At MoreApp we take security seriously. In fact, security is our number one priority! How does MoreApp secure your data?
We have some good news to share with you! We passed our ISO 27001 recertification, successfully tested our Business Continuity Plan (BCP) and a Penetration test (Pen test) was performed to find vulnerabilities.
What is a Business Continuity Plan Test
The Business Continuity Plan (BCP) is a set of metrics and instructions, developed in advance, to ensure we can continue providing our critical services in the event of a calamity. A calamity is defined as an event that could cause problems for operations, staff, stakeholders, reputation, trust and/or business goals, such that business continuity is in danger. Examples are the failure of critical IT infrastructure, a fire in the office building or high absenteeism due to a pandemic or natural disaster.
How Did We Execute the BCP Test
On June 9, 2020, we performed a BCP test. It was a great adventure and we are proud of the teamwork!
Simulation: A flood in Eemshaven, The Netherlands, destroyed our MoreApp cluster. Our API is offline and the product is unavailable. There's no sign of a short-term solution from Google.
Actions taken: In the morning, the development team got a call from PagerDuty saying that the MoreApp Platform was suddenly unavailable. The development team got into action right away. It seemed Eemshaven was 100% offline. Since the Google Cloud Platform (GCP) region in Frankfurt was still online, we decided to set up a new cluster there. The new cluster was set up with Terraform. In the meantime, we informed our customers using notifications in our app and Platform, in all 6 supported languages. We also sent out an email to our customers, so those not using MoreApp at the time were informed as well. After deploying all services to the new cluster, the development team gave the green light. The new cluster was active from the data center in Frankfurt! Lastly, we informed all of our customers that the Platform was back up.
Conclusion: We were able to quickly set up a new cluster in a different region. We’ve also taken measures to improve this process even further. The good news is that our app also works offline, so our customers can always keep filling in forms, even in this highly unlikely scenario.
How Did We Receive Our New ISO 27001 Certification
On June 22 and 23, 2020, Certicus performed a two-day security audit to ensure that our Information Security Management System (ISMS) is compliant with the ISO 27001 standard. ISO 27001 is recognised as the premier ISMS standard worldwide.
Almost everyone on the team was interviewed, from Product Genius to CTO. The interviews were conducted online due to the current pandemic. During these calls, questions were asked about how employees handle the security processes and how they implement and comply with the ISMS in their daily practice.
As a result, we received a new ISO 27001 certificate, which is valid for the coming three years. Every year, an internal audit will be executed to check whether our information security management system still meets all certification requirements.
“The MoreApp team goes further than providing an innovative application for their customers. The entire organisation is passionate about information security and internal control. This combination has ensured that MoreApp has been able to successfully meet the requirements of the ISO 27001 standard. Thom and his team are continuously managing risks, guarding information security and delivering quality throughout the certification process.” - Roël Naipal, auditor at Certicus.
Roël Naipal & Koen van der Aa - Certicus
How to Improve Our Software Based on a Penetration Test
In a Pen test, a (web) application or network is tested to find security vulnerabilities. This is also known as ‘ethical hacking’. The goal is to find and fix security vulnerabilities before an actual attacker can exploit them.
From April 20 to 24, 2020, a Pen test was performed on our software by Avisi. During the investigation, risks were identified. Based on these findings, we know how to improve our software in order to protect ourselves from attackers!
Are you working with other SaaS companies and sending them security assessments? Did you know that you can also create a security assessment form with MoreApp? We’ve added an example to the Marketplace. Download the security assessment template.