Theta Lake Blog

Always On Security: Theta Lake's Alignment with CISA's Emerging Software Cyber Principles

Written by Marc Gilman | May 24, 2023 3:35:42 PM

On April 13, the US Cybersecurity and Infrastructure Security Agency (“CISA”) and several other global cybersecurity agencies issued a practical roadmap for technology product design called “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default.” The document provides a clear articulation of CISA’s cybersecurity expectations and signals an emerging paradigm shift, noting that “[m]anufacturers are encouraged to take ownership of improving the security outcomes of their customers.” With this transition, CISA places responsibility for consumer security more squarely on software developers rather than on the governmental or private sector users of their applications.

As the industry digests these statements from CISA, Theta Lake offers the following observations, noting that our product and processes broadly align with these proposed measures as a result of our cybersecurity maturity, expertise, and discipline around routine auditing and testing of controls.

The guidance contains several smart and impactful recommendations that chart a path to improving security practices among organizations developing platforms for customer use. The scope encompasses “manufacturers” of all sorts and includes both direct-to-consumer applications and enterprise software platforms like Theta Lake’s Security and Compliance Suite.

From a software product design perspective, CISA outlines three core principles for manufacturers:

  1. The burden of security should not fall solely on the customer.
  2. Embrace radical transparency and accountability.
  3. Build organizational structure and leadership to achieve these goals.

In addition, CISA provides a set of key secure-by-design tactics that enable technology vendors to strengthen operational practices and enhance consumer protections. These tactics include memory-safe programming languages, static and dynamic application security testing, defense in depth, and code reviews.

Cumulatively, Theta Lake aligns to these requirements as part of its routine audits and STAR3 security architecture. Our annual SOC 2 Type II and PCI DSS audits include routine third-party penetration testing, vulnerability scans, backup and recovery testing, software development lifecycle processes, incident response, and policy and procedure controls. Theta Lake additionally maps its SOC 2 controls to ISO 27001 and HIPAA, which include additional, complementary controls that support stronger security.

Our STAR3 security architecture includes controls such as encryption in transit and at rest, Single Sign On capabilities, regional cloud-based data resiliency, and privacy enhancing technologies such as the ability to remove, redact, and remediate data on collaboration and chat platforms.

In addition to the controls described above, Theta Lake centers customer security at the core of the Security and Compliance Suite with additional features such as the ability for customers to bring and manage their own encryption keys. Additionally, Theta Lake supports a “Bring Your Own Storage,” or “BYOS,” configuration that integrates our smart capture and supervision capabilities with customers’ existing cloud storage environments. BYOS enables customers to retain and manage communications data entirely independently in the cloud.

Collectively, Theta Lake’s platform aligns with, and in many cases exceeds, the emerging benchmarks from CISA and other global cybersecurity agencies. We’re continuously improving the cybersecurity controls in our products and monitoring the state of evolving agency guidelines and best practices.
