Knox Security Certification Program
Choose the right certification level for your business.
Certifications are valid for one year and require re-certification annually to stay certified.
Certifications are technology agnostic. As your trusted partner, we can make valuable recommendations on security processes or technology.
Demonstrate to your customers and vendors the security of your company or solution.
Choose the Certification Level That's Right for You!
Regardless of your information security program maturity, we have certification levels to match.
- If you’re just getting started, and want to prove security to a prospective customer, check out our Knox Standard Certification.
- If your information security program is maturing and your organization has implemented more than the basics, get credit for it with the Knox Enhanced Certification.
- If your company utilizes advanced security techniques, and you want to be able to demonstrate it, consider the Knox Advanced Certification.
Our clients choose the Knox Security Certification Program for a variety of reasons, but the top 3 reasons are:
- Consumer Confidence: The Knox Security Certification helps demonstrate your security posture to your customers and differentiates you from your competition.
- Reduce Time on Vendor Questionnaires: Almost all of our clients have to complete a vendor questionnaire now and again. The Knox Security Certification can help reduce the time spent filling out different questionnaires that ask the same questions. We’ll issue you an actual certification you can send directly to the vendor. Most of our clients say they’ve reduced time spent on questionnaires by 50% with the Knox Security Certification.
- Internal Confidence: For companies that have been working on building their security muscle, the Knox Security Certification is a great way to demonstrate your accomplishments.
The Knox Security Certification has allowed me to reduce the number of hours spent every week responding to vendor questionnaires.
Each certification level features a comprehensive set of control criteria, and a client must meet all requirements to achieve certification.
The Knox Standard Certification is for most folks looking to get started and prove a solid security foundation.
- Documented Data Inventory and Flows
- Documented System and Device Inventory
- Documented Approved Software List and Inventory
- Established Security Awareness and Training Program
- User Identification and Authentication Controls in Place
- Malware Protections in Place
- Remote Access Controlled
- Least Privilege Practiced
- Control of Mobile Devices
- Vulnerability Scanning Program in Place (45-Day Remediation for Critical Vulnerabilities)
- Annual Network Penetration Test Completed (45-Day Remediation for Critical Vulnerabilities)
- Annual Web Application Penetration Test Completed (45-Day Remediation for Critical Vulnerabilities)
The Knox Enhanced Certification is for organizations that meet all of the Knox Standard criteria and also want to showcase their external protections.
All of the Knox Standard, plus:
- Perimeter Defense (incl. IDS/IPS) Established
- Secure SDLC (Software Development Lifecycle) Practiced
- Security of Third-Party Partners/Suppliers Assessed
- Logging and Monitoring Solution in Place
- Commercially Reasonable Encryption Standards Defined and Implemented
- Enhanced Vulnerability Management Program (Continuous Monitoring)
- Patch Management Program in Place
- Hardening Standards for Servers and Workstations
- Identity and Access Management Program in Place
- Network Traffic Filtering Solution in Place
- Device Sanitization Policy and Process Established
- Self-Assessment Completed between Certification Assessments
- Vulnerability Scanning Program in Place (30-Day Remediation for Critical Vulnerabilities)
- Annual Network Penetration Test Completed (30-Day Remediation for Critical Vulnerabilities)
- Annual Web Application Penetration Test Completed (30-Day Remediation for Critical Vulnerabilities)
The Knox Advanced Certification is for organizations that also want to showcase their continuous monitoring and threat hunting capabilities.
All of the Knox Standard and Knox Enhanced, plus:
- Application Control Software Deployed
- Proactive Threat Hunting Tools and Process in Place
- Information Security Committee and Charter Developed and Practiced
- Fully Documented Incident Response Plan
- Web Application Firewall (WAF) in Place
- Data Loss Prevention (DLP) or Similar Solution in Place
Frequently Asked Questions about Certification:
1. How long does it take to receive our certificate?
It depends on the certification level you want, the size of your organization, and the scope of the environment we are assessing. Smaller certification assessments can be completed in as little as 2 weeks; some of our larger assessments (a large organization with a large scope) have taken 8 weeks to deliver.
2. I want to certify but I’m not quite ready. Can you help me get ready?
Absolutely. We offer readiness reviews/assessments for organizations that want to certify but may not be quite ready. The result is a list of remediation items to fix before we begin the official assessment, along with guidance on the best ways to get there.
3. What happens if we fail the assessment?
We give customers 30 days to fix any outstanding items and prove that a process to maintain security hygiene is in place.
4. Why would I want to certify? Companies certify for a variety of reasons:
- Develops Consumer Confidence: This certification will help prove to your current and prospective customers and partners that you’ve made efforts to improve your security posture and that those efforts have been independently validated.
- Proves Security to Auditors: Many companies are asked to complete vendor questionnaires or answer to security auditors. This certification helps shorten the response time for those audits.
- Company Internal Credibility: For many of our customers, certifying against a benchmark can prove to internal leadership that their investment in security is paying off.
5. Can you assist with remediation?
Yes. We want to be your trusted security partner. When you succeed, so do we.
6. I have had another vendor do my penetration testing. Can I use that toward the certification?
Maybe. Here’s what we look for before accepting a third-party test:
- Penetration testing completed within 30 days prior to the start of the credentialing effort (because remediation efforts might need to take place).
- Penetration testing needs to be an actual penetration test covering areas such as business logic abuse and access model testing. A penetration test is not a vulnerability scan. If you’re looking for more details, check out this blog post: https://www.nuharborsecurity.com/what-exactly-is-a-web-application-penetration-test/
- The test effort needs to be comprehensive, following a guideline such as NIST 800-115.