Why CompTIA Security Trustmark+™?
Last year, Right Hand Inc began embarking on the path of becoming CompTIA Security Trustmark+ certified. In this brief post, I want to highlight the why and the how for getting the Security Trustmark+. Let’s start with the why.
In the past, there have been several times we have been asked if we’re SAS 70 and then SSAE 16 certified. At the time, the businesses that asked about this were not large enough and a big enough portion of our business to warrant the expense of these certifications. In order to achieve these certifications, you can easily spend over $150k! We knew on the security side we were doing the correct things, but we didn’t have the demand to justify going through the process.
Then as we started to go out and do more and more security assessments for organizations who already have an IT provider, we found out that almost every time the security in place was not up to industry standards. Our goal is to continue building a best-in-class MSP backed by best-in-class processes delivered by a team dedicated to delivering best-in-class results. That not only applies to support but also to security.
The problem we found is when we brought the security problems to the surface, many prospects would go back to their current provider who would tell them it’s no big deal. No big deal? Having insecure ports open on a firewall, user accounts active that have been gone for years, patches missing, and a myriad of other security problems is a very big deal in a world where hackers are holding data ransom and now disclosing your customer data if you do not pay up.
At that point, we took a hard look at ourselves and put ourselves in the prospects point of view. We are coming in and telling them all these issues. Their provider is saying it is no big deal. As far as they know, we are all the same. We had to figure out a way to differentiate ourselves and to show when it comes to security, Right Hand is the go-to company.
In the meantime, CompTIA – the largest and most respected association in the IT industry – had developed a series of company certifications. The most recently revamped certification is the CompTIA Security Trustmark+, which follows the NIST Cybersecurity Framework and is a third party audited certification. We decided this is a way we can demonstrate to clients and prospects that we follow NIST standards, have the proper security in place, it has been validated by a third party, and this is something we can help them with.
Next, we will talk about how we went about it.
First, you must make the decision to commit to it. It takes a significant amount of time to complete. We decided it was worth the time and the investment, so we signed up and paid CompTIA to get the certification.
After signing up, you begin the process by following the NIST matrix CompTIA designed for IT providers. This covers all the areas of the NIST Cybersecurity Framework.
After initial delays, the team quickly established a weekly meeting committee to ensure timely completion of the project. A group of us met every Wednesday morning for sixty to ninety minutes and diligently worked through the framework. This group consisted of two CISSPs, a Security+ certified engineer, and our service manager. We did not just want to get through it. We wanted to find anything we may have missed, fix it, and then get through the certification.
Did we change anything internally? Yes.
During our risk assessment and business impact analysis, we quickly realized our strong position in providing services. If our building burned to the ground, we had all of our client support systems already in the cloud. We had in-house accounting systems, potentially causing issues with payroll, accounts receivable, and accounts payable. The team migrated those systems to Azure and accesses them using Citrix.
We improved by self-hosting tools in the cloud, taking on the responsibility of maintaining them to mitigate risks. Our company fully adopted hosted tools, with the vendor managing, securing, and supporting them. Our vendor maintains our system security with a large team, developers to address security issues, and invest in necessary technology. With MSPs falling prey to hackers through their self-hosted tool sets, it made a lot of sense for us.
One last thing we changed was our processes. As part of the certification, you need to review policies, permissions, etc. on a regular basis. You also need to perform certain exercises, like tabletop exercises of a security incident. We created recurring tickets in our system to remind us of the necessary tasks and processes for maintaining compliance.
Finally, after we completed everything on our end, we had to provide everything to the third-party auditor. This included copies of our policies, proof of various controls in place, and attestations for anything for which you cannot provide proof – for example, our vendors are SOC II compliant, but we have NDAs in place and cannot share that documentation.
Overall, we completed the certification in about six months because we already had most of the necessary controls in place.
We will continue to follow the NIST Cybersecurity Framework and keep our certification current. By investing significant time and money, anyone can start an IT company in our world, as there are no entry barriers. Anyone with a self-printed business card can claim to be an IT expert. When it comes to security, an IT company needs more than just IT experts. Right Hand, with the CompTIA Security Trustmark+, now has third-party verification, proving our reliability in protecting client organizations.
See the full story in the Pittsburgh Post-Gazette
For more information on the CompTIA Security Trustmark, visit http://www.comptia.org.
Click here to learn more about us
Josh Wilhelm Acquires an Interest in Right Hand Inc and Joins the Organization as President