ISO 27001: Ensuring Optimal Data Protection for KJT Clients
Last year, KJT was awarded ISO 27001 certification after demonstrating an ongoing and systematic approach to managing and protecting data – both its own and that of its clients. According to Param Singh, Senior Director, Information Technology and Information Security, KJT’s data security accreditation is anchored by the company’s Information Security Management System (ISMS), which provides a framework for how to manage and treat information securely, including the implementation of applicable security controls.
The ISO Standard covers both the technological aspects of security and corporate, physical and environmental controls (e.g. compliance checks, badge readers, back-up generator), relying on regular risk assessments to consistently identify and treat security threats.
“ISO 27001 requires certified companies, such as KJT, to undertake regular reviews to ensure ongoing compliance and continuous improvement,” said Param. “12 months after being certified, KJT went through its first surveillance audit, and we’re proud to announce that the company passed with flying colors!”
Read on to learn more from Param and the rest of KJT’s Information Security Team about the ISO 27001 framework – from the benefits it brings to what it takes to become, and remain, accredited:
KJT’s Dan Wasserman (Chief Operating Officer), Param Singh (Senior Director Information Technology and Information Security) and Andrew Phillips (Information Security Manager) talk ISO certification:
Q: Why did KJT decide to pursue ISO 27001 certification?
DW: At KJT, we know we have to earn our clients’ and our research respondents’ trust every day – especially as we handle their valuable data throughout the process of delivering market research and consulting services.
ISO 27001 certification assures them proper and continued measures are being taken to protect their assets. The certification also serves as assurance that many of the information security requirements necessary to meet laws and regulations such as HIPAA and GDPR are implemented and are operating effectively.
Q: What does it take to achieve ISO 27001 certification?
PS: Pursuing ISO 27001 certification required a strategic risk assessment across the full KJT enterprise. This was conducted with the help of an external IT consulting firm that worked with us to identify gaps and guide us on ways to remediate any issues uncovered along the way. From HR to IT to Finance, we analyzed all data risks, both within our own systems, as well as third-party systems.
The results of these analyses formed the baseline for the data security policies, processes, and technical safeguards we employ today to protect information throughout the company and our extended network – otherwise known as KJT’s Information Security Management System (ISMS). As our ISMS has matured, so has our overall information security culture, which decreases the risk of phishing attacks, while also providing system redundancies and back-ups.
Q: Once a company has been certified, how does it maintain ISO 27001 accreditation?
AP: This certification runs on a 3-year cycle, with annual audits that ensure ongoing compliance, as well as maturation of the company’s ISMS throughout that timeframe, with the cycle beginning anew in year 4. The ISO 27001 Standard requires a continuous improvement mindset, which helps certified companies stay ahead of evolving cyber threats to preserve the confidentiality, integrity, and availability of the high-value assets for which we are responsible.
At KJT, we benefit from an agile work environment that can quickly adapt to new company policies and/or the introduction of future regulatory or legislative requirements. Our ability to embrace the ISO framework has really upped our game, by helping us standardize our approach to reducing risk and by building a culture of information security at KJT with heightened awareness and focused data security processes across all teams and functions.
Q: How does KJT audit its supplier relationships?
PS: KJT’s suppliers are a critical component of our ISO certification. We’ve always reviewed our vendors, but the process we have in place now is much more formal and robust. We now risk-rank our vendors based on several key factors – conducting a thorough information security assessment on each. The most critical and high-risk vendors (the ones with the greatest access to the most sensitive data) are reviewed annually to ensure appropriate controls remain in place.
Q: How does everyone at KJT engage with the ISMS?
DW: Everyone here understands the importance of the company’s ISMS in addressing increasingly sophisticated cyber security threats that are coming at an accelerated pace. They also know that each employee owner has a role to play within the ISMS, whether it’s making sure they’re not clicking on suspicious links or opening up fraudulent emails that might expose us to risk. Our intent is to heighten this awareness, so that, in combination with our employee ownership mindset, if/when our employees see something that may put us at risk, they report it so we can get it fixed. Staying vigilant is one of the key points that we try to instill in our employees.
To ensure alignment, we send security updates periodically throughout the year and conduct quarterly security awareness training. Our goal is to educate everyone on the most current threats, malware, viruses, and phishing techniques, which can result in a company-wide data breach.
KJT also conducts quarterly phishing tests, ensuring employees are following protocol. The results of these tests show us that individuals are taking data security seriously, reporting suspicious emails and taking the appropriate steps to mitigate risk. This benefits their personal lives as well, helping them address data vulnerabilities on their phones and home computers.
Q: Are certain companies or industries more susceptible to cyber-security threats than others?
AP: A research firm such as KJT handles a lot of sensitive data on a regular basis, which requires trust in our ability to safeguard our clients’ assets. The fact that we work within the healthcare industry adds another layer of risk: medical records reveal a lot of personal information that can be valuable on the ‘dark web’ for illicit transactions such as purchasing prescriptions or making false medical claims.
In the time span between 2009 and 2017, nearly 2,200 data breaches occurred, exposing 176,705,309 private health records. (Due to the criticality of medical information, each of these types of breaches can equate to $7 million in losses, vs. $3.5 million in other segments.)
The stakes are high, and we take our responsibility to our clients’ and respondents’ data very seriously. For us, it’s not just about regulations or fines. At the end of the day, information security is imperative to safeguard people’s medical data – as well as our client companies’ ability to make continuous improvements that benefit our national healthcare system. Because the work we do and the data we manage at KJT can affect health outcomes, the company expects every employee here to work and behave in an ethical and responsible manner, in accordance with KJT’s core values, including that of Integrity. Only when our people act with integrity can the word also apply to our systems, safeguards and data.
Q: What do you see as the future of data security?
PS: We anticipate more information transitioning to a cloud-based environment, so data will be increasingly accessible via remote technologies and devices, as well as through traditional office infrastructure. This will require appropriate controls at all access points. We expect more sophistication from hackers and cyber criminals, which necessitates a commensurate push on evolving our data security protections. All in all, the threat of spyware, ransomware, data breaches and cyber scams will only grow. It’s our job to ensure everyone is aware of the associated risks, and how to lower the exposure to data vulnerabilities. As Andrew stated, the stakes are incredibly high in the healthcare segment, and data security is a critical priority in the protection of information that can affect people’s health, wellness and lives. Having gone through the ISO 27001 certification process and our recent surveillance audit successfully, I can confidently say, KJT is up to the task!