Defense in Depth Part I: Reflections on our ISO 27001 Certification Process

ISO 27001 at Corevist

Security is crucial for an SAP eCommerce integration. A compromised corporate network costs millions of dollars, and heads can roll. Since our founding as B2B2dot0 in 2008, we’ve witnessed 3 corporate network meltdowns among our clients. It’s a terrible thing when a business cannot meet its business objectives due to compromise.

That’s why we pursue a continual, progressive Defense in Depth strategy for Corevist security.

As Chief Information Security Officer, I take great personal interest in the security of all things Corevist. Since we embarked on our ISO 27001 certification process in October 2016, I’ve had the opportunity to reflect on Corevist’s information security and what it means to me. Here are some thoughts that have stood out to me over the last 10 months.

Why ISO 27001?

When it comes to IT security, there are many ways to qualify that your ISMS (Information Security Management System) meets the security requirements of your target market, for example SOC 2, PCI compliance, and NIST. Even HIPAA, for healthcare providers, addresses IT security in part. These and other frameworks offer standards against which a system or technology is judged.

ISO 27001 is a demanding certification. So why did we choose to pursue it?

The reason is quite simple, really. ISO 27001 is the ‘high bar’ for many organizations. Indirectly, it allows us to tick all the boxes that a client’s security officer will ask us about, but more importantly it says, “We care about ISMS!” With a single certification, we can offer a streamlined information security inquiry process. At the same time, that certification allows us to go above and beyond our clients’ requirements, too. Given our international market and presence, choosing ISO/IEC 27001:2013 was a natural selection. We are a global company serving global clients, so what better way to qualify our hard work than to pursue a globally recognized certification for our ISMS?

Managing security in-flight is difficult, but it’s imperative

Security is constantly evolving. The systems that are already in production require an adaptive approach that keeps them secure while not interfering with their uptime and availability. This is a huge challenge—but it’s absolutely essential to our clients’ operations, and we proudly maintain the strictest security protocols on systems that are used day-in and day-out for mission-critical operations. When we implement improvements, our clients’ business is foremost in our mind. As part of our continual improvement process, we want to strengthen our security BUT keep your business storefront up and running at the same time.

Intelligent equipment is crucial

Hackers are always trying something new as a way to circumvent current control measures. At Corevist, we maintain an aggressive stance. We’ve ensured that we use the latest security technology in protecting the Corevist app and other company assets.

In particular, we’ve invested in next-generation firewalls (NGFWs) with unified threat management at various points on our network to deepen our Defense in Depth strategy. We monitor data outside the perimeter, as well as inside. In other words, we monitor packets even after an entity has gained legitimate access to the network. This prevents malicious attackers from leveraging legitimate credentials to cause havoc, and it also prevents malware from migrating from a vendor’s machine to our app.

Security requires a proactive stance

InfoSec is about Prevention, Detection, and Correction. Someone getting a virus on a computer is a perfect example. Viruses change their patterns, so our detection technology must remain ahead of the curve.

Being proactive is a core value of Corevist. We have a verb for being reactive—“to react.” I’d like to propose a new verb for the English language: “to proact”—to act ahead of time, heading off problems before they even occur. This is what security requires, and it’s built into every tenet of the ISO 27001 certification which we’re pursuing. It’s hard work, but we are pushing forward to reach the mountaintop.

Security requires advocating to your client on their behalf

As a security expert (CISSP, CISM, CISA, and ISO/IEC 27001 Lead Implementer certifications), I sometimes find myself in the position of educating our clients on fine points. I love this opportunity to strengthen a client’s security as we address integrations with our products.

For example, we once worked with a client who wanted to authorize an entire subnet of IP addresses to access a certain piece of functionality. Our security team found that to be a problematic approach. Why leave room for even one IP within the subnet to be compromised and gain instant access to the functionality? Instead, we recommended authorizing only the bare minimum number of IPs, preferably only the systems that need access. We treat our direct client access with a ‘Need To Know’ mentality: if the systems in your networks don’t “Need To Know,” they should not have access from our network. The same is true in reverse.

To be clear, there was no risk to Corevist associated with the issue. Rather, we saw a potential risk to our client, and we advised them of the recommended approach. We believe this type of security advocacy is one way we can perform “due diligence” toward our clients. We do it every day.

The Takeaway

You may have noticed a general lack of “technical specifics” in this article. That was by design. Our security systems are state of the art, and we have to keep them in a “black box.” If you want to learn more, feel free to contact us. We’re happy to discuss what Corevist’s security means for your business.

Photo courtesy of Dale Gillard. Licensed under Creative Commons 2.0.

About Author

Steve Oates

Steve has more than 16 years of experience providing advisory and direct technical services to businesses, including Fortune 1000 clients, each at various stages of enterprise technology development.

He earned a Master’s Degree in Information Sciences (Cybersecurity and Assurance) from the College of Information Sciences and Technology at Pennsylvania State University. In addition, he maintains certifications related to Microsoft systems and network management, CISSP (Certified Information Systems Security Professional), and CISA (Certified Information Systems Auditor).