CIS SecureSuite helps new CISO rapidly achieve SOC 2 compliance
Case study: Tax Credit Co. (TCC)
TCC is a fast-growing firm in the tax incentive advisory and processing industry, with offices in New York, Los Angeles, and Alpharetta, Ga. TCC specializes in solutions for the Work Opportunity Tax Credit (WOTC); income and employment verification; research and development tax credits; sales and use tax incentives; and other federal and state tax incentives, including the COVID-19 employee retention credit.
A CISO’s goal: a hardened environment
In May 2020, TCC underwent a System and Organization Controls (SOC 1 and SOC 2) report audit. SOC 1 examines a provider’s internal control over financial reporting. SOC 2 is based on five “trust service principles”: security, availability, processing integrity, confidentiality, and privacy. A SOC 2 certification assures customers that their provider is compliant with industry standards.
Avishai “Avi” Avivi joined TCC as chief information security officer (CISO) late in 2019, which left him only a few months to ensure that TCC passed the audit and earned its SOC 1 and SOC 2 certificates.
Needing compliance quickly and at scale
TCC leverages advanced IT systems to provide specialized services to its clients. The enterprise IT infrastructure consists of more than 150 workstations, nearly 90 servers, and numerous technical environments. The challenge for Avivi as the new CISO was to ensure that this complex environment would not only pass the audit, but also satisfy his own high standards for security.
Avivi quickly developed a policy for system hardening and workstation security using the CIS Benchmarks™ — a vendor-agnostic, consensus-driven, and industry-recognized set of security configuration guides. He also used the CIS Controls® to keep current with the evolving threat landscape and provide a prioritized path to gradually improve the organization’s cybersecurity posture. As a CIS SecureSuite Member, Avivi took advantage of additional resources to aid in creating custom configuration policies, system assessment, and remediation, based on the Benchmarks and Controls.
Proving secure configuration to auditors
The auditor wanted to understand the process TCC used to tailor the CIS Benchmarks best practices for use within various environments. He also asked to see evidence of system conformance to the standards.
Avivi showed the auditor how the CIS Benchmarks and CIS Controls were being applied and provided the assessment report from CIS-CAT Pro, a free web application that CIS SecureSuite Members can use to conduct, track, and assess their implementation of the CIS Controls. The evidence provided by the configuration assessment report satisfied the auditor, and TCC earned its SOC 1 and SOC 2 certifications.
Saving time and resources with proven best practices
Avivi first learned about CIS while working at a well-known online investment platform. He understood that once he became a CIS SecureSuite Member, he could provide the entire IT organization — including its developers and database experts — security information they needed in a timely and cost-effective manner.
“The CIS Benchmarks add value to an organization’s cybersecurity initiatives and serve as a baseline so that any industry can benefit,” said Avivi. “They are generic and applicable for many scenarios, rather than tied to a particular industry, and definitely helped TCC achieve a hardened environment and industry-best compliance."
Priceless security for peace of mind
To be pragmatic about security, risk is unavoidable. It must be managed and reduced. One of the best ways to do so is to leverage the experience of one’s peers. Security and IT professionals don’t have to be very prescriptive in terms of applying the CIS Benchmarks. They can read through the documentation, understand why the recommendations are made, and act accordingly.
Avivi believes that the benefits of CIS SecureSuite Membership are priceless since they give his organization a high level of security and peace of mind.
Chief Information Security Officer
Tax Credit Co.
Avishai “Avi” Avivi joined TCC in 2019, with over 25 years as a senior information security leader with multiple companies, including Wells Fargo and E*Trade. He’s created and implemented security programs with a focus on best practices and control maturity. Avivi’s information security career started with his service at the Israel Defense Forces, Unit 8200. His career spans multiple roles and domains across information security, including information security product research and development, professional services, customer support, consulting, and strategic leadership. Avivi holds a dual MBA from UC Berkeley’s Haas School of Business and Columbia University’s Business School. He is CISSP, CISM, CRISC, CISA, CIPT, and CIPM certified and holds the Stanford University Strategic Decision and Risk Management program certification.