Hardly a week goes by without hearing about yet another data breach or cyberattack that harmed some company somewhere – which means, naturally, that organizations everywhere need more comprehensive cybersecurity controls and risk management programs.
One part of that challenge is how to demonstrate the effectiveness of your cybersecurity capabilities to stakeholders. You should be able to prove that you have the processes and controls in place to detect cyber incidents, respond quickly, and recover data and operations in the fastest possible time.
This is where cybersecurity attestation comes in.
A cybersecurity attestation (also more simply known as a cyber attestation) is a review and confirmation of your organization’s security status by an independent reviewer.
Should your organization get a cybersecurity attestation? How does the process work? Let’s explore.
What Is Cybersecurity Attestation?
Merriam-Webster defines attestation as “proving the existence of something through evidence” and “an official verification of something as true or authentic.” A cybersecurity attestation is formal, documented proof of your organization’s security status.
Attestation does not necessarily mean that your cybersecurity posture is perfect or that you are completely protected from cyber threats. It simply shows stakeholders that you are managing your cyberthreat landscape to the degree that you claim. It provides evidence that you are doing your best to detect breaches and respond to threats in an appropriate manner.
The attesting party will evaluate your cybersecurity environment and provide assurance that your controls are suitably designed and operating effectively, to a stated level of confidence rather than as a guarantee. This typically includes a review of your cybersecurity infrastructure and risk management program to confirm whether those efforts meet the cybersecurity requirements set by a governing body or a chosen framework.
Do You Need Cybersecurity Attestation?
Not necessarily. The main purpose of cybersecurity attestation is to build trust with stakeholders.
When you have completed cyber attestation, you can provide a higher level of assurance about your security posture and cybersecurity program and controls. You could then offer that attestation to customers, business partners, and other interested parties to demonstrate that your organization is trustworthy. It demonstrates your commitment to transparency and shows that you are making an effort to strengthen your cybersecurity posture. The report will help them gauge whether you will protect the data they entrust to you, such as their own personal data.
So, does your organization need cyber attestation?
The answer: it depends.
Your customers, vendors, business partners, or other stakeholders may require a security attestation from you. Some industries and regulatory agencies also ask organizations to get a security attestation and provide the resulting attestation report.
In general, if your company is required to prove that controls are in place to secure sensitive systems and information, then yes, you should get a security attestation.
Cybersecurity Attestation and System and Organization Controls (SOC) for Cybersecurity
The American Institute of CPAs (AICPA) has developed a cybersecurity attestation and risk management reporting framework. This framework is part of the System and Organization Controls (SOC) for Cybersecurity assessment.
Like other SOC assessments, the goal of this assessment is to provide an assurance report that you can share with others. It is not a replacement for SOC 2 or SOC 3 reports: a SOC 2 report covers the controls of a specific system that a service organization operates for its customers, whereas SOC for Cybersecurity covers the entity-wide cybersecurity risk management program. Rather, it provides a way to assure stakeholders about your cybersecurity program, so you should consider it an additional assessment on top of SOC 2 or SOC 3.
The SOC for Cybersecurity assessment helps independent auditors – for this engagement, licensed CPA firms, typically ones with a cybersecurity practice – to examine enterprise cybersecurity risk management programs.
These auditors have the knowledge and expertise to understand cybersecurity risks and perform a quality assessment of your cybersecurity controls. After an objective review of your program, they will provide a report about the enterprise security posture. This information enables the board of directors, senior management, investors, and other stakeholders to understand the organization’s security efforts and judge the effectiveness of its internal controls.
Calculating a Security Score for Cybersecurity Attestation
Cybersecurity attestation is like a health report of your cybersecurity status. As part of the attestation, the auditor may give you a security score, which measures your security posture based on many security-related aspects.
One common input to such a score, for organizations running on Microsoft 365 and Azure, is Microsoft Secure Score. Microsoft Secure Score acts as a security benchmark for your Microsoft cloud tenant: a higher score shows that the company has completed more of Microsoft's recommended improvement actions. Note that it measures the configuration of the Microsoft environment only, not your whole cybersecurity program, so it is one piece of evidence rather than the attestation itself.
You will see your Microsoft Secure Score in the Microsoft 365 Defender portal (now the Microsoft Defender portal), expressed as a percentage (0 to 100) of the points achieved out of the points available. This number will help you to:
- Understand the current state of your security posture;
- Boost your security posture by improving your environment’s discoverability, visibility, and control;
- Establish key performance indicators (KPIs) to measure improvements in the security posture.
By following the Secure Score recommendations, you can strengthen your cybersecurity controls and protect your organization from threats. Your score will change when you implement these recommendations by configuring certain security features, completing security-related tasks, and addressing specific improvement actions. Be aware that Microsoft also adds new improvement actions over time, which raises the points available and can lower your percentage without any change on your side, so track the points achieved as well as the percentage when you report it as a KPI.
The attesting firm may walk you through your score to show where security vulnerabilities exist. The firm may also provide recommendations to address these security gaps and blind spots. Once the attestation is complete, the firm will provide a report you can show to your stakeholders to demonstrate your security status.
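As an added illustration of how the percentage and the KPI described above are derived (this is example code written for this article, not Microsoft's own tooling), the script below takes two Secure Score snapshots and the matching control profiles, computes the percentage the portal shows, measures the month-over-month change in percentage points, and lists the improvement actions with the largest remaining point gaps. The JSON is constructed sample data whose shape follows the Microsoft Graph secureScore and secureScoreControlProfile resources (GET /v1.0/security/secureScores and /v1.0/security/secureScoreControlProfiles); the field names are assumed from those resource types and every value is made up.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample data (values invented; field names assumed from the
# Microsoft Graph secureScore / secureScoreControlProfile resource types).
# A real tenant has far more controls; four are enough to show the arithmetic.
TODAY_JSON = """
{
  "id": "2024-03-01_example-tenant",
  "createdDateTime": "2024-03-01T00:00:00Z",
  "currentScore": 17.0,
  "maxScore": 35.0,
  "controlScores": [
    {"controlCategory": "Identity", "controlName": "AdminMFAV2", "score": 0.0,
     "description": "Require MFA for administrative roles"},
    {"controlCategory": "Identity", "controlName": "MFARegistrationV2", "score": 9.0,
     "description": "Ensure all users can complete MFA"},
    {"controlCategory": "Identity", "controlName": "BlockLegacyAuthentication", "score": 0.0,
     "description": "Block legacy authentication"},
    {"controlCategory": "Data", "controlName": "DLPEnabled", "score": 8.0,
     "description": "Turn on data loss prevention policies"}
  ]
}
"""

LAST_MONTH_JSON = """
{
  "id": "2024-02-01_example-tenant",
  "createdDateTime": "2024-02-01T00:00:00Z",
  "currentScore": 9.0,
  "maxScore": 35.0,
  "controlScores": []
}
"""

PROFILES_JSON = """
[
  {"id": "AdminMFAV2", "title": "Require MFA for administrative roles",
   "maxScore": 10.0, "implementationCost": "Low", "userImpact": "Low"},
  {"id": "MFARegistrationV2", "title": "Ensure all users can complete MFA",
   "maxScore": 9.0, "implementationCost": "Low", "userImpact": "Moderate"},
  {"id": "BlockLegacyAuthentication", "title": "Block legacy authentication",
   "maxScore": 8.0, "implementationCost": "Moderate", "userImpact": "Moderate"},
  {"id": "DLPEnabled", "title": "Turn on data loss prevention policies",
   "maxScore": 8.0, "implementationCost": "Moderate", "userImpact": "Low"}
]
"""

TODAY: Dict = json.loads(TODAY_JSON)
LAST_MONTH: Dict = json.loads(LAST_MONTH_JSON)
PROFILES: List[Dict] = json.loads(PROFILES_JSON)


def score_percentage(snapshot: Dict) -> float:
    """The number the portal shows: points achieved over points available, as a percentage."""
    if snapshot["maxScore"] <= 0:
        raise ValueError("maxScore must be positive")
    return round(100.0 * snapshot["currentScore"] / snapshot["maxScore"], 1)


def kpi_delta(previous: Dict, current: Dict) -> float:
    """Change in percentage points between two snapshots, the KPI an attester can track.
    Because maxScore can grow when Microsoft adds controls, compare points as well as this."""
    return round(score_percentage(current) - score_percentage(previous), 1)


def remaining_actions(snapshot: Dict, profiles: List[Dict]) -> List[Tuple[str, float, str]]:
    """Improvement actions not yet fully implemented, largest point gap first.
    Returns (controlName, missing points, implementationCost)."""
    by_id = {p["id"]: p for p in profiles}
    gaps = []
    for control in snapshot["controlScores"]:
        profile = by_id.get(control["controlName"])
        if profile is None:
            continue  # no profile for this control: cannot size the gap, so skip rather than guess
        gap = profile["maxScore"] - control["score"]
        if gap > 0:
            gaps.append((control["controlName"], gap, profile["implementationCost"]))
    gaps.sort(key=lambda g: (-g[1], g[0]))
    return gaps


if __name__ == "__main__":
    print(f"Secure Score: {score_percentage(TODAY)}% "
          f"({TODAY['currentScore']:.0f} of {TODAY['maxScore']:.0f} points)")
    print(f"Change since last snapshot: {kpi_delta(LAST_MONTH, TODAY):+.1f} points")
    for name, gap, cost in remaining_actions(TODAY, PROFILES):
        print(f"  {name}: {gap:.0f} points outstanding (implementation cost: {cost})")
```

The ranking deliberately keys on the point gap rather than the raw score, because a control's weight (its maxScore) is only available from the control profile, not from the score snapshot; an action with zero points but a large weight is where an attester will look first.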
Important Elements of a Cybersecurity Attestation Report
The attestation report is based on your security management or control framework. You may have chosen the NIST Cybersecurity Framework (CSF) or a framework like COBIT (Control Objectives for Information and Related Technologies), PCI DSS (Payment Card Industry Data Security Standard), or ISO/IEC 27001 (from the International Organization for Standardization).
The evaluator will assess your cyber risk management program based on these frameworks to decide whether your controls are effective in achieving your risk assessment and management objectives.
The report may be customized depending on your organization’s size, type, industry, and cybersecurity requirements. But in general, cyber attestation reports include the following points about the organization:
- The organization has assessed its cybersecurity risks.
- It has implemented a robust information security management system (ISMS) and a cybersecurity framework.
- It has an incident response plan in place.
- That plan is integrated with its business continuity plan.
- It is taking steps to improve its cybersecurity posture and resilience.
Ideally, the report will describe your data breach prevention and detection processes. It could also include details about breach remediation and data recovery processes, the operational recovery plan, and the stakeholder communication plan.
The Cyber Attestation Process
The CPA firm’s independent attestation report lets organizations offer an objective review of their cybersecurity risk management program and security controls to stakeholders. The auditors generally use the following process to review enterprise cybersecurity risk management programs and create the attestation report.
Identify the Organization’s Goals
The auditor providing the attestation will first identify the organization’s attestation goals. Before testing starts, the auditor will create a testing plan to clarify the goals and methodologies. The auditor may have a kickoff call with the organization to finalize outstanding items and get a sign-off on the testing plan.
Testing and Evidence Gathering
The auditors will start testing and perform validation of the company’s cybersecurity program and security controls. They will gather evidence and keep the organization updated on progress.
Finalize the Attestation Report
After the testing, the reviewer will prepare the attestation report, which may include all the elements discussed earlier. The reviewer may provide a draft report and a final report which the organization can share with stakeholders to demonstrate the completion of the attestation process.
ROAR Can Help Improve Your Security Defenses
Security risks and threats are not going anywhere. You can, however, protect your operations and enterprise assets by improving information security if you have visibility into the cyber threat landscape.
Reciprocity ROAR is an integrated cybersecurity risk management platform for Risk Observation, Assessment, and Remediation. Modern, cyber-aware organizations use ROAR to see risk across the business and build a unified foundation for a comprehensive cybersecurity program.
Reciprocity ROAR offers advanced automation and a pre-loaded content library for more than 20 frameworks. Workflows and templates streamline tedious activities throughout the lifecycle of the risk management process. The document repository and audit trails ensure you are always audit-ready.
Schedule a demo to see how ROAR can help you strengthen your security controls and prepare cybersecurity attestation.