Companies that invest in information security build a culture of trust that energizes and reaffirms employees they’re on the right team. After all, trust begets trust.
This mindset is especially important as MSPs evolve to play a more significant role in providing thought leadership to businesses, IT departments, auditors, and insurance companies.
After recently completing a few mandatory training exercises, I was inspired to review Integris’ 90-page SOC 2 Type 2 Audit and Atlas, our comprehensive “all things Integris” library that includes:
- Charters
- Contracts
- FAQs
- Guidelines
- Job Descriptions
- Marketing Materials
- Plans
- Policies
- Processes and Procedures
- Service Schedules
- Standards
- Templates
Stewardship of Client Assets
The audit and Atlas are the source materials for our operations and inform the recommendations we give our prospects and clients. I always get re-energized with details like these because they demonstrate we practice what we preach.
And when I trust my company to exhaustively cover the fundamentals, I can confidently proclaim we’re proper stewards of client assets.
I’ll share a few trust-building highlights to give generalists encouragement to consider ways of strengthening information security without getting bogged down in layers of cybersecurity solutions and tools.
Third-Party Audits Strengthen Information Security Confidence
Integris’ dedication to information security is underscored by our commitment to annual SOC 2 Type 2 Compliance. This third-party review and attestation verify the fitness of our infrastructure, software, people, data, and procedures to protect customer data.
With 64 individual requirements, SOC is based on five “Trust Service Criteria” (TSCs), defined by Control Case as:
- Security: Included in all SOC audits, security covers common criteria related to protecting data and systems. The Security TSC aims to ensure information and systems are protected against unauthorized access, disclosure, and damage.
- Availability: Availability addresses accessibility and aims to assess the data that customers receive and how readily available it is. It also reviews accessibility for operations, monitoring, and maintenance of data.
- Processing Integrity: Integrity ensures systems are processing the data as authorized and assesses the accuracy, completeness, validity, and timeliness of the data. It also validates that systems are achieving the goals and purposes that they were designed to achieve.
- Confidentiality: This control aims to ensure “confidential” data remains protected and secure. It encourages encryption for in-transit data as well as client certificates and personal authentication certificates.”
- Privacy: Privacy addresses how data is collected, used, disclosed, retained, and disposed of. It aims to ensure the confidentiality and security of personally identifiable information (PII). PII includes name, social security numbers, contact information, addresses, etc. It is required that organizations demonstrate that they protect and handle personal information securely.
Verified Operational Controls
The SOC audit ultimately confirms we’re deploying control activities through policies that establish expectations and procedures that bring the policies to fruition.
This initiative includes inspecting each policy and procedure manual (yes, every last category is documented), to ensure controls over operations are reviewed annually or when significant changes occur.
Knowing we put this kind of care and attention into protecting ourselves (and by extension, clients) stokes company spirit and pride of association.
Learn More: SOC 2 Type 2 Report Sample
Rediscovering the Inspiration for Best-in-Class Information Security
Not to be confused with plans, procedures, and processes, I also took a deep dive into our information security policies. Let’s call it a refresher course for compliance nerds.
I’m so glad I ventured down the rabbit hole because I was pleasantly overwhelmed with the detail and depth of these mission-critical operating documents. Our Strategic Security Advisory Committee has 45 policies!
From acceptable use to business continuity, data retention, mobile device management, remote access security, risk assessment, and more, every facet of our IT environment is documented.
Due to the confidential nature of the documents, I can’t share any granular details, but will note, none of them mention brand name hardware, software, or cloud products.
Instead, the narrative for each policy clearly states the high-level business goals.
While every business uses technology, a policy is much broader in scope. For instance, a typical risk assessment policy focuses on:
- Providing an analysis of possible threats
- Preventing injuries or illnesses
- Meeting legal requirements
- Creating awareness about hazards and risk
- Creating an accurate inventory of available assets
- Justifying the costs of managing risks
- Determining the budget to remediate risks
- Understanding the return on investment
Information Security Policies Save Time and Money
According to some estimates, 60% of businesses don’t have information security policies. This means they’re overlooking the efficiencies of selecting IT resources, MSP partners, hardware, and software without the benefit of a guiding sheet of governing documents.
As a compliance and cloud-forward MSP with clients all over the United States, we can’t cut any corners. All Integris policies, procedures, standards, and plans are written internally. And everything in our library follows NIST and ISO 2000 standards and incorporates ITIL (Information Technology Infrastructure Library) terminology.
As per TechTarget, “ITIL is a framework designed to standardize the selection, planning, delivery, maintenance and overall lifecycle of IT services within a business. The goal is to improve efficiency and achieve predictable service delivery.”
Most importantly, we use all of these foundation assets to inform every purchase in our IT stack.
Are you following an established information security framework or just improvising?
Taking Your Information Security to the Next Level
While SOC 2 Type 2 auditing isn’t relevant to all businesses, every business needs dynamic information security policies, supported by related policies since security encompasses a broad range of adjacent domains.
For instance, your digital security policy is meaningless without a physical security policy to prevent threat actors from entering your office and leaving with servers, backup devices, and laptops.
At Integris, we’re always looking for better ways to illuminate the reasoning behind the IT recommendations we give our clients. And if readers absorb just a fraction of our enthusiasm for orderly IT governance and documentation, we’ll consider this blog a success.
Please schedule a discovery session to learn more about the benefits of elevating your approach to information security.