
Choosing the Right Approach to “Proving you’re Secure”

A best-practices guide to security attestation from Pivot Point Security


An increased emphasis on "Vendor Risk Management" has escalated the importance for business process outsourcers
to be able to prove they are secure and demonstrate they are compliant (attestation). The challenge is determining
the approach that best meets your requirements.
We developed this hand-out to simplify the process of choosing the best approach to attestation.

Column headings of the comparison table: OPTION* | COST | LEVEL OF ASSURANCE | INDUSTRY ACCEPTANCE | INTERNAL RESOURCES | TIME TO PERFORM | TYPE OF TESTING

Vulnerability Assessment
  Industry acceptance: May be acceptable, but a Penetration Test is more commonly used.
  Type of testing: Compliance - Proves the "net" solution is not vulnerable.

Penetration Test
  Industry acceptance: Widely accepted as validation of overall security level. Can be used independently or in concert with design/compliance tests to provide much higher levels of assurance.
  Type of testing: Substantive - Proves the "net" solution cannot be impacted by a malicious individual.

Security Roadmap
  Industry acceptance: Widely used to maintain a relationship with a client who has recently enacted a much more stringent set of security requirements for its vendors.
  Type of testing: Design - Likely only acceptable when coupled with a substantive form of proof as well.

Secure Data Flow Diagram
  Industry acceptance: Excellent mechanism to succinctly demonstrate security. Generally used with other forms of assurance, or where more formal documentation of controls is not available.
  Type of testing: Design - Proves that the design of the environment is reasonable and appropriate.

System Security Plan (or Information Security Policy Document)
  Industry acceptance: Widely accepted - many firms request this information in the form of control questionnaires.
  Type of testing: Design - High level of assurance that the design of the environment is reasonable and appropriate.

Design Review (e.g. Network, Application, Solution, SDLC, Incident Response)
  Industry acceptance: Low to High (dependent upon the vendor and the ability of critical risks to be mitigated by a small set of controls).
  Type of testing: Design - High level of assurance that the solution element reviewed will mitigate specific risks to an acceptable level.

Gap Assessments against Client, Regulatory or Best Practices Standards (e.g., HIPAA, PCI, etc.)
  Industry acceptance: Moderate to high level of acceptance, dependent upon the extent/rigor of the assessment, the "relevance" of the standard chosen, and the independence of the entity conducting the assessment.
  Type of testing: Design - High level of assurance that the design of the controls achieves the reference standards.

BITS Shared Assessment (essentially ISO 27002)
  Industry acceptance: Widely used/highly regarded in the financial sector. See Gap Assessments. This is an ISO 27002 based standard.
  Type of testing: Design - Assurance that the design of the environment is consistent with Shared Assessments.

ISO 27002 Gap Assessment
  Industry acceptance: Internationally recognized as the leading information security "standard" for more than a decade (formerly ISO 17799).
  Type of testing: Design & Compliance - Assurance that the design of the environment is consistent with industry best practice (ISO 27002).

ISO 27002 Compliance Assessment
  Industry acceptance: Validates both the design and operation of 27002 controls, providing a very high level of assurance.
  Type of testing: Design & Compliance - Assurance that the controls are in place and operating as intended.

SAS-70
  Industry acceptance: Validates that the documented controls are in place and operating as intended, as well as providing some assurance of the design.
  Type of testing: Compliance - Assurance that the controls are in place and operating as intended.

ISO 27001 Certification
  Industry acceptance: Internationally recognized certification of the design/operation of the technical controls (27002) AND the Information Security Management System that governs them.
  Type of testing: Design & Compliance - Internationally recognized certification that the design and operation of the environment are secure.

* see reverse for detailed descriptions of options    www.pivotpointsecurity.com - or 1.888.PIVOTPOINT
A Glossary of Terms

Vulnerability Assessment
Automated identification of vulnerabilities on one or more of the key components (e.g., network, systems, applications, databases) supporting your customers' service.

Penetration Testing
Automated identification of vulnerabilities on one or more of the key components (e.g., network, systems, applications, databases) supporting your customers' service, followed by manual penetration testing intended to demonstrate the probability of the vulnerabilities being exploited and the associated impact.

Security Roadmap
A roadmap detailing the migration of the environment to a much stronger security posture.

Secure Data Flow Diagram (SDFD)
High-level data flow diagram depicting key security treatments of data throughout the solution lifecycle.

System Security Plan (or Information Security Policy Document)
Detailed documentation of the Policies/Standards/Procedures relating to the solution.

Design Reviews (e.g. Network, Application, Solution, SDLC, Incident Response)
Deep dive into solution specifics that align with critical risks.

Gap Assessments (against Client or Regulatory Standard)
Detailed review of the controls in place (management/technical/operational) and determination of whether they are "consistent" with the reference standard.

BITS Shared Assessment
Detailed review of the controls in place (management/technical/operational) and determination of whether they are "consistent" with the ISO 27002 standard.

ISO 27002 Gap Assessment
Detailed review of the controls in place (management/technical/operational) and determination of whether they are "consistent" with the reference standard.

ISO 27002 Compliance Assessment
Verification that the design of the controls is consistent with the ISO 27002 standard and that the controls are actually in place and operating as intended.

SAS-70
Verification that the controls specified by the organization are actually in place and operating as intended.

ISO 27001 Certification
Verification that the Information Security Management System (the process of operating Information Security) is compliant with ISO 27001 and the best practices detailed in ISO 27002.



We make it simple to know you're secure and prove you're compliant.
