Standards of Security for EA Vendors

Dec 4, 2019
Written by
Razvan Mitache


We’ve spoken about security on this blog before. We addressed how you can build a better protected organization with the help of enterprise architecture, for instance, and also collated our thoughts on improving cybersecurity with EA in a whitepaper (have a read if you haven’t already). That’s because we are genuinely preoccupied with the topic and we make it our business to not only adhere to high security standards ourselves, but also create awareness within our industry around this important subject.

Today’s post is related to security from a slightly different angle. We mentioned in a previous blog post that security is one of the important capabilities of a solid architecture platform. We’d now like to explain what we meant by that and actually go into some specifics using ourselves as a case study.

Standards of Security


Security certifications

Here at Bizzdesign we make security a priority, and as such we are an ISO 27001 certified company. This is a widely acknowledged standard that ensures we have implemented an Information Security Management System (ISMS) which is kept up to date and functions as it is supposed to. The certification alone doesn’t mean that a vendor’s software or development process is secure, only that a documented ISMS with adequate rules and policies is in place.

More importantly, Bizzdesign is also ISAE 3402 SOC 2 compliant; SOC 2 stands for Service Organization Control 2. This is a considerably more stringent – and as a result more difficult to obtain – security attestation. During the attestation process, an organization’s ISMS is scrutinized and its policies are evaluated to determine whether or not they are fit for purpose. What’s more, auditors determine on a regular basis whether the rules have been followed as specified in the documentation, with the obvious consequence that a failure to do so would result in disqualification.

We’re quite proud of this achievement. That’s because whereas most companies only receive a SOC 2 attestation for the Security and Availability criteria, BiZZdesign’s SOC 2 report also covers Confidentiality, which is arguably the most important item for enterprises looking for a cloud-hosted EA solution. Together, the ISO 27001 and SOC 2 attestations form a gold standard for information security but in case anyone is wondering, yes, we are also GDPR compliant.

A culture of information security

So that’s the ‘outside-in’ half of the story when it comes to our commitment to security, whereby we sought and indeed achieved best practice certifications as defined by the industry. Moving on to the other, ‘inside-out’ half, we’d like to focus on three things, the first of which is the concept of having a culture of information security. We believe Bizzdesign can speak with good authority when it comes to displaying an enterprise-wide preoccupation with this subject. For instance, there is a body within our organization called the Information Security Group, which manages the ISMS and, in our case, actually comprises all our C-level executives.

This means we aren’t relegating all security-related operations and tasks to some unfortunate team member in IT; instead, the company’s management team is closely involved in the realities and decision making that pertain to information security. Again, we are genuinely preoccupied with this. Furthermore, we have a standard screening process for all new employees and conduct extra screening steps before assigning people to roles that allow access to systems containing confidential data. All employees have their machines encrypted.

Secure software development

The second item we’d like to mention is our software development process. It is staged, assigns clear responsibilities, and revolves around a peer-review method. This makes it impossible for any one developer to insert malicious code into our product, especially when you consider that the process also includes extensive tests and static code analysis. It is also noteworthy that we employ infrastructure-as-code for our hosting environments to eliminate manual interactions, with that code undergoing the same peer review process. By the way, since we get asked this regularly, we want to make clear that as part of our practices we never use customer data to test our software.

Active and proactive security measures

Finally, the third item is that we power our SaaS offering via Amazon Web Services (AWS) using its strongest security features and running a wide range of active and proactive safeguarding methods. For example, we carry out regular penetration and disaster recovery tests. We implement access controls in order to distribute responsibility and eliminate single points of failure (e.g. the team managing the code can never deploy it). Additionally, we make our support team available to customers 24/7/365 for security issues as part of our standard SLA.

But what about the security and availability of the hosting servers, you ask? AWS conforms to the same ISO 27001 and SOC 2 standards, and holds several additional certifications relevant to its services, such as ISO 27017 (security controls for cloud services). On top of that, we encrypt data at rest and in transit, and deploy across multiple AWS data centers. We also make daily geo-redundant data backups, and for the most stringent of industries we offer optional extra-secure connectivity options – get in touch if you want to learn more. As you can see, we take the security of our customers’ data seriously. All these procedures and precautions are aimed at catering to any security requirement a customer might have and at giving them the peace of mind that their information is always out of harm’s reach.

Conclusion

In conclusion, we expect it’s obvious by now that at Bizzdesign we prioritize security and treat it as an integral part of our offering. Apart from a brilliant enterprise architecture platform and associated EA-related services, we also bring other important elements to the table. In today’s blog post we addressed one of those elements – security. We hope this post gave you a better understanding of what it means to do business with a secure partner and what actively investing in safeguarding customers’ data looks like. Please keep this in mind next time you’re selecting business software, like an EA management platform.