Dear readers & Energy One Belgium fans,
Everyone is aware of the importance of watertight IT security when it comes to sensitive data and systems, even if you are not an IT expert.
The past decades have seen the rise of different kinds of attacks that can cripple whole IT systems. We’re not going to show you any examples; a cursory Google search should give you a few years’ worth of reading 😉.
In the past (and in some cases still nowadays), companies ensured control & security by managing local servers running their own (or third-party) applications. A part of this responsibility has shifted to IT suppliers due to the move of applications to ‘the cloud’ and the outsourcing of solutions to specialized Software-as-a-Service providers.
Cloud hosting providers offer services at a fraction of the cost of self-installation on local servers. Flexible payment plans avoid large investments and provide new opportunities for new and existing business lines.
Flexibility and cost control also bring risks: are security, privacy and availability established as solidly as you would expect, or as your supervisors and customers require? An ISAE 3000 (SOC 2) report provides answers to all these questions and risks.
What is the ISAE 3000, SOC2 audit
ISAE stands for International Standards for Assurance Engagements. Organizations increasingly outsource processes or data to service providers. Processes or storage that have no relation to financial processes are relevant for an ISAE 3000 (SOC 2) report.
A SOC 2 report is an internal control report that focuses on controls at a service provider relevant to security, availability, processing integrity, confidentiality, and privacy of an organization. An ISAE 3000 (SOC 2) report ensures that a service organization keeps data private and secure while processing or in storage, and that data is accessible at any time.
What does this mean for you
Our clients are active across Europe in Gas & Power trading, shipping, and supply to end-users (cities, large industrials, etc.). While our SaaS solutions are used for handling the operational side of things, they are closely integrated with the software ecosystem of our client.
We have to exchange data with software solutions responsible for gas & power trading, forecasting, capacity booking, etc. Furthermore, our software handles the communication between our clients and their counterparties (TSOs, SSOs, etc.).
We prevent messages from being intercepted, and data from being corrupted. These safety measures are needed to prevent significant losses such as imbalance fees, breach of (supply) contracts, the failure to execute a profitable trade, or the inability to deliver the gas/power where you need it.
Why are we doing this
“The reason why we are implementing the ISAE / ISO information security frameworks is because we care about your information.
Such frameworks consist of a set of control objectives and related control activities which we translated into policies and procedures in our organisation. All Energy One Belgium employees will be regularly coached, so they work according to these policies and procedures.
Implementing these procedures in an existing way-of-working (based on AGILE) was a challenge, because we didn’t want to increase the workload of our employees. Therefore, most of the procedures are supported by automation flows in JIRA / Teams / Monitoring tools, where we guide the people through these processes. As an additional benefit, our auditors can gather all data within one system (JIRA).
So as a conclusion, for you as a customer, you can see that we value your data and that we handle it in a secure manner by following the correct procedures.”
Jan Corluy – Chief Technology Officer at Energy One Belgium
Our auditors: EY Belgium
EY Belgium has a team of highly skilled IT security experts within its Advisory division. During the ISAE 3000, SOC 2 Type 1 attestation audit, we worked closely with the team at EY to evaluate, document, and improve on a range of topics:
- Security & risk management
- Change management
- Logical access management
- Disaster recovery
- Incident management
- Vulnerability management
- Operations management
- Supplier management
After 9 months of hard work by our CTO, Jan Corluy, and the IT & operations teams, we successfully passed the ISAE 3000, SOC 2 Type 1 audit on 25/06/2020!
Next steps: ISO 27001
The ISAE implementation gave us an implementation of an important subset of the controls and control activities of the ISO 27001 framework.
To move further along our implementation track for the ISO project, we have now designed all the ISO 27001 documents. The next step is to translate these documents / policies into clear procedures / automated checks and coach our employees in using them.