CloudCore Networks Information Security Management System
| Title | CloudCore Networks Information Security Management System |
| Doc# | DOC-RISK-002 |
| Version | 1.0 |
| Date | 26-07-2023 |
CloudCore Networks is a cloud hosting and managed IT services provider founded in 2010 and headquartered in Perth, Western Australia.
The company operates 3 data centers in Australia and hosts applications and IT infrastructure for over 500 business customers. CloudCore has around 200 employees and contractors across its data centers and corporate office. The IT team manages server hardware, networking, data backups, security controls and 24/7 monitoring for client infrastructure hosted in the CloudCore data centers. CloudCore’s executive leadership includes:
- CEO: Sara Thompson
- CFO: Michael Chen
- CIO: Jessica Singh
- CISO: Mark Gonsales
The company has increased its customer base by 25% annually for the past 3 years. Key solutions include public/private cloud hosting, disaster recovery, data backup and virtual desktop services. CloudCore handles sensitive customer data including financial records, healthcare data, intellectual property, PII and corporate emails. Protection of client data and systems is a high priority to maintain trust and compliance obligations.
CISO Responsibilities
Setting Security Policies and Procedures: The CISO is responsible for creating, implementing, and managing the organisation’s security policies and procedures that are aligned with ISO 27001 standards. These include policies for data access, usage, storage, and transmission. These policies must be detailed, clear, and enforceable.
Risk Assessment: Conducting a comprehensive risk assessment is crucial in the ISO 27001 process. The CISO must identify all assets, threats, vulnerabilities, impacts, and the likelihood of occurrence to calculate the risk. They must also provide appropriate mitigation strategies.
Security Awareness Training: The CISO must ensure that all staff are aware of the security policies and trained in security best practices. They must conduct regular training sessions and drills to ensure that the staff can identify security threats and understand their responsibilities to prevent security breaches.
Regular Audits: Conducting regular audits is essential to measure the effectiveness of security controls. The CISO must ensure that audits are carried out at regular intervals and any non-compliance found during audits is addressed promptly.
Incident Management: The CISO needs to establish and manage the incident response process. This involves creating an incident response team, developing a response plan, testing the plan, and conducting a post-incident review to identify areas for improvement.
Continuous Improvement: The CISO should ensure that the ISMS is continuously improved through the use of metrics, audits, management reviews, and other feedback mechanisms. This means keeping up-to-date with the latest threats, vulnerabilities, and best practices in the field of information security.
Liaison with External Parties: The CISO should also act as a point of contact during the ISO 27001 certification audit. They need to ensure that the external auditors have all the necessary information and can freely perform their tasks.
Management Reviews: The CISO needs to present reviews to the top management, showcasing the performance of the ISMS, its effectiveness, and any changes in the risk environment or business operations.
Ensuring Legal and Contractual Compliance: The CISO must ensure that the company complies with all relevant legal, regulatory, and contractual requirements. This includes data protection laws, cybersecurity laws, and any specific contractual obligations with clients or third parties.
By adhering to these duties, the CISO plays a crucial role in ensuring that the organisation can meet the requirements of the ISO 27001 standard, thus demonstrating to clients and partners its commitment to information security.
Overview
Scope and Context: The ISMS starts by defining its scope, which could be the entire organisation or specific areas. The context would include understanding the organisation, its strategic direction, stakeholders, legal and regulatory requirements, and the role of information security in achieving business objectives. CloudCore Networks would establish its ISMS to cover all its data centers and corporate offices, considering the nature of the sensitive customer data they manage.
Risk Assessment: This involves identifying the assets, threats, vulnerabilities, impacts, and the likelihood of occurrence to calculate the risk. CloudCore Networks would need to assess all its IT systems, hardware, software, and human factors that might pose a risk to the security of its data and services.
Risk Treatment: Once risks are assessed, a risk treatment plan is designed. This would include implementing the appropriate security controls to mitigate these risks, based on the organisation’s risk acceptance level and the resources available.
Information Security Objectives: These are set based on the outcomes from the risk assessment and treatment processes, and they should be consistent with the organisation’s overall strategic objectives.
Security Policies and Procedures: CloudCore Networks would need to develop comprehensive security policies and procedures, encompassing areas like access control, data encryption, network security, incident response, disaster recovery, and user education.
Training and Awareness: Regular training sessions and awareness programs need to be conducted to ensure all employees understand their roles and responsibilities in protecting the company’s and customers’ data.
Incident Management: The ISMS should include an effective incident management process to ensure swift response and recovery in the event of a security breach.
Regular Audits and Review: CloudCore Networks would need to conduct regular internal audits and management reviews to ensure that the ISMS is performing as expected and to identify areas for improvement.
Continuous Improvement: The ISMS should incorporate a process for continuous improvement, updating security measures based on new threats, changes in the organisation, and feedback from audits and incidents.
Remember, the development and implementation of an ISMS is an ongoing process: it involves a continuous cycle of planning, implementing, monitoring, reviewing, and improving the organisation’s information security.
Scope and Context
Scope:
The scope of CloudCore Networks’ ISMS encompasses the entirety of the organisation’s operations, including all data centers, the corporate office, and remote work environments. This would include the management of server hardware, networking, data backups, security controls, and 24/7 monitoring for client infrastructure hosted in the CloudCore data centers.
The ISMS would cover all business units, including the IT team, customer support, sales, marketing, and management. It would apply to all employees and contractors, whether they are working on-site or remotely.
Furthermore, the scope extends to all information assets, including but not limited to:
- Customer data, such as financial records, healthcare data, intellectual property, personally identifiable information (PII), and corporate emails.
- Internal data and proprietary company information.
- Physical assets such as server hardware and network devices.
- Software systems, including proprietary applications, databases, and third-party software.
- Human resources - the knowledge and actions of staff can have a significant impact on information security.
Context:
Understanding the context involves evaluating the internal and external factors that can influence the performance of CloudCore Networks’ ISMS.
Internal Context: The company’s strategic direction is to maintain its leadership in cloud hosting and managed IT services by continually improving its services and maintaining the security and privacy of customer data. The organisational culture is focused on technology innovation, customer service, and information security. The size and complexity of the organisation, with multiple data centers across Australia and around 200 employees and contractors, add to the complexity of the ISMS.
External Context: CloudCore Networks, being based in Perth, Australia, operates under Australian laws and regulations regarding data protection. This includes the Privacy Act 1988 and its Australian Privacy Principles (APPs), which govern how personal information is handled. If CloudCore Networks handles any health-related information, it must also comply with the Health Records Act 2001. Additionally, if the company has clients in Europe, it would need to comply with the General Data Protection Regulation (GDPR).
The company also operates in a competitive global market for cloud hosting and managed IT services, adding external business pressures. As with all businesses in the IT sector, CloudCore Networks faces an evolving threat landscape with potential cybersecurity threats from a variety of sources.
Stakeholders: The primary stakeholders for CloudCore Networks’ ISMS are its customers, employees, and shareholders. Customers trust CloudCore Networks to host their applications and protect their sensitive data, employees need a secure environment to work efficiently, and shareholders expect the company to manage risks and ensure business continuity. Additionally, regulatory bodies, potential customers, and the general public can also be considered as stakeholders for the ISMS.
By defining the scope and context, CloudCore Networks can ensure that its ISMS is fit for purpose, protecting all relevant information assets, and aligned with the company’s strategic direction and the needs of its stakeholders.
Risk Assessment
Risk Assessment is a structured and systematic process to identify, analyse, and evaluate the risks associated with the potential misuse, loss, damage, or exposure of the organisation’s assets. For CloudCore Networks, the risk assessment process would involve several steps:
1. Asset Identification: The first step involves identifying all information assets that could be affected by potential threats. In the case of CloudCore Networks, assets would include:
- Physical Assets: Data centers, server hardware, network equipment, workstations, laptops, and mobile devices.
- Digital Assets: Customer data (financial records, healthcare data, IP, PII, and corporate emails), proprietary company data, databases, software applications, system logs, configuration files, backup files.
- Human Assets: Employees and contractors who handle, manage, or have access to the company’s information assets.
- Intangible Assets: CloudCore Networks’ reputation, brand value, customer trust.
2. Threat Identification: The next step is to identify the potential threats to each of these assets. Threats could be:
- Natural disasters: Fires, floods, earthquakes which could impact physical infrastructure.
- Cyber threats: Malware, phishing attacks, hacking attempts, DDoS attacks, insider threats.
- Human error: Accidental data deletion, misconfiguration of systems, improper handling of sensitive data.
- Legal and regulatory: Non-compliance with data protection laws such as the Australian Privacy Principles (APPs) or GDPR for European customers.
3. Vulnerability Assessment: This step involves identifying the vulnerabilities in the system that could be exploited by potential threats. Vulnerabilities might be outdated software, weak encryption, insecure network protocols, lack of user awareness, or lack of regular security audits.
4. Risk Evaluation: Once assets, threats, and vulnerabilities are identified, CloudCore Networks would need to evaluate the risk. This involves calculating the potential impact and likelihood of each risk.
Impact could be assessed in terms of financial loss, reputation damage, or operational disruption. Likelihood is determined based on the current security controls, the frequency of the threat occurrence in the industry, and the organisation’s history of security incidents.
For example, a DDoS attack on CloudCore’s servers might have a high impact, causing disruption to their services and significant reputation damage. If their network security controls are not robust, and given the frequency of DDoS attacks in the industry, the likelihood could be high.
5. Risk Prioritisation: After the risks have been evaluated, they are prioritised based on their impact and likelihood. High impact and high likelihood risks would be prioritised for immediate treatment.
The risk assessment would be an ongoing process, repeated at regular intervals, or when significant changes occur in the business or the external environment. The risk landscape is constantly evolving, especially in the IT industry, and CloudCore Networks must keep its risk assessment updated to maintain the effectiveness of its ISMS.
The outcome of the risk assessment would provide a clear understanding of the organisation’s risk exposure and form the basis for the subsequent Risk Treatment process, where appropriate security controls are selected and implemented.
Risk Treatment
Risk Treatment is the process of selecting and implementing measures to modify risk. Risk treatment invariably involves balancing the costs of implementing the control against the losses that would be expected if the control is not in place. The ultimate aim is to reduce the risks to an acceptable level considering the organisational context and risk appetite.
In the case of CloudCore Networks, the risk treatment process would involve the following steps:
1. Selection of Risk Treatment Options: There are generally four ways to deal with risks:
Risk Acceptance: Where the risk is deemed to be low, or the cost of implementing controls outweighs the potential damage, the risk may be accepted. This does not eliminate the risk but is an acknowledgement of it. An example could be a minor software vulnerability in a non-critical system with no sensitive data.
Risk Avoidance: This involves not performing an activity that could carry risk. For instance, if a third-party software is identified as a serious threat to the network, CloudCore Networks might avoid using it altogether.
Risk Mitigation: This involves implementing controls to minimise the impact or likelihood of the risk. This could be implementing strong firewalls and DDoS protection measures to reduce the risk of cyber attacks, or regular employee training to reduce the risk of human error.
Risk Transfer: This means handing over the risk to a third party, typically an insurer. CloudCore Networks could have insurance to cover the financial impact of certain types of data breaches or physical damages.
2. Implementation of Controls: Based on the selected treatment options, appropriate controls are implemented. These controls would be selected from the ISO 27001 Annex A, a comprehensive list of best-practice controls for information security, or other relevant control sets.
Controls can be:
- Preventive: Measures that prevent a risk from occurring, such as strong access controls and data encryption.
- Detective: Measures that identify when a risk event has occurred or is occurring, like intrusion detection systems or regular security audits.
- Corrective: Measures that recover operations after a risk event, like backup and restore procedures or disaster recovery plans.
In the case of CloudCore Networks, a combination of these controls would be used. For example, to treat the risk of DDoS attacks, the company could use preventive controls like firewalls and DDoS protection services, detective controls like network monitoring tools, and corrective controls like incident response and disaster recovery plans.
3. Documentation: All risk treatment information should be documented in a Risk Treatment Plan. This includes the details of the risks, selected treatment options, assigned responsibilities, proposed actions, priorities, and deadlines. The documentation would provide a clear roadmap for managing the identified risks and maintaining accountability.
4. Monitoring and Review: After the controls are implemented, their effectiveness should be monitored and reviewed regularly. For instance, CloudCore Networks could conduct periodic testing or auditing of its controls, like penetration testing for cyber threats or fire drills for physical threats.
5. Residual Risk Assessment: After the risk treatment process, there may still be some level of risk remaining, known as residual risk. This risk should be evaluated and compared against the organisation’s risk acceptance criteria to decide if additional controls are necessary or if the residual risk can be accepted.
Risk treatment is a crucial component of the ISMS and a continuous process that evolves with the changing risk landscape and business context. CloudCore Networks would need to ensure that its risk treatment process is robust, adaptable, and aligned with its business objectives and risk appetite.
Information Security Objectives
Information Security Objectives define what the organisation intends to achieve with its Information Security Management System (ISMS). These objectives must be aligned with the business’s overall strategic goals and be measurable, achievable, relevant, and time-bound.
In the case of CloudCore Networks, the Information Security Objectives include:
1. Ensuring Confidentiality, Integrity, and Availability (CIA) of Information: As a cloud hosting and managed IT service provider, CloudCore Networks handles a wide range of sensitive customer data. The company needs to ensure the confidentiality of this data to prevent unauthorised access or disclosure, maintain the integrity of the data to prevent unauthorised modification or destruction, and guarantee its availability to prevent disruption to the services.
2. Compliance with Legal and Regulatory Requirements: Being based in Perth, Australia, CloudCore Networks needs to comply with the Australian Privacy Principles (APPs) and the Health Records Act 2001. Moreover, if they serve customers in Europe, they need to comply with the GDPR. One of the objectives would be to ensure ongoing compliance with these and any other applicable legal, regulatory, and contractual requirements.
3. Continual Improvement of the ISMS: CloudCore Networks should strive for continual improvement of its ISMS to keep up with the evolving threat landscape and business context. This could include improving security controls, processes, or competencies based on the findings from audits, incidents, or changes in the environment.
4. Strengthening Incident Response Capability: The company should aim to strengthen its capability to respond to information security incidents. This could involve enhancing incident detection mechanisms, reducing the time taken to respond to incidents, or improving the effectiveness of incident recovery procedures.
5. Enhancing Employee Awareness and Training: Given that human error can be a significant security risk, CloudCore Networks should aim to enhance employee awareness about information security. This could involve increasing the coverage or effectiveness of security awareness training or improving compliance with security policies and procedures.
6. Reducing the Number of Security Incidents: An objective could be to reduce the number or severity of security incidents, which could be measured by monitoring incident reports over time.
7. Maintaining Customer Trust: As a service provider, maintaining customer trust is crucial for CloudCore Networks. An objective could be to maintain or enhance the level of customer trust, which could be measured through customer surveys or feedback.
Each objective should be associated with one or more key performance indicators (KPIs) to measure its achievement. For instance, the objective of reducing the number of security incidents could be measured with the KPI of the number of incidents reported per quarter. The KPIs should be reviewed regularly, and the results should be used to evaluate the effectiveness of the ISMS and guide its continual improvement.
The setting of Information Security Objectives is a strategic process that requires a clear understanding of the organisation’s business goals, risk environment, and stakeholder expectations. The objectives provide a clear direction for the ISMS and a basis for measuring and improving its performance.
The “Security Policies and Procedures” chapter of the ISMS is a crucial one as it outlines the rules, practices, and guidelines the organisation must follow to protect its information assets. While it can indeed include a list and description of all your policies and procedures, it also serves to communicate the organisation’s stance on information security to all relevant parties.
Here are the key elements:
1. Purpose of the Policies and Procedures: This section articulates the need for the security policies and procedures, their role in achieving the organisation’s security objectives, and the consequences of not adhering to them.
2. Scope: This defines who the policies and procedures apply to. This would typically include all employees and contractors, but it could also extend to third parties like suppliers or customers, depending on the nature of the organisation’s operations and risks.
3. Roles and Responsibilities: This outlines who is responsible for implementing, maintaining, and enforcing each policy and procedure. Typically, this would include roles like the CISO, IT managers, system administrators, and all users of the information systems.
4. List and Description of Policies and Procedures: This is where you list all your policies and procedures, along with a brief description of each. It could include policies like the Acceptable Use Policy, Access Control Policy, Data Classification Policy, Incident Response Procedure, etc. Each policy and procedure should be documented in detail separately, but in this chapter, you just need to provide an overview of what each one covers.
5. Compliance Requirements: This section describes how the policies and procedures meet the organisation’s legal, regulatory, and contractual obligations, as well as any industry standards or best practices they follow.
6. Review and Update Process: This outlines the process for reviewing and updating the policies and procedures. This should be done regularly, or when significant changes occur in the business or the risk environment.
7. Training and Awareness: This describes how the organisation ensures that all relevant parties are aware of and understand the policies and procedures. This could involve regular training sessions, reminders, or tests.
The “Security Policies and Procedures” chapter serves to establish a solid foundation for your ISMS by providing clear guidelines on how information security is managed in your organisation. It’s important to ensure that all your policies and procedures are aligned with your risk treatment plan and help you achieve your information security objectives.
Security Policies and Procedures
1. Purpose
The security policies and procedures are the cornerstone of CloudCore Networks’ commitment to securing the confidentiality, integrity, and availability of our clients’ data. They provide a framework of standards and best practices that our employees and contractors must follow to ensure the protection of the data and infrastructure we are entrusted with. Non-compliance with these policies can lead to security breaches and legal liabilities, harming our company’s reputation and bottom line.
2. Scope
The policies and procedures apply to all employees, contractors, and any third parties who have access to CloudCore Networks’ systems and data. This includes our data center staff, IT team, executive leadership, and external consultants or suppliers.
3. Roles and Responsibilities
The Chief Information Security Officer (CISO), Mark Gonsales, is responsible for the overall management of our security policies and procedures. The IT team is responsible for implementing the technical controls outlined in the policies. The HR department is responsible for ensuring all employees and contractors receive necessary security training. All users of our systems are responsible for adhering to the policies and reporting any suspected security incidents.
4. List and Description of Policies and Procedures
Here is a list of our key policies and procedures:
Acceptable Use Policy: Specifies what behaviours are considered acceptable when using our systems and data. It includes rules about internet use, email use, and the handling of confidential data.
Access Control Policy: Details the controls we have in place to restrict access to our systems and data. This includes user authentication, authorisation, and password management procedures.
Data Classification Policy: Defines how we classify our data based on its sensitivity and the controls required for each classification level.
Incident Response Procedure: Outlines the steps to follow when a security incident occurs, including incident reporting, investigation, containment, recovery, and follow-up.
Disaster Recovery and Business Continuity Plan: Provides a plan of action for restoring our operations in the event of a major incident like a natural disaster or cyber attack.
Encryption Policy: Defines when and how encryption should be used to protect our data, both in transit and at rest.
Vendor Management Policy: Specifies the security requirements for third parties who have access to our systems or data.
Security Awareness and Training Policy: Outlines our approach to ensuring all employees and contractors understand their security responsibilities.
5. Compliance Requirements
Our policies and procedures have been designed to comply with the Australian Privacy Principles (APPs), the Health Records Act 2001, and the ISO 27001 standard. If we serve customers in other countries, we also ensure compliance with their respective data protection laws, such as the GDPR for European customers.
6. Review and Update Process
Our policies and procedures are reviewed at least annually or whenever significant changes occur in our business operations, technology, or the legal and regulatory environment. The CISO is responsible for initiating the review process and proposing any necessary updates, which are then approved by the executive leadership.
7. Training and Awareness
We provide regular security awareness training to all employees and contractors to ensure they understand our policies and procedures. The training covers the key aspects of our policies, common security threats and how to avoid them, and the process for reporting suspected security incidents. We also test the effectiveness of our training through simulated phishing attacks and periodic compliance audits.
Through these policies and procedures, CloudCore Networks seeks to create a robust security culture where every individual understands their role in protecting our company’s and our clients’ data.
Training and Awareness
1. Purpose
The purpose of the Training and Awareness program is to ensure that all employees, contractors, and third-party vendors are aware of their roles and responsibilities in protecting CloudCore Networks’ information assets. By increasing awareness and knowledge about potential threats and vulnerabilities, we can significantly decrease the likelihood of successful cyber-attacks and data breaches.
2. Scope
The Training and Awareness program applies to all personnel within CloudCore Networks, including full-time employees, part-time employees, contractors, interns, and third-party vendors with access to the company’s data and information systems.
3. Roles and Responsibilities
The CISO, Mark Gonsales, is responsible for overseeing the development and execution of the Training and Awareness program. The HR department is tasked with coordinating training schedules, tracking participation, and maintaining training records. The IT team is responsible for developing training content, conducting training sessions, and assessing the effectiveness of the training.
4. Security Awareness Training
All new employees and contractors are required to complete security awareness training as part of their onboarding process. The training covers key areas such as:
- Understanding our security policies and procedures
- Recognising and responding to phishing and other common cyber threats
- Properly handling sensitive data according to our data classification policy
- Using strong passwords and multi-factor authentication
- Reporting suspected security incidents
After the initial training, ongoing awareness activities are conducted throughout the year. These include:
- Monthly Security Newsletters: These cover recent security incidents in the industry, changes in our policies or procedures, and tips for maintaining good security hygiene.
- Quarterly Training Refreshers: These sessions refresh knowledge of our security policies and provide updates on the latest cyber threats and defence strategies.
- Simulated Phishing Attacks: We periodically send simulated phishing emails to test employees’ ability to recognise and report phishing attempts.
5. Specialised Training
In addition to the general security awareness training, we provide specialised training for roles with specific security responsibilities. For example:
- The IT team receives training on secure coding practices, network security, and incident response.
- The HR department is trained on secure handling of employee data and recognising insider threats.
- The executive leadership is briefed on their role in supporting the ISMS and managing information risk.
6. Third-party Vendor Training
Third-party vendors with access to our systems or data are required to demonstrate that they have completed equivalent security training. We also provide them with training on our specific security policies and procedures.
7. Training Evaluation and Improvement
The effectiveness of the training and awareness program is evaluated through:
- Tests at the end of each training session
- Tracking the number of reported security incidents
- Observing the results of simulated phishing attacks
- Employee feedback surveys
The results of these evaluations are used to continuously improve the program, ensuring it remains relevant and effective as our business and the threat landscape evolve.
By investing in security training and awareness, CloudCore Networks seeks to build a strong security culture where every individual understands their role in protecting our assets and contributes to our security objectives.
Incident Management
1. Purpose
The purpose of Incident Management is to establish a systematic, consistent, and repeatable process for handling information security incidents at CloudCore Networks. This process ensures that incidents are detected and reported promptly, investigated thoroughly, and dealt with effectively to minimise harm and prevent recurrence.
2. Scope
The Incident Management process applies to all types of information security incidents that could impact the confidentiality, integrity, or availability of CloudCore Networks’ systems or data. This includes cyber attacks such as malware infections, hacking attempts, or data breaches, as well as non-technical incidents such as physical theft of equipment or inadvertent disclosure of sensitive information.
3. Roles and Responsibilities
The CISO, Mark Gonsales, is responsible for the overall management of the Incident Management process. The IT team is responsible for detecting, investigating, and responding to incidents. All employees and contractors are responsible for reporting any suspected incidents as quickly as possible.
4. Incident Detection and Reporting
Incident detection is primarily handled by our IT team, using a combination of intrusion detection systems, log monitoring, and regular security audits. However, all employees and contractors are trained to recognise potential security incidents and are required to report them immediately using our secure incident reporting tool.
5. Incident Assessment and Classification
Upon receiving an incident report, the IT team assesses the incident to determine its severity and potential impact. Incidents are classified as low, medium, or high severity, based on factors such as the sensitivity of the affected data, the extent of the system compromise, and the potential damage to our reputation or operations.
6. Incident Response
Our response to an incident depends on its classification. For high severity incidents, a cross-functional Incident Response Team, led by the CISO, is convened to manage the situation. The team’s tasks include:
- Containment: Taking immediate steps to prevent further damage or data loss. This might involve disconnecting affected systems from the network or changing access credentials.
- Investigation: Determining the cause of the incident, the extent of the damage, and the perpetrator if possible. This might involve forensic analysis of system logs or coordination with law enforcement agencies.
- Recovery: Restoring affected systems to normal operation, ensuring they are free from any threats, and confirming the security of our data.
- Communication: Keeping stakeholders informed about the incident and our response, in accordance with our legal and contractual obligations. This might involve notifying affected customers, regulators, or the media.
- Review: After the incident has been resolved, the team conducts a review to learn from the incident and improve our defenses. This includes updating our risk assessment, revising our policies or procedures, and providing additional training as needed.
7. Incident Tracking and Documentation
All incidents and our response to them are documented in an Incident Management Log. This log is reviewed regularly to identify trends or patterns and adjust our preventive measures accordingly.
8. Incident Management Training
All employees and contractors receive training on our Incident Management process as part of their security awareness training. The IT team and the Incident Response Team receive additional, specialised training on incident detection, investigation, and response techniques.
The Incident Management process is a crucial part of CloudCore Networks’ commitment to protecting our clients’ data and maintaining their trust. By preparing for incidents and handling them effectively when they occur, we can reduce their impact and learn from them to strengthen our defenses.
Regular Audits and Review
1. Purpose
The purpose of Regular Audits and Reviews is to regularly evaluate the effectiveness and efficiency of CloudCore Networks’ Information Security Management System (ISMS) to identify areas of improvement and to ensure compliance with ISO 27001 standards and other applicable regulations.
2. Scope
The audit and review processes apply to all elements of the ISMS, including risk management, security policies and procedures, security controls, training programs, incident response and management, and continuity plans.
3. Roles and Responsibilities
The CISO, Mark Gonsales, is responsible for planning and overseeing the audit and review processes. The Internal Audit Team, an independent team within CloudCore Networks, is responsible for conducting internal audits. External auditors are hired to perform annual third-party audits.
4. Internal Audits
Internal audits are conducted semi-annually by the Internal Audit Team. These audits assess both the operational effectiveness of our security controls and the compliance of our practices with our documented policies and procedures. Areas covered in the internal audits include but are not limited to:
- Access controls
- Network security controls
- Incident response and management
- Security awareness and training
- Data protection and privacy
- Compliance with applicable laws and regulations
The Internal Audit Team presents its findings to the CISO, along with recommendations for improvement. These findings are reviewed, and necessary changes are implemented.
5. Third-Party Audits
CloudCore Networks also contracts an external auditor annually to conduct a comprehensive review of our ISMS. This ensures an unbiased evaluation and verifies our compliance with ISO 27001 and other relevant standards. The results of these audits are presented to the executive leadership and used to guide strategic decisions about our information security program.
6. Management Reviews
The CISO conducts a formal Management Review of the ISMS annually, taking into account the results of the internal and external audits, changes in our business or the threat landscape, feedback from employees and customers, and any incidents or near misses. The review focuses on the effectiveness of the ISMS and identifies opportunities for continual improvement.
7. Continual Improvement
Based on the findings of the audits and management reviews, the CISO develops an ISMS Improvement Plan. This plan outlines specific actions to address any identified gaps or weaknesses, improve the effectiveness of our controls, and enhance our overall security posture.
8. Audit and Review Training
All members of the Internal Audit Team are required to have relevant auditing qualifications and receive ongoing training to stay current with auditing practices and information security trends.
The Regular Audits and Review process is fundamental to maintaining and improving the ISMS of CloudCore Networks. By actively seeking out areas of improvement, we can ensure our defenses evolve with the changing threat landscape and continue to effectively protect our clients’ data and our systems.
Continuous Improvement
1. Purpose
The purpose of the Continuous Improvement process is to ensure that CloudCore Networks’ ISMS does not remain static but evolves and improves over time. It allows us to adapt to changes in our business environment, technological advancements, emerging threats, and regulatory landscape to ensure optimal and robust information security.
2. Scope
Continuous improvement encompasses all aspects of the ISMS including policies, procedures, practices, controls, and the overall performance of the ISMS. It involves making iterative improvements over time as well as significant changes or upgrades when necessary.
3. Roles and Responsibilities
The CISO, Mark Gonsales, oversees the continuous improvement process, while every team member within CloudCore Networks contributes to the process through their respective roles.
4. Improvement Inputs
Several sources of information feed into the continuous improvement process:
- Audit findings: Both internal and external audits provide valuable insights into the performance of our ISMS and areas where we can improve.
- Management reviews: These high-level reviews may identify strategic changes that need to be made to our ISMS.
- Incident reports: Analysis of security incidents and near misses can reveal vulnerabilities that need to be addressed.
- Employee feedback: Employees often have practical suggestions for improving our security procedures and controls.
- Customer feedback: Feedback from our customers can help us better align our ISMS with their needs and expectations.
- Regulatory changes: Updates to laws or regulations may require us to make changes to our ISMS.
- Technology changes: New technologies or changes to our IT infrastructure can present opportunities for improving our security controls.
5. Improvement Actions
Based on these inputs, the CISO, in collaboration with the IT team and other relevant stakeholders, develops a plan of action to improve the ISMS. This might involve:
- Updating policies and procedures
- Implementing new or improved security controls
- Conducting additional training
- Investing in new security technologies
Each improvement action is assigned a responsible person, a deadline, and a set of success criteria. The improvement actions are tracked and their effectiveness is assessed to ensure they are producing the desired results.
6. Monitoring and Measurement
To gauge the effectiveness of the improvement efforts, key performance indicators (KPIs) are used. These can include metrics such as the number of incidents, audit findings, training participation rates, and system uptime. These KPIs are regularly reviewed and reported to ensure the ISMS is moving in the desired direction.
7. Iterative Process
Continuous Improvement is an ongoing, iterative process. After the implementation of improvements, another cycle of measurement, feedback, and adjustment begins. This keeps the ISMS continually adapting and evolving.
In conclusion, continuous improvement is the key to maintaining an effective and robust ISMS. It enables CloudCore Networks to stay proactive in the face of an ever-evolving cybersecurity landscape, ensuring that our customers’ data remains secure and our business resilient.