The use of cloud solutions in enterprises is expanding because of the many benefits they provide. But they can also introduce risks if they are not developed and deployed correctly. Providers of cloud-based solutions (such as Binocs) are expected to have processes and controls in place to ensure what we call ‘CIA’: confidentiality, (data) integrity and availability.
Time for an ISMS upgrade
At Binocs, we have an ISMS (Information Security Management System) in place to make sure we comply with the security requirements of modern enterprise cloud applications and the expectations of our clients.
Last month we finalized a project to upgrade our ISMS. The first version of our ISMS dated from 2016; we extended it along the way to be compliant with the ISO27001 requirements (ISO27001 being the de facto standard for information security management systems). Last summer we decided to do a full review to make sure we’re up to date with the latest requirements of the market and that our ISMS is strictly aligned with ISO27001’s predefined structure. To make sure we were not overlooking anything, we involved an external specialist to assist us in this project.
Obviously, the project started with risk assessments, evaluations of the current procedures and the migration of these procedures to a new structure. One change versus the previous ISMS version is that we now rigorously follow ISO27001 for all Binocs-related processes: not only the cloud service itself but also marketing, sales, Binocs Academy, consulting and customer support.
The core aspects of our ISMS did not change. Still, all procedures that were in place were challenged and often restructured. The standard list of 114 controls of ISO27001 was reviewed rigorously.
Simplify & leverage existing tools
We used to have a dedicated ISMS “platform” to store ISMS procedures. As part of this simplification, we abandoned it and chose to leverage tools that are already in place within the Binocs team:
- “Microsoft Teams” to publish procedures
- “Binocs Support” call tracking system to register incidents, CAPAs, etc.
- “Binocs Academy” e-learning platform to share training courses and register that they were followed
- Power BI dashboards
It’s clear that such an approach increases ISMS adoption by our team. Furthermore, reusing our Support and Academy tools pushes us to optimize these tools even further.
Unexpected penetration testing
Besides the procedural aspects and the standard ISO27001 controls, we implemented a number of technical security controls inside Binocs. These are based on industry best practices – think of, e.g., the OWASP Top 10 – and we ask external specialists to execute penetration testing (aka “pen-tests”) on Binocs. The results of these pen-tests can be shared with our clients and, where the findings require it, CAPAs are of course defined.
As a little anecdote (or not so little): the penetration testing happens unannounced; when the last pen-test was executed, our DevOps team noticed the attempts to break into Binocs. They were rightfully proud!
Listen to the clients!
Our existing ISMS covers all ISO27001 requirements. Still, as part of our Bluecrux DNA, we also decided to hear what our clients have to say about this. This gave us additional insights and led to some additional measures. All this will result in increased confidentiality, integrity and availability of your Binocs data. You may notice this in practice during a project: our consultants are reluctant to email files containing unencrypted PII over the internet. There are better ways, even if they take a little longer.
Where possible, though, we’ll avoid having to exchange this data at all: extracting data from Binocs and uploading it to Binocs is something we can train Binocs key-users to do themselves. By doing this, we reduce information security risks while at the same time increasing your ability to make the use of Binocs within your organization sustainable, and reducing the application’s TCO.