The importance of security certifications
Outsourcing your company’s security demands a supplier that is big enough, resilient enough and secure enough to do the job properly. This is why Symantec.cloud invests so heavily in its infrastructure. Our global footprint includes 18 data centres across four continents, two network operating centres and thousands of servers handling email, Web, and instant messaging traffic.
We apply the highest standards to our data centres because our customers demand the highest levels of confidentiality, data integrity and reliability. Certifications like ISO 27001 and audit report standards like SSAE 16 are vital external instruments to demonstrate the quality and security of our cloud services.
This post will provide an overview of the various certifications and why they are important
What is ISO 27001?
ISO 27001 is a security management standard to guide the development and implementation of an Information Security Management System, commonly known as an ISMS. The Standard was published jointly by International Security Office (ISO) and International Eletrotechnical Commission (IEC).
What is ISMS?
Information Security Management System (ISMS) is a board approved, high level information security policy which is used to effectively manage how different types of risk, relating to an organization’s information assets, are to be treated and identifies a set of controls (responses to/countermeasures for) that respond to each of the identified risks.
What does it mean to be ISO27001 certified?
To be certified, Symantec must continuously test the existence and effectiveness of our information security controls. Under the standard, our ISMS defines the way we continually manage security in a holistic, comprehensive way.
Certification ensures that:
- Information assets are identified
- Risk of these assets is assessed in relation to the likelihood and impact of specific threats and vulnerabilities
- Where a level of assessed risk to an asset is not acceptable, controls are implemented to reduce such risk (the 133 controls dictated by ISO27002)
- These assessments and controls are frequently audited internally and externally to ensure security and best practice.
- Action is taken to address any non conformances or short falls identified.
Why is it important that Symantec is ISO27001 certified?
With the strict set of rules governing Symantec’s process and controls in terms of handling your information, you can feel safe knowing that Symantec is committed to information security at every level. You can place your confidence in our processes and controls backed by the certification. It also provides more transparency and certainty allowing you to evaluate our security practices. Furthermore, the certification is an ongoing process ensuring that we always review and maintain our security controls.
Who is the certifying agent?
Symantec's SAS 70/SSAE 16 audit and ISO 27001 certification were performed by KPMG. Certification by KPMG is officially recognized by the United Kingdom Accreditation Services to provide third party Certification across all business sectors.
What is SSAE 16 and SAS 70 type II?
Statement on Auditing Standards no. 70(SAS 70 Type 2) has similar functions as ISO 27001and is the most common type of audit used in cloud environments as it involves reporting on the security controls being used in cloud services.
Statement on Standards for Attestation Engagements no. 16 (SSAE 16) is the new "attest" standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). It is an enhancement to the current standard for Reporting on Controls at a Service Organization, the SAS 70 and is now effective as of June 15, 2011.
In which country do each of the standards apply?
SAS 70 was mainly used in the United States to provide an audit of the design and effectiveness of controls, and SSAE 16 is used in a similar fashion. ISO 27001 is an international standard entirely devoted to security and adhering to the formal set of standards pertaining to its information security management system. It is commonly used in Europe, Japan and some Asian countries.
At Symantec our customers demand high levels of assurance about our security standards, to meet this demand Symantec.cloud has:
- ISO/IEC 27001 certification covering the entire Operations Department, which includes all production infrastructure.
- ISO 27001 certification scope reads “The Symantec.cloud ISMS scope applies to the people, processes and technology within Symantec.cloud Operations for the delivery of the Symantec.cloud Web, Email, Instant Messaging, End Point and Back Up services. This is in accordance with the Statement of Applicability v1.4.”
- All US Data Centers hold current SAS 70 Type II or the updated SSAE 16 accreditations. Data Centers located on the European continent are ISO27001 certified.
- As a publicly traded US-based corporation, Symantec is subject to Sarbanes-Oxley audits as well as a wide variety of other regulatory requirements, both internal and external.
- A comprehensive Data Protection and Privacy Audit of Symantec.cloud has been conducted by a major global audit firm as part of an annual cycle of ISAE3000 audits.
- Symantec operates a number of independent internal groups to ensure strong governance and management of information security and other risks, including Customer Assurance, an Information Security Department, a Trade Compliance group and an independent Ethics and Compliance team, a Privacy and Data Protection Team, Corporate Risk Assurance, and Legal.