Our approach to information security
It’s been a pretty eventful few weeks in the world of information security. CrowdStrike managed to single-handedly take down a meaningful portion of the world’s computer systems, and this was followed by Microsoft facing further issues on Tuesday.
It’s incredible that a single company can have such a huge impact on the global economy, but I can’t help but feel that this is an omen of things to come, a future where everything is interconnected. This definitely gives me Mr Robot vibes, if you haven’t already watched it then I highly recommend it!
Given the above, I thought I’d share some of our information security journey. Ever since starting Origin we've always been incredibly paranoid when it comes to information and cyber security. We've always operated on the basis that we are one hack away from going out of business. We operate in an industry where trust lies at the heart of everything we do, and once that trust is broken it's practically impossible to rebuild.
Information security is a very broad term which, unsurprisingly, covers every aspect of managing a company’s information. Naturally this will vary significantly from company to company; however, there are a number of commonalities to every business, such as human resources, physical office security, encryption standards, mobile device usage, etc.
To assist companies with their approach to information security, the ISO 27001 standard was first published in 2005. It is widely regarded as the gold standard for information security management across the world. Obtaining the certification is incredibly challenging: it involves implementing a wide range of controls and processes and requires buy-in at every level of your organisation.
We are extremely proud to have been fully certified since March 2022. Every year we have a 3-day audit by an external auditor who probes everything that we have documented, ensuring that we actually practice what we preach when it comes to information security.
A major component of the certification is documenting your organisation’s approach to information security via a robust collection of policies. This has been a long journey at Origin. Back in 2016, before we had a single client, we started off with 6 information security policies. Today, we have 35! (I’ve listed them at the bottom for the cyber nerds who are curious).
We have spent countless hours architecting and developing our offering to be as bank-compliant as possible. This has involved placing information security at the heart of our day-to-day processes.
An organisation's approach to information security has to be a journey. Processes and controls need to be tailored to the organisation’s size and line of business. From the start our policies had always been based on ISO 27001; however, we only felt ready to apply for the full certification in 2022.
There are a number of annual processes that we run:
Annual Penetration Test: Every year since 2017, we have engaged external information security professionals to perform what’s called a penetration test on our systems. We basically pay people to try to hack our platform and cloud infrastructure. They produce a report of findings, classified from critical all the way down to informational, which we resolve and then have re-tested. The yearly findings are, unsurprisingly, extremely minor; however, these are great opportunities to learn and sharpen our knowledge.
Annual Disaster Recovery Test: We simulate disaster scenarios where all of the infrastructure goes down and needs to be recovered. We have target recovery times against which we assess ourselves, to see whether we achieved them or whether our recovery processes need further refinement.
Annual Incident Response Plan Test: We run simulated, relevant information security scenarios such as a ransomware attack or an information leak. We typically have 1-2 members of the team autonomously running the scenario, while the rest of the company tries to resolve the situation. This can be incredibly informative, somewhat stressful, but also rather fun for those involved!
Internal Audit: We have an internal audit team that goes through the latest ISO 27001 standard with a fine-toothed comb and interviews senior members of the team to find any non-conformities or areas for improvement. This exercise is effectively a dry run for the annual ISO 27001 audit and allows us to focus on particular areas beforehand.
Apart from it being generally good practice, we go through these rigorous steps to demonstrate to our clients that we take them and the security of their data very seriously. Because we operate in one of the most heavily regulated industries in the world, this is obviously not a trivial matter.
When we onboard new clients, they all run an information security due diligence process to understand our approach and validate whether we can be a trusted partner for them. These processes can vary significantly, from a quick review of our architecture all the way through to 200-question spreadsheets probing every aspect of our information security practices. We’ve even had a two-day on-site inspection. Some of the types of questions that we encounter:
● Your physical security: Do you have CCTV? What is the CCTV footage retention period? Is there a manned reception? Do you have any hazardous neighbours?
● Pre-employment checks: When hiring new employees do you run credit, criminal, right to work, identity, negative social media, sanction checks?
● Encryption: Do you encrypt your hard drives? Your databases? Your internal/external connections? Which encryption ciphers do you allow?
Unsurprisingly, this process can be a lot of work for us. There have been attempts at streamlining it for vendors through industry certifications, and, to be fair, being ISO 27001 certified does help, a bit. But clients rightly want to own the due diligence on their vendors, which means we end up going through most of the work every time. While the audits are certainly gruelling, we’re proud to have done the groundwork to implement such a robust information security framework, and we always come out the other side passing with flying colours.
I’ll leave you with the mission statement we developed 3 years ago, when we were working towards our ISO 27001 certification, which hopefully shows just how seriously we take information security:
"Information Security lies at the heart of everything we do at Origin. Our approach to Information Security is the foundation upon which our client relationships & trust are built. We are always curious and continually trying to improve by leveraging the latest best practices in order to remain accredited by UKAS to the ISO27001 standard."
Appendix - Origin Information Security Policies
Acceptable Use Policy
Secure Access Control Policy
Asset Management Policy
Asset Mapping
Backup Policy
Board Charter
Business Continuity Plan
Code of Conduct
Compliance Policy
Data Classification Policy
Data Deletion Policy
Data Protection Policy
Disaster Recovery Plan
Encryption Policy
Hardening Policy
Hiring Policy
Human Resource Security Policy
Incident Response Plan
Information Security Policy
Information Security Management System Manual
Network Security Management Policy
Operational Objectives
Password Policy
Patch Management Policy
Physical Security Policy
Portable Computing Security Management Policy
Responsible Disclosure Policy
Risk assessment and risk treatment table
Risk assessment and risk treatment methodology
Software Development Life Cycle Policy
Vendor Management Policy
System Acquisition, Development and Maintenance
Total Performance Policy
Vulnerability Management Policy
Cloud Services