TRADESPARENT recently announced it has adopted ISO 27001 and completed the SOC report. We sat down with Norbert Verhagen, Managing Director and Chief Information Security Officer, to discuss this development and security in the broad sense.
How significant is security to the business of TRADESPARENT?
TRADESPARENT specializes in data management and reporting for agribusiness companies. Our SaaS solutions achieve this by leveraging the client’s data and systems landscape in a cloud-based environment, built for and operated by our clients. Naturally, safeguarding the confidentiality, security and availability of our client's proprietary data has been at the top of our agenda from the very start of our company 10 years ago.
What are the common security concerns of a trading or processing operation in the context of rolling out a reporting and data management solution?
Security concerns at the reporting level typically occur around the secure transportation, storage and accessibility of confidential data. Each trading and processing company is different, both in terms of characteristics and where they are in the digitization journey. Irrespective of that, achieving an end-of-day or even real-time view of the company’s exposures requires a secure infrastructure and framework where different systems and databases can communicate and for the teams to collaborate towards the same goal. The common security concerns will largely be a result of the infrastructure and workflows put in place by the company.
Why did TRADESPARENT seek to receive an ISO certification and a SOC report?
The objective was to fully embed security inside TRADESPARENT. The ISO 27001 Certification is the formal stamp provided to us by one of the world’s top independent auditors. It confirms that all 114 ISO controls which belong to the standard are in place at TRADESPARENT. The control categories include, among others, information security policy, security organization, communication, vendor management, access controls, system deployment, continuity planning and compliance. Whereas ISO is a Certificate, the SOC (or ISAE 3204 standard) report is a written document which can be obtained upon request by our clients and prospects. It describes our business and specifically how TRADESPARENT has implemented its controls around security. The SOC tests have been conducted by a different auditor than ISO to provide impartiality.
Since TRADESPARENT had the controls in most cases already in place, the ISO 27001 process provided guidance to complete, in a structured way, all the required policies and procedures. The process has also been very beneficial internally as it raised the security awareness inside TRADESPARENT even more: from business analysts, consultants, Sales and Marketing, HR, hosting, all the way to management.
What does this development mean for TRADESPARENT and its clients?
We completed the audit in three months with zero non-conformities. This is an excellent result by any standard and I am proud of the whole team for this accomplishment. To the extent that commodity Trading and Processing necessitates secure and operational systems, our clients need not just take our word for it: TRADESPARENT is a best-practice organization and solutions provider as far as information security is concerned.
We expect this development to be an asset for our international growth. Over the last 18 months we have seen TRADESPARENT hosting services become the standard across the industry, where users can access their Tradesparent cloud-based environment day and night, wherever they are. In many cases, our services integrate directly with our clients’ own Active Directory, i.e. Single Sign-On. We expect these accreditations to help us develop new relationships and provide our solutions to trading and processing portfolios across Europe, North America, Asia and the Middle East.
Taking a broader view of security in our industry, what are the most pressing risks today?
The first disruptions caused by Covid-19 have resulted in many professionals working from home. We see that not every company is equipped with remote facilities today. Using services which provide continuity and trust is even more crucial in these times. Threats are continuously changing and organizations which gamble on security are at greater risk during such disruptions.
The top vulnerability in the industry remains email, considering the confidential and time-sensitive nature of the information exchanged across this communication medium. At the IT and Systems level, a classic, usually complex, on-prem environment presents very different security challenges and workflows than a “boxed” cloud-based solution.