Solidifying customer confidence in security due diligence
If you’re a B2B business looking to or already supplying to large organisations, you will probably have noticed an uptick in the number of questions and the “proof” of information security controls asked of you for systems that host business critical and customer sensitive data.
These are not difficult questions to answer but can be very time consuming. However, your reputation may be on the line over time if you fail to provide proof to your customers that internal information security management systems (ISMS) you said you have are actually enforced.
On the flip side, if you are able to provide assurances that your ISMS policies are being enforced and can be independently verified, you will solidify customer confidence and have much greater appeal to win business than your competitors who don’t.
What is normally asked in procurement security due diligence by large customers?
Many require third-party vendors to have some or all of the following certifications which are relevant to the services being provided, e.g. PCI Certification, ISO 27001, SOC 2 Type II, penetration testing results.
What is the PROOF asked of you?
PCI Certification - Proof of internal controls for handling credit card information
ISO 27001 - Proof of internal information security management system (ISMS) controls
SOC 2 Type II - Proof that ISMS controls are operating as intended
Penetration test - Proof that software and systems developed have been robustly tested for software vulnerabilities.
Certifications are one thing, but providing proof of systematic testing and compliance adds to the reputation of the vendors. Almost all certifications have detailed requirements in the relevant standard and require a third-party auditor:
to assess compliance against the applicable standard,
prepare a detailed report of any weaknesses or deficiencies and then,
issue a certificate of compliance once remediation work is completed.
How to best provide this proof without breaking your bank and diverting resources to time consuming audit and report generation?
The answer is three-fold:
Independent: carried out by a trusted third-party
Continuous Verification: not just a one-time check but continuous audit based on real-time data
On-demand Report Generation: reporting is readily available any time.
How can Detexian help?
Detexian provides independent, continuous verification of security controls for critical SaaS applications for which reports can be generated on demand via its SaaS Security Posture Management solution.
It is a single pane of glass across Office 365, G Suite, Atlassian, Salesforce, and other platforms. It detects critical user misconfigurations, audits SaaS permissions and more. With Detexian, regulatory compliance is made easy. You can generate audit reports to demonstrate evidence of control effectiveness over time that your auditors and regulators want.
Check out LAB Group Case Study on our webpage. Many of LAB Group’s prospective customers are large financial institutions who follow stringent vendor security assessment processes. Prospective Customer security teams seek to verify security control effectiveness and want assurances that ISMS policies are being enforced.