July 15, 2024
Hilary O'Brien
To understand the differences between Data Security, Information Security, and Cyber Security, it's helpful to recognize how each term fits within the broader landscape of protecting digital and informational assets.
Information Security (InfoSec) is a broad term encompassing the protection of all forms of information, whether digital or physical. It focuses on ensuring the confidentiality, integrity, and availability of information. Examples of InfoSec processes include security policies and risk management frameworks, employee training and awareness programs, physical security controls (e.g., access badges, surveillance), and security controls like firewalls, intrusion detection systems, and data loss prevention.
Data Security focuses on protecting specific data sets from unauthorized access, corruption, or theft. It involves the measures and processes used to safeguard data at the granular level, such as databases or files. It includes protections such as encryption, access control mechanisms (e.g., role-based access controls), data masking, and backup and recovery solutions.
Cyber Security specifically targets protecting systems, networks, and digital devices from cyber attacks. It is a subset of InfoSec that focuses on defending against threats that arise in the digital world. Protections include firewalls and intrusion prevention systems, anti-malware and endpoint protection, and network security practices (e.g., secure network architecture, segmentation).
For F&A teams and their vendors, security is paramount and involves a robust framework of policies, technologies, and practices aimed at protecting financial data from breaches, ensuring regulatory compliance, and safeguarding against fraud and other threats.
In today's digital age, where data breaches and cyber threats loom large, the importance of ensuring the security and reliability of software solutions cannot be overstated. As organizations increasingly rely on software to drive their operations, it's imperative to have mechanisms in place to evaluate and mitigate risks effectively.
Jill Knesek, Chief Information Security Officer (CISO) at BlackLine, notes, “With everything online and in the cloud, there are so many vulnerabilities and a lot of opportunities for hackers to access data. Sensitive data. Data that has value. There is an entire dark web where data is sold and traded from companies that hackers have breached.”
Companies must do everything they can to protect their data, and that includes a close look at their vendors’ security.
BlackLine works with the financial data of some of the biggest, most innovative companies in the world. Accuracy is at the core of what we deliver to our customers, and we can’t do that without valuing security and ensuring our customers’ data is safe.
We are acutely aware that our customers trust us and our platform with their most valuable and important financial data. As a vendor of unified, comprehensive, flexible, and scalable solutions that help companies open the door to future-ready financial operations, BlackLine is part of our customers’ supply chains. We are a downstream provider of information and applications. Where other companies meet the bare minimum requirements when it comes to data security, we go beyond with the additional parts and pieces.
Knesek says, “We pride ourselves on being a strong, dependable link in our customers’ supply chains.”
To that end, BlackLine has more security certifications than any of our competitors.
We provide globally recognized reports and certifications—SOC1s, SOC2s, and ISO Certifications—and are verified and audited by a third-party, unbiased auditing firm. Further, we validate the security controls, compliance, governance, and work we do at BlackLine as part of our security program.
Since all of our solutions are in the cloud, we want to ensure our customers understand that our cloud security implementation is strong. Equally as important, we ensure personally identifiable information is kept safe.
We are proud to offer world-class security to our clients, including:
External independent auditing and risk management
Customer pen testing
A leading CISO with 25+ years' experience and numerous industry accolades
Partnerships with top-tier data centers and hosting environments that are SOC 2 Type 2 attested and ISO 27001 certified
Certifications include:
SOC 1 Type 2, SOC 2 Type 2, SOC 3 reports
ISO 27017 (Cloud Security)
ISO 27018 (Cloud Privacy)
ISO 27701 (Privacy Information Management) certified
ISO 27001 (Information Security Management)
To dive into more detail, here is some information about why some of these reports are so critical.
Type 1 SOC reports provide a snapshot of an organization's control environment at a specific point in time, focusing primarily on the design of these controls. While this offers valuable insights into the structure and intentions behind the controls, it may not provide a comprehensive understanding of their operational effectiveness over time.
On the other hand, Type 2 SOC reports delve deeper, offering a thorough evaluation of controls' operational effectiveness over a specified period, typically spanning six months to a year. This comprehensive assessment goes beyond design considerations, providing valuable insights into how well the controls are implemented and maintained in practice.
For customers purchasing software solutions, insisting on Type 2 SOC reports is paramount for several reasons:
Risk Mitigation: Type 2 SOC reports offer a more robust assessment of an organization's ability to manage risks effectively. By evaluating controls' operational effectiveness over time, customers can make more informed decisions, reducing the likelihood of potential disruptions or security breaches.
Continuous Assurance: In today's rapidly evolving threat landscape, a one-time assessment is not sufficient. Type 2 SOC reports provide ongoing assurance by monitoring controls' performance over an extended period, enhancing trust and confidence in the software provider's commitment to security and compliance. In addition, bridge letters can be provided to confirm there have been no changes to, or failures of, the documented controls since the date of the report. Bridge letters are typically provided monthly following the report's issuance.
Regulatory Compliance: With regulatory requirements becoming increasingly stringent, demonstrating compliance is essential. Type 2 SOC reports offer smoother audits and regulatory compliance efforts.
Vendor Accountability: Insisting on Type 2 SOC reports sends a clear message to software vendors that consistent control effectiveness, application security, and data security are non-negotiable. This emphasis encourages vendors to invest in robust control environments, fostering a culture of accountability and driving continuous improvement.
Prioritizing Type 2 SOC reports when purchasing software solutions is essential for safeguarding investments, maintaining operational resilience, and mitigating risks effectively. By demanding the depth and reliability that Type 2 SOC provides, organizations can ensure they are making informed decisions and safeguarding their data in an increasingly complex digital landscape.
Knesek warns, “Cyber-attacks, supply chain attacks, they are not going away. Hackers are only going to get smarter and smarter.” Unfortunately, the world will continue to hear about data breaches across various industries.
However, Knesek goes on to say, “At BlackLine we are continuing to invest in security as we invest in our solutions. We have a dedicated security team focused on keeping your data secure, and we collaborate with our customers to understand emerging threats, challenges, and concerns. BlackLine is your partner for digital transformation success—committed to inspiring, powering, and guiding finance and accounting teams and keeping their data secure.”