Although vendor-written, this contributed piece does not advocate a position that is particular to the author’s employer and has been edited and approved by Network World editors.
In the world of compliance and governance, terms such as certified, compliant and validated have distinct meanings that are often mistakenly used interchangeably. It is key to understand the terms themselves and how they are used in the industry, so here’s a handy guide.
Before we dive into the specific types of credentials, it is important to understand that there are two fundamental processes that take place during an initial audit – attestation and assurance -- that determine the extent to which the audit criteria are fulfilled. Conducting these procedures helps businesses meet third-party risk and compliance requirements and provides information to customers and other stakeholders that validates the integrity of an organization’s control environment. To put it in simple terms, think of it like a letter of recommendation or evidence showing that something is true:
* Attestation. This is when an auditor has validated or verified that your claims are true to the extent that they will put their organization’s reputation on the line by signing an attestation. In doing this validation they have directly reviewed processes, examined product code, and dug into the evidence of the attestations requirements to the best of their ability. For instance, audits such as ISO-27001, SOC-2 and FIPS are considered attestations.
* Assurance. This is when an auditor has reviewed a company’s process or product based on evidence provided by the company to the auditor. While this may seem similar to an attestation on the surface, it is not. It’s as if an auditor were to say, “To the best of our ability and based on the evidence provided by the company, we can assure they are following the proper guidelines.” A good example would be HIPAA or ISAE-3000 — both of which are referred to as Type II assurances. The term “Type II” refers to the length of the audit process—for example, HIPAA and ISAE-3000 were reviewed by auditors over a 6-month period.
Now that we’ve covered some of the basics, let’s explore the differences between common compliance terms:
* Compliant. In order to be compliant with regulations, an organization must align their process and controls with the requirements of the regulation. My company Druva, for instance, is HIPAA compliant based on a 6-month assurance audit conducted by KPMG where we provided evidence and the auditor concluded that our process and controls comply with HIPAA’s guidelines.
Another way that organizations can enable compliance is to conduct their own assessment of their process and controls, and align them with the requirements and intent of the regulation. Take compliance for ITAR, for example.
* Certified. Based on attestations, certifications have an official process in place, which requires a governing body to audit a company’s process, controls and products before they can officially receive a certificate and be ‘certified’. Safe Harbor (when it existed) had its own official certification process, for instance. But not all regulations have a certification process. HIPAA is one example where organizations can only be HIPAA compliant, not HIPAA certified.
* Validated. In addition to complying with requirements, some regulations go a step further and require validation for authenticity of certified components. FIPS 140-2 certification is one such regulation that requires validation for certified encryption modules. In basic English, that means the code inside the encryption modules or libraries has been reviewed and certified by the U.S. government.
When an organization acquires these modules for usage in their product, they are pre-compiled, meaning the encryption code cannot be altered because they come with an identifying fingerprint that ensures the integrity of the module. Once these modules are integrated into the product, an outside third-party that is recognized for auditing FIPS modules conducts an audit of the implementation and validates the authenticity via the fingerprint. After passing the audit, the third-party entity will write a letter of attestation and sign it stating that the company’s FIPS implementation complies with the FIPS encryption standard.
Understanding these common terms can better prepare you to address the growing complexity of compliance regulations as they pertain to your organization and industry. In addition, it can act as a guide for implementing the best technology solutions to help you manage compliance and protect your organization as a whole. Keep in mind that compliance terms can vary by country and context, such as with the recent GDPR legislation, so it is important to understand the regulatory compliance requirements of each country you operate within.
Packer has more than 20 years experience in influencing products in the enterprise technology space, primarily focused in the areas of information management and governance. At Druva, he leads Product Marketing, which serves as an integral part of product definition and direction.