With everyone at the Microsoft Worldwide Partner Conference hearing about sharing all your data in the cloud, security must be top of the agenda for every CIO. Yet the Nimbus website and marketing material claim that if you have a truly process-focused organization, compliance with the various standards should be a by-product. In effect, free. But is it really true?
That is a very different world from the one most regulation-bound corporates live in, with separate teams dealing with Sarbanes-Oxley (SOX), ISO 9000 (quality), ISO 27001 (information security), Investors In People... and the list goes on.
So the true test came last week. Nimbus has been selling its BPM software, Nimbus Control, to major corporates including Nestlé, Chevron, HSBC, Unilever and Novartis for the last 12 years, and hosting its Nimbus Cloud software for over 5 years. Achieving ISO 27001 Information Security Management certification is therefore required to give clients comfort that their data is safe, whether it is handled by Nimbus people (consultants and support) or hosted on the Nimbus Cloud platform.
What is interesting is that clients now view their documented process information as highly sensitive. After all, it is the DNA of a business, but until recently its true value has often not been recognized.
External security consultants, ECSC, were called in. Their first job was a gap analysis: how far adrift was Nimbus from the ISO 27001 standard, and how much work was required? This was an experience much like the first visit to the dentist after a 5-year gap, or your first company physical.
So how did Nimbus do? Of the 133 control points in the standard, 4 were not relevant, and of the remaining 129 there were 96 green, 16 amber and 17 red. ECSC has 10 years' experience of evaluating companies, so it was very gratifying to read in their report:
“It should be noted that in our extensive experience with a range of client ISO Gap Analysis projects, of those at a similar stage of ISMS development, Nimbus have demonstrated one of the highest levels of compliance we have seen.”
Why? In their fit-gap report ECSC cited the process-focused approach as a major contributor. Nimbus uses Nimbus Control to document and manage its own processes; "drinking their own champagne" I think is the term.
“I am delighted that our commitment to process excellence has been validated so publicly” said Lucy Mills, Nimbus Head of Business Excellence. “We are audited by the major pharmaceuticals and always highly rated for our world class R&D processes, but the security review was across the entire business”.
And the ROI of a process-driven approach is compelling. ECSC estimate that Nimbus can achieve the certification twice as fast as its competitors, which means less consulting help is needed and therefore less is spent in fees.
But there is another benefit, one that is less easy to put a price on: the reputation and livelihood of Nimbus.
Cloud computing is often discounted by organizations, citing security as the major risk. But as ECSC highlighted, probably the greatest risk to data security is the proliferation of mobile devices that can connect to the network and download data, and this problem is only going to get worse. The press is full of examples of lost laptops holding incriminating client data. Lose a client's data and you could lose the client. Word gets around and suddenly you don't have a business.
So, I am typing this on my new iPad, which has 16GB of storage: plenty of space to hold vital, incriminating and possibly confidential data. Apple's iPhone and iPad, running products like GoodReader (just 99c) with Dropbox (free), make it very easy to sync data with a PC or Mac. But where is that data stored? Once synced, it sits on Dropbox's servers, outside the corporate network and outside any controls the IT department has put around it. So it is critical that I understand what I should and should NOT be transferring via Dropbox.
No IT department in the world can lock down devices so far that there is no security risk and still have a business that can function. When HMRC lost the CDs with millions of people's bank details, the internal backlash was fierce: no memory sticks on site, laptops ideally left locked in cupboards. Stable door, bolted, horse: you arrange the sentence. And none of this would have prevented the "CD incident".
So what is the answer? Strong yet pragmatic security policies, supported by transparent processes and reinforced by education.
As we say: "Compliance is easy. Write down what you want people to do, and then get people to do it."