Cybersecurity is a priority for eMaint and all of Fluke Reliability. Thanks to the Fluke Information Security Office’s dedication, Fluke Reliability was awarded ISO/IEC 27001:2013 certification in October 2021. Effectively managing information security risks is central to the success of Fluke Reliability and its customers.
ISO 27001 is one of the internationally recognized information security standards. It offers a framework for implementing an information security management system (ISMS) that ensures the confidentiality, integrity, and availability of corporate data. This includes data such as financial information, intellectual property, employee details, and even information managed by third parties. An effective ISMS protects against cyber attacks, data leaks, and hacking or theft efforts.
Matthew Hudon, director of information security for Fluke, explained that the Information Security Office team evaluated multiple certification options in 2020 before deciding on ISO 27001. “It has to do with the management system rather than any specific controls you might have in place,” he said. “Fluke is already ISO 9001 certified for their hardware engineering, so it kind of just fit with the theme.”
One of the early steps in the certification process was using NIST Special Publication 800-53 “in order to have a checklist of things that we needed to implement from a cloud security perspective,” Hudon added.
Another early step in the process was launching a governance, risk, and compliance (GRC) tool. “A GRC tool was where we could track all of our progress, the specific controls that we had to adhere to, and be able to provide evidence of those controls being followed,” said Josh Ciaramitaro, information security GRC lead for Fluke. This involved establishing the management information security forum (MISF), which is a collection of the departments and leaders who helped drive the cybersecurity initiatives. The MISF met regularly to collaborate on the tasks that had to be completed to achieve the ISO certification.
Achieving the certification, as well as all of the work that went into obtaining the certificate, reflects the mission statement of the Information Security Office:
The Fluke Information Security Office Mission is to protect the confidentiality, integrity, and availability of customer, employee, and organizational information by making information security programmatic and cultural across the organization.
Once the certification is granted, it lasts for three years. Maintaining the certification in that period involves regular audits to ensure all appropriate actions and controls remain in place.
“If you’re the owner of a system such as Salesforce, you want to make sure that on a quarterly basis at minimum, that system administrator is performing a review of everyone that’s still active in that environment,” Ciaramitaro explained. “So if there’s a terminated employee or transferred employee that no longer requires access, that’s being responded to within a timely manner.” Such reviews reduce the risk of potential breaches.
Other requirements cover areas such as training and awareness, site physical security, and product security testing.
With Fluke Reliability having earned a third-party certification, customers and potential customers can have added confidence in FRS cybersecurity standards and practices. “It’s not just us telling them that we’re doing something, it’s an independent third party,” Hudon said. “ISO is a worldwide body that takes this stuff very seriously, so the auditors have to be certified. There’s only a handful of companies in the world that can actually issue the certification. So, they’re ensured that an independent third party who’s very qualified has come in and verified that what we say is in fact true. But you can imagine that that just gives a lot of comfort to the security departments of our customers.”
The certification also covers processes related to disaster recovery. “Anything from a cyber event to a physical disaster to a hurricane, whatever,” Hudon said. “Disaster recovery’s a really big part of ISO, and it’s also a big customer concern, so they want to ensure that we have the appropriate processes in place so if something does happen, it doesn’t affect their services.”
“Our RPO and RTO, which are recovery point objective and recovery time objective, are 12 and 24 hours. So, we tell a customer, ‘If something happens, we have a ransomware event, we have some kind of disaster, we will be able to start your services back up within 24 hours, and we will be able to have the data that’s in that recovery environment no less than 12 hours old.’ So, every three months, they actually have to test that to make sure, yes, the backups are working, the process is working, and this can in fact occur if we do have a disaster.”
Interested customers and prospects can view the Statement of Applicability (SoA) through the FRS security portal. The SoA defines the scope as follows:
The FRS Information Security Management System (ISMS) is responsible for managing the internal and external security requirements for all Development, QA, and Production Environments supporting all Fluke Reliability Global SaaS Solutions.