UX in network apps: how not to fail
UX in network apps: how not to fail
Close

20 July 2022

Software Development

Security standards at CodiLime – how do we keep the data safe?

9 minutes reading

Security standards at CodiLime – how do we keep the data safe?

According to SonicWall's 2022 Cyber Threat Report, the number of cyberattacks - including encrypted threats, ransomware, intrusion attempts, and cryptojacking - rose by more than 100% during the past year. Cyberattacks equal lost money. And in today's business environment, nobody can afford that. 

Here, we share with you how we mitigate these risks at CodiLime and, along the way, save money - ours and our clients’. 

Security standards – our perspective

At CodiLime, we are security freaks - our auditors praise us for the fact that our procedures are an organic part of the organization’s ways of working. We include our various internal teams in security discussions and consider their points of view, opinions, and circumstances. Our employees understand and use our security  standards, as they are engaged in their development from the early stage. 

What, in detail, are we doing day-to-day to ensure a level of security that satisfies both our clients and ourselves? Read on for some examples of our safety routines. 

Security best practices and principles at CodiLime

  • Secure processing of personal data and other information

We only use legal and up-to-date software and drivers on servers and workstations for the encryption of laptops, PDA devices, and mobile phones. We give only the minimum required operational access rights to Information Systems. These activities combine to ensure the safety of personal data. At CodiLime, we use only encrypted communication for system access and run regular backups (and we test whether they restore correctly). We also scan our devices and network, looking for potential vulnerabilities. 

  • Continuous training 

We regularly test our employees on security-related rules and regulations, including how they should protect their devices, secure remote environments, set secure passwords and store them properly, conduct access transfers, and that they can identify information correctly according to our four-level information classification system. 

  • Monitoring and improvement 

We do our best to maintain the company's reputation for fulfilling its ethical and legal responsibilities. We also monitor our processes to improve our ways of working by introducing continuous risk assessment and improvement. 

  • CodiLime’s Information Security Management System 

Our Information Security Management System (ISMS) includes all major information relating to security at CodiLime. Our dedicated team continuously develops and improves the ISMS. Also, the team conducts internal audits, management reviews, and risk assessments on a regular basis.

  • Security during the whole software development life cycle 

As a rule, client-specific security requirements and policies are the priority for us, and they are incorporated in the first instance. Suppose a client does not have policies in place. In that case, we offer our secure development policy, adjusted to the software development lifecycle phases such as requirement analysis, design, development, testing, and maintenance. 

Our actions and approach have been legitimized during the official ISO 27001 certification. The certificate was not an end in itself, but it was a nice recognition of our efforts. For more on ISO 27001, see below. 

Information security standards at CodiLime are certified with ISO 27001 

We can proudly say that we have obtained the ISO 27001 certification. Information security has always been one of our top priorities – we want to cut the mustard with the leaders in the technology-driven industry with whom we partner. 

You can find more information about our ISO certification by reading our company news

However, we're not resting on our laurels regarding information security – CodiLime's Information Security Management System (ISMS) is constantly being improved and strengthened by new solutions. Besides our own internal examinations and tests, our ISMS is also checked via external audits conducted by BSI. Moreover, we regularly conduct internal audits and build risk assessment expertise as we educate our employees. 

That said, these are all standard procedures – you can find their reflection, more or less, in other companies' policies. What are we personally proud of? Read on to find out what we do by way of ‘extra’ measures. 

ISO is not everything – what else do we do? 

Firstly, we have no ‘offline’ procedures. What we do with our data and information is stored in the tools we use to trace activities and processes. That means that every step or action taken is recorded by the dedicated tool in use. In case of a problem, it is easier to step back and analyze the path to find out the cause. 

We analyze the software that people want to use. Regardless of the team and area of ​​the company, we check every piece of software and every tool, including the ones that are required for clients’ projects. 

We use a ‘shared drive’ approach, keeping as much data as possible in reliable cloud storage so the hardware itself contains minimal information. 

Safety and security rules should impose the smallest limitations on the organization’s creativity and productivity. That's why we constantly develop and adjust our approach in response to new challenges and upcoming changes. One example of our progress is our new mobile management policy. 

Most of our employees prefer to work remotely - our task was to provide them with solutions that let them do their work from their chosen location without compromising data security. One result is a BYOD policy. 

Our BYOD (bring your own device) policy is a response to employees’ need to securely use their personal devices for work. From the very first, we were sure we did not want to install spyware on our employees' devices. We went along with our companies’ leading values: team up to win, act to deliver, and disrupt to grow. We consulted widely with our people about the BYOD policy, considering their opinions and believing that information security standards should be a help, not a limitation. We set up an inner test group and, after successful results, we introduced the procedure throughout the organization. We use minimally invasive tools to know which devices connect to our resources, ensuring that they are approved and meet our technical security requirements. We can also, in case of accident or loss, cut off individual devices from our resources remotely. Now our BYOD policy covers every type of smartphone or tablet, and every employee. 

However, we believe that rules can not be followed without awareness and understanding. From their first day at CodiLime, our employees have a security onboarding session to raise awareness. We have prepared an informative campaign which is delivered via emails, Slack notifications, and posters in the offices. Finally, we checked the results – over 90% of all employees passed the security test at the first attempt.

The whole CodiLime is engaged in following the security standard rules – employees of all levels are aware, report their doubts, and, most importantly, are not afraid to ask questions. Without their support and insights we would not be so secure. 

Conclusion 

Nowadays, data is one of the most valuable resources that a business can have. That's why it is so important to keep it secure. At CodiLime, we are aware that as an up-to-date, modern company. We are responsible not only for our own data but also that of our clients. For that reason, we have prepared this range of procedures and policies –  to ensure that our work is successful and effective without compromising information security.

Mateusz

Mateusz Mróz

Head of InfoSec
Karolina

Karolina Rusinowicz

Content writer