Keepit Achieves Enterprise-Wide ISO/IEC 27001 Security Certification

Certification by BSI Group Ensures that Keepit Meets Stringent, International Information Security Standards
Copenhagen, Denmark – May 17, 2022 – Keepit, the market leader in cloud backup and recovery, and the world’s only independent, vendor-neutral cloud dedicated to SaaS data protection with a blockchain-verified solution, today announced that the company has earned International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001:2013 certification for its information security management system (ISMS). With the certification, Keepit demonstrates its commitment and ability to deliver best-in-class security to its customers.

“We are pleased to announce Keepit’s ISO/IEC 27001 certification. This accomplishment, the work for which has been underway for years, conveys how committed we are to implementing the highest level of internal security and compliance, and to satisfying industry-leading standards for security and privacy,” said Keepit Chief Technology Officer, Jakob Østergaard.

“When it comes to backup and recovery, businesses seeking solutions need to be incredibly thorough in their due diligence processes. The ISO/IEC assessment report for Keepit acknowledged that our company already had a tradition of a high level of based on long-term work within our industry and with our partners, and we are pleased that our ISO/IEC certification will further reassure our customers and streamline their due diligence processes. Additionally, we are extremely proud that we met our distinct and ambitious goal of certifying our entire organization, including our entire software development lifecycle and the physical locations of the primary development offices.”

ISO/IEC 27001 is a worldwide information security management standard jointly published by ISO and IEC. It specifies the requirements for establishing, operating, maintaining and continually improving an ISMS, and its Annex A lists a reference set of controls, covering policies, procedures and staff training among much else, that structure how a business manages the risks posed by information security threats. Benefits of Keepit’s 27001 certification include:

  • A systematic, verified approach to information security that results in superior customer data protection;
  • Ongoing performance evaluations and internal audits that ensure Keepit continues to meet the requirements of the ISO/IEC 27001 standard;
  • Continued improvement of business continuity management and disaster recovery plans;
  • Risk, vulnerability, and security incident management practices that enhance overall information technology (IT) operations security;
  • Compliance with current and future legal and regulatory requirements.

To attain ISO/IEC 27001 certification, Keepit underwent a rigorous, multi-faceted audit conducted by The British Standards Institution (BSI). The audit assessed Keepit’s ISMS against the standard’s management-system clauses and its Annex A reference controls (114 controls in the 2013 edition), examining information security, cybersecurity and privacy protection processes across the entire company, including services and technology, business continuity and operations, disaster recovery, and sales and legal operations. For more information on ISO/IEC 27001, please visit.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Keepit
At Keepit, we believe in a digital future where all software is delivered as a service. Keepit’s mission is to protect data in the cloud. Keepit is a software company specializing in cloud-to-cloud data backup and recovery. Drawing on more than 20 years of experience in building best-in-class data protection and hosting services, Keepit is pioneering the way to secure and protect cloud data at scale.

What is ISO 27001, and how can it benefit your business?

The International Organization for Standardization (ISO) is an independent, internationally recognized body that develops and publishes standards for many fields, including information security.

ISO 27001 is a systematic approach to managing confidential company information so that it remains secure. It covers people, processes and IT systems through the application of a risk management process.

But why would companies put themselves through the ISO 27001 certification process? First, to verify that the security program actually holds up: the certification process looks for weaknesses and forces the controls to be tailored to the business, so that security works for the company rather than against it.

Second, compliance with ISO 27001 facilitates the two most important things for every business – customer and employee trust. Who would choose to buy your service or work for your company if you couldn’t guarantee the security of their private data?

Finally, ISO 27001 certification is a great tool for optimizing your internal workflow, eliminating obsolete processes and driving your business towards continuous improvement. Read on and learn more about the benefits of ISO 27001 compliance for your business.

What is the ISO 27001 standard?

ISO 27001 is the certifiable core of the ISO/IEC 27000 family, a set of related standards (ISO/IEC 27000 for vocabulary, 27002 for control guidance, 27005 for risk management, among others) designed to protect a company’s information assets.

It is the most widely adopted information security management standard. The rest of this text walks through the specific requirements for the Information Security Management System (ISMS) that compliance with ISO 27001 demands.

Implementing ISO 27001 should make managing the security of sensitive assets easier: financial data, staff records, intellectual property, or data about your business partners. Meeting the standard’s requirements should enable the company to protect itself against loss, theft or unauthorized alteration of its confidential data and the risks that come with them.

Like any standard, ISO 27001 is not mandatory for companies. However, it is particularly useful when it comes to establishing information security controls. Some companies also use it to show their customers and partners how committed they are to cybersecurity.

In detail, the ISO 27001 standard is designed to protect a company’s information systems by managing cyber risk. The standard:

  • Specifies the information security controls (Annex A) that Information Security teams can select from.
  • Reduces the risk of intrusion into, and disaster affecting, computer systems.
  • Spreads organizational best practices for cybersecurity across the company.

All of this is part of the Information Security Management System (ISMS), and applies to information systems and processes as well as to people affected by cybersecurity. This system is a powerful tool for managing risk and anticipating cybersecurity breaches.

Why is ISO 27001 compliance important?

While ISO 27001 compliance is not mandatory for any organization, companies may choose to achieve and maintain it to demonstrate that they have implemented the security controls and processes needed to protect their systems and the confidential data in their possession.

Achieving compliance with ISO 27001 is important as a differentiator in the market and as a basis for compliance with other mandatory requirements and standards. An organization that complies with ISO 27001 is likely to be more secure than one without it, and the standard provides a solid framework on which to build many of the security controls required by other regulations.

What are the phases for ISO 27001 compliance?

To get started with ISO 27001 compliance it is essential to understand some of the key concepts of ISO and what they can mean for a company that is looking to implement them.

Framework

To be certified against ISO 27001 (certification is issued by an accredited certification body such as BSI, never by ISO itself), a company must follow several procedures structured in an Information Security Management System (ISMS):

  • Precisely define the scope of your ISMS.
  • Conduct an information security risk assessment: identify the assets in scope and the threats and vulnerabilities that could affect them.
  • Estimate the likelihood and impact of each of these possible events, for example by risk mapping.
  • Design a Risk Treatment Plan based on this mapping.
  • Write the Statement of Applicability (SoA), the document that lists which Annex A controls are applied, justifies the inclusion or exclusion of each, and records the state of their implementation.
  • Convert the Risk Treatment Plan into an action plan with performance indicators, and review it regularly throughout the ISMS lifecycle.

The main objective of the ISO 27001 standard is to guide organizations in creating, implementing and operating an ISMS. The ISMS describes the controls, processes and procedures the company has put in place to ensure the confidentiality, integrity and availability of the data in its possession.

Documentation 

To achieve compliance with ISO 27001, an organization must also document the steps that were taken in the ISMS development process.

Key documentation includes:

  • Scope of the ISMS
  • Information Security Policy
  • Information Security Risk Assessment Process and Plan
  • Information security objectives
  • Evidence of Competence of Persons Working in Information Security
  • Results of the Assessment and Treatment of Information Security Risks
  • Internal Audit Program and Results of Conducted Audits
  • Evidence from ISMS leadership reviews
  • Evidence of Identified Nonconformities and Results of Corrective Actions

Process

Annex A of ISO 27001:2013 groups its 114 reference controls into 14 domains; an organization selects the controls it needs through its Statement of Applicability and must justify any it leaves out. (The 2022 revision of the standard regroups the controls into four themes with 93 controls, but the 2013 structure below is the one most existing certifications, and the rest of this article, refer to.) The 14 domains are:

  1. Information Security Policies. How security policies must be documented, approved, communicated and reviewed as part of the ISMS.
  2. Organization of Information Security. Role responsibilities are an important part of an ISMS. This domain assigns security responsibilities across the organization so that there is clear accountability for each task, and also covers mobile devices and teleworking.
  3. Human Resource Security. How employees are screened, trained and managed before, during and after employment, including onboarding, job changes and termination.
  4. Asset Management. Inventory, ownership and acceptable use of the assets that affect data security (hardware, software, databases), plus information classification and media handling.
  5. Access Control. How the organization manages access to data and systems to prevent unauthorized access to sensitive or valuable data, including user registration, privilege management and password handling.
  6. Cryptography. The organization must have a policy on the use of cryptography and on key management; encrypt data at rest and in transit with strong, current algorithms and protect the keys at least as carefully as the data they protect.
  7. Physical and Environmental Security. Physical access to systems can undermine digital security controls. This domain covers securing buildings, secure areas and equipment.
  8. Operations Security. How the organization runs its systems: change management, capacity, malware protection, backup, logging and monitoring, and vulnerability management. The organization must have visibility and control over the data flows in its IT environment.
  9. Communications Security. Networks and information transfer: network segregation, and encryption and strong access controls for the communication systems in use (email, video conferencing, etc.).
  10. System Acquisition, Development and Maintenance. Ensures that new systems introduced into the environment do not jeopardize the company’s security (security requirements, secure development, protection of test data) and that existing systems are maintained in a secure state.
  11. Supplier Relationships. Third-party relationships create the potential for supply chain attacks. An ISMS must include controls to track third-party relationships, contract for security, and manage the resulting risks.
  12. Information Security Incident Management. The company must have processes to detect, report, assess, respond to and learn from security incidents, and to collect evidence.
  13. Information Security Aspects of Business Continuity Management. Beyond security incidents, the company must be prepared for other events (fires, power outages, etc.) that could disrupt its operations and, with them, its security.
  14. Compliance. The organization must identify the legal, regulatory and contractual requirements it is subject to (including privacy law and intellectual property), be able to demonstrate that it meets them, and conduct independent reviews of its information security.

What are the main benefits of reaching ISO 27001?

There are obvious benefits for companies that comply with this standard. This requires actively implementing the necessary measures, processes, and policies for an improved security posture.

This reduces the chance of a company experiencing a data breach and, if it does, ensures that the company is fully prepared with incident response and business continuity plans to minimize damage.

Here are the key benefits of achieving ISO 27001 compliance.

Data Security Enhancement

By implementing the standard, you gain a clear view of your own security landscape and of current defensive measures. An audit of what you are doing right, and more importantly of what needs improvement, teaches data management best practices.

Threats that put your organization at risk are assessed, and you learn to protect your assets through controls that preserve confidentiality, integrity and availability and through authorization procedures that govern who may access what.

Improvement of Processes and Strategies

ISO 27001 puts security strategy at the forefront of its certification. Qualified auditors check that the risks you have identified are actually treated, and the process maps goals and objectives into an actionable approach that defines data security accountability across your team. Certification also produces documentation that can serve as a guide and be updated for years to come.

Alignment with Management Systems

The good news is that ISO 27001 shares the harmonized high-level structure (Annex SL) used by other current ISO management system standards such as ISO 9001 and ISO 22301. Because the clauses on context, leadership, planning, support, performance evaluation and improvement overlap, the systems can be run and audited as one integrated management system instead of each being verified and audited separately.

Culture of Continuous Improvement

In the ever-evolving world of cybersecurity this takes a weight off your shoulders: the standard’s built-in cycle of risk assessment, internal audit, management review and corrective action means that new requirements and obligations are picked up and acted on as part of routine operation rather than in a scramble.

Development of a Quality Brand

Another big advantage of ISO 27001 certification is the benefit to your reputation. The standard is internationally recognized and externally assured, telling the business world that yours is a credible and trustworthy organization.

It increases customer trust by demonstrating your commitment to security and by supporting compliance with legislation such as GDPR (certification does not by itself prove GDPR compliance, but the ISMS provides much of the evidence). This helps you win new business, keeps you ahead of organizations that are not certified, and opens up new industries and contacts.

Cost Reduction

The ISO 27001 standard also helps in implementing policies that organize and improve business processes, and a good security and management system ends up reducing costs.

With a clear view of strategic risk management, risks can be reduced considerably, which saves the resources that would otherwise be spent on remediation.

This directly affects the company’s cash flow, because the cost of resolving a data security incident is almost always high; reducing the likelihood of such spending puts the company in a more comfortable position. Seen this way, it is easy to understand why ISO 27001 matters so much to companies.

Privileged Access Management as a key to ISO 27001 compliance

ISO 27001 covers a broad scope of information security. The framework includes controls for security policy, asset management, encryption, human resources, environment recovery, and more.

Access control, however, figures prominently in the framework. Specific controls deal with access, but authorization and authentication issues are crucial to almost every aspect of the framework. After all, effective data encryption is impossible if you cannot control who has access to encryption mechanisms.

Altogether, ISO 27001:2013 organizes its controls into 14 domains, five of which relate directly to Privileged Access Management (PAM). Let’s look at them more closely.

Section A.6 Information Security Organization

It requires a company to provide a transparent and detailed management framework that defines and enforces its security program. The company must know exactly which roles, responsibilities and tasks employees may, and actually do, perform.

How can Privileged Access Management (PAM) help? Through access policies and permissions, the software regulates and manages users and their rights and responsibilities, restricting privileged actions to those that have been explicitly authorized.

Section A.9 Access Controls

The company must regulate and, where necessary, restrict employee access to different types of resources and information.

How can Privileged Access Management (PAM) help? PAM controls which users are granted access to which resources, and for which time period. It distributes access rights as granularly as business needs and the security program require.

Section A.12 Security of Operations

This section regulates the processes linked to the flow and storage of information.

How can Privileged Access Management (PAM) help? The solution can track any user’s activities, such as attempts to move or modify company data, and logs every session event, which speeds up incident response. In short, these features provide another layer of verification and transparency over data flows.

Section A.15 Supplier Relations

Describes the process of secure interaction between the company and third parties (vendor technical support, contractors, remote workers outside the network).

How can Privileged Access Management (PAM) help? To protect confidential company data from third parties and prevent unauthorized access, the software can define policies that give each third party clearly bounded permissions within the company’s information systems, and it tracks their activities as well.

Section A.16 Information Security Incident Management

This section verifies how the company detects and acts on security events and whether its response workflows are configured effectively.

How can Privileged Access Management (PAM) help? With built-in event recording and video and text recordings of privileged sessions, the software gives a quick way to establish the cause of an incident. By acting immediately, the company can limit its consequences.

Privileged Access Management can therefore simplify the ISO 27001 certification process: it is a ready-to-use instrument for mitigating threats that stem from misuse of privileged access and for aligning the internal security plan with the standard’s requirements.

senhasegura solution for ISO 27001

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) standard 27001 is an internationally recognized standard for specifying Information Security Management Systems. Complying with this standard helps any organization to meet its obligations to customers and business partners.

For service providers, from cloud data centers to law firms, being able to operate requires attesting to their responsibility for their customers’ sensitive information. Auditors around the world also rely on the ISO 27001 standard as the basis for evaluating control and verifying compliance to a range of regulations and standards.

A PAM solution protects an organization against accidental or deliberate misuse of privileged access and should be a critical element of an ISMS. The senhasegura solution tracks privileged users, supporting the implementation of ISO 27001 through a secure, centralized and simplified mechanism to authorize and monitor all privileged users on all relevant systems. In addition, senhasegura:

  • Grants and revokes privileges to users only on systems for which they are authorized.
  • Removes the need for privileged users to hold or know local passwords.
  • Manages access to a set of heterogeneous systems quickly and centrally.
  • Creates a tamper-evident audit trail for every privileged operation.
  • Lets organizations track every action of privileged users on their IT infrastructure, a critical element of the ISMS.

Request a demo now and discover the benefits of senhasegura for your company.


About Senhasegura
Senhasegura strives to ensure that companies retain sovereignty over privileged actions and information. To that end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. We also pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.

Events in MS Windows and Pandora FMS: can anyone offer more?

Diving into Internet of Things Statistics

An Internet of Things (IoT) device is any physical device with network connectivity that exchanges data with other devices or a central service, typically over Wi-Fi but also over cellular (SIM-based) links and other radio protocols. We are living in the age of digital connectivity: if something can have an IP address, you can be sure one will be assigned to it. Examples range from Samsung’s AI-powered Family Hub smart fridge, which suggests recipes based on the ingredients inside, to Tesla vehicles, whose over-the-air updates change not only infotainment software but the behaviour of physical systems (a 2018 update to the Model 3 adjusted its anti-lock braking algorithm and shortened its stopping distance).

Consumer technologies aren’t alone when it comes to utilizing the Internet of Everything. Industries such as healthcare have their own use case. Internet of Medical Things (IoMT) such as smart sensors for monitoring patients’ vitals are an essential piece of equipment in modern healthcare facilities.  

The statistics back this growth: there are already more active IoT devices (10 billion) than people on earth. Over 30 billion IoT devices are expected by 2025, with the market value projected to reach $875 billion by then. Every second over 100 new IoT appliances connect to the public internet, and almost a third of the US population own a smartwatch. This sharp increase in devices drives a corresponding year-on-year growth in the global volume of data being transported.

Cyber Threats & Vulnerabilities of IoT

As the Internet of Things grows, the cyber threats and associated risks keep evolving and growing more complex, with attackers finding new ways to breach devices and networks. Every organization should know its own network attack surface: the set of all points, across its connected devices and hardware, where an unauthorized user could get in or pull data out. Each device is a possible point of entry. Ideally you keep the attack surface as small as possible, which makes it easier to protect, but for some organizations that simply is not an option, because they need thousands, or hundreds of thousands, of IoT sensors to report key analytics.

As mentioned earlier, the healthcare industry makes heavy use of IoT devices. One problem is the cost of complex equipment such as MRI scanners and X-ray machines: it is not feasible to replace them regularly, so outdated and unsupported systems keep playing a key role in the infrastructure. Windows 7, for example, reached end of support in January 2020 after more than ten years in service, leaving every device still running it without security patches. According to a report from Unit 42, the threat intelligence team at Palo Alto Networks, 83% of medical imaging devices run on unsupported operating systems.

IoT devices suffer from a range of other vulnerabilities, including:
  • Weak/default passwords and settings: In October 2016 one of the largest DDoS attacks seen until then was launched against the DNS provider Dyn by a botnet of IoT devices. The malware behind it, Mirai, ran on the infected devices themselves: each one scanned the internet for further devices with telnet exposed and tried a built-in list of factory usernames and passwords to log in. Those credentials are easy to find online, so any device whose operator never changed them is open to anyone.
  • Poor device security from the manufacturer: When a device communicates in plain text, everything it transfers can be read or modified by an attacker in a Man-in-the-Middle position; the same applies when it uses TLS but never validates the server certificate.
  • Outdated IoT firmware: A large share of IoT devices build their firmware on third-party libraries, which fall out of date quickly; where the device offers no way to update its firmware, known vulnerabilities stay exploitable for the life of the device.

Protecting your IoT Devices and Network

Network administrators need to recognise that these new devices demand the same security hygiene as servers and workstations, and that strong passwords, firewalls and anti-virus software alone are not sufficient. The first step in protecting IoT devices is to understand the most likely threats: build a threat model that identifies, evaluates and prioritizes potential vulnerabilities. A documented network is essential; a well-maintained network management system with good monitoring makes it much easier to spot weak points and to notice when a device starts behaving differently.
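
The Mirai behaviour described under weak/default passwords above (one source sweeping telnet on many hosts with factory credentials) is easy to spot in authentication logs if you look for it. The following is an added example, written for this page rather than taken from the original article or from Pandora FMS, in Go with only the standard library. It replays a constructed set of telnet login records and raises two kinds of alert: a source that tried default credentials against several distinct hosts within a short window, and a device that accepted one and therefore still has its factory credentials. The log format, the small credential list (a handful of entries from the Mirai dictionary) and the thresholds are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// SampleTelnetLog is a constructed sample (not a real capture) of telnet login
// events in the key=value form a gateway or honeypot might emit.
const SampleTelnetLog = `2016-10-21T12:00:01Z src=203.0.113.7 dst=192.0.2.10 dport=23 user=root pass=xc3511 result=FAIL
2016-10-21T12:00:02Z src=203.0.113.7 dst=192.0.2.11 dport=23 user=root pass=vizxv result=FAIL
2016-10-21T12:00:02Z src=203.0.113.7 dst=192.0.2.12 dport=2323 user=admin pass=admin result=FAIL
2016-10-21T12:00:03Z src=203.0.113.7 dst=192.0.2.13 dport=23 user=root pass=xc3511 result=OK
2016-10-21T12:00:04Z src=203.0.113.7 dst=192.0.2.14 dport=23 user=root pass=root result=FAIL
2016-10-21T12:00:09Z src=192.0.2.50 dst=192.0.2.10 dport=23 user=ops pass=s3cr3t! result=OK
2016-10-21T12:05:00Z src=192.0.2.51 dst=192.0.2.20 dport=22 user=admin pass=admin result=FAIL`

// DefaultCreds is a short subset of the factory user:password pairs in Mirai's
// dictionary; the real list ran to several dozen entries.
var DefaultCreds = map[string]bool{
	"root:xc3511": true, "root:vizxv": true, "root:admin": true,
	"admin:admin": true, "root:root": true, "root:": true,
}

// Alert is one finding: Kind is "scanner" for a source sweeping telnet with default
// credentials, or "factory-credentials" for a device that accepted one.
type Alert struct {
	Kind string
	Host string
}

// parseLine splits "<RFC3339 timestamp> k=v k=v ..." into its parts; malformed lines are skipped.
func parseLine(line string) (time.Time, map[string]string, bool) {
	parts := strings.Fields(line)
	if len(parts) < 2 {
		return time.Time{}, nil, false
	}
	ts, err := time.Parse(time.RFC3339, parts[0])
	if err != nil {
		return time.Time{}, nil, false
	}
	fields := map[string]string{}
	for _, kv := range parts[1:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return time.Time{}, nil, false
		}
		fields[k] = v
	}
	return ts, fields, true
}

// DetectMiraiStyleScans replays the log text and returns, sorted, every source that tried
// a default credential against at least minTargets distinct hosts on a telnet port within
// window, plus every host that accepted a default credential.
func DetectMiraiStyleScans(text string, window time.Duration, minTargets int) []Alert {
	type hit struct {
		ts  time.Time
		dst string
	}
	hitsBySrc := map[string][]hit{}
	found := map[Alert]bool{}
	for _, line := range strings.Split(text, "\n") {
		ts, f, ok := parseLine(line)
		if !ok {
			continue
		}
		// Only telnet ports and only attempts that used a known factory credential.
		if (f["dport"] != "23" && f["dport"] != "2323") || !DefaultCreds[f["user"]+":"+f["pass"]] {
			continue
		}
		if f["result"] == "OK" {
			found[Alert{Kind: "factory-credentials", Host: f["dst"]}] = true
		}
		hitsBySrc[f["src"]] = append(hitsBySrc[f["src"]], hit{ts, f["dst"]})
	}
	for src, hits := range hitsBySrc {
		sort.Slice(hits, func(i, j int) bool { return hits[i].ts.Before(hits[j].ts) })
		for i := range hits { // sliding window anchored at each attempt
			targets := map[string]bool{}
			for j := i; j < len(hits) && hits[j].ts.Sub(hits[i].ts) <= window; j++ {
				targets[hits[j].dst] = true
			}
			if len(targets) >= minTargets {
				found[Alert{Kind: "scanner", Host: src}] = true
				break
			}
		}
	}
	alerts := make([]Alert, 0, len(found))
	for a := range found {
		alerts = append(alerts, a)
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Kind+" "+alerts[i].Host < alerts[j].Kind+" "+alerts[j].Host })
	return alerts
}

func main() {
	for _, a := range DetectMiraiStyleScans(SampleTelnetLog, time.Minute, 3) {
		fmt.Printf("%-20s %s\n", a.Kind, a.Host)
	}
}
```

On the sample, 203.0.113.7 is flagged as a scanner (five hosts in three seconds, all with dictionary credentials) and 192.0.2.13 is flagged because it accepted root/xc3511; the ops login with a non-default password and the SSH attempt on port 22 are ignored. The "factory-credentials" alert is the more urgent one: a device that accepts a dictionary password is already botnet material, whether or not the scanner was seen.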
Basic IoT network security measures include:
  • VLANs: Place IoT devices in their own VLAN, segregated from the rest of the network, and enforce the segregation with firewall rules between VLANs (a separate VLAN ID on its own does nothing if inter-VLAN routing is open). This need not be complicated: a couple of trust tiers is enough. For example, a Nest smoke alarm can go in a trusted VLAN with internet access, while an inexpensive thermometer from an unknown vendor goes in an untrusted VLAN that can reach nothing but the single collector host that needs its readings.
  • Static IPs: Where possible, give each device a static IP or a DHCP reservation tied to its MAC address. It makes devices easier to track and troubleshoot, and a lease handed out to an unknown address immediately flags a new device on the network.
  • MAC address allow-listing: An easy way to keep unknown devices off the company network, but MAC addresses are trivially spoofed, so treat this as an inventory aid rather than as authentication.
Advanced IoT security measures include:
  • Modern Network Access Control (NAC): Traditional NAC does not scale well to IoT. Many IoT devices ship without an IEEE 802.1X supplicant, so they end up on the MAC Authentication Bypass (MAB) fallback, which, as noted above, can be spoofed. Modern NAC solutions profile devices from their traffic and behaviour, assign them to a VLAN or policy accordingly, and let administrators enforce security policies and assess each device’s risk posture.
  • Automated configuration: Put an automated onboarding process in place for new devices. With a large fleet, manual configuration will let some devices slip through without the security settings applied.
  • Device certificates: Give each device its own X.509 certificate, issued by a CA you control and ideally with the private key generated and held in the device’s secure element. The network or API gateway verifies the certificate chain, validity period and intended usage at connection time, so the certificate provides authentication, an encrypted transport and data integrity through TLS, and a compromised device can be revoked individually.
  • Secure API connections: APIs carry data between applications and devices and are a common attack path. Only authorized systems should be able to talk to the API: authenticate each caller with a short-lived token bound to its device identity rather than a single shared API key baked into firmware, and grant each token only the services it needs.
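
The device-certificate bullet above says what the gateway has to check; the following added example (written for this page, not code from the original article or from any vendor's product) shows the issuing and the verifying side in Go using only the standard library. An in-memory CA issues a short-lived client-authentication certificate per device, with the device serial as CommonName and a hypothetical `iot-devices` OU so that other certificates from the same CA cannot pass as device identities, and `VerifyDevice` performs the checks a gateway or NAC would run: chain to the device CA, validity at the current time, client-auth usage and the OU. The CA name, the OU, the lifetimes and the serial format are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DeviceOU is a hypothetical OU stamped on every device certificate so that other
// certificates from the same CA are never mistaken for device identities.
const DeviceOU = "iot-devices"

// DeviceCA is an in-memory issuing CA (a real deployment keeps this key in an HSM).
type DeviceCA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// sign creates a certificate from tmpl, signed by parent with priv, and parses it back.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewDeviceCA creates a self-signed CA that may sign only end-entity certificates.
func NewDeviceCA(name string) (*DeviceCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true, // no intermediate CAs below this one
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &DeviceCA{Cert: cert, key: key}, nil
}

// IssueDeviceCert issues a short-lived client-auth certificate whose CommonName is the
// device serial. On real hardware the key is generated in the device's secure element.
func (ca *DeviceCA) IssueDeviceCert(serial string, validity time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	sn, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)) // unpredictable serial
	if err != nil {
		return nil, nil, err
	}
	cert, err := sign(&x509.Certificate{
		SerialNumber: sn,
		Subject:      pkix.Name{CommonName: serial, OrganizationalUnit: []string{DeviceOU}},
		NotBefore:    time.Now().Add(-5 * time.Minute), // tolerate device clock skew
		NotAfter:     time.Now().Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature, // IsCA stays false: a device never mints certificates
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca.Cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// VerifyDevice is the check a gateway or NAC runs on a presented certificate: chain to
// caCert, validity at now, client-auth usage and the device OU. It returns the serial.
func VerifyDevice(caCert, presented *x509.Certificate, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	if ou := presented.Subject.OrganizationalUnit; len(ou) != 1 || ou[0] != DeviceOU {
		return "", fmt.Errorf("%q chains to our CA but is not a device identity", presented.Subject.CommonName)
	}
	return presented.Subject.CommonName, nil
}

func main() {
	ca, _ := NewDeviceCA("Example IoT Device CA")
	cert, _, _ := ca.IssueDeviceCert("SN-000123", 24*time.Hour)
	fmt.Println(VerifyDevice(ca.Cert, cert, time.Now())) // SN-000123 <nil>
}
```

Two things the example deliberately leaves out of the gateway check because they depend on infrastructure outside the block: revocation (a real gateway would consult a CRL or OCSP so a compromised device can be cut off before its certificate expires) and binding the device to a specific server, which in practice is done by running the same verification inside a TLS handshake with `ClientAuth: tls.RequireAndVerifyClientCert`. Short certificate lifetimes, as used here, limit the damage when revocation is slow.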


About PandoraFMS
Pandora FMS is a flexible monitoring system, capable of monitoring devices, infrastructures, applications, services and business processes.
One of the many things Pandora FMS can monitor is the hard disks of your computers.