World Accreditation Day Event

June 9, at 13:00 GMT (6 AM PST)

Michael D. Peters
eJD, MBA, C|CISO, CISSP, CRISC, CISA, CGRCA, QSA, CMBA, CISM, CGRCP, CCE, ISSA Hall of Fame

CEO Lazarus Alliance, Inc.
A certification body and cybersecurity audit firm to the global business community.
https:// LazarusAlliance.com

CEO Continuum GRC, Inc.
A software as a service (SaaS) company providing the world’s only FedRAMP and StateRAMP Authorized risk assessment and management GRC solution.
https://ContinuumGRC.com

Certification and Accreditation in the Digital Arena

The New World Workforce Order

If there is an upside to the recent pandemic, it is that it accelerated existing trends in remote work, e-commerce, and automation. This acceleration ushered in technologies that supported the urgent need for global businesses to not only support their workforce, but to survive.

The short-term consequences were sudden and often severe leaving millions of people furloughed or losing their jobs, and so many others being required to rapidly adjust to working from home as offices everywhere closed.

Remote technologies have saved businesses and their employees who have leveraged them to not only carry on the task, but to transform them in ways that promote working smarter, not harder.

As it pertains to Certification and Attestation Bodies, these trends in remote technologies and cloud computing have reduced the physical need to be there, as the virtual need to be there emerged and now factors prominently.

This is not a United States phenomenon, but a global one. The lasting impact of the pandemic on labor demand, the mix of occupations, and the workforce skills required by the largest labor market in the United States, France, Germany, India, Japan, Spain, the United Kingdom, and China representing nearly half the global population and 62 percent of GDP.

This change in working environments has expanded the traditional corporate boundaries outward and into the employees’ home environments. As it pertains to certifications and accreditation, the world did not stop requiring that organizations who are the custodians of human information, intellectual property and the continuity of our supply chains remain viable. The basic requirements did not diminish at all, they just became more complicated.

This complication associated with the expansion of the corporate boundary now includes all the new endpoints that worked themselves into these new remote endpoints from a myriad of geolocations.

To make matters even more challenging, these endpoints tend to be protected by legionnaires who are ill-equipped, untrained and quite possibly look like our grandmothers and children under the age of five!

These endpoints are tempting soft targets for would be invaders hoping to storm the corporate bastions through the plethora of beachheads our fearless leaders of the pandemic forced upon the world’s businesses.

Rock Turning

The importance of certifications, attestations, authorizations and accreditations based on globally recognized standards has never been more important.

The proactive and systematic nature of assessing against frameworks such as ISO 27001, NIST 800-53, FedRAMP, EUCS, C5, PCI, SOC 2 and many others represents a structured, meaningful turning of the symbolic rocks designed to identify, and eliminate risks to the organizations, before they manifest into catastrophes.

Irrespective at this moment of whether these assessments are being administered by internal staff or highly credentialed, independent third-party audit professionals, the fundamentals are the same.

Every control question in a compliance framework is a risk evaluation. The careful evaluation of the requirement considering each control response and test design description narrative. They must contain as many of the following four (4) categories as possible to be considered complete.

• People: Who is involved with ensuring a control requirement is compliant and effective? The Who might be the HR Department, or the CISO, or Jane Doe specifically.
• Processes: Every company has a method of operating and performing tasks. These processes should be defined in a way that everyone understands how that process works to enforce control effectiveness.
• Policies: There is frequently a policy, or procedural document in place (or should be!) to define how a client sets the standard, or process, or regulatory requirement.
• Technologies: Most control requirements have a technical implementation for effectiveness and enforcement. It may be an external service provider, or an internal technology, but regardless, define it. Provide product names, platform names, third-party names, and all the details needed to completely articulate what is in scope and under test.

Once the control implementation descriptions are written, and the assessor determines how to evaluate the implementation effectiveness of the compliance control, it is time to test.

Defensive Gaps

Now is when the expertise of trained professionals who are qualified to evaluate the effectiveness of the people, processes, policies and technologies that comprise the organization’s defenses is most important.

Self-assessments are a good start but are also like the proverbial foxes guarding the hen house! This is where the value of an independent third-party certification body is so vital.

First, you receive the assessment administered by trained and well credentialed audit professionals who are regularly examined themselves for delivering on the prevailing standard. The associated value of certifications and accreditation helps to enforce standards and quality.

Secondly, it is impossible to gage the expertise of internal staff, not to mention the impartiality risks having the test-taker write the test!

Trust but verify!

During all certification and accreditation audit engagements, it is the goal to obtain evidence to support our understanding of the focus boundary systems’ people, processes, policies and technologies.

For all frameworks, we must determine whether controls included in the description of the system have been implemented by performing at least one of the following four (4) types of evidence review that needs to be explicitly stated in our testing performed descriptions.

These examples are:

• Inspection: Physically inspect documentation that the client has provided (policies, personnel records, screenshots, etc.).
• Observation: Observe the work being performed by viewing a client’s screen via screen share, watching a video of a client performing a task, or watching the client when conducting an on-site visit.
• Reperformance: Reperform a control using the client’s systems by obtaining auditor credentials.
• Inquiry: Conduct interviews of client management and personnel.

Not all testing activities are created equal. Each of these evidence reviews is sufficient by itself for our testing procedures except inquiry. If we have only inquired of the client, we need to supplement that testing with at least one of the other three evidence review types.

Trust but verify!

Remaining Relevant

To reemphasize, remote technologies have saved businesses and their employees who have leveraged them to not only carry on the task, but to transform them in ways that promote working smarter, not harder.

By using purpose-built software as a service tools for administering and protecting certification and accreditation activities, we promote the accessibility and information security within our ever expanding digital arena we all work within.

By embracing the modern capabilities of remote collaboration and observation technologies, we eliminate the necessity to be physically on location. This benefits both the assessing organization and the organization under assessment.

There are always intrinsic benefits to a physical presence, but as the pandemic has taught us, we have the will and the capabilities to promote security and standards compliance that protects the world’s citizens and organizations alike.