Why CompTIA Security Trustmark+™?
Last year, Right Hand Inc began embarking on the path of becoming CompTIA Security Trustmark+ certified. In this brief post, I want to highlight the why and the how for getting the Security Trustmark+. Let’s start with the why.
In the past, there have been several times we have been asked if we're SAS 70 and then SSAE 16 certified. At the time, the businesses that asked about this were not large enough, nor a big enough portion of our business, to warrant the expense of these certifications. In order to achieve these certifications, you can easily spend over $150k! We knew on the security side we were doing the correct things, but we didn't have the demand to justify going through the process.
Then as we started to go out and do more and more security assessments for organizations who already have an IT provider, we found out that almost every time the security in place was not up to industry standards. Our goal is to continue building a best-in-class MSP backed by best-in-class processes delivered by a team dedicated to delivering best-in-class results. That not only applies to support but also to security.
The problem we found is that when we brought the security problems to the surface, many prospects would go back to their current provider, who would tell them it's no big deal. No big deal? Having insecure ports open on a firewall, user accounts still active for people who have been gone for years, patches missing, and a myriad of other security problems is a very big deal in a world where hackers are holding data ransom and now disclosing your customer data if you do not pay up.
At that point, we took a hard look at ourselves and put ourselves in the prospect's point of view. We are coming in and telling them all these issues. Their provider is saying it is no big deal. As far as they know, we are all the same. We had to figure out a way to differentiate ourselves and to show that when it comes to security, Right Hand is the go-to company.
In the meantime, CompTIA – the largest and most respected association in the IT industry – had developed a series of company certifications. The most recently revamped certification is the CompTIA Security Trustmark+, which follows the NIST Cybersecurity Framework and is a third-party-audited certification. We decided this is a way we can demonstrate to clients and prospects that we follow NIST standards, have the proper security in place, have had it validated by a third party, and can help them with the same.
Next, we will talk about how we went about it.
First, you must make the decision to commit to it. It takes a significant amount of time to complete. We decided it was worth the time and the investment, so we signed up and paid CompTIA to get the certification.
After you sign up, you then start the process, which is going through the NIST matrix CompTIA has put together for IT providers to follow. This covers all the areas of the NIST Cybersecurity Framework.
After a little delay in getting the ball rolling, we quickly realized we needed to establish a committee that meets on a weekly basis to get this completed. A group of us met every Wednesday morning for sixty to ninety minutes and diligently worked through the framework. This group consisted of two CISSPs, a Security+ certified engineer, and our service manager. We did not just want to get through it. We wanted to find anything we may have missed, fix it, and then get through the certification.
Did we change anything internally? Yes.
When we went through the risk assessment and the business impact analysis, we quickly realized we were in a very good spot with providing our services. If our building burned to the ground, we had all of our client support systems already in the cloud. We did have accounting systems in house, so there was the potential for some issues with payroll, accounts receivable and accounts payable. We decided to move those systems to Azure and utilize Citrix to access them.
Another area we improved on: we were already self-hosting some of our tools in the cloud, but the risk there was that we had to maintain them. We decided to move to totally hosted tools where our vendor would host, secure, and support our tools. Our vendor has a much larger security team, has the developers to fix any security issues, and has the money to invest in all the security technology needed to maintain the security of our systems. With MSPs falling prey to hackers through their self-hosted tool sets, it made a lot of sense for us.
One last thing we changed was our processes. As part of the certification, you need to review policies, permissions, etc. on a regular basis. You also need to perform certain exercises, like tabletop exercises of a security incident. We were able to create recurring tickets in our system to remind us of all the various recurring tasks and processes we needed to follow to stay compliant.
Finally, after we completed everything on our end, we had to provide everything to the third-party auditor. This included copies of our policies, proof of various controls in place, and attestations for anything for which you cannot provide proof – for example, our vendors are SOC 2 compliant, but we have NDAs in place and cannot share that documentation.
All in all, it took us about six months to complete the certification, but that was because we already had most of the controls in place needed to achieve the certification.
We will continue to follow the NIST Cybersecurity Framework and keep our certification current. It is a significant investment of time and money, but in our world there is no barrier to entry for starting an IT company. Anyone with a self-printed business card can claim to be an IT expert. When it comes to security, an IT company needs more than IT experts. They need security experts, and now with the CompTIA Security Trustmark+, Right Hand has the third-party verification to prove that we are the security experts our clients and prospects can count on to protect their organizations.
For more information on the CompTIA Security Trustmark+, visit http://www.comptia.org.