As a business begins to feel the challenges of distributed data access, the selection of a query engine becomes critical to its operations.
For an organization that values security and compliance, procurement will include a due diligence step that assesses the governance and risk management program of the analytics engine vendor.
You want a third party that supports queries across a myriad of data sources, but just as important, verifying that appropriate security controls and robust data protections are in place needs to be a key part of vendor selection. The value of distributed data can only be harnessed safely if the analytics engine vendor has security policies and processes that meet or exceed best practice.
The most tangible way to verify that a provider is aligned with these best practices is to confirm that it has undergone an external audit by a reputable, independent firm.
While Starburst cares deeply about fast access to data, we also believe in secure access to the right data. The confidentiality, integrity, and availability of data are fundamental to Starburst operations, and we demonstrate this commitment by undergoing external audits. The Starburst organization is ISO/IEC 27001 Information Security Management System (ISMS) certified and has successfully completed a SOC 2 Type 1 audit for our Galaxy offering. Starburst is currently finalizing its inaugural SOC 2 Type 2 assessment. Please contact your Starburst Account Executive for a copy of these attestations.
It evidences that security is a priority for the C-suite
External audits provide strong, independent evidence of a top-down approach to compliance and of a leadership commitment to security. Management commitment is a key tenet of clause 5.1 (Leadership and commitment) of ISO/IEC 27001, which lists "ensuring the integration of the information security management system requirements into the organization's processes" as a responsibility of top management.
Without this commitment, a business cannot verify that security is treated as a priority by management and allocated appropriate resources, both financial and in terms of people.
Like the ISO/IEC 27001 clauses, the AICPA Trust Services Criteria on which SOC 2 reports are based call for setting the tone at the top regarding both risk management and business objectives relative to security and governance. A SOC 2 report therefore holds management accountable for the design of its internal controls and, in a Type 2 report, for their operation over the review period.
When you are a data-driven organization, you want to partner with vendors that demonstrate they will prioritize the security of your data. A top-down approach to security and compliance is easily evidenced by obtaining your vendor's SOC 2 report, ISO/IEC 27001 certificate, or equivalent.
It simplifies your business’ audit process
When your data analytics solution provider can produce evidence of an external certification, it makes your own audit process easier. Many external audits require your business to demonstrate that the third parties it relies on employ robust security measures and controls. Selecting an analytics engine vendor that can evidence ISO/IEC 27001 or AICPA Trust Services Criteria-aligned controls lets you show your auditors that the vendors you use have been independently assessed, which makes for a smoother audit.
Evidence of secure management in your supply chain means less back and forth with external auditors about the third parties you use, leading to an audit report that is less likely to contain deficiencies or nonconformities.
It shows repeatable following of SOPs
Obtaining a voluntary compliance certificate verifies that a business has built out administrative policies and standard operating procedures (SOPs) and that these processes are followed within the organization at all levels. This is especially valuable in startup and scale-up environments, where consistent adherence to SOPs is strong evidence that an organization is ready for growth and expansion.
To meet the market's growing demand for fast data analytics, it was a high priority for Starburst to implement and adhere to SOPs, and to have external auditor evidence that these controls are in place and followed. Our third-party audit reports confirm that we actively follow robust SOPs for security and risk management in our day-to-day operations.
How do you "dig deeper" into the audit report provided by your analytics query accelerator?
1. Ensure the provider you select has the table-stakes audits covered. A SOC 2 report or an ISO/IEC 27001 certification is considered a fundamental expectation in the software space. As an independent audit report, it indicates that the analytics engine vendor "does what it says it is doing" with regard to security, compliance and risk management. When reviewing the report, check what it actually covers: a SOC 2 Type 1 report attests to the design of controls at a point in time, whereas a Type 2 report attests to their operating effectiveness over a review period; an ISO/IEC 27001 certificate carries a scope statement, so confirm that the product and infrastructure you will be using fall within it.
It shows that they have put the controls in place, and that they follow the controls they have put in place.
2. Select an industry leader that has completed more than one audit, across different certifying bodies. If an organization can evidence more than one assessment by an external, independent assessor (for example, both a SOC audit and an ISO audit), it indicates a commitment to multiple audit frameworks, and more frameworks mean broader security coverage.
A combination of SOC 2 and ISO/IEC 27001 covers over two hundred and fifty security controls, which is a significant investment of time and money for a business. It is nevertheless a sound decision for a software provider, because it demonstrates clearly that the provider is invested in delivering secure services while ensuring that a customer's most sensitive information assets remain protected to the furthest extent possible. At Starburst, we opted to do both SOC 2 and ISO/IEC 27001 because we want to exceed security best practice. A multi-audit approach supports stronger security controls, more in-depth risk coverage, and a demonstrably holistic approach to information security.
Protecting data from unauthorized access and theft is a priority for businesses that rely on secure, quick access to their information. The importance of selecting a data analytics engine that maintains a high level of information security cannot be overstated. Reduce the workload on your vendor management team, and the cybersecurity risk to your organization during procurement, by adopting an analytics provider that has been externally audited.