MDM, SIEM / SOC, EDR, NDR, ISO27001, NOC, SOC2…
Word monsters and abbreviations; the list could go on almost indefinitely. Security covers a lot of ground: technology, certifications, processes, guidelines, policies, training, and so on.
Is the world really full of all this today, and is all of it necessary? Yes, it is!
The world has changed and is becoming more and more insecure. At the same time, systems are becoming more complex. The EU Data Protection Regulation defines sanctions for data leaks, which further increases the need to understand security issues and to adopt security technologies. Customers are also constantly demanding better security from software service providers, and that is a good thing!
We should not forget the needs of physical security either: locking, access control and alarm systems. These so-called traditional security solutions are still as important as ever, and perhaps even more important today. So how can this whole field of security be managed?
Resourcing, both in terms of people and costs, must be kept under control. It is not always necessary to know everything yourself; there are many information security development partners who can help. What is essential is that the company has appointed someone who takes responsibility for security operations and develops them as a whole.
Information security needs to be divided into a technical part and an administrative part, while physical security is kept in mind at the same time. Together, these components support each other and form the basis of a company security policy and a framework for moving forward.
Security is also a measure of quality, and like quality it is meant to be improved. Security is not an out-of-the-box solution that can be bought once and then forgotten. It is a system that needs to be managed and developed continuously as the world changes and the security requirements change with it.
Security work is largely risk management, and the ISO27001 security certificate is in large part a product of that risk management work. Security issues are approached strongly from a risk perspective. The risks range from global issues (war, pandemic, regional conflicts, etc.) to very small internal risks that the company has identified and documented itself. Thus, even a local shortage of security experts may well be a risk.
When quality is systematically monitored and developed, the same can be done for information security. The annual clock used in data management is an excellent tool for this. Once the security tools, management and policies are in place, an external company can, for example, come in to review the implemented security policies and technologies. That is when the audit work begins. Acquiring certificates, and all security work in general, must cover the entire company, including top management and the board. Management involvement in security work is the key to success.
So what has been done at Keypro Oy regarding this?
Practically the same things as listed above. Keypro Oy has been doing systematic information security management work for a long time, and one of the results is the ISO27001 information security certificate. Keeping the certificate valid, and the company's security up to date, requires an annual audit by an external company. Keypro's top management has been very active in developing the security policies.
Administrative information security is also part of the process on a continuous basis, following the annual clock. ISO27001 internal audits keep the annual clock running well, and the external audit at the end of the year provides a record of our work.
A separate roadmap has been created for the security work, and security is constantly being strengthened according to that plan. The roadmap includes technical security enhancements for device management, endpoint security and the security of the company's own software solutions. In addition, many smaller practical improvements to security are being made all the time.
Security issues are often presented through intimidation and threats. That is not the approach we want to take. The road to security is work based on the idea of "continuous improvement", in which progress must be systematic and purposeful. However, one must always remember that there is no completely secure environment. You need to be able to observe and develop, not try to build a perfect system.