How we handle security needs & ongoing security improvements. Part 1


Over the last fifteen-plus years, we at Svitla Systems, Inc. have worked with many different customers in widely varying industries. During this time, we have seen information security concerns become universal, though more so in certain industries. This is often because of stricter laws and regulations applicable to the particular industry.  

Some examples of these in the United States include:  

  • Healthcare industry: Health Insurance Portability and Accountability Act (HIPAA). 
  • Financial services and banking: rules from the Financial Industry Regulatory Authority (FINRA) and the Securities and Exchange Commission (SEC), and the Sarbanes-Oxley Act (SOX), among others.
  • Retail and eCommerce: the Payment Card Industry Data Security Standard (PCI DSS) compliance requirements.

Also, the European Union (EU) General Data Protection Regulation (GDPR), a sweeping data-privacy law that took effect in May 2018, has an impact well beyond EU countries and is not limited to any specific industry.

None of these specific laws and regulations apply directly to the industry within which Svitla operates, the outsourcing and contract software development industry. Yet all of them impact Svitla through our broad, diverse set of customers and their industries. That is why we consider the entirety of these regulations in our security policies and procedures. Our staff members are knowledgeable about information security regulations, ensuring that our own and our customers’ security postures are maintained properly.


As part of the ongoing effort to continually improve our security posture, each year, Svitla identifies several information security related initiatives as focal points. In 2019 we have three main focus areas:

  • “Controls, Policies and Procedures”,  addressed in Part 1 of this series; 
  • “Internal IT Infrastructure”, covered in Part 2; and,
  • “New Customer-centric Solutions”, discussed in Part 3.

Controls, Policies and Procedures 

Organizations assess their ability to meet the requirements of these laws and regulations through their internal controls. Independent audits, such as the American Institute of Certified Public Accountants’ (AICPA) System and Organization Controls (SOC) examinations and certification against the International Organization for Standardization’s ISO/IEC 27001 standard, are used to document that appropriate controls are in place to protect company assets, including information and data.

The AICPA SOC reports have become widely known, high-profile report structures that help organizations demonstrate their control environment to their customers, either for the entire organization or for a specific system.

The two kinds of SOC report most relevant here are:

  • SOC 1: for service organizations, such as payroll or transaction processors, whose work affects their customers’ financial reporting;
  • SOC 2: for other service organizations, like Svitla Systems, that provide more general services to their customers and need to demonstrate controls over security and related criteria.

Further, each SOC report comes in two Types. A Type 1 report describes the controls as of a specific point in time and assesses whether they are suitably designed (“Are you controlling what you need to control?”). A Type 2 report covers a period of time, commonly six to twelve months, and also tests whether the controls operated effectively throughout that period (“Are you doing what you said you would?”).

SOC 2 controls are evaluated against the AICPA Trust Services Criteria, which are grouped into five categories: security, availability, processing integrity, confidentiality, and privacy. Security (the “common criteria”) is included in every SOC 2 examination; the other four categories are added as they apply to the services being assessed, and many individual controls support more than one category.

This is a somewhat simplistic view of these audits; for a more complete understanding of the subject, we recommend reading this overview article. 

For outsourcing and consulting companies like Svitla Systems, SOC 2 reports help verify the presence and effectiveness of an appropriate control environment in the organization. 

Our recent SOC 2 report is available to our customers upon request. The examination covers the trust services categories applicable to Svitla’s business operations, primarily security and availability, over a six-month period (the Type 2 form described above). The report confirms that the controls Svitla Systems implements through its internal processes and procedures were reviewed and updated where necessary to meet the SOC 2 criteria. The updates were communicated through organization-wide training so that all associates know the policies, procedures, and controls and understand the purpose of each.

This training was part of our broader ongoing information security training program, which has both online and in-person delivery components, as well as assessments to gauge learning and track completion for all associates. The assessment results also serve as a feedback mechanism to improve future iterations of the training, with the goal of improving associates’ ability to absorb, retain and apply the information. 

Another certification that demonstrates the quality of our internal processes is ISO/IEC 27001, which Svitla expects to complete in 2020. Both the SOC 2 report and the ISO/IEC 27001 certificate will be available to our clients for review upon request.

Look for our next article, where we will take a closer look at “Internal IT Infrastructure” and discuss the hardware-related initiatives and the new capabilities they will provide to all of our associates and customers.


FAQ

How can we effectively manage security?

Security is managed through controls, policies, and procedures, measured against recognized standards and verified by independent audits such as SOC 2 and ISO/IEC 27001. Regular training for staff members and continuous improvement of the infrastructure keep the organization in line with industry regulations and international best practice. Internal processes aligned with the trust services categories (security, availability, processing integrity, confidentiality, and privacy) protect information and maintain client trust under the applicable regulations.

How do you maintain security in the workplace?

Workplace security begins with strong internal controls, policies, and procedures. SOC 2 reports and ISO/IEC 27001 certification verify, through regular audits, that these measures are effective and that high standards are being met. Training all employees so that they know and understand the security policies is an ongoing process. Together, these keep sensitive information protected under the relevant regulations and create a safe environment for the organization and its clients.

What is the biggest security weakness in an organization?

The greatest security vulnerability in most organizations is human error, whether through ignorance or mishandling of sensitive information. However advanced the technical protection, it can be undermined if employees are not trained on the relevant security policies and best practices. Regular education, testing of procedures, and reinforcement largely mitigate this risk. Addressing the human element in tandem with technical controls makes for a more resilient security posture.

How can safety and security be improved?

A proactive and comprehensive approach to safety and security begins with establishing internal controls, policies, and procedures. Regular independent audits and certifications such as SOC 2 and ISO/IEC 27001 confirm that these measures are effective in practice and are kept up to standard. Regular, detailed training for all staff builds an environment in which everyone is aware of security issues and applies best practices. Reviewing and improving each of these elements advances the organization’s state of safety and security.