Information security is paramount to our reputation and to that of our customers. Brainloop’s collaboration platform is built in line with the highest data privacy standards, including the GDPR. Security at Brainloop starts before our software: it comprises technical security mechanisms, secure processes and organisational measures within the enterprise. These elements are critical in areas such as server access and software updates, where so much can go wrong. Policies are also in place that stipulate how people work with personal or confidential data. Brainloop is already very well organised in these areas, as its ISO 27001, ISAE 3402 and Trusted Cloud Data Protection Profile certifications show. But the foundation underlying all of these processes is our internal Information Security Management System (ISMS).
ISMS as a concept
The ISMS is essentially a set of procedures and rules that ensures information security within an enterprise. Brainloop’s ISMS is process-oriented, and information security is implemented in accordance with the PDCA cycle: Plan, Do, Check, Act. Planning is the first step: the company formulates its goals and defines the measures needed to reach them. These measures are then implemented in the second phase, Do, via a series of processes or projects. In the Check phase, the company analyses the effects of the measures it has carried out and compares them with the goals it set. This phase is crucial for deciding whether a measure should be established as a new standard, modified or cancelled. In the last phase, Act, that decision is put into practice: successful measures are adopted as the standard, the revised set of measures is used over a certain period of time, and it is then checked again. If it turns out that there is still room for improvement, the changes are implemented and the cycle starts again from the beginning. In this way, the entire process undergoes continuous improvement.
ISMS at Brainloop
We have defined various security elements on different levels. On the highest one, the governance level, we have a number of policies: an Information Security Policy, an Information Classification Policy and a Corporate Policy. These policies ensure compliance with the major security goals of confidentiality, integrity and availability of information. They stipulate that data must only be accessible to authorised users (confidentiality), that it cannot be altered without authorisation (integrity), and that it must be technically available whenever authorised users need it (availability).
On the level below, we have further policies, including the Physical Security Policy, the Secure Network Policy and the Secure Operations Policy. The latter governs the secure operation of the SaaS platform and includes multiple aspects – from planning to testing to live operation. It covers test and release planning, the backup concept and the change management process.
The security elements are based on standardised procedures and concepts that ensure information security; examples include a specific release procedure, key management and predetermined visitor processes. We also raise awareness among staff with initiatives such as ISMS courses for new recruits and participation in a social engineering game, which trains staff to deal with possible attack scenarios targeting sensitive information. We also regulate access to information, and how it is handled, according to the need-to-know principle: each employee is only granted the access rights and permissions they really need for their work, and nothing more.
The security team: CISO and security architects
The security team at Brainloop comprises the Chief Information Security Officer (CISO) and the security architects. The CISO is responsible for the entire ISMS and coordinates and implements the technical and organisational measures that form part of it. He also ensures the correct implementation of key management and of the identity and access management policy. The security architects handle the technical aspects of software development. Their tasks include encryption, as well as testing the software and its architecture for possible vulnerabilities in order to improve it continually.
Multiple security certifications
Brainloop’s solutions have been certified compliant with the ISO 27001 standard since 2011. This certification, issued on the basis of IT-Grundschutz (IT basic protection) as defined by Germany’s Federal Office for Information Security (BSI), confirms that the ISMS fulfils the legal, regulatory and contractual requirements of the standard. During the certification process, the ISMS is audited by an ISO 27001 IT-Grundschutz auditor who is themselves certified by the BSI. The auditor examines our reference documents, carries out on-site tests and produces an audit report. This report is then sent to the BSI, which uses it to decide whether to grant certification.
Another of our certifications is ISAE 3402 (International Standard on Assurance Engagements 3402), which assesses the effectiveness of a service provider’s internal control system. To obtain it, our internal control system was examined over a six-month period, after which its effectiveness was assessed.
We also meet the requirements of the Trusted Cloud Data Protection Profile, which reflects the stipulations of Germany’s data protection law for cloud computing, and we have continued to do so since the GDPR came into effect on 25 May 2018.
Even if an ISMS has been set up and implemented, that does not mean it will always function in the same way, or that it will stay certified for ever. That is why we follow the PDCA cycle: to ensure that our company’s ISMS keeps proving itself and improves further.
To do this, we run annual internal audits in which internal auditors test information security. We also undergo an external audit once a year, conducted by an external auditor from the certification body.
We also commission a series of voluntary penetration tests, carried out by independent third parties, to test the security of the application. These testers simulate targeted attacks on our systems, which helps uncover potential vulnerabilities.
Finally, ISO certification requires that all ISO 27001 controls are completely re-audited every three years as part of recertification. This ensures a permanent optimisation process for all aspects of information security at Brainloop. On top of that, our customers regularly conduct their own audits of our systems. These assessments are another important yardstick for the maturity of our security concept.
Interested in learning more about Brainloop’s security concept? Here is a blog post on our secure development lifecycle.