Driving Best Practice in Information Security Management
By Dave Roberts, CIO, Radius Payment Solutions
Dave Roberts is the CIO for Radius Payment Solutions, a fleet services company based in Cheshire and focused on Fuel Cards, Telematics and Telecoms. In 2015 Dave and his team started the journey towards ISO27001 Information Security Management and in March 2018 they successfully achieved the accreditation.
Radius continues to grow rapidly and the ISO27001 accreditation has created new opportunities for expansion into new sectors and verticals. There has been significant investment in technology to fulfil the group's strategic plan to become a technology-driven business. Large investments from a security perspective have included tools to perform Vulnerability Assessments and Penetration Testing, as well as Email and Desktop oriented filtering, the latter being a multi-layered approach using a number of different vendors for a 'best in breed' solution.
To find the best security solutions for the business we invariably consulted Gartner and Forrester to save us time conducting endless proofs of concept. New technologies also required new skills in-house to manage the technology and we recruited several key staff to help us define and build policies, processes and procedures to leverage the best security and infrastructure benefits.
A spin-off of achieving the ISO27001 accreditation was also being able to gain Cyber Essentials Plus certification. We strengthened five key areas: Boundary Firewalls, Secure Configuration, Access Control, Malware Protection and Patch Management, all of which are essential aspects within the ISO27001 controls anyway. Cyber Essentials Plus re-certification occurred two weeks prior to achieving ISO27001 accreditation. We have also implemented a Cloud Access Security Broker to help us proactively identify any data leakage risks.
The process of formalising Information Security requirements has helped to change the behaviour and attitude of staff and improved general respect for the protection of information. In turn this has helped enhance our credibility with customers and stakeholders.
The accreditation has encouraged a culture of continuous improvement across the organisation.
This has involved not only a serious level of investment in technologies but also considerable upskilling of key staff and general upskilling of all staff using a common standard of office tools. A full software licensing review was undertaken in the lead-up to consolidation of key licensing requirements. Further upskilling of staff is now being achieved through our virtual learning environment, delivering information security, regulatory and induction training, awareness and assessment.
A project management methodology was developed around the APM body of knowledge, ensuring successful and consistent project delivery. Everyone involved in the programme benefited from this approach as it ensured project deliverables were achieved through the motivation and determination of the programme team.
A series of project plans were developed to ensure the programme objectives were achieved and prerequisites met. Utilisation of the plans enabled monitoring of progress through to achievement of ISO27001. Focusing on a phased and modular approach within the project plans also ensured deliverables were not overly complex at any point in time.
Many highlight reports and update meetings ensured the status of the programme was regularly communicated to stakeholders and investors. The reports monitored progress towards milestones and highlighted risks and issues. As we worked through the project life cycle, regular reviews were conducted ensuring continual improvement in information security and monitoring progress towards the ISO27001 standard.
Information security tasks were developed for various teams in the business to complete, with progress monitored by management. Developing our Disaster Recovery plans for IT core systems emphasised the importance of application continuity across the business. This approach ensured employees were motivated to take responsibility for their respective applications, knowing this was key to achieving accreditation.
The business has become a lot more technology-led as we break new ground in fleet management. Alongside this, the requirement for protective best practice and new legislation has helped to drive Information Security to be considered at the start of, and throughout, new projects. This has also raised the appreciation within the business of the importance of securing information and the work the Information Security team does in support of the business.
Alongside the extensive changes realised from ISO27001 best practice, we have introduced considerable change to IT infrastructure and IT operational practices, which has led to a massive change in culture throughout the business, as well as increased respect for information.
Having now achieved the level of success of the accreditation, as indicated by the very limited observations the independent assessors were able to identify, and with the concept of continuous improvement being a key facet of ISO27001, the appetite within the business is now to achieve accreditation for the entire global organisation by the point of re-certification in early 2021.
All of this has helped to open new doors for the business and to grow the opportunities to support a corporate objective of considerable growth over the coming few years.