We do not currently hold ISO 27001 certification, but we have taken active steps to align with its controls (or, where appropriate, with compensating controls), and we have 2023/2024 plans to transition from a passive data protection and information risk management plan to a more aggressive, active posture. We have also measured ourselves against other standards, including CIS v8, and strive to comply with the mesh of regulatory frameworks in the regions where our customers operate, including GDPR.
We have attached a white paper that outlines some of the controls and practices we currently follow. In this note, we would like to highlight some of the changes and programs currently underway that will reduce our attack surface and improve our defenses and visibility.
- New Security-Focused Leadership, Dedicated Security Role
We have recently hired a new VP of Technology who has an extensive background in cyber security and commercial cyber security product development, including data governance and cyber maturity assessment tooling. New initiatives are already underway to strengthen our security posture and further reduce our attack surface.
We have also created a new senior-level security role that will work closely with the VP of Technology. This reflects our recognition that security is not a cost center but an operational element of the business, one that will in time work alongside (not within) Technology.
- Modernizing Endpoint Defenses
We have recently decided to introduce an EDR technology as part of our modern defenses, in order to gain endpoint and server telemetry beyond traditional audit and access logs.
- Modernizing SAST/DAST Stack
We are taking steps to add 'as-you-code' security tooling to our developers' IDEs and day-to-day development workflows, and to entrench vulnerability assessment of the third-party libraries used in our products. In effect, we aim not only to improve code quality but also to ensure that our team avoids risky design patterns and poor cyber-hygiene practices.
- Password Vaulting
Prior to introducing a PAM capability, which we have roadmapped for 2024, we are tackling the challenge of credential management and have added a vaulting service in which all privileged and system credentials will be secured. This is a new control that shifts away from the generally accepted design pattern of relying on ACLs and system-level protections to guard these credentials, and it now allows us to cycle or change credentials on demand.
- Data Governance and Information Management
We are currently developing a new program that recognizes that past efforts had some issues, such as conflating sensitivity identification with data classification. This work has been underway for some time and is driven by our legal department, to help us better identify and articulate what information is being created and consumed throughout the enterprise, and to ensure that the correct handling guidelines are applied based on the sensitivity identification of that information. We are building this program with an eye to downstream information control systems, beyond container and rights management and into data loss prevention entitlements.
There are many more such initiatives that we will be taking on in the coming months to reduce our attack surface, improve visibility, and reduce risk beyond our existing posture. At Mondia, we view security as an ever-shifting landscape, and as a vendor with global reach in hundreds of markets we recognize the need to continuously improve.