At Katabat we take extreme pride in the comprehensive and robust security with which we protect our operational infrastructure and, of course, the data of our customers. As ransomware and other hacking attacks become an ever more common part of the daily news, I thought it would be a good time to provide some insight into how we protect our IT resources from hackers—including professional criminals and state actors.
My own introduction to the need for IT security came back in the 1990s, when I was a systems manager at the University of Pennsylvania and we had to deal with the repercussions of a student who thought it would be great to share the root password of a Solaris machine with his friends on the internet. This led to my first exposure to what I would much later learn was called a forensic analysis of an intrusion.
Diving Deeper into Security
As I dove deeper into the field of security, I learned that while it was certainly essential to create secure applications, it was also mission critical to secure the entire infrastructure hosting the applications, databases, and other enterprise elements.
Later, I would join the security team at BlackRock, the New York-based multinational investment management corporation, where I worked for 10 years helping to protect that company’s extremely sensitive data. This was where I began working on security audits. The CPAs and accountants realized that they couldn’t really do a meaningful audit without understanding how the backend computer systems worked, and how data was safeguarded from alteration or theft.
I was soon managing BlackRock technical audits for information security (SOX and SAS-70), which proved to be a tremendous experience. In many ways we were creating new security processes along the way. Auditing is the best way to identify—and remediate—security weaknesses.
At Katabat: Your Security Partner
After joining Katabat—more than a decade ago—it was a pleasure to work with the vast security teams that some of our global banking customers deployed. Whether working with global giants, or with small or startup organizations where there might not be a designated security officer, Katabat operates as a security partner. Sometimes that means seamlessly integrating with a multinational’s internal security team. Sometimes that means serving as a de facto security advisor for a small organization that might be so focused on core competencies that they require a nudge and guidance toward ensuring the security of their internal data, as well as the personally identifiable information (PII) of their customers.
As part of our commitment to security, Katabat adheres to a number of security standards and regulations, including:
- Payment Card Industry Data Security Standard (PCI DSS) is the information security standard for organizations that handle credit cards. Katabat has always been PCI compliant, and renews its attestation of compliance annually. While designed for protecting credit card data, PCI provides a great blueprint for all forms of computer security. PCI is based on six “control objectives,” which are:
  - Build and Maintain a Secure Network and Systems
  - Protect Cardholder Data
  - Maintain a Vulnerability Management Program
  - Implement Strong Access Control Measures
  - Regularly Monitor and Test Networks
  - Maintain an Information Security Policy
Each of the above points is detailed with robust guidance—everything from firewall configuration to data encryption to penetration testing. If all companies implemented such practices, the global IT infrastructure would be a safer place than it is today.
SOC 2 Attestation
- System and Organization Controls (SOC), defined by the American Institute of Certified Public Accountants (AICPA), is the name of a suite of reports produced during an audit. It is intended for use by organizations that provide information systems as a service to other organizations, so that they can issue validated reports on their internal controls over those information systems to the users of those services. There are different types of SOC reports, with SOC 1 analyzing financial reporting. SOC 2 focuses on infrastructure and practices across areas representing its five Trust Service Principles, which include:
  - Processing Integrity
SOC 2 compliance is verified in the form of an attestation report prepared by an independent CPA firm authorized by AICPA to perform such audits. The audit reports, which can be more than 200 pages long, represent a thorough examination of prescribed best practices. As with PCI, SOC 2 audits must be repeated annually.
- The General Data Protection Regulation (GDPR) is a European Union (EU) regulation on data protection and privacy that also addresses the transfer of personal data outside the EU and the European Economic Area (EEA). The GDPR’s primary aim is to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. While we must follow GDPR requirements for our data centers based in the UK and Australia, we go further by extending the same protections to all of our installations, even those based in the U.S., to provide even greater protection for PII and other data.
In addition to the annual PCI and SOC 2 audits of our operations, we also conduct our own internal security audits. From experience I know that our own internal audits are far more stringent than what I have seen or heard of anyplace else.
The combination of PCI compliance, SOC 2 compliance, GDPR compliance—in addition to our own internal audits, and on top of our other robust and system-wide security measures, including encryption of all data while in transit—provides an exceptionally secure foundation.
This is why we see ourselves as security partners. We know the needs of our customers in the financial services sector, because that is the space from which Katabat grew; it is the background from which we have come. Few sectors have security needs as mission critical as financial services, which is why we handle security with such focus and dedication. We are proud to serve as security partners—helping our customers stay as secure as is possible in this sometimes insecure world.
Arthur, a Certified Information Security Manager, is responsible for the strategy, oversight and management of Katabat’s Information Security, Privacy & Technology Risk programs. Prior to joining Katabat in 2012, he was Vice President, Technology at BlackRock. His diverse background includes enterprise systems administration and management, consulting as well as academic research. Arthur is a member of the Information Systems Audit and Control Association (ISACA) as well as the International Association of Privacy Professionals (IAPP). Arthur received a Bachelor of Science degree in Engineering at The Pennsylvania State University and a Master of Science Degree in Engineering at the University of Pennsylvania.