scout-certifications

(photo by torbakhopper / CC BY)

This is a brief post on the standards and laws to consider when evaluating online services, and in particular the certifications potentially relevant to your online provider. In my evaluations of online services I refer to these standards/laws, and this post provides the details behind those references.

For those not familiar, “online” refers to a service accessed over an Internet connection, and is often described using the metaphor of “cloud” services. The infrastructure required to deliver the online service is owned and managed by the service provider, which can be very attractive for a small business.

Certifications are obviously important in providing validation that certain requirements have been met. This is well known in Scouting organisations. Simply stating that you have met a requirement is not sufficient; you need some form of check to certify that the requirement has been met (even if that check is a self-certification).

So while it is fine to trust that your online service providers meet certain requirements, there is no substitute for verifying that they meet the requirements claimed, and certifications provide a pragmatic proxy for that verification.

The standards and laws to consider are important for two key reasons:

  1. Outsourcing IT services to online providers does not reduce your responsibility to ensure that your particular business complies with the standards and laws that apply to your industry.
  2. By understanding the certifications an online provider can obtain against the relevant standards and laws, you can make better decisions about which online providers are best placed to deliver your IT needs.

The following list captures the key standards to consider, in alphabetical order. A selection of US and European standards/laws is listed, but as you can appreciate, it's not feasible to capture every law for every country.

Each entry below gives the name of the standard or law, the industry it applies to, its jurisdiction, and a description.

Data Protection Directive (Industry: Any; Jurisdiction: Europe)
  • The Data Protection Directive is a European Union (EU) directive which regulates the processing of personal data within the European Union. Each EU member country is responsible for its own implementation of the directive into national law.
  • The Data Protection Directive covers how personal data is processed, and this includes collection, storage, adaptation, disclosure by transmission, dissemination, erasure or destruction.
  • US-EU Safe Harbor is a process for US companies to comply with the EU Data Protection Directive. It is described in its own entry below.
  • If you plan to use cloud services for processing (see the definition above) of data from customers in Europe, then the Data Protection Directive is relevant. The relevant certifications vary by country.

FIPS 140-2 (Industry: Any; Jurisdiction: De facto international)
  • Federal Information Processing Standard (FIPS) Publication 140-2 (FIPS PUB 140-2) is a security standard used to accredit how encryption is implemented. This includes the encryption algorithms and many other aspects related to encryption.
  • While FIPS 140-2 is a U.S. government standard, it has become a de facto standard internationally.
  • If you plan to use cloud services, then independent certification of the provider's encryption methods is prudent.

FISMA (Industry: US Federal Government; Jurisdiction: US)
  • FISMA, or the Federal Information Security Management Act of 2002, is a US law rather than a standard, and “requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source”.
  • FISMA, from a small business perspective, is only relevant if you are considering supplying technology to the US Federal Government.

HIPAA (Industry: Health; Jurisdiction: US)
  • The HIPAA Privacy Rule provides federal protections for individually identifiable health information held by covered entities and their business associates, and gives patients an array of rights with respect to that information.
  • The definition of a business associate is important: “Business Associate Defined. In general, a business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information”.
  • Also important is the need for a written agreement with any business associates used: “When a covered entity uses a contractor or other non-workforce member to perform “business associate” services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement”.
  • HIPAA is important if you plan to use online services with individual health information covered by US law.

ISAE 3402 (Industry: Any; Jurisdiction: International)
  • ISAE 3402 is a standard from the International Federation of Accountants that covers assurance reports on controls at a service organisation.
  • ISAE 3402 (or its US adaptation, SSAE 16) applies when you use a service provider for processes that could impact your financial reporting. For example, you plan to use an online service provider for accounting software, or for storage of accounting data.
  • Type 1 compliance looks at the controls in place at a point in time; Type 2 compliance looks at the effectiveness of the controls over 6 months.
  • While ISAE 3402 is an accounting standard, the implications for information technology are all positive. A cloud provider with ISAE 3402 certification (or the US adaptation, SSAE 16) provides confidence that its controls, including technology controls, have been independently audited.

ISO 27001 (Industry: Any; Jurisdiction: International)
  • ISO 27001 “specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature”.
  • According to one estimate, an ISO 27001 certification costs about $48,000 on average. At this price, there is no excuse for a serious online provider not to be certified.
  • If you plan to use cloud services, then independent certification that your potential service provider has an effective information security management system in place is prudent.

PCI DSS (Industry: Any; Jurisdiction: International)
  • PCI DSS, or the Payment Card Industry Data Security Standard, “provides an actionable framework for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents”.
  • PCI DSS is developed by the PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa).
  • If you plan to use cloud services and pay for them using a credit card, then certification that your payment is processed in accordance with PCI DSS is prudent. This equally applies if you plan to sell services online.

SSAE 16 (Industry: Any; Jurisdiction: US)
  • SSAE 16, or Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization (SSAE16), is the US adoption of the international standard ISAE 3402.
  • The standard covers assurance reports on controls at a service organisation that are likely to be relevant to your internal controls for financial reporting. For example, you plan to use an online service provider for accounting software, or for storage of accounting data.
  • Type 1 compliance looks at the controls in place at a point in time; Type 2 compliance looks at the effectiveness of the controls over 6 months.
  • SSAE 16 is the replacement for SAS 70. The SSAE Type 1 report checks the data protections in place, and the SSAE Type 2 report includes testing of the protections in place.
  • According to one estimate, Type 2 audits range from $20,000 to $50,000. At this price, there is no excuse for a serious online provider not to be certified.
  • While SSAE 16 is an accounting standard, the implications for information technology are all positive. A cloud provider with SSAE 16 certification (or the international standard, ISAE 3402) provides confidence that its controls, including technology controls, have been independently audited.

US-EU Safe Harbor (Industry: Any; Jurisdiction: US)
  • US-EU Safe Harbor is a voluntary certification process for US companies to comply with the EU Data Protection Directive on the protection of personal data.
  • US-EU Safe Harbor was developed by the U.S. Department of Commerce in consultation with the European Commission.
  • An organisation can self-certify that it adheres to the US-EU Safe Harbor principles.
  • If you plan to use cloud services for processing of data from customers in Europe, and your business is in the US, then the US-EU Safe Harbor may be relevant (“processing” includes collection, storage, adaptation, disclosure by transmission, dissemination, erasure or destruction).
