DextraData implements ISMS according to ISO/IEC 27001 and manages the security of its DevOps environment with the self-developed IRM solution GRASP
Secure software developer environment at the push of a button
Since 1995, DextraData has been supporting companies in the planning and implementation of IT projects right through to responsibility for regular operations. Extensive technological know-how, comprehensive consulting experience and expert knowledge in the areas of data center and process automation make DextraData a sought-after partner for companies facing the current challenges of digital transformation. As an Independent Software Vendor, DextraData develops innovative industry solutions that create transparency, optimize processes, and provide decision support and added value for the business.
As the developer of the CIO COCKPIT, Dex7, Logipad, VIBS9 and GRASP software solutions, DextraData requires ISO 27001 certification as proof that effective security measures are implemented in the company to protect information and data. ISO 27001 is an internationally recognized standard for information security management systems (ISMS) that provides a framework for establishing, implementing, monitoring, evaluating and improving information security measures in organizations. ISO/IEC 27001 certification demonstrates to customers, partners and other stakeholders that an organization is taking appropriate steps to protect information and data, which can be an important competitive advantage. As a software developer, information security is critical to DextraData, as the company often has to deal with the processing of confidential data and sensitive information. “As a trusted adviser, ISO 27001 certification has been a no-brainer for us to ensure the security of our software development processes and to strengthen the trust of our clients and partners in the security of our products and services,” says Thomas Ulrich, Director Software & Business Applications & Analytics at DextraData.
Only one product came into question for the implementation: GRASP, the Integrated Risk Solution developed by DextraData itself. GRASP stands for Governance, Risk, Audit, Security Platform and is capable of digitizing and managing all necessary steps of the implementation. ISO 27001 certification had a history at DextraData. Before launching its own GRASP solution, the process of introducing an ISMS was long and tough. Thomas Ulrich remembers: “Initiatives were started again and again to do the preliminary work. It never came to a conclusion. Too many manual and analog steps developed into a full-blown time-eater. So the idea and eventual implementation of GRASP also resulted from our own experiences.” While GRASP grew the company’s own expertise, an audit and gap analysis was carried out by external consultants to find out how DextraData was positioned in terms of information security. “Based on this analysis, we were able to determine what needed to be done and when to ensure secure software development,” says Thomas Ulrich. From that moment on, the team internally named the project “WORF” after the security officer of the USS Enterprise.
With GRASP, audits can be planned effectively and stress-free.
The findings of this analysis were documented directly in GRASP. In addition, risks were identified and sample templates discussed in a plenary session. The actual implementation of the ISMS that followed then required an extensive definition of responsibilities, the development of security policies and procedures, the implementation of training and awareness measures, and the introduction of security controls and monitoring measures. This is where the strengths of the GRASP in-house solution came into their own. Normally, measures, documents, responsibilities and deadlines would be spread across several people in multiple documents, spreadsheets or even printouts in drawers or folders. The risk of overlooking, forgetting or insufficiently documenting things is high and would jeopardize obtaining and maintaining ISO 27001 certification. Through a one-time inventory and digitization of structures, processes, assets, systems and documents, GRASP minimizes this risk and creates full transparency and overview through its single-point-of-truth approach. One person was now able to manage all ISO 27001 policies and processes. DextraData also benefited from its self-selected low-code approach in this process, as it enabled employees to adapt GRASP to their specific roles even without programming skills.
Receiving certification – WORF project nearing completion
The most exciting part of an ISO/IEC 27001 certification is ultimately the external review by a certification company. An audit plan specified which areas of the ISMS would be examined, how long the review would take, who would be involved, what documents would need to be provided, and what audit methods would be used. In the case of DextraData, two auditors from the certification company E-Security-CERT GmbH visited the DextraData sites in Essen and Hamburg and conducted an on-site review. During this process, the auditors assessed the implementation and application of the ISMS by reviewing documents, conducting interviews with employees, and reviewing physical and technical security controls. DextraData’s staff was very well prepared due to the effective organization of the ISO team. Effective measures were taken through GRASP, which, above all, increased colleagues’ awareness of information security. In cooperation with the e-learning provider myBreev, for example, employees received mandatory training, and regular newsletters were sent out on the subject of information security. After the audit was completed, E-Security-CERT GmbH issued a report stating that DextraData’s ISMS met the requirements of DIN EN ISO/IEC 27001:2017-06. The Klingon had done his job perfectly.
GRASP supports DextraData in driving and managing the implemented ISMS. “Only by using our own solution were we, as a medium-sized company, able to efficiently organize all the necessities for certification and bring the project to a conclusion. The goal of ensuring the confidentiality, integrity, and availability of information in the developer environment of the software solutions CIO COCKPIT, Dex7, Logipad, and GRASP, and thus minimizing business risks, was achieved thanks to GRASP. In addition, the likelihood of cyberattacks, data breaches, and other security issues has been significantly reduced.”