At InfusionPoints, we have just gone through the onsite portion of our audit for ISO 27001 and SOC 2, and should have those certifications along with our ISO 9001:2015 certification for our Cyber Security Center in the near future.
We've been supporting our customers for years with improving their security posture and helping them become compliant. However, there were lessons to be learned by going through the audit ourselves. InfusionPoints' President, Gary Daemer, and CTO, Jason Shropshire, took some time to sit down and discuss their thoughts on the audit process and how it will help us better support our customers going forward.
InfusionPoints started as a traditional cybersecurity firm. In 2013, we began operating the Dell Cloud for US Government, resulting in the establishment of our Cyber Security Center in western North Carolina and the development of our VNSOC360 managed security service. ISO 27001 and SOC 2 are key certifications that our customers look for to ensure that we are adhering to security best practices in our own internal security operations. ISO 27001 and SOC 2 will provide credibility and confidence in our cloud and managed security services practice going forward.
Preparation began by establishing an internal project for the effort, leveraging InfusionPoints' program management capabilities. We then mapped the security control frameworks that we are most familiar with, including NIST 800-53 and FedRAMP, to ISO 27001 and SOC 2. Next, we identified gaps, which mostly related to the ability to generate appropriate evidence. We also improved our internal audit, mock audits, quality reviews, and development of live test scenarios.
The actual audit process was a bit eye-opening for us. It's one thing to sit in an audit alongside a customer, but it is a different experience when it is your own organization under the microscope! Part of the stress came from the need to understand the auditor's language and how the ISO framework maps to NIST. This process has given us some great first-hand insights. The first is the importance of organizational change management, and how it can be more difficult for our customers than it might be for us. The second is the need to have a firm understanding of how the audit preparation process impacts the organization and the other initiatives that are underway. The third is the need to implement a long-term continuous improvement approach.
Overall, we think our customers should have some good guiding principles around the process, specifically around continuous improvement for security. This is nothing new -- security is a process, and you can never be done. Make sure to know what you’re doing, have good documentation, and focus on meeting the requirements and measuring results through testing. Make ISO 27001 and SOC 2 work for you and leverage these as tools to benefit your organization.
Jason: I'm Jason Shropshire, senior vice president and CTO at InfusionPoints.

Gary: And I'm Gary Daemer, president of InfusionPoints.

Jason: So today Gary and I are going to talk a little bit about something that's very important here at InfusionPoints, a direction we've been going in for a while, and that is our path toward ISO 27001 and SOC 2 compliance. We're going to talk a little bit about the roadmap to getting there and how it relates to the way that we support customers in achieving their compliance initiatives as well. So Gary, I'm going to ask you a few questions and we'll get started.

Gary: Sounds good.

Jason: Awesome. All right, so why was it so important for us to obtain ISO 27001 and SOC 2 certifications at this time?

Gary: Okay. You know, initially InfusionPoints really started as a traditional consulting company, helping our customers figure out how to integrate cybersecurity into what they do to improve their security posture, typically around security policies, procedures, and security architectures, mostly helping them with meeting government standards as well. But really, along those lines, it was almost a "have laptop, will travel" type of organization, being on customer sites, helping them figure out what they really needed to do. But about six years ago we started helping Dell Federal Services with a FedRAMP offering, and you might want to speak a second or so on that.

Jason: Yeah, so I guess it was 2013 or so that we got involved heavily in FedRAMP. We were taking the Dell Cloud for US Government through the process of FedRAMP accreditation, and we ended up in a position where we were helping out with operational support. So it became really important for us to kind of shore up that area of our business and do all the right things to make that happen.

Gary: So really, what that led us into: we initially started helping them with integrating and filling out their documentation around FedRAMP, and then also helping them implement those security controls in their cloud service offering. At the same time, going through that process, they asked us, "Hey, would you want to go ahead and help us with the operational services?" So we built our Cyber Security Center here in North Wilkesboro, North Carolina, to support that cloud, and we went through two FedRAMP audits with this process to really focus on our government services. While we were doing that, we also decided that what we're doing for Dell, we could sell to the commercial space as well. So we wanted to be able to get focused on that commercial space, and really that is the main reason why we wanted to go with ISO 27000. We've been through two audits on the FedRAMP government side, but we have this whole line of commercial service offerings, so we want to be able to add an additional international security standard to bring some credibility and some additional compliance layers into what we were doing as well.

Jason: Okay, great. Yeah, so getting into the process of getting the accreditations, right, of getting those certifications: how do we go about preparing for the audit?

Gary: Well, you know, almost everything that we do, we focus on what it's going to take to get the job done. So we really establish a project with a way to measure the activities that need to get accomplished. We typically use an agile-type fashion to build out what we're doing. In this case we used our JIRA board, or a local JIRA board, for managing all the activities that we needed to do. And then, along that line, really one of the first things that we did, since we're mostly a government shop and we mostly leverage NIST for our security tools, was to map all of the controls that we are doing to the ISO framework, trying to figure out how what we were doing today would actually map to what we needed to do for ISO 27001 and SOC 2. So as we did that, we really started looking at the gaps, where were the gaps, and there were some gaps between the two standards in what they were actually looking for from an evidence standpoint. But mostly we had everything ready to go, with a few tweaks, along with documentation and a few of our processes as well.

Jason: Mm-hmm.

Gary: Along that same line, one of the things that we like to do is really make sure that we're doing the right thing. So we started an internal audit program, and since we're already an ISO 9001 company, we already have an internal audit for our quality management system, so we just applied that same internal audit process that we already had in place to our ISO 27001 and SOC 2. We also perform mock audits, and this is something we assist our customers with at all times, helping them figure out what they need to test for during the actual audit process. So with this, we didn't do mock audits on the entire 27001 standard; we really focused on the areas we felt we were a little bit weak in, so that someone could come in and ask us those tough questions.

Jason: Right, because the auditor is going to ask you those tough questions, so you might as well learn them ahead of time.

Gary: Yeah.

Jason: So I mean, one thing that I thought was really interesting about what you were saying is that we based the ISO controls around, and mapped them to, a framework that we're more familiar with, like NIST. So I think that's pretty key, because we traditionally, primarily, have been a federal shop.

Gary: Yeah.

Jason: FedRAMP and, you know, NIST 800-53, those are the frameworks that we're very familiar with, and we made those work, since that's kind of our vertical, right. We made that work for the ISO controls, instead of working for the ISO controls.

Gary: Correct.

Jason: Yeah, I mean, I think that's key: whatever vertical you're in, make that work for you.

Gary: Yes, totally agree with that. And the two other points I'd like to make as well: through this process, we also do many quality reviews on all of our procedures and policies, and also on the architecture, to ensure that we met the ISO 27001 standard as well. And performing live test scenarios, I can't stress enough how important that was. Most folks think, when you talk about live tests, about pen tests or vulnerability tests.

Jason: Sure.

Gary: Yes, but test your access controls. Test your access controls to make sure that you're meeting the requirements as well.

Jason: So okay, getting down past all the preparation kind of stuff, what was it like to go through the audit? You're in with the auditor, and now here we are. Tell us about that experience. You've already told me a lot about it.

Gary: Oh yeah. So I have to admit, it was a lot more stressful than I ever expected. We've helped many customers through audits, and I feel the stress of those audits, but being the business owner and the system owner of what was being audited, with somebody peeling the layers back on our particular project and looking underneath the covers and trying to find things, I think the stress was all on me. I enjoy stress, because I'm in cybersecurity, and that's kind of what we live for, right? But at the same time, the biggest stress, I believe, was applying the NIST framework to the ISO framework and being able to make sure we communicate all the ways that NIST maps directly to those frameworks, and then being able to explain it in the words that the auditors understand. I think that understanding the auditor's language, and being able to translate between NIST and ISO, was extremely important. And that goes back to something I even said to the auditor a couple of times along the way: we're doing ISO to ensure that our business can compete in this new operational security space, and to really focus on how ISO can fit us, as opposed to making sure that we fit into ISO.

Jason: Right, because we're not doing a framework just to do a framework. We're trying to do something to ensure and show people that we are following good security practices, right? Like in cases where we were told by the auditor, "Where's your risk treatment plan?", we said, "Okay, well, here's how we treat risk, and this is the way that we do it," right, which follows more the NIST approach.

Gary: Correct.

Jason: Instead of looking for a specific document named "plan" or anything.

Gary: Yeah, exactly. We call it risk management and mitigation, but that's okay with just a little bit of word translation.

Jason: So given this experience now, what do you think the differences are between preparing for your own organization's audit versus what we've traditionally done as consultants? We've always helped customers prepare for their own audits across a lot of different frameworks.

Gary: Correct.

Jason: So what insights have you taken away from this as to what's different?

Gary: To me there are really three major things that I see. The first is really organizational change. I really think that in cybersecurity some of the biggest challenges that we have when working with customers is the fact that the person that we're working with may not be able to impact the people change. In cybersecurity, people is typically the number one issue, whether you're trying to change the way they're logging in, or you're trying to change the way they're encrypting their laptops, or not allowing them to use USB sticks anymore. I can impact that change pretty quickly, because I can say, "This is the way it's going to happen," and that's what ultimately happens, right? But our customers may not actually be able to make that change as quickly as required.

Jason: Organizational change management has always been one of those. Yes, it's definitely one of the largest issues, I think.

Gary: The other area is really having a picture of what all is going on in their environment as well, understanding what's impacting this particular project, and being able to focus on it. You know, team A has 14 other changes that they're trying to implement, while team B is doing something totally different, and they're not able to focus their attention on what needs to be changed. Whereas myself, I could walk around the office and say, "Hey Jason, I need your team to focus on this," and guess what happens? Your team focuses on what we need.

Jason: Right. So immediate, hands-on interaction with the team, whereas typically we're working through a POC who may not have as much ability to make the changes required.

Gary: Yeah.

Jason: And we have the benefit of actually being a security company. There is that benefit as well; it's a little bit easier. When I explain to somebody why we do something a certain way, even though we've been doing it that way for a while, when we explain the benefits of it, they understand it right away.

Gary: Sure: "Why haven't we been doing this the entire time?" But that gets right to the next point, which is really: as you're doing this, think of continuous improvement at all times. So when you first lay in what you're trying to get accomplished, your organization may not be a secure, mature security organization. But, as Jason just said, we're a security organization, so we're fairly mature in what we do. So don't try to make things perfect all at once, because you'll never get there. What you want to do is build something, make it better, and then make it better and make it better each time.

Jason: Awesome. So overall, in the process, what's the overall epiphany or insight that we've taken away, for ourselves and then as we talk with customers?

Gary: I think really, going into this, have some good guiding principles, and if you talk to most of the customers that we work with, they'll probably truly understand what we're saying here. Some of those guiding principles: it's really continuous improvement. Think of it as "I'm going to make things better today and make things better tomorrow," and each time we go about this we're going to make things better. Don't strive for perfection right away, because you're just not going to get there.

Jason: Mm-hmm.

Gary: And then don't over-commit. So let's just say the requirement says you need to do something annually. Well, in your documentation, do it annually. If you want to do it twice a year, then do it twice a year.

Jason: True.

Gary: But make sure you write the documentation, your standard operating procedures or your policies, to meet the minimal standards, and if you need to do it twice a year, then do it twice a year. And along those same lines, make sure you document in your documentation just enough to make it clear to the auditors what you're doing, and that you're focused on achieving the essence of the rules as well, whether those are your security policies, your SOPs, or your technical architecture. And then your testing. I just mentioned that a second ago, but testing those key controls, the areas where you feel weak: make sure you're doing your internal audit on those, make sure you're doing those mock audits on those as well. And really, at the end of the day, you need to make ISO work for you, to really make it fit your business, not the other way around.

Jason: I think everything, and we learned this early on with our ISO 9001 certification, right, is that if you're going to take the time to do these certifications, the time, the money, and the blood, sweat and treasure you put into getting these, you really want them to benefit your organization, right? You don't want them to be just a paper exercise. So that means truly finding how it fits in, how it can improve your processes and make things ultimately better.

Gary: Absolutely, that's why we do this.

Jason: Great. Well, I really think that this whole process for us has just been about enriching our understanding of it, and now we see it more from our customers' perspective than we ever have. So if anyone out there is in need of assistance with ISO 27K, ISO 9000, SOC 2, or any other certifications, and of course we've been doing a lot of FedRAMP accreditation work, let us know, and I'm sure that our experience with multiple customers now, and increasingly our own experience with our infrastructure, can help. So thank you very much for watching.