As a marketing person at an information assurance firm I spend a lot of my time looking at both of these issues. I have recently noticed that “ahead of the curve” organizations are increasingly using their information security posture as a marketing tool. I thought the approach taken by a SaaS company that we were reviewing on behalf of a customer was intriguing.

The page I landed on was specific to the company’s security.

SaaS Service Security Measures

The SAAS company had a page that promoted its security controls. As s a company serving over one million customers, they have a lot at risk – especially as the Poneman Institute estimates that the average data breach costs about $202 per name in a data breach notification case.

I really like the company’s open/transparent approach of a simple bulleted list of key security controls in place:

• The SaaS company implemented physical security controls: biometric scanners at their 24/7 monitored data centers.
• The SaaS company office is secured by keycard access, and is monitored with infrared cameras.
• They also have their policies documented in case of a disaster.
• As part of their Data Loss Prevention plan, databases are segmented by accounts.
• Customer data is backed up offsite.
• Passwords for customer accounts are encrypted.
• Login pages and the SaaS application are encrypted with SSL.
• Login pages have been tested to hold up against a brute force attack.
• Not only does the SaaS company perform Social Engineering tests, but they also train new employees about Social Engineering and the use of Social Media.
• The SaaS company performs regular security penetration tests. Additionally, they are using different vendors for multiple opinions. They are performing Vulnerability Assessment and Penetration Tests against their:
• Network
• Databases
• Application

Perhaps the most interesting control is that they require any new employees to read “The Art of Deception”, by Kevin Mitnick.

While their data center isn’t ISO 27001 Certified, I am glad to also read that they have ISO 17799 based policies and procedures as part of their SAS-70. While you may be doing all of the “right things” (e.g., a Vulnerability Assessment, Penetration Test or Social Engineering) you are likely not getting the maximum marketing benefit of doing so if you are not communicating your activities and controls in an open and honest fashion on your website.

Free Whitepaper: Stop Wasting Money on Penetration Testing

Penetration Testing is most frequently performed to:

• Substantiate the net effectiveness of a mature control environment
• Prove to a third party that an environment is secure/trustworthy
• Quickly assess the security of a less mature control environment (in a sense a technical risk assessment)
• To validate that significant changes did not have unanticipated results

Is ISO 27001 Right for (Y)our Organization?

Thinking about ISO 27001 Certification? View our free On-Demand ISO 27001 Webinar

• How to deal with increasing threats
• How to manage multiple regulatory requirements
• How to handle client requests for attestation
• To validate that significant changes did not have unanticipated results

Free Download: A Best Practices Guide to Database Security

Because data is only as secure as the systems & processes it relies on – a holistic approach to data security is essential. This roadmap is not meant to be exhaustive but rather to stimulate the necessary thought process to put you on the path to good data security.

Free Whitepaper: Five Best Practices for SIEM

The promise of SIEM is the consolidation of all relevant Security Event Logs from disparate sources into a single unified and normalized data store.

• Simplify compliance monitoring/reporting
• Vastly improve Incident Detection & Incident Response
• Contextualize event information with other business relevant information

Download: Information Security Attestation Guide

A Best-Practices Guide to Information Security Attestation

Download our proven Information Security Guide to simplify the process of protecting your data, proving you’re secure and growing your business.

Free Download: ISO 27001 Implementation Roadmap

Have no fear – our “roadmap” will guide you, step by step, through the entire ISO 27001 process.

Getting to ISO 27001 certification is a process made up of things you already know – and things you may already be doing!