When organizations entrust their documents and data to Input for You, they are also entrusting their most sensitive information: customer data, financial data, medical records, HR documents, contracts, and so on. The logical question is, how do you ensure that this data remains secure and confidential?
We put this question to Pierre De Landsheere, external Security Officer at Input for You. Pierre has been advising the company on information security, privacy, and certification for more than ten years.
Input for You: “Pierre, to begin with, what is your general view of the way Input for You handles confidential data?”
Pierre De Landsheere: “Broadly speaking, there are two aspects that must always go hand in hand: policy and practice.
Policy is saying what you are going to do. Practice is doing what you said you would do. You cannot offer serious information security or confidentiality if one of those two is missing or if they are not aligned.
At Input for You, we organize ourselves around the ISO 27001 standard for information security. This means that we have implemented an Information Security Management System (ISMS). This system safeguards all important aspects, such as information security, compliance, privacy, data security, and risk management.
Once a year, an external accredited auditor checks whether our policy meets all the requirements of the ISO standard. This is an independent check of our entire policy framework. And then the most important part begins: ensuring that what is on paper is also put into practice every day.”
Input for You: “How does that policy translate in concrete terms to our daily operations and the way we handle our customers' data?”
Pierre De Landsheere: “There are several layers involved here: organization, technology, and principles.
An important principle is risk-based working. We identify the risks and take measures to reduce them as much as possible. This can involve technical measures, processes, but also choices in infrastructure.
For example, we consciously limit the part of our operations that is visible on the public internet. The smaller the attack surface, the smaller the chance that someone will get in where they don’t belong.
Another principle is maintaining control. Input for You purchases its own hardware, uses its own equipment, and manages everything itself as much as possible. We handle the storage, processing, and transmission of customer data in-house as much as possible. This gives us maximum control over what happens to that data.
Finally, we are strongly committed to automation and system integration. The fewer manual interventions required, the lower the risk of human error. But again, everything is based on that risk approach and embedded in the ISO 27001 management system, so that we have no blind spots in our operations.”
Input for You: “Regulations surrounding data and ICT are becoming increasingly stringent. Think of GDPR and, more recently, DORA in the financial sector. How do we deal with this?”
Pierre De Landsheere: “Within the ISO framework, there is an explicit focus on legal and contractual obligations. This means that we not only look at our own house, but also at the regulations that apply to our customers.
Take DORA (Digital Operational Resilience Act), for example, a new regulatory framework for the financial sector, specifically around ICT and outsourcing. Input for You is an outsourcing partner for many players in that sector. That means we have to help them meet their obligations.
We are therefore building up targeted expertise around these regulations. We follow what concerns our customers, what requirements their regulators impose, and how we can proactively provide information and evidence for this.
In short, we do not limit ourselves to our own perimeter; we also look over our customers’ shoulders at their obligations and how we can be a reliable link in this process.”
Input for You: “Our customers are often large organizations with many stakeholders involved. How do we ensure that everyone is comfortable with confidentiality and security in their own way?”
Pierre De Landsheere: “That’s right. Input for You itself is relatively small, but our customers are often major players. In a typical call, there are two people on our side and eight to ten on the customer side. These are profiles from business, project management, security officers, information security, compliance, and purchasing, all with their own perspectives.
So an important part of our job is stakeholder management. It’s almost an art to get the right information to the right person at the right time. A Security Officer wants to see different details than a project manager or someone from purchasing.
That’s why we work with a combination of:
- Standard documentation describing our policies and processes around information security and confidentiality.
- Project-specific answers, tailored to the type of data, the nature of the process, the criticality, and the risks.
And if customers want even more certainty, we also provide transparency on site. Some customers want to see our data center for themselves. So we change into our protective clothing, walk together to the server room, and literally show them where their data is stored and where it is processed. That kind of openness inspires a lot of confidence.”
Input for You: “If a new customer, such as an insurance company, wants to start working with us, what is the approach in terms of confidential data and security?”
Pierre De Landsheere: “Actually, it often starts before the actual project kick-off. In the pre-sales phase, we regularly receive extensive security assessments, especially from the financial world. These are often voluminous spreadsheets with hundreds of questions about information security, data privacy, infrastructure, processes, you name it.
In addition, there are NDAs (non-disclosure agreements) and additional rounds of questions before there is even talk of an initial pilot. That’s normal. Customers want to know exactly where their confidential data is going.
Once the project is actually launched, we look at:
- Which documents and data we will process.
- How critical the process is, for example, a six-month archiving project or processes with a four-hour SLA.
- Whether the processing is fully automated or whether manual steps are required.
Based on this, we dimension the infrastructure, determine measures, and ensure that the approach matches the risk profile of the project. This way, we avoid unpleasant surprises in terms of capacity, security, or reliability.”
Input for You: “We sometimes work with external technology or partners, for example for specific automation or tools. How do we ensure data confidentiality in such cases?”
Pierre De Landsheere: “That’s a very important point, because we remain responsible for the data we process, even when we work with third parties.
We try to do two things:
- Do as much as possible ourselves. That’s why we have our own data center, our own servers, and our own infrastructure.
- When we work with external parties, we prefer to choose parties with whom we have direct contact, not anonymous public clouds where you disappear into the crowd.
We want to avoid dropping data “somewhere in the cloud” without a clear view of where it physically ends up and what exactly happens to it.
We work with third parties on the basis of clear agreements. For example, if we use an external service, we ask that no data be permanently stored by that party. The data is processed, returned to us, and then remains with us. This limits the impact of a possible incident at that third party.
All of this falls under third-party risk management, something that regulators are also strongly committed to. We look at this in two directions: us towards our suppliers and us as a supplier towards our customers.”
Input for You: “Cybercrime is becoming increasingly sophisticated. Attackers are constantly looking for new ways to access data. Where do we set our priorities in this battle?”
Pierre De Landsheere: “The biggest risk is often not the highly sophisticated hack, but the human factor. Someone clicking on the wrong link, not recognizing a suspicious email, or being approached by phone with a credible story.
That is why we are strongly committed to:
- Raising awareness among our employees about what you should never do, how to recognize suspicious signs, and what to report.
- Compartmentalizing systems so that an incident remains limited and cannot spread like wildfire across the entire network.
- Monitoring tools that constantly monitor what is happening on our servers, our network, and our systems and detect suspicious activity.
In addition, we apply the principle of multiple layers of defense. You can never access our systems in a single step. Access is granted, for example, via:
- A VPN with two-factor authentication.
- A separate login to internal systems, with its own rights and controls.
If a layer is breached somewhere, you are still not “at the heart” of the system. The risk is never zero, but this type of layered security greatly reduces the chance of serious incidents.”
Input for You: “How do we stay informed about new threats and developments in cybercrime?”
Pierre De Landsheere: “Not everything you read in the newspaper is relevant to an organization like Input for You. The risk to a nuclear research center is different from that to a document processing company.
We work with a combination of:
- Security products with built-in intelligence, such as antivirus, threat detection, and network security. These are continuously updated with new threat information.
- Monitoring solutions at different levels of the infrastructure, which detect suspicious patterns without us having to analyze everything ourselves.
You don’t have to be a virus expert to use good antivirus software. The same applies here: we purchase the right expertise through tooling and combine it with our own risk analysis and infrastructure design.”
Input for You: “Once a customer is live, how do we ensure that the security and protection of confidential data remain at the required level in the long term?”
Pierre De Landsheere: “That’s a combination of periodic checks and continuous processes.
Every year, we carry out the following, among other things:
- Penetration tests, to check for new vulnerabilities.
- Network scans, to systematically check the infrastructure.
- The external ISO 27001 audit, which checks whether our entire management system still complies.
In addition, internal processes such as risk management, incident management, monitoring, backup, and disaster recovery run continuously.
It is also important that we standardize our IT infrastructure as much as possible. One approach for backups, one approach for disaster recovery, one global monitoring system. This way, we avoid a tangle of exceptions and ensure that everything falls under the same layer of protection.
We distinguish ourselves in our services through customization. At the core of IT and infrastructure, we strive for standardization, precisely because it is safer and more manageable.”
Input for You: “Finally, how do you see the future of data security and confidentiality in our context?”
Pierre De Landsheere: “The future will certainly bring more integrations and automation with third parties. That is almost inevitable. The big challenge then becomes how to maintain control over what happens to data, contractually, legally, and operationally.
AI and new tools make a lot possible, but often the model is that you throw data over the fence and get something back, without knowing exactly what happens along the way. That is a fundamental problem for confidential data.
At Input for You, we try to maintain that control. Either we do things ourselves, or we ensure that we have sufficient say and insight into the processing, fully in line with GDPR, which refers to the purpose and means of data processing.
One thing is certain: further integration and automation will take place. Our role is to ensure that our customers can entrust their confidential data to us with confidence during this evolution, because we monitor control, oversight, and security as part of our service.”
About Pierre De Landsheere
Pierre De Landsheere has been Input for You’s external Security Officer for over ten years. He advises several companies on information security, ISO 27001 certification, and GDPR compliance. In this role, he helps Input for You keep pace with new regulations, technological developments, and customer expectations, without losing sight of data confidentiality and security.