Insights

Client Safety: Information Security Management & ISO27001

Five Lessons From a Security Officer on Keeping Your Data Safe

Client Safety via Information Security Management & ISO27001 Certification

Media and business publication Fast Company is in crisis mode after their internal CMS system was hacked. During the breach, hackers sent two racist and vulgar push notifications to all of Fast Company’s Apple News Subscribers. 

This hack is the latest in a growing number of cyber security breaches experienced by major online organizations. In September, Uber was also hit by a major security attack

After their internal network was compromised, Uber scrambled to get their engineering systems and internal cloud services including Amazon Web Services (AWS) and Google Cloud (GCP) offline. But the hacker still managed to send employees an internal Slack message demanding higher pay for drivers.  

If security management wasn’t top-of-mind before, it sure should be. Especially–if like Crystalloids–your business manages tens of millions of customer records. Or, if you fall under EU’s GDPR laws which require you to publicly report any breach to government officials and impacted individuals in under 72-hours. 

This is the kind of publicity any consumer-first business needs to avoid. That’s why at Crystalloids, our Security Officer Ronnie Bathoorn spends part of his everyday ensuring our developers, analysts, engineers, and project managers are abiding by ISO/IEC 27001 information security standards

In our first coffee-table chat with Crystalloids, we sat down with Ronnie to learn more about information security and why it matters when it comes to project development and data management. He also discusses the importance and value of being ISO27001 certified.

Here’s what we learned:

1. Getting ISO27001 certification is both gruelling and rewarding:

“We began our ISO27001 certification process after a valued client of ours requested it,” noted Ronnie who added that since Crystalloids processes tens of millions of personal data for clients, safeguarding their interests, along with our firm and employees' interest is crucial. But the year-long process of certification is never-ending. 

“It is a lot of work and you have to keep at it since you do get audited, meaning we have to maintain our procedures consistent with ISO everyday in everything we do so we can maintain our certification status.”

But according to Ronnie, who has been with Crystalloids for 15-years, the extra effort and staff training is worth it. 

“Our clients now know that we put in the extra work to reduce any risks and mitigate risks for us and clients– we present another certain level of trust since not as many small businesses like ours have ISO certification.”

2. Information security and management is an everyday business:

The cyber threats of yesterday are not the same as the ones today or the ones that can come tomorrow. This means that security management–for any organization–is ongoing and constantly evolving. 

“Security risks and hacks are constantly changing - what was safe practices a year ago might not be the same now,” noted Ronnie. “This is why you have to educate yourself and everyone in your organization and keep on top of this education with every employee.” 

For Ronnie, as a Security Officer, he’s noted that proper security practices have to begin internally. Before any client can trust your firm with information, their staff must trust your firm and co-workers with personal data. 

“As a firm, we need to be aware and in control…we make sure all our developers are informed and trained in security management - we ask our developers to get certified individually and as a Google partner we already have a requirement for our staff to have certification in security.”

3. Test environments are one of many ‘best-practices’ for developers: 

Ronnie explains that when it comes to developing and deploying software “making sure that we have a dedicated environment when developing and a controlled testing platform for deployment to production” is crucial in our industry. 

“We develop software for customers. And how we develop that software is designed in such a way to minimize risks on information security issues. We have separate test development and production environments so everything is tested in a different environment before it is put into production.”

4. At Crystalloids we have embedded best practices in-line with ISO: 

“Our information security applies to everything we do for all our customers…our ISMS is a set of risks we have identified for Information Security, and together with policies we work to mitigate these risks. For example, we have a change management procedure which means that before software is pushed to production it is tested. If the deployment to production fails we have a way to roll back to a previous version.” 

In addition, “our code is stored in a version management system (git) so we can keep track of the changes that are made. There are design principles like ‘least privilege’, ‘security by design’  that we use when designing our software to make sure it is safe.”

5. There are steps companies can take to mitigate information security risks: 

According to Crystalloids Security Officer, a crucial step for any company as it relates to information security is “realizing that security is not a one-time-thing - it is continuous and any change in your organization needs tracking so you know who has access to what and so forth.”

Other practical efforts your company can take include new-hire onboarding best practices. For example, “if we have a new employee and they get a laptop, we have to make sure the laptop is encrypted…there’s also a security checklist we have to go through - this is just one example of how to incorporate security best practices. 

For firms like Crystalloids, that develop software and work with sensitive marketing data, a crucial step you can implement right away is ensuring developers are using proper encryption. “Big vulnerabilities can occur if developers are not using proper encryption and security standards each time they handle client work. Developers need to be constantly aware of the software they write and where they store it.”

Since many of the projects Crystalloids does are in the marketing CRM field, our developers process a lot of data for clients so we run a big risk if our own security is not up to par. 

To preemptively prevent any potential risks for us and clients, “we all adhere to our own policies - we do these security things we say we do. Since you get audited as part of the ISO process we have to maintain our procedures consistent with ISO so we can maintain this status” shared Ronnie. 

The team at Crystalloids began the ISO implementation process in 2020 and received their certification in 2021. Crystalloids was recently re-certified in ISO 27001 for 2022.


ABOUT CRYSTALLOIDS

Crystalloids helps companies improve their customer experiences and build marketing technology. Founded in 2006 in the Netherlands, Crystalloids builds crystal-clear solutions that turn customer data into information and knowledge into wisdom. As a leading Google Cloud Partner, Crystalloids combines experience in software development, data science, and marketing, making them one of a kind IT company. Using the Agile approach, Crystalloids ensures that use cases show immediate value to their clients and make their job focus more on decision making and less on programming.