13th Sept: Behind the Scenes: DC Two's Journey to ISO and What it Means for Our Customers
Having a highly resilient information security posture is crucial to running a resilient cloud and data solutions company. However, as that company grows, simply having one isn't enough. It becomes necessary to have indisputable proof that such a system exists and can be maintained and improved by all staff.
At DC Two, we reached this stage and decided to attain a global security standard that not only documented our strong security posture but also pushed us to ensure we are following the very best practices of information security. This led us to pursue the prestigious ISO 27001 (ISMS) certification, and in July 2021, we were accredited by Bureau Veritas.
"The scope of our certification fully covers the capacity to securely design, develop and deploy integrated cloud and data center infrastructure (fixed and modular) with associated management and maintenance services."
ISO 27001 (ISMS) is one of the world's leading information security standards, demonstrating our ongoing commitment to the security, confidentiality, and high availability of our services. It lays out a broad set of best practices for building and maintaining a resilient Information Security Management System (ISMS).
Achieving ISO 27001 certification is far more than a tick on a form; it involves a thorough and relentless review of a company's ISMS. DC Two's Information Security Management System passed all audits, and this means that as a cloud and data solutions company, we have:
DC Two maintains a resilient Information Security Management System (ISMS) that proactively safeguards sensitive information assets. This proves that our entire IT infrastructure at DC Two, including our customer and company data, is safe.
Privacy and security have always been of paramount importance to us. As a data center and cloud services company, we understand how critical information security is to attaining our goals, which is why we follow the very best security practices. With this ISO 27001 certification, we can guarantee that we are committed to maintaining our ISMS as we continuously strive to achieve the CIA triad: Confidentiality, Integrity, and Availability.
(Information assets include Personal Information (PI) as defined within the Australian Privacy Act.)
While we've worked very hard to establish a robust Information Security Management System (ISMS) at DC Two, we know that building it is not enough. We have to test it and validate it to ensure that we're enhancing its ability to proactively identify and mitigate cyber threats. We also have to challenge our own assumptions about cyber risks and our ability to mitigate them. To this end, we regularly train our staff and perform quarterly security audits against ISO 27001 (ISMS) requirements to maintain compliance.
The collection, analysis, and management of log data are integral to meeting the ISO 27001 (ISMS) standard. And as a proactive step towards compliance, DC Two's ISMS comes integrated with a comprehensive SIEM (Security information and event management)* solution that detects critical security events as they happen across our firm. Real-time identification of these events combined with an active alert system provides our security experts with clear information to quickly mitigate potential threats.
*SIEM (Security information and event management) is a field within computer security in which software products and services combine security information management and security event management. They provide real-time analysis of security alerts generated by applications and network hardware. (Definition adapted from Wikipedia.)
Despite its clearly defined requirements, adopting the ISO 27001 framework can be overwhelming without meticulous planning and proper vendor selection. Remember, it is a vendor-agnostic framework, so we had to select appropriate security products that fit our business profile for implementation.
As a first step, we assessed the vital impact areas to consider when choosing a security product and service, so that all expectations were taken into account before adoption. Thanks to the attention to detail shown by our team of security experts, we settled on a security product that had little or no impact on our daily operations. Following this, an appropriate security approach had to be set up.
ISO 27001 refers to CIA as Confidentiality, Integrity, and Availability. Other security-focused groups and systems refer to the CIA as Confidentiality, Integrity, and Authentication. As a security-first company, we implemented a multi-faceted approach in line with both global standards to fortify the security posture of our data center and cloud services.
Once everything was in order, we commenced implementation and focused on these initial areas:
This critical phase of ISO 27001 implementation commenced with a broad review of DC Two's current security software systems, including redundancy, capacity, and functionality across multiple sites. Cameras, sensors, and cabling were also assessed to ensure they were working within desired parameters. After review, risks specific to physical security were documented in the risk register and swiftly addressed. Outcomes included installing new cameras to enhance security surveillance and replacing defective door and alarm sensors to prevent unauthorized personnel access.
Why? While the term "physical security audit" may conjure a sense of fear for some firms, everyone here at DC Two welcomed it — mainly because it plays a crucial role in assuring our customers that we operate within an efficient and secure IT environment to safeguard their data.
With several ISO 27001 controls implemented, DC Two had already made a number of key improvements to its network security posture before this audit. However, opportunities for improvement were identified, including:
These areas of DC Two's most recent network security audit were quickly resolved within the designated timeframe.
Why? With routine network-security audits, DC Two customers can rest assured that data deployed on our network servers are safe, secure, and accessible.
Frequent security awareness and staff training were critical areas of ISO 27001 (ISMS) implementation. We focused on closing skill gaps and concentrated on ways to create a security-first mindset among employees through relatable learning scenarios. This is an ongoing exercise for all staff members at DC Two and is enforced with all new hires.
Why? By implementing staff training initiatives, DC Two customers can be confident that their data is managed by qualified experts who are skilled in solving today's emerging privacy and security challenges.
ISO 27001 (ISMS) requires an ongoing commitment to upholding the measures put in place to achieve compliance in the first place. To maintain compliance, DC Two implemented a management system that automates almost all 14 security controls of ISO 27001, thereby reducing time spent on regular compliance tasks.
Why? By maintaining compliance with ISO 27001, DC Two customers can be even more confident that there are security policies in place to preserve the confidentiality, integrity, and availability of their data.
Maintaining service integrity requires procedures and policies where business can continue as usual without disruption. Apart from meeting ISO 27001 regulatory requirements, DC Two also implemented Jira and Confluence to build an impressive portfolio of business-critical processes.
Why? With business-critical processes in place, our customers can count on the high availability and operational efficiency required to keep mission-critical projects up, running, and protected at any scale.
Over the past 14 months, the DC Two team has been working tirelessly to get DC Two ISO certified. It has been a steep learning curve and a rigorous process; however, we've done it in time to position DC Two as an industry leader in information security.
However, we fully appreciate that the work of securing our information assets – and that of our customers – is never done. We must constantly strive to do better and evolve to meet the next set of industry challenges. That means staying up to date on opportunities to improve DC Two policies, as well as data privacy and information security tools and platforms. And we're committed to doing just that.
I've known John and the DC Two team for a number of years. They are experts in all things cloud, and share the same passion for technology as our IT business, Ever Nimble. We have worked with them on a number of occasions, including a complex global Veeam deployment, and they have provided incredibly quick access to Co-Lo space when we needed it urgently. I would highly recommend the team; we are a very proud partner.
- Chris Morrissey, CEO, Ever Nimble