The PTC is committed to supporting UPU members in socio-economic development through the efficient and effective use of Information Technology, in line with the UPU Strategy. As part of this, the PTC has been working to ramp up security, achieving ISO 27002 certification in November 2019 after a thorough review of the new information security management system for its cloud services.
“By adopting the best practices for secure software development, new services will be even more secure on release to the UPU members,” says PTC Director Lati Matata.
The standard sets requirements for data protection, including a methodology for identifying cyber threats; managing and controlling risks associated with information held by the PTC; and establishing measures to ensure the confidentiality, availability and integrity of this information.
Achieving the certification demonstrates the PTC’s continuing dedication to ensuring the security of data – particularly commercial and personal data – as it moves toward providing cloud technologies.
“All the PTC customers adopting cloud services will benefit from a reduction in IT infrastructure costs and its management, with the knowledge their commercial and personal data is highly secured,” Matata explains. “The PTC benefits from more stable and consistent work processes resulting in higher quality products and services delivered to its customers.”
Though the UPU’s technological body has always done its utmost to ensure data security, the PTC has adopted a strategy to implement internationally recognized best practices to further guarantee to its customers that their data is safe. It shows that the PTC is fully aware of possible risks to data security and is actively protecting itself from them.
To prepare for the certification, the PTC’s Information Security (InfoSec) team devoted considerable time and effort to implementing a new information security management system (ISMS), featuring both physical and technological protections against hacking and other security breaches. This ISMS was applied to all information systems, software development processes and individuals involved in data exchange and storage. The process took a total of two years, including preparatory internal and external security audits to gauge the PTC’s readiness for certification.
InfoSec’s mission for developing the new system was threefold. The first step was to establish a security framework covering the UPU’s cloud services. In a second step, the team implemented controls and measures that would help it assess the PTC’s ability to manage potential security threats. Finally, the team set a procedure for regular monitoring and performance reviews to ensure the PTC could continuously improve the system.
This work included a full analysis of data security needs across the UPU’s International Bureau, the development of new processes to detect possible security events and ensure a quick response, and a campaign to educate staff on best practices.
Staff were given specific roles and obligations for protecting information security, as well as training to this effect.
A new set of metrics will help the InfoSec team monitor the PTC’s performance on the new security measures going forward.
These measures have come with added benefits for the team. In addition to securing the trust of clients using the PTC’s products and services, the exercise has helped the PTC harness its staff’s skills and further develop them. Optimized work processes and more clearly defined roles have also led to increased productivity.
Given the benefits of the certification, Matata explains that the PTC will move forward with standardizing other services as well.
“To ensure robust security, data needs to be secured, end-to-end across all the platforms and systems managed by the PTC,” he says.
The certification will be extended to other critical services, such as Post*Net and the UPU’s big data platform. The team will also work towards special certifications for the management of personal data and business continuity.