Show Notes: https://justinfimlaid.com/benefits-of-a-security-certification-&-equifax-security-breach/h
Contact Me: https://justinfimlaid.com/contact-me/
A lot of companies
or agency executives are looking for a security certification or some kind of
assurance they can sleep well at night.
Truth of the matter is no security firm would assert that their clients
are bullet proof from a cyber security breach.
The threat landscape is shifting intraday and anything a security firm
would attest to today might be outdated by the time the team walks out of the
building. In our industry today – there
is no certification that offers this level of warranty. HITRUST, PCI-DSS, ISO27001, SOC Reports all
ensure that a process is in place not necessarily the rigor of the security
control in place and value of said control in the long run. The Knox Security
Certification, is the lone technical security certification but that also has
bounds to the warranty and very much requires that the company continue to
maintain the hygiene of their security posture as nothing in security is set it
and forget it.
Any potentially viable security certifications is in jeopardy because of this coupled with the fact there is so many people that misunderstand this concept. Case in point is the Equifax security breach. If you don’t know Equifax, congratulations on making it out from under your rock and listening to this first. Equifax is a large credit reporting bureau that holds credit and personal information for millions of people. The breach, impacted over 140 million people…which to put that in perspective is also HALF the citizens in the US.
Here’s the thing,
Equifax has an ISO27001 certification. The certification was delivered by Ernst
and Young and their EY CertifyPoint division. Some folks, including those at
Equifax, seemed to think this certification shielded them from breach. If you ever listened to any of my podcasts or
read anything I’ve written related to ISO27001, you know that ISO27001 simply
certifies you’ve followed a framework and methodology to choose security
controls—not whether those controls are right and complete security controls
for your environment. To add one more,
scope is a big component of ISO27001 and just because someone has an ISO 27001
certification doesn’t mean it for the environment they say it is. For example, some companies have an ISO27001
certification on their broom closet and say it’s for the whole company.
The issue with this
Equifax situation is that E&Y, according to MarketWatch, issued an attest
opinion that all security controls were complete and in place, which later
could not be supported. Aside from this
not being possible because it fails to acknowledge existance of the crystal
ball that predicts any and all zero day attacks, it’s also a conflict of
interest and violation of any accreditation rules.
To me this indicates
a huge lack of understanding OR purposeful negligence.
from former SEC Chiefs…I’m withholding names since I don’t know if quotes are
taken out of context BUT one head scratching quote, I’m paraphrasing,
“there’s question concerning how much
reliance should be placed on the ISO certification when assessing internal
controls over financial reporting.”
Uhh…you think? I can
help out there…none. There should be no
reliance. The context of the control is
COMPLETELY different than what you would expect for a SOX 302 or 404 control.
This brings me to
the belief that there continues to be a huge and massive misunderstanding of
security controls at the highest level of organizations and within
organizations that are supposed to be a trusted security advisor.
More often than not
I see accounting firms fulfilling this assessment and assertion role within
BUT who did Equifax