Continuum Clarifies What SSAE 16 Compliance Means

When contracting with a service provider, such as a data center, it is important for companies to ensure that their provider possesses the cyber security-related certifications and compliance standards that are applicable to the company’s industry. Data centers, as well as service providers who contract with data centers, sometimes claim to be “SSAE 16” certified. In an effort to cut through the noise and clear up some of the confusion regarding SSAE 16 compliance, Continuum would like to clarify what SSAE 16 compliance is—and isn’t.

What is SSAE 16?

SSAE 16 is an internationally recognized auditing standard for service organizations. It was developed by the American Institute of Certified Public Accountants (AICPA) and replaces the previous standard, SAS 70. SSAE 16 reporting helps service organizations comply with the requirements of Sarbanes-Oxley (section 404) to demonstrate effective internal controls covering financial reporting. SSAE 16 applies to data centers that host systems involved in their clients’ financial reporting, as well as web hosting providers, ASPs, and ISPs that perform services relevant to their clients’ financial reporting.

There are three types of reports that can be issued: a SOC 1, a SOC 2, or a SOC 3, each of which addresses different controls. Performing an SSAE 16 audit and issuing a SOC report demonstrates a service provider’s commitment to maintaining a sound control environment that protects their clients’ data and confidential information.

Some service providers who use SSAE 16-compliant data centers imply that they are, somehow, SSAE 16 compliant by proxy. This is not the case; just because you use a provider who is SSAE 16 compliant does not mean that your company is SSAE 16 compliant, and to imply such is black-hat marketing.

There is No Such Thing as SSAE 16 “Certification”

A Google search on “SSAE 16” reveals numerous instances of companies claiming to be “SSAE 16 Certified.” Organizations are compliant with SSAE 16; there is no such thing as becoming “SSAE certified.” SSAE 16 has to do with issuing SOC reports; no “certification” is awarded to anyone. Beware of any service provider that claims to possess an SSAE 16 “certification” or purports to be working towards getting one.

Need SSAE 16 Compliance Auditing Services?

If you have questions about SSAE 16 compliance, or if your company needs SSAE 16 auditing services, Continuum can help! Continuum provides both do-it-yourself and Cybervisor®-supported SSAE 16 modules to support SOC 1, SOC 2, and SOC 3 audit reports.

Continuum’s primary purpose is to help organizations attain, maintain, and demonstrate compliance and information security excellence, in any jurisdiction. Continuum GRC specializes in IT security, risk, privacy, governance, cyberspace law and compliance leadership solutions and is fully dedicated to global success in these disciplines. Learn more about Continuum GRC and why Continuum is Proactive Cyber Security™!

Spear Phishing: Don’t Take the Bait!

Following a string of high-profile incidents that began earlier this year, the healthcare industry has been highly focused on preventing ransomware attacks. IoT security has also emerged as a growing concern. However, healthcare organizations (as well as businesses in other industries) cannot afford to ignore another growing threat: spear phishing.

Like regular phishing, spear phishing involves sending legitimate-looking but fraudulent emails asking users to provide sensitive information and/or initiate wire transfers. However, while regular phishing emails are sent out en masse to the general public, spear phishing emails are highly targeted and sent to specific, predetermined victims, usually a small group of people working at a specific company.

In a recent press release, the Federal Bureau of Investigation warned of a dramatic rise in a type of spear phishing known as a “CEO email scam” or a “business email compromise scam.” According to the FBI, from October 2013 to February 2016, law enforcement identified 17,642 victims, totaling $2.3 billion in losses. Since January 2015, reports of spear phishing have increased by 270%.

Main Line Health Attack Proves that Employee Data Is at Risk

In February 2016, while everyone’s attention was focused on the Hollywood Presbyterian ransomware attack, Main Line Health, which operates four hospitals near Philadelphia, was hit by a spear phishing scheme. Emails were sent to employees, purportedly from the organization’s CEO and CFO, requesting employee payroll and W2 information. While some employees immediately realized the emails were fraudulent and reported them to management, at least one employee was tricked into sending the requested information to the hacker. As a result, Main Line Health had to notify its employees that their personal information may have been compromised and offer them free credit counseling and monitoring services.

When healthcare organizations think about cyber security, they usually focus on patient data protection. However, the hackers who compromised Main Line Health were not after patient data but employee data, and the attack may have been connected to a very large spear phishing scheme targeting HR and payroll professionals in various industries nationwide. It is suspected that the hackers running the scheme intended to use the stolen data to file fraudulent tax returns.

How to Protect Against Spear Phishing

Email spam filters can be adjusted to recognize emails from suspicious sources and block them before they reach employees’ inboxes. However, some phishing emails will undoubtedly still get through. The best way to protect against spear phishing is to teach employees how to recognize the telltale signs of a spear phishing email, such as:

  • The salutation and/or the closing seem odd. For example, management normally refers to you as “William” or “Mr. Doe,” but the email is addressed to “Bill.” In the case of Main Line Health, the closing is what alerted one employee to the fraud; the email message, which purported to be from the CEO, was signed “John Lynch,” but the employee knew that the company’s CEO goes by “Jack.”
  • The request is unusual and/or does not follow normal company protocol. For example, the email is asking for employee W2 information, but requests like this are not normally handled through email or by the employee who received the request, or the person who allegedly sent the email has never requested similar information before, or it’s unusual for the person who allegedly sent the email to directly contact that particular employee.
  • The wording and tone of the email are stilted. Many spear phishing attacks are launched by foreign hackers who are not fluent in English; the email may be riddled with punctuation, spelling, or grammar errors, be worded oddly, or use British spelling. The wording may also be overly formal – or overly casual.
  • The domain the email was sent from is incorrect. Instead of “yourcompany.com,” the email may have been sent from “yourcompany.com-xyz.com” or some other derivative.
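The last sign above, a sender domain that merely contains the company’s domain (“yourcompany.com-xyz.com”), can be checked mechanically before a message reaches an inbox. The following is an added example, not code from the original post: a small triage function that parses a From: header and classifies the sender as internal, lookalike, or external. The company domain, the executive name list, and the sample headers are constructed placeholders.

```python
import email.utils

# Constructed sample From: headers (not taken from the original post).
SAMPLE_HEADERS = [
    'From: "Jane Doe" <jane.doe@yourcompany.com>',          # genuine
    'From: "Jane Doe" <ceo@yourcompany.com-xyz.com>',       # derivative domain
    'From: "Payroll" <hr@mail.yourcompany.com>',            # real subdomain
    'From: "Jane Doe" <jane.doe@yourcompany.co>',           # truncated lookalike
    'From: "Vendor Support" <support@vendor.example>',      # unrelated external
]

# Hypothetical list of executives whose names a spoofed mail might carry.
EXECUTIVES = {"jane doe"}


def sender_parts(from_header: str) -> tuple[str, str]:
    """Return (display_name, domain) from a raw From: header line, lower-cased."""
    _, _, value = from_header.partition(":")
    name, addr = email.utils.parseaddr(value.strip())
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), domain


def classify_sender(from_header: str, company_domain: str) -> str:
    """Classify the sender domain relative to company_domain.

    "internal"  - exactly the company domain or one of its subdomains
    "lookalike" - not internal, but the company's distinctive label appears in
                  the domain (catches "yourcompany.com-xyz.com", "yourcompany.co")
    "external"  - any other domain
    """
    company_domain = company_domain.lower()
    _, domain = sender_parts(from_header)
    if domain == company_domain or domain.endswith("." + company_domain):
        return "internal"
    label = company_domain.split(".")[0]  # e.g. "yourcompany"
    if label in domain:
        return "lookalike"
    return "external"


def impersonates_executive(from_header: str, company_domain: str) -> bool:
    """True when an executive's display name arrives from a non-internal domain."""
    name, _ = sender_parts(from_header)
    return name in EXECUTIVES and classify_sender(from_header, company_domain) != "internal"


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        verdict = classify_sender(header, "yourcompany.com")
        flag = " EXEC-SPOOF" if impersonates_executive(header, "yourcompany.com") else ""
        print(f"{verdict:9}{flag}  {header}")
```

A lookalike verdict is a triage flag for a human or quarantine rule, not proof of fraud; an unrelated domain that happens to contain the label will also be flagged.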

Employees should be taught that if something seems “off” about an email, they should consult a supervisor or IT security personnel before responding to it. Additionally, as part of your organization’s overall cyber security plan, a firm protocol should be established regarding requests for sensitive employee and patient data, and employees should be trained not to release sensitive data unless the protocol is followed.

In addition to using email spam filters to intercept suspicious messages, training employees to spot spear phishing emails, and implementing a solid security plan that includes protocol for the release of sensitive data, it’s a good idea for healthcare facilities to enlist the services of a professional cyber security firm such as Continuum GRC. The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your healthcare organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 or book some time with us to discuss your organization’s cyber security needs and find out how we can help you protect your facility’s employee and patient data.

The Citadel Breached – The Cyber Security Act of 2015

Continuum GRC unveils the next generation of cyber-crime prevention for organizations with NIST and SEC, NFA compliance requirements in concert with the Cyber Security Act of 2015.

Continuum GRC released the next generation antidote to fight cyber crime, compliance failures, corporate fraud and criminal cyber-misconduct with the IT Audit Machine (ITAM IT audit software).

Continuum GRC releases the next generation of cyber security crime prevention addressing breach epidemic in concert with the Cyber Security Act of 2015.

Considered to be the best assessment tool for governance, risk and compliance (GRC) in the global business community in compliance with the Cyber Security Act of 2015, this next generation of ITAM IT audit software ups the ante by managing big data and frameworks with virtually endless possibilities. These new enterprise capabilities coupled with the already powerful analytic and logic features are a technological force to be reckoned with.

Congress and President Obama recently enacted a piece of cybersecurity legislation known as the “Cybersecurity Act of 2015,” which is designed to ensure that public companies “provide a basic amount of information about the degree to which a firm is protecting the economic and financial interests of the firm from cyber-attacks” using guidance from the SEC, NFA and the National Institute of Standards and Technology (NIST).

In addition, the Cyber Security Act of 2015 strengthens and prioritizes cybersecurity at publicly traded companies by encouraging the disclosure of cybersecurity expertise, or lack thereof, on corporate boards at these companies. This legislation requires companies to disclose – in their SEC, NFA filings – whether they have a director who is a “cybersecurity expert” – and if not, why having this expertise on the board isn’t necessary because of other cybersecurity steps taken by the company.

The Cyber Security Act of 2015 would require the SEC, NFA and the National Institute of Standards and Technology (NIST) to provide guidance on the qualifications necessary to be a cybersecurity expert.

Michael Peters, CEO of Continuum GRC, said, “The IT Audit Machine NIST and SEC, NFA compliance assessment modules are just one of the many innovations from Continuum GRC that really set us apart from other cyberspace security, governance, risk and compliance software firms.”

The top source for learning about the cyber security threatscape since 2005 has been the Privacy Rights Clearinghouse; a similar industry analysis resource is the Identity Theft Resource Center, which has only been tracking cyber security breach statistics since 2014. Continuum GRC has been leading the charge since 2000, when the company introduced the concept of Proactive Cyber Security™ to the world.

Annual number of data breaches and exposed records in the United States from 2005 to 2015.

When the majority of cyber threats are waged against the SMB space, and a whopping 60% of those companies will be out of business within six (6) months post-breach, we are understandably sympathetic to the rising level of despair that company leaders and boards are suffering.

“Are we next? That is the big question being asked more frequently now at the board level,” said Peters.

This second chart shows the percentages by industry where the cyber security data breach threats are being most successful.

Annual number of data breaches and exposed records by industry in the United States from 2005 to 2015.

NIST regulations are complex, and expertise in deciphering this regulatory mystery is in short supply, which is one reason ITAM IT audit software is such a great solution. Continuum GRC has removed the guesswork from compliance completely. With intuitive, guided questionnaires, you cannot make the mistakes and missteps that put your company at risk.

Gone are the days when audits, assessments and compliance work were overshadowed by endless spreadsheets, version control madness, escalating costs and audit anarchy. The IT Audit Machine puts the power of technology, collaboration and simplicity to work for the entire enterprise, and does it in a progressive, proactive way.

Cyber-crime prevention is of paramount concern to organizations of all sizes, in all industries and in all parts of the world. Continuum GRC puts its extensive experience in cybercrime and fraud prevention in the governance, risk and compliance (GRC) space to work for the global business community.

“Service providers globally are under increasing attack by cyber criminals. These criminal acts could have been prevented through a proactive cyber security position. Continuum GRC is proactive cyber security with our NIST compliance and assessment automation modules and templates.” said Peters.

Continuum GRC’s primary purpose is to help organizations attain, maintain, and demonstrate compliance and information security excellence, in any jurisdiction. Continuum GRC specializes in IT security, risk, privacy, governance, cyberspace law and compliance leadership solutions and is fully dedicated to global success in these disciplines.

Learn more about Continuum GRC and why Continuum GRC is Proactive Cyber Security™!

Download the whitepaper!

Have a question or want to schedule some time with our Superheroes?
