The Benefits of Third Party Verification and Validation
Recent regulatory initiatives like the Cybersecurity Maturity Model Certification (CMMC), which replaces contractor self-attestation with assessment by an accredited third party, signal the government's view that self-assessment alone, including under the HIPAA Security Rule, is no longer sufficient against today's risks. To demonstrate that data is both secure and handled in compliance with the rules, independent third-party verification is becoming essential. Like having the right answer on an algebra test, having the right security answer is not enough to pass: you need to show your work to someone who can confirm it.
Recent FTC enforcement actions, like the SkyMed case, illustrate the federal government's focus on protecting consumer information, and its little or no tolerance for companies that benefit from promoting false comfort by making unsubstantiated claims of compliance and security.
Common sense suggests that a company should display a third party's "seal" only if it has actually met the specific, legitimate criteria that third party requires to earn the seal.
A World Without Third Party Verification and Validation Is Impossible to Navigate
A world without verification and validation seals is not very realistic – it’s a fantasy land, or perhaps more to the point, a nightmare land. Think about the types of companies that issue third party seals. Good Housekeeping issues its “Seal of Approval” to products that have undergone testing by the Good Housekeeping Research Institute, a private entity. Green Seal awards products that meet life-cycle-based criteria for sustainability. Before Green Seal declares a product as “green,” the company seeking Green Seal’s seal must submit performance testing results, labels, and marketing materials, for rigorous evaluation.
The SOC 1 report is also provided by a third party, in this case an independent CPA firm. Issued under the AICPA's Statement on Standards for Attestation Engagements (SSAE) 18, the SOC 1 report addresses an organization's controls that are likely to be relevant to an audit of a user entity's (customer's) financial statements.