Pratum Blog

Pratum receives SOC 2 Type II report for 2nd consecutive year.

We are pleased to announce that Pratum has received its SOC 2 Type II report for the second consecutive year.

For those who are not familiar with SOC 2, the report is intended to provide interested parties (e.g., clients, vendors, partners) with independently verified information that ensures the reported organization has appropriate security controls in place to properly handle and secure data.

Performed by a trusted, independent third-party firm utilizing the criteria set forth by the American Institute of Certified Public Accountants (AICPA), the report is based on Pratum’s existing internal controls and verified against the security trust services principle. The completion of this report is a testament to Pratum’s continued focus on ensuring that the company’s internal security practices align with expectations it sets for clients and their security programs.

SOC 2 Type II is the most comprehensive report within the Systems and Organization Controls protocol. The Type II report ensures the assessment of both the design of the security controls as well as their operating effectiveness, over a specified time period. Pratum’s most recent SOC 2 Type II report assessed security controls over a 12-month period, ranging from January 1, 2017 to December 31, 2017.

Receiving a SOC 2 Report

We are proud of our SOC 2 Type II report. It provides great value to our clients and an excellent means of auditing the effectiveness of our internal security controls. If your organization needs help with SOC 2, Pratum’s consultants can perform a SOC 2 readiness assessment to determine if your organization is prepared to undergo a SOC 2 engagement.

Risk-based cybersecurity decision making.

At Pratum, we talk at great length about solving information security challenges based on risk, not fear. After all, that is our mission. But what do we mean when we say that, and why should you focus on risk?

When people hear about cyber threats or learn of the most recent data breaches, the first thing they often feel is fear: fear that their personal information may have been compromised, fear that their business may fall victim to a similar attack, or fear that they have no idea what to do about cyber risk.

Fear is a powerful emotion that can distract from real issues and threats. This can lead to poor decision making and wasted resources. Cyber threats are a serious concern, but we shouldn’t allow fear alone to drive our cybersecurity decisions. Sometimes, fear is a nice wakeup call that drives action, but when you act, make sure to check your fear at the door and move forward with a risk-based approach.

Managing Cybersecurity Risk

Organizations should use the knowledge of risk to drive decisions. To properly manage cybersecurity risk, we must understand the likelihood that a security incident (e.g., ransomware, phishing attack, data loss) will occur and the potential resulting impact. Armed with this information, organizations can determine their inherent risk, prioritize security activities, and make informed decisions about cybersecurity expenditures.

Removing fear from the equation encourages objective, risk-based decision making. This kind of decision making helps guide the development of the right cybersecurity program for your business. It also establishes the foundation for a sustainable security culture for employees and executives.

This may sound like common sense, but fear can disrupt the entire risk-based process. It’s easy to talk about maintaining an objective view, but the only way to stay true to the risk-based approach is by creating a plan before the disaster hits. Don’t wait until you have experienced an incident to focus on risk… at that point it’s no longer a risk, it’s a hazard.

Asking the Right Questions to Properly Manage Risk

According to NIST SP 800-53, there are several key questions that should be answered by organizations when addressing their security and privacy concerns:

  • What security and privacy controls are needed to satisfy the organization’s security and privacy requirements and to adequately manage risk?
  • Have the security and privacy controls been implemented or is there an implementation plan in place?
  • What is the desired or required level of assurance (i.e., confidence) that the selected security and privacy controls, as implemented, are effective in their application?

The answers to these questions are not given in isolation, but rather in the context of an effective risk management process for the organization that identifies, assesses, responds to, and monitors on an ongoing basis, security and privacy risks arising from its information and systems.

Risk-based decisions are informed decisions. Fear decisions are guesswork. Business leaders owe it to all stakeholders (employees, customers, and shareholders) to make educated, thoughtful decisions that give the company its best chance for success. Don't let fear get in the way of progress.

If you need assistance with answering these questions or help with your IT risk management process, please contact Pratum. Our team will help you make decisions based on risk, not fear.

Cybersecurity firm Pratum opens new office in Cedar Rapids, Iowa.

CEDAR RAPIDS, IA - Earlier this month, cybersecurity firm Pratum opened an office in Cedar Rapids to satisfy the growing demands of its services in Eastern Iowa. Pratum president and CEO, Dave Nelson, made the decision to expand due in part to the growing threat of cybercrime and the likelihood of new and updated state regulations. “The Iowa legislature is working to update existing legislation to address cybersecurity challenges. Additionally, throughout the nation, business groups such as the National Association of Insurance Commissioners are calling for state regulations to prevent cybercrime,” says Nelson.

The new Cedar Rapids office, located at 305 2nd Ave SE, is the company’s second in Iowa and fourth in the U.S. For the past decade, Pratum has served businesses throughout the state and across the country, but Nelson feels that we as a nation are just now beginning to understand the severity of cyber threats. Nelson emphasizes, “As awareness builds, companies will act to mitigate the cybersecurity risks facing their businesses. Our new office helps position us for an efficient response to the increased demand for our services.”

In 2017 Pratum grew its employee count to fifteen, up 50% from 2016. The company plans to increase that number to more than twenty by the end of 2018. Pratum’s new headquarters in Ankeny, IA is under construction and is planned to open in late summer. Most employees will call headquarters home, but as is the case in Cedar Rapids, both Dallas and Kansas City offices will also increase employee headcount.

Pratum is a cybersecurity consulting and managed security services firm that helps clients solve information security challenges based on risk, not fear. Our goal is to enable every client to securely use technology to meet business objectives.

Please contact us if you have any questions about Pratum.
