
Trust & Security Roadmap 2020/21 #6523

Open jburger opened 4 years ago

jburger commented 4 years ago

As part of delivering Octopus Deploy, we have always invested a proportion of our time and effort into the security of the product, and the platform we've built around its delivery. This year isn't any different on that front; however, we are trying out some new things.

Primarily we want to be more transparent about what we do to ensure our security - we feel that this will give our existing customers more insight into what they can expect from us. We also have always had a fundamental belief that real trust & security is achieved by being prepared to be transparent and accountable, not by secrecy or obscurity.

We also feel that it will show prospective customers that we care deeply about the security of our products, services and the people and data that drive it. In short, we want to continue to be worthy of the trust our customers put in us.

In the spirit of that we're sharing our roadmap for public review and comment.

Strategic Objectives

As well as following our product roadmap for the year, we'd like to achieve the following company-wide trust & security objectives this year:

To depict this in terms of effort over time - we’d probably land on this (very rough) graph:

[image: rough graph of effort over time for the objectives below]

ISO certification planning & implementation

We'll be making our first steps towards ISO certification. This will see us go over our processes with a fine-tooth comb, ensure our documentation is up to date, and plan improvements as we identify the need to do so. Some of us will do training, to help drive our own understanding internally of what that all means.

We're lucky in that many of us have come from backgrounds where SOC II, ISO & PCI compliance were a part of daily life, so we have some real world experience with this too. We know that compliance can potentially bring about positive or negative changes, depending on your approach.

High level scope

In order to realistically achieve this we're going to scope our appetite for standards based scrutiny using the following statement:

As a vendor of a world-class DevOps tool, we care deeply about the security of the data that we hold, or protect, on behalf of our customers. We are motivated to maintain a high quality pipeline in order to deliver our products and services securely.

Our security policies, procedures and guidelines apply to systems and people that directly contribute to delivering and maintaining those products to our customers, and systems and people that are responsible for storing any customer data.

Exclusions

We recognize that, at our size, not everything can be 'made compliant' though. We make use of many tools & processes that don't directly contribute to producing or supporting customer value, and that do not store customer data in any way. Often these tools are used in isolation of one another. We don't consider these to be in scope: the risks are low, and they are immaterial to our overall posture.

Being a 'remote first, cloud first' company, our headquarters in Brisbane (our sole premises) doesn't store any data, nor is it critical to the functioning of our business, so we also exclude this from compliance scope.

Implementation of this initiative is going to require sustained focus and will result in an ongoing amount of effort to maintain over time.

Security 'basic training' program

We train people at key points in time (as needed, on change of role etc.), but we could do better on having a cadence on checking in that people are up to date with the latest approaches to personal security in our workplace. We'll be leaning on some classic HR approaches for this, like learning management systems, workshops etc.

Security testing improvements

We’d like to spend more time on our current set of static and dynamic analysis tools this year, as there are some great gains to be had here. Staying on top of vulnerable dependencies, testing for new vulnerabilities as they emerge and analyzing our code base and infrastructure as code is high on our agenda.

We also spend a significant amount on ‘red team’ human review over our website and products and we intend to increase the scope and depth of that, not simply to meet compliance standards but to ensure we’re as prepared as possible for a wide variety of real world attacks when they do happen.

More orchestration and automation of incident responses

We already have a great deal of experience in our engineering team when it comes to IR. We also make great use of centralized logging within our business, with dedicated engineers paying attention to the details there. We also have a wealth of knowledge when it comes to automation. Marrying these skills is the very definition of SOAR (Security Orchestration/Automation and Response) at a fundamental level.

Right now, our alerts go to places that wake the right people up, and a lot of the situations we encounter, we've written automation for. Our goal for this year, on this front, is to surface more incidents & requests that can be automatically dealt with, attempt to reduce the amount of human interaction and decision required, and drive those responses to as near to real time as we can.

Helping customers assess our security posture themselves

Many of our customers (and I suspect, some that wanted to be, but aren't) have asked us to fill in security questionnaires in the past and we've typically declined because they're quite laborious and often different from customer to customer.

We'll be changing our position slightly on that soon with some pre-filled questionnaires that are designed to make light work of those internal questionnaires that so many businesses require for their own compliance purposes. At the moment we're looking very closely at the Cloud Security Alliance CAIQ questionnaire. While this is a cloud specific questionnaire, we feel it represents how we operate most closely: we have no physical infrastructure of note.

This will be an ongoing exercise, in that the answers to these questions aren't static, so we’ll need to be keeping them up to date with our current state.

Building a ‘trust center‘ for our company website

Just as businesses over a certain size dedicate a percentage of their budget to security improvements, they also set aside a percentage of their website's real estate for providing customers with a central place for discovering content relevant to their trust & security needs. We'll be no different, with work already underway to bring a lot of that content together.

The goal for this trust center will be to improve the 'time to confidence' for any given customer, be it confidence in the answer to their questions about configuration, or our security posture.

Our security feature documentation is also in need of some re-arranging, so this process will also fit under this banner.

Wrapping up

Thank you for reading about our trust & security roadmap for this year. We'll detail insights into the decisions that drove this strategy, and how we are tracking against this roadmap on our blog, so stay tuned.

I'm a fan of the 'strong opinions, weakly held' philosophy, so please do reach out with any feedback, ideas or support - it will help us to forge the best path!

andrewharry commented 2 years ago

@jburger Hey Jim, hope you are well.

Can you comment on the effort to achieve the ISO 27001:2013 certification? We would like to use OD as part of our deployment strategy and need to ensure compliance.

jburger commented 2 years ago

Hey @andrewharry, doing pretty good, thank you! Hope you are well too :)

First up, we now have our own self assessment available here for you: https://octopus.com/docs/security/caiq

We're still on the journey towards ISO 27001:2013. We have started using Vanta to help us automate testing compliance with the standards (we'll do our best against the additional SOC II Type II controls as well) behind the scenes. We're currently addressing the gaps that fall out of that analysis, and I'm confident that we should be able to run [human] internal audits towards the end of the year and into 2022, with a hopeful completion of Q2 2022 for the entire effort.

In the past 6 months we've grown a lot, both in product engineering, as well as hiring 8 people into our security and risk teams to ensure we have the right capacity to deal with the increased rigour.

Hope that helps, and let me know if I can assist with any inquiries for you with regards to specific controls!

andrewharry commented 2 years ago

@jburger I sent an email to @octopus.com - did you get this? (I wish GitHub supported direct messages)

picknick3r commented 2 years ago

Hi there, just wanted to ask if there is any news on the ISO 27001:2013 certification process? Can we congratulate you?