ISO 27001 Certification

Prophecy International is continuously investing time and resources to meet customers’ strict requirements for internal controls over financial reporting and data protection across a variety of highly regulated industries. We are pleased to announce that Prophecy International has successfully completed ISO 27001 certification for its applications Snare and emite, covering the development and delivery of the environments within the organisational units of Intersect Alliance International Pty Ltd (Snare) and emite Pty Ltd (emite).

The certification was completed by SAI Global in Australia, covering ISO/IEC 27001:2013 for the scope of “Development and delivery of the emite and Snare solutions as defined in the Statement of Applicability version 2.0”. Certified 20 October 2023. Certificate number ITGOV40332.

The issuance of this certificate reaffirms our commitment to internal control and data protection. Customers may use this third party audit to assess how Prophecy International software and services can meet their compliance and data-processing needs.

Information is the lifeblood of most contemporary organisations. It provides intelligence, commercial advantage, and future plans that drive success. Most organisations store these highly prized information assets electronically. Therefore, protection of these assets from either deliberate or accidental loss, compromise or destruction is increasingly important.

ISO 27001 is a risk-based compliance framework designed to help organisations effectively manage information security.

Having an international standard for information security provides a common framework for managing security across businesses and across borders. In an ever more connected world, the security of information is increasing in importance.

Data and information need to be safe, secure, and accessible. The security of information is important for personal privacy, for the confidentiality of financial and health information, and for the smooth functioning of the systems and supply chains that we rely on in today’s interconnected world.

ISO 27001 provides organisations and security teams with a framework to effectively manage risk and select security controls and, most importantly, with a process to achieve, maintain and prove compliance with the standard. Adoption of ISO 27001 provides real credibility that we understand security and take it seriously.

ISO 27001 is made up of a number of short clauses, and a much longer Annex listing 14 security domains and 114 controls. The most important of the short clauses relate to:
  • The organisational context and stakeholders
  • Information security leadership and high-level support
  • Planning of an Information Security Management System (ISMS), including risk assessment and risk treatment
  • Supporting an ISMS
  • Making an ISMS operational
  • Reviewing the system’s performance
  • Adopting an approach for corrective actions
Based on the risk profile of the organisation, controls may be selected to manage identified risks. Within the Annex, the 114 listed controls are broken down into 14 key domains which are listed below:
  1. Information security policies
  2. Organisation of information security
  3. Human resource security
  4. Asset management
  5. Access control
  6. Cryptography
  7. Physical and environmental security
  8. Operations security
  9. Communications security
  10. System acquisition, development and maintenance
  11. Supplier relationships
  12. Information security incident management
  13. Information security aspects of business continuity management
  14. Compliance

How Snare & emite Can Help

There is an increasing global need to enhance security, no matter the size of an organisation or the industry. One step towards securing your organisation is choosing suppliers who have not only demonstrated a commitment to security, but have the certifications to back it up. Our priority is your security – let us know how we can help!

Contact your regional Snare or emite team.

Snare’s Commitment to Security

In light of recent malicious activities by foreign actors, we seek to assure our Snare customers, partners, and prospects that we are committed to providing the most secure platform we can, based on the primary pillars of cybersecurity:

C. Confidentiality.

I. Integrity.

A. Availability.

Our customers must authenticate to get their software and license downloads – we do not issue software. The software is downloaded over encrypted channels after the customer has authenticated to the customer portal.

We harden the software stack for the Snare Agents and Snare Central software so they do what they need to and nothing else.

We do not use third-party runtimes such as .NET or Java in the agent software, to minimise its footprint and its exposure to potential vulnerabilities.

The agents include our own micro web server that does only what it needs to do, as they do not need a full-stack web server.

We use separation of duties – the security admin, not the sysadmin, controls the agent and Snare Central policy, to ensure that policies are set and logs are collected.

We watch the watcher – Snare Agents audit and log local user changes and activity to customers’ systems and the Snare software itself.

We have independent third-party verification in the form of Veracode Verified status for our Snare Windows Agent and Snare Agent Manager.

We mask sensitive data via the Snare Reflector and our Snare Database Activity Monitoring (DAM) solutions, to ensure that the logging system is not storing sensitive data where there are regional PII-related compliance needs.

We provide over-the-wire encryption using TLS for web access and for sending logs, with mutual authentication options for when both ends need to be validated, to ensure that log data is kept private on the network.

We provide destination failover using options such as DNS updates to change the destination that logs are being sent to.

We are committed to providing you with the most secure platform possible. Share your ideas with us.