inet TMS functions are primarily used as software-as-a-service. This places a special responsibility on inet for the handling of customer data. To prevent losses and avoid liability risks, we implement our information security system according to the international standard ISO/IEC 27001:2005. All documents, processes and procedures are to be structured, implemented, monitored and enhanced based on the example of this standard. The objective of all of these measures is to guarantee the confidentiality, integrity, and availability of information.
inet's security objectives are to:
- ensure stable, highly available IT systems
- prevent any major disruptions in the communication and IT interfaces with customers and business partners
- guarantee confidentiality, correctness and integrity of customer and company data
- observe legal provisions and regulations as well as contractual and other relevant regulations
Many requirements of the standard have been implemented since we first decided on ISO 27001. We have encrypted data, introduced security guidelines and stricter monitoring, and have implemented security measures in the data centers. TÜV Rheinland i-sec is assisting inet in these endeavors and also providing expert guidance and support in preparation of the upcoming pre-audit.
The most important changes are organizational. These include new roles and responsibilities. User roles and rights ensure that only authorized users can access the specific areas they need for their daily work. We've redefined the process for granting rights and the access rights themselves at inet, and introduced authorization workflows. For example, database administrators are no longer able to simply view data – this further limits the number of readers for heightened security. Changes are logged whenever other users with corresponding rights access productive data.
Awareness is key
As a cloud computing provider inet must guarantee the security of information and the protection of assets by reducing the risk of human error, theft, fraud or misuse of facilities. For this reason we established an ISMS team (Information Security Management System Team) – headed by an information security officer and an information security coordinator. They keep a close eye on information security at inet-logistics, develop security concepts and guidelines adapted to the needs of inet-logistics and coordinate these with both the management and TÜV Rheinland i-sec. However, in some respects, their greatest challenge is to create awareness as well as sensitivity and constantly remind everybody at inet about security. Every employee must be aware of the threats to information security and have adequate tools at their disposal to support the organization's own security policy.
“Our challenge is to make all employees aware of the importance of information security. Encrypted databases or strict access rights don't help if printouts are left at the printer, doors stay open, phone calls are made in public areas or laptop screens are visible to others. Sensitized employees actively report deficiencies and are the best source for suggestions for improvement.” (Rene Leimegger, information security officer)
This awareness shall be increased in the future by both regular seminars and internal audits. Other issues such as stricter contractual provisions for supplier management and further technical improvements will be addressed as part of the sought certification process.
At the beginning of 2012, inet's headquarters will move to new premises. The new office also means a new security challenge. Secure access is one important issue that must be ensured through a combination of different measures (doors with alarms, video recording, electronic access control systems, etc.).