If you are an information security executive, then at some point during your tenure you will likely have to demonstrate to another company, vendor, or third party the strength of your information security program. Many organizations, especially vendors who provide a service to another company, choose to undergo a SOC 2 assessment to demonstrate the operating effectiveness of their controls. SOC 2 reports, as well as control assessments based on frameworks such as NIST SP 800-53, may provide value to your organization and may allow you to check a box next to a compliance requirement.
While the entities that helped craft these frameworks may be control experts, they may not possess the breadth or depth of knowledge that a cybersecurity firm like NuHarbor has. Because of that, we'd like you to meet Knox, the new information security certification program from NuHarbor Security.
What is different about Knox?
Here at NuHarbor we like to do things differently, not just for the sake of being different but because we always want to operate with the best interests of our diversified clientele in mind. Not every organization is the same. As a result, assessments such as SOC 2 often include multiple controls or requirements that add no business or security value for your organization. To avoid this inefficiency in the certification process, the Knox security certification criteria have been tailored from the ground up based on cybersecurity best practices. This allows Knox to serve both as a way for you to demonstrate your security capability and as a way to gain confidence that your security hygiene is where you want it to be.
With scalability and flexibility in mind, we crafted Knox with a tiered approach. This allows you to implement changes to your security control suite at a pace appropriate for your organization. You do not have to rush right to the goal line and work to achieve the highest tier of Knox certification. For many organizations, a lower tier may be an easier lift and better fit for a variety of reasons (e.g. type of industry, organizational size/maturity, legacy culture, etc.). As your security program matures, you can then evolve your security footprint to achieve a higher level of certification.
While we have chosen to build flexibility into the certification program, some requirements are fixed and cannot be changed. This is important to maintain the value and viability of a Knox certification. The intent of our program is to help you demonstrate the continued operating effectiveness of your information security controls throughout the year. Knox is not intended to be a one-and-done assessment. To that end, annual reassessments are required to maintain your certification. This helps ensure that as new threats emerge and your environment changes, the certification process accounts for that change.
During a Knox certification assessment, we may identify deficiencies in your control environment. Any deficiencies must be remediated within 30 days. Some deficiencies may require a technical solution that takes significantly longer than 30 days to implement and operationalize. In these situations, a reassessment may be required so that proper focus can be given to the elements of the environment that have changed.
Knox Certification vs. Readiness Assessment
One question you may have is whether your organization is ready for a full certification at this time. In situations like these, you can choose to have NuHarbor perform a Knox readiness assessment. A readiness assessment can be viewed as a dress rehearsal or dry run. NuHarbor will partner with your organization to review the certification requirements in detail and provide feedback on which Knox criteria may require remediation. The readiness assessment will allow your security team to get a feel for NuHarbor's expectations for each Knox criterion at your chosen certification level.
Unless your organization has a mature cybersecurity program and has been regularly assessed by a third party, a readiness assessment is always our recommended starting point.
Knox Certification sounds like a lot of work. Will it be overwhelming?
As your trusted cybersecurity advisors, we will always be open and honest with you. Yes, the process of achieving your chosen level of Knox certification will be a lot of work. It will require a significant level of management commitment to plan for and execute the certification process and to remediate any identified control weaknesses. However, we strongly believe that with the right level of effort, Knox certification is achievable and will add real business value to your organization.