Top RHCE Jobs in California

No matter where you want to work, a Red Hat Certified Engineer (RHCE) certification will help you land a lucrative position, but the opportunities in California appear far more numerous than in the average state. According to Indeed at the time of this post, most of the opportunities in the Golden State for RHCE jobs are […]

The post Top RHCE Jobs in California appeared first on Phoenix TS.


DevCentral’s Featured Member for September – Rob Carr

Rob Carr is a Senior Trainer/Professional Services Consultant with Red Education Pty in Australia, covering the Oceania and Asia markets. He has done training and engagements from New Zealand to Taiwan and points in between. About 60% of his time…

How to start with an Information Security Program?

I am a software tester, InfoSec is mostly tangential to my job, and people only ask me questions about InfoSec because I am not afraid to use Google or Stack Exchange when I don’t know something. (which is most of the time)

Our US operations manager wants to have a conversation with me to learn more about Information Security. He got an email from a prospect in the financial sector that includes this section:

(a) ACME will ensure its information security program (“Info Security
Program”) is designed and implemented, and during the term of this
Agreement will continue to be designed and implemented, to: (1)
reasonably and adequately mitigate any risks identified by either of
the parties related to the Software and Services, and the protection
of Customer Confidential Information disclosed to ACME or ACME
Personnel, and (2) describe and report on its own risk assessments,
risk management, control, and training of ACME Personnel in compliance
with the Info Security Program, security oversight regarding ACME
Personnel, and the process for the annual certification of the Info
Security Program. ACME will safeguard against the destruction, loss,
alteration, or unauthorized disclosure of or access to Customer
Confidential Information in the possession of ACME Personnel,
including through the use of encryption while transmitted or in
transport, or while being stored, processed or managed on ACME
equipment when such encryption required by Law, is advised by industry
standards for similar products or services, or is required in an
Transaction Document (collectively, the “Data Safeguards”). ACME will
ensure that the Info Security Program is materially equivalent to
Customer’s own information security standards in place from time to
time applicable to the risks presented by the Products or Services
(collectively the “IS Standards”). The parties may redefine the term
“IS Standards” to mean any industry-recognized standard or testing
protocol (e.g., NIST, ISO 27001/27002 or SSAE, AT101), if expressly
set forth in an SOW.

This language is so scary that I first pooped in my pants, and then created a security.stackexchange.com account to ask for advice because I don’t even know where to start. We are a small software company (less than 40 people) that is fortunate enough to have some commercial success, and we’re not careless about security, but we don’t have any formal Information Security Program (yet).

Some questions:

  • Can someone please translate the above quote into common English?
  • I read something about annual certification, would it be ok to say that our company should make use of a third party security auditor and let them tell us what we should do?
  • Who within our organisation would typically be responsible for implementing an Information Security Program?
  • I am thinking about recommending that we buy ISO 27001 (I mean the actual PDF file that contains the text of that standard, which can be purchased for 166 Swiss francs from the iso.org store), but who should read it? (related to the previous question)

Background information:

  • We collect typical CRM information to be able to send invoices.
  • We do not collect sensitive information, like data about the users/customers of our customers.
  • Our support team may ask sample data for troubleshooting purposes, and will always ask for “dummy” or sanitized data that reproduces the issue at hand.

This question is not a duplicate of How to communicate how secure your system is to your employer’s clients. That post is about how to communicate to customers; we already know that because the customer already told us which kind of communication they want: they mentioned a SOC Type 1 Report. It is also not a duplicate of How to get top management support for security projects? because management support is easy in our case: get security certified or miss out on big contracts.


Is there any Online Certification that is worthy enough to get a Job as a Security Professional? [on hold]

I am highly interested in Network and Information Security and already have a good understanding of Linux. I am also good at WiFi Penetration Testing and practice a lot of that.

I am wondering whether there is a certification that …

I’ve Successfully Failed the F5 Certification 201-TMOS Administration Exam

Yup, you read that right. I did not pass the F5 Certified BIG-IP Administrator test I took while at F5 Agility 2017. And I’m not ashamed, since it was a challenging test and I will be trying again. Sure, I went through Eric Mitchell’s (F5er) comprehensive 201 Certification Study Guide along with the TMOS Administration […]

Changes to the CISM Domains

CISM, Certified Information Security Manager, is one of the highest-level globally recognized certifications in the InfoSec industry. In December 2016, ISACA announced that there would be changes made to the CISM domains. These changes took effect with the first administration dates of the CISM exam in 2017.

Changes to the CISM Domains

ISACA, in a […]

The post Changes to the CISM Domains appeared first on Phoenix TS.


CISM Requirements For Certification

You successfully passed the CISM exam, so it would be logical to assume you now hold the title of ISACA Certified Information Security Manager, but that’s not really the case. In fact, you still have a way to go before you can add that acronym to your signature. For any advanced certification, passing the test […]

The post CISM Requirements For Certification appeared first on Phoenix TS.
