Earning Your Security Trustmark+

Transcription

1 QUICK START GUIDE Earning Your Security Trustmark+ CompTIA.org

2 Introduction One of the biggest challenges for solution providers is protecting their clients networks and information in a manner that addresses a myriad of regulatory and proprietary concerns. A variety of federal, state, regional and even local rules have been enacted to ensure that businesses are securing their customers personal and confidential data and systems. When the requirements of certain industries are added to the list, it creates a dizzying number of security measures that solution providers and MSPs must deal with every day. So how do solution providers evaluate the risk for their organization as well as their clients and then develop a viable plan to address potential threats? They can start by using assessment processes employed by IT security professionals, then reviewing the industry best practices. After identifying current gaps in their clients system protection, they can construct a comprehensive plan that encompasses compliance and industry requirements, as well as any other necessary precautions. As everyone knows, network and data security extends way beyond the technology. It doesn t matter how comprehensive or expensive the system is when employees fail to follow prescribed processes that protect their company s information. Every IT security plan should address as many of these potential faults as possible, including layered protection that reduces the opportunity for them to occur. So how does a solution provider ensure their company can meet the comprehensive security needs of their clients? One option is to attain the CompTIA Security Trustmark+, a business credential that identifies companies that have embraced the most rigorous industry best practices. Before receiving this designation, solution providers and MSPs must be able to identify regulatory compliance gaps and address problem areas in security policies, processes and planning. The CompTIA Security Trustmark+ is the IT Industry Association s vendor-neutral credential for best security practices. All program applicants undergo a comprehensive CompTIA is very organized and the guidance and logistics provided throughout this credentialing process were remarkable, said Scott Spiro, President of CSG. The entire experience was collaborative and very positive! 2 CompTIA.org

3 quick start guide Earning Your Security Trustmark+ third-party audit that ensures each of those standards is in place and properly followed. The CompTIA Security Trustmark+ was designed by a team of experts from many areas of the IT industry to be affordable and achievable by businesses of all sizes. Many industries have requirements for protecting data, including health information, financial data, credit card information, and government secrets. Even if a solution provider organization is not covered by data protection regulations themselves, they may be forced to comply in order to support customers who are. A number of businesses are required to comply with data protection laws intended to address security breaches, including intrusions that could compromise names, birthdates, Social Security numbers, and other confidential information. Earning the CompTIA Security Trustmark+ shows clients that their data is being handled by an organization that takes security seriously and professionally. Enhance the Standing of Your Security Business Practice The CompTIA Security Trustmark+ program offers a wealth of endorsement and marketing opportunities for solution providers. One of the biggest benefits of the credential is a steadfast validation of the protection capabilities it offers their customers. The Security Trustmark+ includes 100 industry controls with applicants required to submit full documentation of all their company security policies and procedures. The CompTIA Security Trustmark+ assessment is then reviewed by an authorized 3rd party evaluator. Based on the assessor's recommendation, this high level of verification becomes a strong endorsement of the holding organization's commitment to best practices for information, personnel, and environmental security. As a result, the Security Trustmark+ is more likely to be considered as a viable substitute for many existing compliance regulations. Businesses that earn the CompTIA Security Trustmark+ can proudly tout their accomplishment to clients and prospects. The credential validates their defensive protection expertise and demonstrates that the organization s methods have been vetted by a trusted IT industry organization. Independent verification of the processes used to protect confidential information is further validation that the company has the skills to properly protect its clients from serious network intrusions and costly data breaches. That level of assurance is crucial in today s online-dependent business environment. The CompTIA Security Trustmark+ ensures current and prospective customers that their solution provider is both capable and qualified to support their security needs. The Trustmark has allowed us to speak more convincingly and with more credibility with upper scale accounts. It gives our clients the peace of mind that they need to know that we are, in fact different and better than perhaps most or all of the other organizations they are talking to and considering doing business with. Oli Thordarson, CEO, Alvaka Networks The CompTIA Security Trustmark Assures a Professional Status If a solution provider is serious about becoming an information and network protection specialist, following the controls set forth in the CompTIA Security Trustmark+ should be a standard operational procedure. Each section is detailed and easy to follow, including a number of practices that most solution providers already adhere to. 3

4 Applicants can start by documenting the Security Trustmark+ control measures that already have in place and then proceed at their own pace until the remaining sections are completed. This gives solution providers the flexibility to upgrade and adjust their systems at their own speed. They can adapt and change policies and procedures in a more structured manner while adding new security controls all without disrupting their organizations existing expansion plans. The process that solution providers must follow to earn a CompTIA Security Trustmark+ gives them a comprehensive look at what their current IT security capabilities are, as well as the industry standards they should be following. We ll review this process shortly. The criterion may vary depending on certain business variables, but those who systematically follow the recommended process will be putting their organization solidly in position to earn the credential. By reviewing the control framework before starting the application, solution providers will be able to easily gauge their ability to meet each of the Security Trustmark+ controls. By properly preparing and organizing their internal capabilities and resources, solution providers can significantly reduce the time and effort required to earn this credential. After completing the online enrollment process, applicants should consider engaging other Trustmark applicants and holders through the LinkedIn Trustmark Forum for additional tips and suggestions for successfully completing the program. Peer groups and mentors can also help walk solution providers through the procedures, templates and other tools, and show them how to organize all the required documentation. After that information has been compiled, the online application can help applicants self-assess their capabilities in each of the 5 key IT security areas (Identify, Protect, Detect, Respond, Recover). Depending on the size of the organization and the level of preparation, the entire process may take as little as two weeks or as long as six months (the shorter duration is recommended). The online application requires documented evidence of the organization s ability to perform in several areas, with variations based on a number of business factors. Fourteen documents must also be submitted along with the application, covering the following topics: IT Security Policy & Procedures Business Impact Analysis Risk Assessment Incident Response Plan Business Continuity Plan Disaster Recovery Plan Hardware Inventory Network Diagram Service Provider List Data Classification Policy Job Description Regulatory Compliance Training History Protection Communication Solution providers have to submit the documents mentioned above as well as address several specific security functions as part of the CompTIA Security Trustmark+ application process. Those functional areas include: 1. Asset & Resource Management. Identifying and prioritizing assets, software, hardware, etc. according to criticality is an essential step for an organization to help manage risk. Data flow, internal and external systems, security roles and responsibilities all play a role in Asset & Resource Management. 2. Business Environment. Understanding the supply chain, potential weaknesses for exploits, the role of the business in specific industries, and the interdependencies of critical systems are all aspects of the environment the business operates within. 3. Governance. An official security policy states the minimum security requirements that those in an organization are expected to follow and governs the business overall IT security policy. Depending on the size and complexity of the applicant organization, this document must include the minimum requirements outlined in the CompTIA Security Trustmark+ controls (though it may be more comprehensive). 4. Risk Assessment. Managing risk through a Vulnerability Management Program that takes into account things such as vulnerability identification, threat intelligence and assessment, a Business Impact Analysis, identifying and managing risk tolerance will improve an organization s 4 CompTIA.org

5 quick start guide Earning Your Security Trustmark+ ability to properly identify and respond to situations. Understanding what is a risk and how to react in those situations are vital for any IT business. 5. Access Control. An essential condition for a comprehensive security program is to limit access to critical data and other resources. This helps prevent privacy violations, ensures greater adherence to compliance requirements and prevents the loss (or modification) of valued information. This section requires a documented process for adding and terminating authorized users; ensuring that only permitted parties can gain access to data and network resources. It should also include steps to make sure each user properly follows identity and password processes, meeting the minimum security requirements listed in the Security Trustmark+ controls. 6. Awareness & Training. The organization must utilize various awareness tools that emphasize the need for employees to follow proper security procedures at all times. Initial and ongoing training must be provided to ensure these tools are appropriately utilized and each process is followed judiciously. They must have a communication plan to increase awareness of the available tools and to stress the importance of adhering to the company s established security measures. 7. Data Security. Client information, accounting records, personnel files, and critical proprietary information that support each client s business operations must be stored in protected files. That responsibility extends to data loss, unauthorized viewing, modifications, and copying. Many businesses also have a legal responsibility for protecting the privacy and confidentiality of their clients. To meet the requirements of the CompTIA Security Trustmark+, solution providers must classify data into access categories that are appropriate for their specific businesses. Those groups include Restricted (healthcare, financial, trade secrets, payroll, human resources, contracts), Company Confidential (phone lists, policies), and No Restriction (marketing information provided to the public, for example). Data owners must limit access to each category on a need to know basis and all information must be properly classified and managed from the time it is created. 8. Information Protection Processes & Procedures. Things such as baseline configurations, system development life cycles, change controls, backup, and Incident Response Plans all help establish an organization s overall security posture. Confidence that recovery plans will work, creating a secure work environment, aligning human resources, and other fundamental processes and procedures provide the foundation for a secure IT business. 9. Maintenance. Ongoing local and remote maintenance help ensure continued protections. 10. Protective Technologies. A comprehensive understanding of the technological controls in place to encourage and support data protection and security. Log records, removable media policies, principles of least functionality and network protection are areas of focus for the CompTIA Security Trustmark Anomalies & Events. Knowing what an anomaly is, noticing warning signs, establishing acceptable thresholds and understanding the potential impact of an anomaly allows organizations to react properly and to the right level. 12. Continuous Monitoring. Network, physical and personnel monitoring to quickly identify situations that exceed a determined tolerance must occur continuously. Malicious and mobile code detection paired with periodic checks of service providers and employees support the same. 13. Detection Processes. Documenting how to detect and respond to specific events and communicating that information to the necessary security staff will improve an organization s ability to respond. Testing of these plans and processes is vital. 14. Analysis. Clear guidelines of how to react to an event based on how it is analyzed. Understanding the impact, situations where forensic information needs to be collected, and proper classification of events as part of an Incident Response Plan. 15. Response. Clear plans for communication, mitigation, and opportunities for improvement to an Incident Response Plan. These mechanisms help contain an incident and inform the necessary stakeholders. 16. Recovery. Plans, lessons learned, public affairs, and, if necessary, reputation recovery are encompassed in activities to recover from an incident. 5

6 How to Get Started Once solution providers review all the benefits of the CompTIA Security Trustmark+ and decide to pursue the credential, the process can begin. Payment for the application fee is completed online (discounts apply for CompTIA members) which provides immediate access to all of the resources available, including the Reference Guide and optional Template Packet. The next required step is completion of an online self-assessment form and submission of the required IT security documents. Applicants may proceed with the CompTIA Security Trustmark+ application process at their own pace, uploading the required information piece-by-piece over an extended time, or all at once. That flexibility allows solution providers to balance their priorities between running their business and completing a valued business credential. As they proceed through the process, opportunities to improve their organizations policies and procedures may be identified based on the control framework and requirements of the CompTIA Security Trustmark+. Once an organization has achieved all standards in the prescribed controls and the 3rd party validation process has been successfully completed, the business credential will be awarded. Since an annual Light Touch Review is part of the renewal process, Security Trustmark+ holders can assure their clients that they continually maintain the strict principles required to protect their confidential information. A prospective client (an investment advisory firm) asked, How do we know that we can trust your company to protect our data? I showed them the criteria for the Trustmark we achieved, and they signed the contract, John Guttridge, President of Black Box Computer Consulting We believed our company had already implemented good security measures and were very happy that we passed the assessment the first time through. We needed to prove to clients that we protect our data and theirs with the same level of care we preach to them. We proved that a high level of security can be achieved even though we do not have the resources of a large company. Lester Keizer, CEO of Business Continuity Technologies Quick Overview of the CompTIA Security Trustmark Process 1. Follow the Preparation Checklist and Required Documentation, located in the CompTIA Security Trustmark+ Reference Guide. This document is found in the My Account login area of the CompTIA website. 2. Assemble the required documentation, which will be submitted with the online application. To receive the business credential, fourteen specific documents must be tendered. During the Security Trustmark+ application process, a number of other articles may need to be created to help substantiate and highlight the candidate company s skills and practices. 3. If necessary, utilize the template packet to assemble the documents required to receive the business credential. Note: the provided samples are incomplete and cannot be used as they are for submission, but can be used as a starting point to generate the necessary documents. These templates are available for download in the My Account Login section of the CompTIA website (payment of the application fee is required for access to this section). 6 CompTIA.org

7 quick start guide Earning Your Security Trustmark+ 4. Complete all of the online assessment control questions, upload documentation and submit the final assessment for review. 5. CompTIA will assign an authorized 3rd party assessor to arrange a virtual audit of your Security Trustmark+ assessment. Need more information, or are you ready to get started? Contact us at: [email protected] About the CompTIA IT Security Community To help solution providers stay abreast of developments in IT security, both at the regulatory and business level, CompTIA formed a collaborative group to foster discussion among peers and share resources. The IT Security community, which was the driving force behind the CompTIA Security Trustmark+ business credential, keeps it members up to date on a host if industry developments. Members share best practices, help solve collective problems, and build relationships that can lead to long-term valued business partnerships. Participants include solution providers, managed services providers, distribution and vendor executives and other IT channel experts. Through the community blog, members have been able to keep track of significant industry discussions, such as the national data breach legislation proposed in Washington D.C. While different states are addressing specific actions when a data breach occurs, no Federal law has yet been established, though Congress has discussed legislation. CompTIA continues to advocate for passage of a bill on behalf of the industry and provides frequent updates to the IT Security Community. The group is regularly engaged in creating end user education for compliance and regulations. Members develop new initiatives to address the security issues related to new technologies and for developing security education tracks for solution providers. They are also charged with industry awareness campaigns and making periodic updates to the CompTIA Security Trustmark+. Find out more about the CompTIA IT Security community at CompTIA.org/communities About CompTIA CompTIA is the voice of the world s information technology (IT) industry. As a non-profit trade association advancing the global interests of IT professionals and companies, we focus our programs on four main areas: education, certification, advocacy and philanthropy. We: Educate the IT channel: Our educational resources, comprising instructor-led courses, online guides, webinars, market research, business mentoring, open forums and networking events, help our members advance their level of professionalism and grow their businesses. Certify the IT workforce: We are the leading provider of technology-neutral and vendor-neutral IT certifications, with more than 1.4 million certification holders worldwide. Advocate on behalf of the IT industry: In Washington, D.C., we bring the power of small- and medium-sized IT businesses to bear as a united voice and help our members navigate regulations that may affect their businesses. Give back through philanthropy: Our foundation enables disadvantaged populations to gain the skills they need for employment in the IT industry. Our vision of the IT landscape is informed by more than 25 years of global perspective and more than 2,800 members and more than 2,000 business partners that span the entire IT channel. We are driven by our members and led by an elected board of industry professionals. All proceeds are directly reinvested in programs that benefit our valued members and the industry as a whole. Headquartered outside of Chicago, we have offices across the United States and in Australia, Canada, China, Germany, India, Japan, South Africa and the United Kingdom. For more information, visit CompTIA.org. 7

8 CompTIA.org 2014 CompTIA Properties, LLC, used under license by CompTIA Member Services, LLC. All rights reserved. All membership activities and offerings to members of CompTIA, Inc. are operated exclusively by CompTIA Member Services, LLC. CompTIA is a registered trademark of CompTIA Properties, LLC in the U.S. and internationally. Other brands and company names mentioned herein may be trademarks or service marks of CompTIA Properties, LLC or of their respective owners. Reproduction or dissemination prohibited without written consent of CompTIA Properties, LLC. Printed in the U.S Oct2014