Development of information security at Keypro
Information security is an ever-changing and developing part of the business at Keypro.
MDM, SIEM / SOC, EDR, NDR, ISO27001, NOC, SOC2… Jargon and abbreviations. The list could go on almost indefinitely. Nowadays there are many security aspects to take into account: technology, certifications, processes, guidelines, policies, training, etc. Is all of this necessary? The short answer is yes, it is.
The world has changed and is becoming more and more uncertain. At the same time, the systems are becoming more complex. The EU Data Protection Regulation has defined sanctions for data leaks and it also increases the need to understand security issues and to adopt security technologies. Customers are also constantly demanding better security from their software service providers, which is a good thing.
We should not forget the importance of physical security: locking, access control and alarm systems. These so-called traditional security solutions are still as important as ever and maybe even more important today. Then how can information security as a whole be managed?
Resourcing, both human resources and costs, must be under control. It is not always necessary to know everything in-house, as there are many information security development partners who are able to help. However, it is essential that the company has appointed someone who takes responsibility for security and develops security operations internally.
Information security is divided into technical and administrative information security, in addition to physical security. Together, all of these components support each other and are used to create a company security policy.
Security is a measure of quality that requires continuous improvement. It's not a one-time task that can be completed and then ignored. Instead, it must be consistently managed and developed to adapt to the ever-changing world around us.
Security work is also largely risk management, and the ISO27001 security certificate is to a great extent part of this risk management work. Security issues are approached from a risk perspective. These risks may be global issues (war, pandemic, regional conflicts, etc.) or very small internal risks that the company itself has identified and documented. Thus, even a local shortage of security experts may well be a risk.
When quality is systematically monitored and developed, the same can be done for information security. An annual clock in data management is an excellent tool. Once security tools, management and policies are in place, an external company can, for example, come to review the implemented security policies and technologies. That is when the audit work begins. Acquiring certificates, and all security work, must cover the entire company, including top management and the board. Management involvement in security work is the key to success.
So what has been done at Keypro Oy regarding this? Practically exactly the same things as listed above. Keypro Oy has been doing systematic work in the management of information security for a long time and one of the achievements is the ISO27001 information security certificate. This certificate always requires an annual audit by an external company to keep the certificate valid and the company's security up to date. Keypro's top management has been very active in developing security policies.
Administrative information security is also constantly involved in the process according to the annual clock. ISO27001 internal audits also keep the annual clock running well. An external audit at the end of the year will ensure a track record of our work.
A separate roadmap has been created for the security work, and security is constantly being strengthened according to the existing plan. The roadmap includes technical security enhancements for device management, terminal security and the security of the company's own software solutions. Also, many smaller practical things to improve security are being done all the time.
In many cases, security issues are presented through intimidation and threats. That is not the way we want to operate. The road to security is based on the idea of "continuous improvement", in which systematic and purposeful progress is made. However, one must always remember that there is no such thing as a completely secure environment. You need to be able to observe and develop, not try to build a perfect system.