{"id":2531,"date":"2021-06-10T10:20:36","date_gmt":"2021-06-10T08:20:36","guid":{"rendered":"http:\/\/i360.trejka05.pl\/?p=2531"},"modified":"2021-07-16T12:33:25","modified_gmt":"2021-07-16T10:33:25","slug":"transcript-of-iso-iec-27001-information-security-for-loyalty-schemes","status":"publish","type":"post","link":"https:\/\/i360.com.pl\/en\/transkrypcja-iso-iec-27001-bezpieczenstwo-informacji-programow-lojalnosciowych\/","title":{"rendered":"Transcript \u2013 ISO\/IEC 27001 Information security for loyalty programmes"},"content":{"rendered":"<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN:<\/strong> Katarzyna Nawrocka &#8222;O programach lojalno\u015bciowych noc\u0105&#8221;.<span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\">The security of the loyalty programme management software developed by i360 is one of the main pillars of our growth. Today, I am delighted to welcome Rafa\u0142 Malon, with whom I will be discussing the key challenges in ensuring information security. Good evening.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>RM: <\/strong>Good evening.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN: <\/strong>Rafale, we\u2019re going to be talking about information security. But before we do, I\u2019d like to ask you to tell us what the Malon Group, of which you\u2019re the CEO, does.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>RM: <\/strong>Yes. We specialise in implementation projects, consultancy projects and training programmes relating to management systems. In the broadest sense. There are a great many management systems on the market. We cannot say that we specialise in any one in particular; we support businesses that wish to achieve certain outcomes and results that these management systems provide. This includes, amongst other things, ultimately obtaining a certificate confirming that their operations comply with a specific management system or management standard.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN: <\/strong>As for this certificate, I\u2019m asking because, off-camera, we had the pleasure of discussing the fact that you\u2019ve had audits both yesterday and today \u2013 some behind you and some ahead of you. So I take it that this is how you operate \u2013 you check what the safety assurance system is like at these companies?<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>RM: <\/strong>Yes, we assess the current situation within companies and, if we identify any discrepancies or gaps in relation to the standards and the requirements set out within them, we then launch a project aimed at ensuring compliance. In other words, we implement all these requirements, and the solutions that stem from them, into the day-to-day running of the organisation. So, once we have identified any gaps or discrepancies, we carry out all the necessary measures to ensure compliance. Next, of course, we must verify whether this has already been achieved before an independent body arrives to check whether compliance is, in fact, in place or not.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN: <\/strong>The website of the company you run shows us just how many different areas you cover. We\u2019ll also find plenty of abbreviations there that we could demystify today and explain to our viewers, so that they can navigate them and understand them.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>RM: <\/strong>I suppose the key term used there \u2013 though it\u2019s hard to call it an abbreviation \u2013 is, of course, ISO. ISO refers to the standards and specifications issued by the International Organisation for Standardisation, which is very often referred to simply as ISO. Alongside this committee, or rather, this committee often collaborates with other committees such as the IEC. This is the committee responsible for standardisation at an international level in the fields of electronics and electrical engineering. One such example of a standard issued by both of these standardisation committees \u2013 that is, by ISO and the IEC \u2013 is ISO 27001, which sets out the requirements for an information security management system. However, there is a very large number of standards setting out requirements for management systems. Of course, these organisations do not deal solely with management systems, nor are they limited to standardisation in this field. They also deal with standardisation in areas such as technical matters relating to products, processes and services \u2013 in fact, virtually everything imaginable. As an organisation, ISO has already published several thousand standards that are recognised worldwide. On our website, you can also find many other abbreviations and terms. These very often stem from the nature of a particular standard, or serve as a way of identifying it, setting out the requirements that must be met by a given organisation. Other abbreviations or terms that you may come across on our website relate to information security. Of course, there is also the term \u2018GDPR\u2019. The GDPR, which you have already discussed in one of the episodes.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN: <\/strong>Let me just interrupt you for a moment to say that we\u2019ll post a link to this episode below so that our viewers can watch it too. And I\u2019m really glad you\u2019ve seen it.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>RM: <\/strong>To oczywi\u015bcie, jak najbardziej. Tak, rozporz\u0105dzenie RODO, oczywi\u015bcie nie tylko rozporz\u0105dzenie RODO, ale r\u00f3wnie\u017c ca\u0142e ustawodawstwo nasze krajowe zwi\u0105zane jest r\u00f3wnie\u017c z bezpiecze\u0144stwem informacji oczywi\u015bcie ukierunkowanym na ochron\u0119 danych osobowych. Ale mamy jeszcze inne okre\u015blenia. Okre\u015blenie, kt\u00f3re si\u0119 pojawia, czyli &#8222;tisax&#8221; &#8211; jest to spos\u00f3b oceny, system oceny opracowany przez niemieckie stowarzyszenie producent\u00f3w w bran\u017cy motoryzacyjnej, kt\u00f3rych celem jest tak naprawd\u0119 zapewnienie pewnych standard\u00f3w przetwarzania informacji, przetwarzania danych, zapewnienia ich bezpiecze\u0144stwa w\u0142a\u015bnie w bran\u017cy motoryzacyjnej. Specyficzne dla tej bran\u017cy motoryzacyjnej. Ten standard jest jak najbardziej sp\u00f3jny ze wspomnianym wcze\u015bniej ISO 27001, bo tak naprawd\u0119 opiera si\u0119 na tym standardzie. Zosta\u0142 po prostu rozbudowany o takie cechy charakterystyczne. Mamy jeszcze wiele innych okre\u015ble\u0144. S\u0105 to chocia\u017cby standardy opracowane przez r\u00f3\u017cnego rodzaju stowarzyszenia. Chocia\u017cby standardy TAPA- s\u0105 to standardy bezpiecze\u0144stwa w \u0142a\u0144cuchu dostaw. Dotycz\u0105 one bezpiecze\u0144stwa ju\u017c chocia\u017cby w transporcie drogowym, bezpiecze\u0144stwa w magazynowaniu. Wszelkiego rodzaju te skr\u00f3ty, te okre\u015blenia s\u0105 na naszej stronie porozwijane. Jest ich tak wiele, \u017ce nie byliby\u015bmy w stanie ich tutaj wszystkich przytoczy\u0107.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN: <\/strong>Just to make it clear, we\u2019ll show you a chart in a moment with these abbreviations and explanations.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\">Of course.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN: <\/strong>Nowadays, a loyalty scheme cannot function without an IT system. How can the developers of such a scheme ensure security?<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>RM: <\/strong>Yes, the concept of security and information security is a very broad one here. We must bear in mind that, in traditional parlance, the term \u2018security\u2019 is very often understood to mean solely confidentiality, which is in fact just one aspect \u2013 one of the three main aspects \u2013 as we also have to deal with the other two, which are equally important: availability and integrity. After all, what\u2019s the point of having highly secure data if, for example, the system operators of this loyalty scheme cannot access it because it is too heavily secured? So availability is just as important, as we would be unable to carry out our core business activities. And then there is integrity, understood in the broadest sense as the reliability, consistency and non-repudiation of this information. What\u2019s the point of having information available to those who need it to carry out their professional or official duties, or to participants in these loyalty programmes so that they can access, for example, information about their account? What is the point of having this access, or of ensuring confidentiality \u2013 that is, protecting this information from outsiders and third parties \u2013 if, for example, the information in the system is distorted, unreliable or inconsistent? You get out what you put in. So, in reality, all three of these aspects must be guaranteed.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN: <\/strong>So we have security, integrity and availability.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\">We have confidentiality, availability and integrity.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN: <\/strong>Thank you for clarifying that.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>RM: <\/strong>And now, when we\u2019re actually developing this type of software \u2013 in fact, even at the stage where we\u2019re defining its functionalities \u2013 the company has already defined those security-related functionalities, those features that this software should have, aimed at ensuring security in precisely these three aspects. Availability, confidentiality and integrity. Why at this stage? Because it is essential to avoid a situation where the programme is developed \u2013 a superb system is created \u2013 and only then do we add certain security functionalities and elements to it. This must be planned for at the pre-design stage. It must then be incorporated during the design phase, when all these functionalities are defined in great detail. And, of course, during the subsequent stages of software development and maintenance. So what has been done \u2013 and what should always be done \u2013 is to pay attention at this very stage, when we are only just approaching the subject, rather than waiting until the programme or system is ready.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN: <\/strong>There is no need to convince anyone of the importance of security. But what are the main components of such a system?<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>RM: <\/strong>Yes. As I have already mentioned, these are the three fundamental aspects of information security: confidentiality, availability and integrity of that information. However, if we now focus on the specific requirements that must be met here, these are set out in the ISO\/IEC 27001 standard. We explained these terms and abbreviations right at the start. They simply indicate who issued the standard. And now this standard has its own structure of requirements. This structure of requirements is characteristic of all recently published ISO standards that focus on any kind of management system. They follow a 10-point structure. This structure has grouped the requirements into appropriate thematic blocks. First and foremost, the sections listed are those requirements that must be met in order to understand the organisation, so that the organisation can understand itself, its environment and, indeed, its context. All external and internal factors that have, or may have, an impact on the management system, as well as the interested parties. And the requirements and expectations of these interested parties, which should be met within the framework of this very management system. With this information, we can then proceed to the risk assessment. A risk assessment both from the perspective of information security and in terms of the information security management system\u2019s ability to achieve its objectives. So we have the next stage, whilst all these issues are covered within this planning phase. In other words, we are really only just preparing to define our management system. Having established the foundations, we move on to implementation; that is, based on the results of the risk assessment, we have identified what changes need to be made within our organisation. Naturally, we also take into account the requirements of the ISO 27001 standard. With all this information, we draw up security policies, procedures and guidelines. In essence, we define the internal regulations we must comply with. Whilst, of course, also taking into account the requirements of those stakeholders I mentioned earlier, as well as the relevant legislation. Let\u2019s remember that, after all, legislation on the protection of personal data is very important in the case of loyalty programmes, as a great deal of such data is processed there. Once we have implemented what we planned \u2013 that is, we have a plan and the internal regulations resulting from this planning process \u2013 we must then put in place mechanisms that will allow us to determine whether what we are doing actually complies with what we set out to do. So we need to put verification mechanisms in place, such as internal audits. This approach verifies the compliance and effectiveness of the management system, but we also need to look a little more closely \u2013 we must verify the effectiveness of the individual safeguards we have implemented as part of this system. In other words, we check whether the backup copy we created in accordance with the backup policy actually enables us to recover, for example, the system or the resources covered by that backup copy. There is a great deal that could be said about assessing the effectiveness of these security measures. I would also refer you to a very worthwhile read on this subject: the ISO 27001 standard. Among the activities aimed at verifying this system, there is another measure that is very important for management systems \u2013 a process characteristic of ISO-compliant management systems known as the top management review. In other words, from time to time, on a regular and planned basis, top management must examine the outcomes achieved by the system and the results of individual actions \u2013 their own actions. And it must determine whether this system remains useful to it, whether it is appropriate to the situation in which the company finds itself, and whether it meets its expectations. And, of course, what is characteristic \u2013 and I will repeat this again for all ISO systems \u2013 is continuous improvement. It cannot be the case that, once a system has been introduced, it provides us with such safety that we no longer need to do anything about it.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN: <\/strong>Let me ask: is that precisely the aim of these audits \u2013 to check whether a given system is adequate, but also to see how we can improve it?<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>RM: <\/strong>Yes, that too, of course. That is certainly the role and purpose of these internal audits. However, let us bear in mind that these opportunities for improvement should also stem, for example, from the information we gather from our wider environment. Technology is evolving; we should keep pace with that technology, and we should ensure that our security measures are appropriate and effective in light of these technological developments. So this continuous improvement is, in fact, something that must be implemented by the organisation. We must constantly develop our system; we must simply keep improving.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN: <\/strong>Rafale, how would you describe the role of information security management within a company?<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>RM: <\/strong>It is becoming increasingly important, if I may put it that way. Why? It is clear how the way businesses operate \u2013 or, more generally speaking, the way organisations operate \u2013 has changed over the years. Just think of how much information is currently being processed, not least because, to a very large extent, this data is processed electronically. Given that we have an ever-increasing amount of this data, we must also ensure it is properly secured. After all, we are not focusing solely on personal data \u2013 which has been the most high-profile issue for some time now, namely the GDPR and the protection of personal data \u2013 but when discussing information security, we must identify all information that is significant to the organisation from the perspective of strategy, development, from a business perspective \u2013 such as trade secrets. And it is precisely this information that we should protect. Protect, as I mentioned, by ensuring appropriate confidentiality so that this data does not fall into the hands of people who are not authorised to access this information or these data. But also to ensure that staff responsible for specific areas have access to it so that they can carry out their work. And, once again, as we\u2019ve already discussed, we have: confidentiality, availability, and also integrity \u2013 so that the data and information we use in our operations are reliable, consistent, accurate and not distorted, ensuring that the results of our activities are of the appropriate quality. And the results will always be commensurate with the input we have.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN: <\/strong>Let\u2019s move on, then, to the objectives of ISO 27001.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>RM: <\/strong>Yes. Objectives and standards set out the requirements for an information security management system. And there is more that could be said here about what the objectives of this information security management system are. I would put this proactive approach to management at the top of the list. Namely, the approach I have already mentioned. First and foremost, we should identify what could go wrong within our organisation. We need to identify all possible vulnerabilities, all possible breaches and incidents relating to information security. And then do everything we can to counteract them. Naturally, our first priority should be to eliminate these threats, but if we are unable to do so \u2013 because, after all, we have to carry on with our business operations \u2013 then we simply cannot. If we wanted to protect ourselves completely, we would simply have to cease trading. That would not be consistent with our business objectives, so at this stage, if we are unable to eliminate them, let us reduce the level of risk \u2013 in other words, let us put measures in place that will, first and foremost, reduce the likelihood of these adverse situations occurring. And if there is nothing more we can do here either, then let us at least consider what we can do to minimise the consequences should this undesirable event materialise. Finally, if we are unable to do anything further, we must simply accept a certain level of risk. This is a proactive approach \u2013 this is what we should focus on above all else. However, of course, there is also another objective of this system. When an undesirable event does occur \u2013 because only those who do nothing make no mistakes \u2013 If they do occur, we need to have a properly prepared response in place. What might such a response look like? Let\u2019s consider, for example, situations that receive a lot of media attention. A fire in a server room somewhere, or a data breach somewhere. So let us have procedures in place which will allow us, in the first instance at least, to restore operations to normal as quickly as possible \u2013 that is, to activate our business continuity plans in this regard \u2013 and in the second instance, let us endeavour to minimise the impact of the incident that has occurred. If data is leaked, we must ensure that the people affected by that data \u2013 for example, if it is personal data \u2013 do not suffer the consequences. Or, at the very least, that we minimise any harm that might befall them. So this response \u2013 this reactive, post-event approach \u2013 is certainly also essential from the perspective of an information security management system.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN: <\/strong>I\u2019d like to offer a brief summary, because we\u2019re at risk precisely because we\u2019re taking action and because technology is advancing \u2013 as you\u2019ve already mentioned. Well, that shouldn\u2019t stop us from taking action, provided we have a very well-prepared contingency plan.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>RM: <\/strong>Yes, you could put it that way, certainly. But let\u2019s remember that a contingency plan is a last resort, and we should, above all, focus our efforts on prevention \u2013 in other words, on ensuring that it doesn\u2019t happen in the first place.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN: <\/strong>To ensure that this plan is not implemented.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>RM: <\/strong>Yes, because let\u2019s just consider, for example, i360\u2019s operations \u2013 the portal itself that we have. After all, this portal serves some very significant clients, and it also manages the loyalty programmes for those very clients. It is, after all, vital that neither the reputation of these clients nor, ultimately, that of i360 is damaged. So a great deal of effort has been put into this \u2013 and continues to be put in \u2013 primarily to prevent incidents from occurring in the first place. And that is, without a doubt, the fundamental objective of the information security management system. But of course we also have contingency plans in place in case something goes wrong \u2013 for example, if the system were to become unavailable \u2013 to ensure that its full functionality can be restored as quickly as possible, so that the business objectives of both i360\u2019s clients and i360 itself are maintained.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN: <\/strong>Let us also clarify whether the ISO standard applies to the software or only to the manufacturer.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>RM:<\/strong>\u00a0It is true that one might infer from my earlier comments that the standard applies to software, but under no circumstances does it apply solely to software-related issues as they arise at i360. In this case, the company has adopted the view that the ISO 27001 standard applies to all of its operations. This means that it also applies to activities relating to the design, development and maintenance of this software, as well as its delivery to business partners. However, the standard has a broader scope, as it also covers, for example, information constituting trade secrets, as well as the personal data of employees working for the company and its associates. In fact, it covers all data and information relevant to the company\u2019s operations that must be processed in order for the organisation to function at all and achieve its business objectives.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN: <\/strong>Rafa\u0142, I\u2019m wondering whether, now that I have ISO certification, I can feel safe and sleep soundly. What I mean is, we need to clarify whether we can equate ISO certification with secure software.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>RM: <\/strong>By\u0142oby idealnie, natomiast oczywi\u015bcie, \u017ce nie. Dlaczego? Norma zawiera wymagania. To s\u0105 pewnego rodzaju ramy, kt\u00f3re trzeba dopiero wype\u0142ni\u0107. Czyli wprowadzaj\u0105c system zarz\u0105dzania bezpiecze\u0144stwem informacji, my musimy te wymagania spe\u0142ni\u0107, ale w pewien okre\u015blony dla nas spos\u00f3b. Spos\u00f3b, kt\u00f3ry jest charakterystyczny dla wielko\u015bci naszej organizacji i z\u0142o\u017cono\u015bci, aktyw\u00f3w. W og\u00f3le wszelkiego rodzaju zasob\u00f3w, informacji, kt\u00f3re w tej naszej dzia\u0142alno\u015bci wykorzystujemy. Czy mo\u017cna powiedzie\u0107, \u017ce maj\u0105c certyfikat no, bo te\u017c trzeba o tym powiedzie\u0107, \u017ce s\u0105 wystawiane certyfikaty zgodno\u015bci z t\u0105 norm\u0105 przez r\u00f3\u017cnego rodzaju jednostki certyfikuj\u0105ce. Tutaj chocia\u017cby i360 ten certyfikat posiada ju\u017c od kilku \u0142adnych lat jednej z bardziej rozpoznawalnych, jednej z bardziej renomowanych jednostek. I w tym momencie w \u017cadnym wypadku nie mo\u017cna powiedzie\u0107, \u017ce ten certyfikat \u015bwiadczy o tym, \u017ce ten poziom jest czy te\u017c najwy\u017cszy, czy te\u017c nic z\u0142ego nam si\u0119 nie mo\u017ce sta\u0107. Po pierwsze, audyt przeprowadzany jest zawsze metod\u0105 pr\u00f3bkowania, czyli audytor, kt\u00f3ry przyje\u017cd\u017ca weryfikuje pewn\u0105 pr\u00f3bk\u0119 opart\u0105 na chocia\u017cby jakich\u015b dokumentach, zapisach, rozmowach z pracownikami. To oznacza, \u017ce nie przeprowadza kontroli. On przeprowadza badanie, przeprowadza audyt. Druga strona &#8211; pami\u0119tajmy o tym, co m\u00f3wi\u0142em. To nie jest tak, \u017ce raz wdro\u017cony system, jak raz wdro\u017cymy ten system to potem ju\u017c mamy z g\u0142owy, mo\u017cemy spocz\u0105\u0107 na laurach, ju\u017c nic z\u0142ego si\u0119 nie stanie. W \u017cadnym wypadku nie. Ca\u0142y czas wszystko si\u0119 zmienia. Nasze otoczenie si\u0119 zmienia. Ten rozw\u00f3j technologii. To bym musia\u0142, to tutaj pragn\u0119 podkre\u015bli\u0107 powoduj\u0105, \u017ce my musimy zatem nawet nie tyle nad\u0105\u017ca\u0107, my powinni\u015bmy stara\u0107 si\u0119 to wyprzedza\u0107. Czyli my w my\u015bl samych wymaga\u0144 norm musimy ten nasz system ci\u0105gle doskonali\u0107, ci\u0105gle rozwija\u0107 po to, \u017ceby zapobiega\u0107 wyst\u0105pieniu sytuacji niepo\u017c\u0105danych, a i tak niestety cz\u0119sto si\u0119 zdarza, \u017ce co\u015b wyst\u0105pi tak, jak wspomnia\u0142em. No i wchodz\u0105 w tym momencie te plany reakcji.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN: <\/strong>And how long does it take to implement a security system like this? Perhaps you could explain, step by step, how it\u2019s done and how long it takes.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>RM: <\/strong>Of course. It obviously also depends on the size of the organisation, as the situation will be different for a small firm with just a few employees, a single location and most of the data it processes \u2013 perhaps even still in paper form these days. It will be quite different, when we have a multi-site organisation, with a larger workforce, where such volumes of data are processed \u2013 as is the case with i360, for example \u2013 and this data consists of personal data classified as \u2018special categories\u2019 which are indeed subject to this specific level of protection. So at this stage, it all depends. How short could the implementation period for such a system be? To be honest, it would depend on the extent to which the organisation already meets the requirements of the ISO 27001 standard from the outset. It is precisely for this purpose that an initial audit and a gap analysis are carried out first, so that we can identify what is in place and what is missing. Once an inventory has been carried out, and based on this information, we are then able to determine how quickly this process can be completed. Of course, it is also possible to outline a preliminary framework for such a project based on certain key information \u2013 the organisation\u2019s specifications \u2013 but the project schedule can only be finalised in detail following this preliminary audit.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN: <\/strong>I asked you to explain it step by step, so can we safely say that this first step is precisely this stock-taking exercise?<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>RM: <\/strong>Yes, that initial audit, that gap analysis, that inventory. Exactly. Next, you need to ensure that the staff involved in this project are aware of what\u2019s going on and have the necessary knowledge \u2013 in other words, give them a bit of an overview of what we\u2019ll be doing and the direction we\u2019ll be taking. And, as I mentioned later, we need to plan the system \u2013 that is, to consider the organisation\u2019s context, define it, and identify all the external and internal factors that do or may affect our system and our organisation. Identify the interested parties \u2013 that is, those stakeholders who may present us with certain requirements, or who may have a role to play in our information security management system. And, with regard to this data, carry out a risk assessment \u2013 an information security risk assessment, or what we refer to as a \u2018systemic\u2019 risk assessment \u2013 to determine what could go wrong that might prevent our system from achieving the planned outcomes. Once we have carried out this risk assessment, based on these results and taking into account the requirements of the ISO 27001 standard \u2013 particularly the security requirements set out in Annex A of that standard \u2013 we draw up the necessary internal regulations; that is, we introduce procedures and policies and guidelines to ensure that it is clearly defined exactly how things are to be carried out, so that the level of security is adequate. This ensures that the level of risk does not exceed the acceptable risk level. Once the documentation has been drawn up and implemented \u2013 and this is where the entire team, in fact, plays a very significant role, as does senior management, because it is always their responsibility to ensure that staff, that the company\u2019s employees, are engaged in this process, that they are aware of the threats, and aware of how important it is to apply these information security regulations, a cycle of training and a range of activities must simply be provided to ensure this awareness. And once we have achieved this \u2013 although in reality it is a continuous process, it never ceases \u2013 of maintaining and developing this awareness \u2013 we can proceed to check whether, as it currently stands, the system meets the requirements of the ISO 27001 standard and, if this is the organisation\u2019s objective, whether we are ready to undergo this external audit, this certification audit. Once the results indicate that this is indeed possible, and that when the external auditors arrive there will be no embarrassment or slip-ups, then of course these auditors are invited, and they come to they carry out the acceptance of the system; that is, as I mentioned, they use a sampling method to verify the system\u2019s compliance. They verify whether the system is achieving its planned objectives and whether the planned results are being achieved. And if everything is in order, the certification body awards the relevant certificate.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN: <\/strong>And that is precisely the final step \u2013 the acceptance process. But as we keep saying, this is not a process that ever ends, because we have to keep improving it.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>RM: <\/strong>Yes. And this is where the role of the certification body actually comes in handy, so to speak, as it exercises constant oversight of the system. \u2018Constant\u2019 might be too strong a word, but at least it is carried out on a regular basis. It visits periodically to carry out so-called verification audits and supervisory audits. It checks whether anything has gone wrong in the meantime, whether the system is indeed still being maintained and improved as it should be, or whether something has gone wrong.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN: <\/strong>Rafale, what role does the certification body play in this whole process?<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>RM: <\/strong>Rol\u0105 jednostki certyfikuj\u0105cej w tym przypadku jest przeprowadzenie niezale\u017cnej, w pe\u0142ni niezale\u017cnej, weryfikacji zgodno\u015bci czy ten system zarz\u0105dzania, kt\u00f3ry zosta\u0142 wdro\u017cony spe\u0142nia wymagania ISO 27001 oraz, czy ten system jest skuteczny. Bo te audyty przeprowadza si\u0119, \u017ceby sprawdzi\u0107 i zgodno\u015b\u0107 i skuteczno\u015b\u0107 tego systemu, czyli czy s\u0105 osi\u0105gane przez ten system zak\u0142adane cele. Jednostka certyfikuj\u0105ca, jak wspomnia\u0142em i podkre\u015bl\u0119 &#8211; niezale\u017cna, przeprowadza audyt sprawdzaj\u0105cy. Pierwszy nazywa si\u0119 audytem certyfikuj\u0105cym. Natomiast przyznany w jego wyniku certyfikat zgodno\u015bci jest przyznawany na okres trzech lat. M\u00f3wimy oczywi\u015bcie o certyfikatach ISO 27001. Jest przyznawany na okres trzech lat, jednak wa\u017cno\u015b\u0107 tego certyfikatu jest utrzymywana tylko i wy\u0142\u0105cznie je\u017celi firma, kt\u00f3rej ten certyfikat zosta\u0142 przyznany, b\u0119dzie poddawa\u0142a si\u0119 okresowym audytom nadzoru, audytom sprawdzaj\u0105cym, tzn. audytorzy jednostki certyfikuj\u0105cej zostan\u0105 wpuszczeni i zostanie im umo\u017cliwione przeprowadzenie takiego audytu sprawdzaj\u0105cego po okresie dwunastu miesi\u0119cy i kolejnych 12 miesi\u0119cy funkcjonowania tego systemu zarz\u0105dzania. Po up\u0142ywie tych trzech lat, ale przed wyga\u015bni\u0119ciem wa\u017cno\u015bci tego certyfikatu firma musi zdecydowa\u0107, czy ten certyfikat odnowi\u0107, wznowi\u0107, czy te\u017c przed\u0142u\u017cy\u0107 jakiegokolwiek by\u015bmy tego okre\u015blenia tutaj nie u\u017cyli. I je\u017celi jest decyzja na tak, wtedy jest przeprowadzany audyt recertyfikuj\u0105cy, kt\u00f3ry rozpoczyna kolejny trzyletni cykl utrzymywania tego certyfikatu. I tam ju\u017c jest, potem dok\u0142adnie wygl\u0105da ten mechanizm tak samo, czyli kolejne audyty nadzoru, po trzech latach kolejna recertyfikacja, bo warto zwr\u00f3ci\u0107 uwag\u0119, \u017ce rzeczywi\u015bcie ten system zarz\u0105dzania w i360 zosta\u0142 certyfikowanych ju\u017c kilka lat temu i je\u017celi by\u015bmy por\u00f3wnywali ten system wzgl\u0119dem tego co by\u0142o wcze\u015bniej i co jest teraz to zmiany s\u0105 naprawd\u0119 diametralnie. A norma si\u0119 nie zmieni\u0142a.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN: <\/strong>All right, then. So we\u2019ve now implemented the ISO 27001 standard, passed the audit and received the certificate. What next? Is a certificate like this valid for life?<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>RM: <\/strong>Tak. I tak jak rzeczywi\u015bcie wspomnia\u0142em on jest przyznawany na okres trzech lat. Po up\u0142ywie tych trzech lat firma decyduje, czy przed\u0142u\u017cy\u0107 wa\u017cno\u015b\u0107 tego certyfikatu i podda\u0107 si\u0119 recertyfikacji, czy te\u017c nie. Natomiast tu bym nawi\u0105za\u0142 jeszcze do jednej istotnej sprawy co zrobi\u0107. No wdro\u017cyli\u015bmy, certyfikowali\u015bmy, co mo\u017cemy z tym zrobi\u0107. Bo m\u00f3wienie te\u017c o ci\u0105g\u0142ym doskonaleniu mo\u017ce tak troszeczk\u0119 pusto brzmie\u0107, ale co zrobi\u0107 w ramach tego ci\u0105g\u0142ego doskonalenia? Tutaj te\u017c mamy narz\u0119dzia, kt\u00f3re zapewnia nam ISO, czyli ten mi\u0119dzynarodowy komitet normalizacyjny jak chocia\u017cby inne normy z tej\u017ce serii. ISO 27002 z kolei przedstawia, w jaki spos\u00f3b zabezpieczenia przedstawione w za\u0142\u0105czniku do tej normy 27001 mog\u0105 zosta\u0107 wdro\u017cone. Sposoby wdro\u017cenia, sposoby rozwoju tak naprawd\u0119 stosowanych w firmie zabezpiecze\u0144. To taka dobra lektura, dobry materia\u0142 do tego w\u0142a\u015bnie w jaki spos\u00f3b mogliby\u015bmy ten nasz system zarz\u0105dzania bezpiecze\u0144stwem informacji udoskonali\u0107. Ale pami\u0119tajmy o tym, \u017ce raz przyznany certyfikat nie \u015bwiadczy o tym, \u017ce on ju\u017c b\u0119dzie wa\u017cny zawsze. Na ka\u017cdym certyfikacie jest podana jego data wa\u017cno\u015bci. Czyli je\u017celi chcemy zweryfikowa\u0107, czy nasz kontrahent posiada aktualny certyfikat zobaczmy, sp\u00f3jrzmy na ten certyfikat, poprosimy aby on nam go okaza\u0142, bo zobaczymy do kiedy on albo by\u0142 wa\u017cny, albo do kiedy jest wa\u017cny. Niestety w dzisiejszych czasach, kiedy ten post\u0119p jest naprawd\u0119 tak diametralny, musimy pami\u0119ta\u0107 o tym, \u017ce je\u017celi certyfikat uzyskali\u015bmy pi\u0119\u0107 lat temu i on by\u0142 wa\u017cny przez okres gdzie\u015b tam tych trzech lat &#8211; do powiedzmy roku 2019, to przez ten okres dw\u00f3ch, trzech lat mog\u0142o si\u0119 zmieni\u0107 naprawd\u0119 bardzo wiele.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN: <\/strong>And finally, I get the impression that you\u2019ve answered my last question. That\u2019s because I wanted to ask in which directions a company that has successfully achieved such certification should develop?<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>RM: <\/strong>Tak. Tak, jak wspomnia\u0142em, mo\u017cna u\u017cy\u0107 tych narz\u0119dzi dost\u0119pnych, natomiast najistotniejsze tu jest obserwowanie tego naszego otoczenia, tego post\u0119pu. Zidentyfikowanie, czy nie wyst\u0119puj\u0105 jakie\u015b nowe podatno\u015bci. Podatno\u015bci, kt\u00f3re mog\u0105 by\u0107 wykorzystane przez zagro\u017cenia i tym samym zmaterializuje si\u0119 jakie\u015b zdarzenie niepo\u017c\u0105dane, wyst\u0105pi jaki\u015b incydent bezpiecze\u0144stwa, naruszenie przetwarzanych danych osobowych &#8211; jak wspomnia\u0142em obecnie dosy\u0107 medialny temat. Wi\u0119c pami\u0119tajmy o tym, \u017ce to doskonalenie to jest zar\u00f3wno odpowiadanie na zmiany jakie wyst\u0119puj\u0105, ale r\u00f3wnie\u017c zwracajmy uwag\u0119 na to, jak wykorzysta\u0107 ten system do uzyskiwania wynik\u00f3w biznesowych, osi\u0105gania cel\u00f3w biznesowych. Czyli co mogliby\u015bmy usprawni\u0107, mo\u017ce przyspieszy\u0107, aby rzeczywi\u015bcie ten nasz biznes si\u0119 rozwija\u0142. Takim przyk\u0142adem mog\u0105 by\u0107 chocia\u017cby plany ci\u0105g\u0142o\u015bci i to co ostatnio zosta\u0142o zrobione w sp\u00f3\u0142ce. Bardzo zosta\u0142 skr\u00f3cony czas wznowienia dzia\u0142alno\u015bci w przypadku problem\u00f3w z infrastruktur\u0105 sieciow\u0105. Czyli bardzo zosta\u0142 skr\u00f3cony czas odzyskiwania dzia\u0142alno\u015bci w przypadku zmaterializowania si\u0119 ryzyka akurat awarii w tym przypadku. Te rozwi\u0105zania, kt\u00f3re zosta\u0142y wprowadzone spowodowa\u0142y, \u017ce ten czas skr\u00f3ci\u0142 si\u0119 dwu- albo nawet trzykrotnie. To pokazuje, \u017ce firma jest w stanie po takim zdarzeniu niepo\u017c\u0105danym dwu-, czy trzykrotnie szybciej podnie\u015b\u0107 si\u0119 i wr\u00f3ci\u0107 do swojej normalnej dzia\u0142alno\u015bci.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN: <\/strong>Rafale, thank you very much for the interesting conversation and for clearing up all my doubts.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>RM: <\/strong>Thank you.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN: <\/strong>I\u2019m saying to you: see you later.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>RM:<\/strong> See you later.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN: <\/strong>And I\u2019d like to invite you all to the next episode.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>","protected":false},"excerpt":{"rendered":"<p>KN: Katarzyna Nawrocka &#8222;O programach lojalno\u015bciowych noc\u0105&#8221;.. Bezpiecze\u0144stwo tworzonego przez i360 oprogramowania do zarz\u0105dzania programami lojalno\u015bciowymi jest jednym z g\u0142\u00f3wnych filar\u00f3w naszego rozwoju. Dzisiaj mam przyjemno\u015b\u0107 go\u015bci\u0107 Rafa\u0142a Malona, z kt\u00f3rym porozmawiam o najwa\u017cniejszych wyzwaniach w zakresie zapewniania bezpiecze\u0144stwa informacji. Dobry wiecz\u00f3r. . RM: Dobry wiecz\u00f3r. . KN: Rafale, b\u0119dziemy rozmawia\u0107 o bezpiecze\u0144stwie informacji. Ale&#8230;<\/p>","protected":false},"author":2,"featured_media":2532,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","footnotes":""},"categories":[67],"tags":[],"class_list":["post-2531","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-o-programach-lojalnosciowych-noca"],"taxonomy_info":{"category":[{"value":67,"label":"O programach lojalno\u015bciowych noc\u0105"}]},"featured_image_src_large":["https:\/\/i360.com.pl\/wp-content\/uploads\/2021\/06\/22_Rafal_Malon_PLANSZA-1024x576.jpg",1024,576,true],"author_info":{"display_name":"Tomasz Makaruk","author_link":"https:\/\/i360.com.pl\/en\/author\/autor\/"},"comment_info":0,"category_info":[{"term_id":67,"name":"O programach lojalno\u015bciowych noc\u0105","slug":"o-programach-lojalnosciowych-noca","term_group":0,"term_taxonomy_id":67,"taxonomy":"category","description":"","parent":0,"count":26,"filter":"raw","term_order":"0","cat_ID":67,"category_count":26,"category_description":"","cat_name":"O programach lojalno\u015bciowych noc\u0105","category_nicename":"o-programach-lojalnosciowych-noca","category_parent":0}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/posts\/2531","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/comments?post=2531"}],"version-history":[{"count":0,"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/posts\/2531\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/media\/2532"}],"wp:attachment":[{"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/media?parent=2531"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/categories?post=2531"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/tags?post=2531"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}