage they’d otherwise have against a company that uses their data unethically or unlawfully.

Even by collecting data on an “as needed” basis and improving consumer protections, however, companies can’t totally prevent breaches. So why not make that breached information worthless? In other words, why not anonymize and open-source all consumer data?

This would be a radical departure from how we currently handle data. Think of it as a centralized database or an open-sourced ombudsman in which no one entity owns the information. Everyone would be able to see what data is collected, by whom, how it’s used, and who it’s shared with. Rules about how data should or shouldn’t be used would be made collectively rather than by one company or government.

Will we get to a point when all data is openly shared? Probably not for decades or perhaps not at all. But we need a better answer than we have today. For the information economy to work, consumers must be able to trust companies with their data. Until we develop greater protections, consumer distrust will hinder innovation, just as banning all data collection would.

Data’s ethical dilemma won’t be solved today or tomorrow, but it will be sooner or later. If companies won’t decide to take better care of consumers’ data, governments or the free market will do it for them.
