When it comes to IT security, it can seem a bit like the Wild West out there.
What we read and hear can be scary too. However, rather than operate in fear, we should embrace process and controls so that our day to day operations have security at the heart of them.
Continuous improvement YES, complacency NO.
Without good security, millions of people all over the world would have been unable to keep working effectively from home. This silent task is primarily the remit of Infrastructure people, whom we remembered and praised in the early days of lockdown.
In a recent blog we talked about mistakes, grouping them into three categories: human error, systemic failure, omission.
The Krescendo security team is committed to mitigating each of these: by adopting a precautionary approach in granting and gaining access to sensitive information, by involving third parties in audits and hack attempts, by keeping informed and always trying to think and act ahead.
Last week we achieved re-certification on Cyber Essentials. This is only one of the dots that define our security perimeter, which includes:
- ISO27001 (BSI – https://www.bsigroup.com/) – the information security standard. Without ISO27001 it is very difficult to give ourselves and our clients the confidence that all the correct policies, procedures, and controls are in place to deliver secure global solutions at a scale. We’ve recently been re-certified for another 3 years, this being our 7th year;
- Cyber Essentials and Cyber Essentials Plus (Falanx – https://falanx.com/) – covering the fundamentals of IT security to protect us from Cyber Attack. This is really the first certification any IT service provider should get;
- CSA Star Self-Assessment (Cloud Security Alliance – https://cloudsecurityalliance.org/star/registry/krescendo/) – at Krescendo we’re not really a cloud service provider, however this self-assessment (not certified by an external body) is very useful for mapping controls to standards other than ISO27001. We have just published our assessment for the new version of the questionnaire.
- GCloud (Gov Digital Marketplace – https://www.digitalmarketplace.service.gov.uk/g-cloud/supplier/709325 AND https://www.digitalmarketplace.service.gov.uk/g-cloud/services/423790143715005) – at Krescendo we’re always looking to put our processes and controls to the test and the UK Government are another useful yardstick;
- External Web Application penetration tests (Falanx – https://falanx.com/) – although we are conducting regular internal vulnerability scans of our infrastructure and our web applications, it’s essential that we use external experts to ensure we are leaving no stones unturned;
- Client co-ordinated web application vulnerability scans using Veracode – most large financial organisations are now running centralised systems for scanning 3rd party vendor web applications. One such system is Veracode (https://www.veracode.com/). This is just another form of web application and infrastructure vulnerability scan, which is complementary to internal scans and the penetration tests that our outsourced experts conduct.
A burden? No, the foundation that helps Krescendo deliver robust solutions to global clients.