Cyber security has become the main topic of discussion in the past year. More and more major organizations have been hit by security breaches. It is important to note that the cause is not always the code they implement and create themselves. More often, it is the lack of practices that make sure the third-party code they use is safe and secure.
Manual checks and vendor risk management (VRM) are not enough today. Your vendor risk management team will see that a library is free, or that a piece of software costs $5,000, and conclude that it falls under a risk assessment threshold. But just because the software you are purchasing is inexpensive, does that mean it should not be checked at implementation and then again at every update or upgrade? No. These are some of the most important code bases to check. Automation is the key.
Every year, we see significant security breaches around the world. Just recently, the largest meat processing plant in the world was shut down for multiple days. In addition, one of the largest hacks in history, known as SolarWinds, used a supply chain attack that exploited a gap in an IT program to gain access to and compromise data, networks and systems within government agencies, Microsoft, Intel, Cisco, Deloitte and over 18,000 other large organizations.
After the SolarWinds breach, the US Government issued an Executive Order on cybersecurity initiatives that requires attention to the full software supply chain within every application. It will also require private vendors that work with the federal government to have these initiatives in place. In summary, these include:
- A Software Bill of Materials (SBOM) will become mandatory
- Emphasis on open-source provenance
- Automation tools will be important
- Secure development environments
- Much more
ISO 27001:2017 takes best practices, consistency, policy, and growth into consideration. 95% of cybersecurity breaches are caused by human error (source: https://www.cybintsolutions.com/cyber-security-facts-stats/). So, having policy, training, and consistent procedures in place is imperative to make sure your organization is as safe as possible. Any smart hacker will try to target your weakest link, which means you cannot allow anything to be weak.
iText has been ISO 27001:2017 certified for the past 3 years. Over that time, we have seen growth and expansion to consistently cover the growing needs within information security. Part of the reason we chose ISO, rather than NIST or any other program, was the requirement for yearly audits and proof of growth. The world evolves exponentially around us, and we have to change and grow with it to make sure all of our customers are also safe from cybersecurity or supply chain issues.