Being a software-as-a-service (SaaS) platform that handles sensitive customer data, we have always believed that information security is fundamental to the success of our Global Risk Platform (GRP).
Whilst we have instilled a strong security ethos during our short 2-year history, implementing good practices in information security around firewalls, code reviews and the like, it was important for us to prove to our customers that we do everything we claim to do. Our customers really value compliance.
This led us to pursue a Service Organization Control 2 (SOC 2) attestation, a widely recognised benchmark for information security. It requires organisations to establish and follow documented information security policies and procedures. In our case, the controls in scope covered:
· A secure software development lifecycle
· Access control that follows “least privilege” best practices
· Detailed logging, monitoring, and alerting
· Encryption controls that meet or exceed best practices
· Completion of internal and external penetration testing
· Active monitoring for intrusion events and security incident handling
· Data backup and disaster recovery
The attestation is built on a set of five Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality and Privacy). We focused on two:
· Security: That information and information systems are protected against unauthorised access, use, disclosure or damage
· Confidentiality: That information designated as confidential is protected as committed or agreed
We are very excited to announce that, after three short months, we successfully passed the SOC 2 Type I examination, an important step in our company’s history. A Type I report confirms that suitably designed policies, procedures and controls are in place at a point in time. During the process, the auditors repeatedly complimented our level of compliance maturity.
Whilst our key vendor choices, AWS as the cloud hosting platform for the GRP and Microsoft Azure AD as our internal identity and access management service, made the process easier, the secret tool was our very own Enterprise Risk Cockpit: a web-based, enterprise-grade risk management application that provides a real-time view of our enterprise risk profile by aggregating risks and controls from across all of the company’s security-related touch points.
Leveraging its conceptual model, it allowed us to define our information security objectives based on the NIST Cybersecurity Framework, create our company risk strategy, and link those to ITIL 4 processes and procedures, all underpinned by a mapped set of ISO 27001 Annex A controls. The ARIC accountabilities model embedded throughout the Risk Cockpit ensures that System Information Owners are reminded to score their systems using the CIA (confidentiality, integrity, availability) rating method, prompted to provide an effectiveness score for their controls, and asked to define the severity of their risks. These are then rolled up into metrics and dashboards that allow for easy tracking of progress.
While obtaining the Type I attestation is an important milestone in our efforts to be the most secure risk platform in the market, we understand that our work is never done. To continue to show our commitment to information security, we are scheduled for a Type II audit later this year. This involves a further comprehensive examination of the established information security policies and requires us to evidence, to a greater level of detail and over a period of time rather than at a single point, that we are actually adhering to the procedures and controls. Following that, the Risk Cockpit will allow us to seamlessly demonstrate NIST CSF, ITIL 4 and ISO 27001 alignment.
Here at KRM22, we believe effective security is a team effort, which involves the participation and support of each and every member of staff who interacts with our data and information systems.
While we already had the key cultural attributes required for operational excellence, our SOC 2 journey has been, and continues to be, a great way to reinforce the importance of this to the entire team. Security, privacy, and resiliency are everyone’s job!