An Interview with Thomas Fruhstuck — Chief Information Security Officer at 4me
Thomas Fruhstuck is the primary contact for 4me customers’ information security and compliance officers. In this role, Thomas makes sure that 4me is secure and also works with third parties to facilitate the regular security tests, SOC 2 and ISO 27001/27018 audits of the 4me service and organization. We interviewed him about the benefits of 4me when conducting an audit.
- What is your experience with audits and 4me so far?
Before joining 4me two years ago, I already had quite a bit of experience with how the service can support and help a company with its compliance efforts and audits. All certifications require you to establish processes, follow them, and then provide proof to the auditors that you have not only written these policies but that they are alive and followed. For many companies, this is the most difficult part of an audit, especially if they don’t have any support from a tool or service. This is where the 4me service comes into play – it makes it so much easier to facilitate all this.
- How can the 4me service help you with an audit?
4me’s functionalities ensure that you can easily create procedures (workflows) from your processes. And they are not limited to IT but can include all other departments in the company. A staff onboarding and offboarding process is not only an IT process but may need to include HR, IT, Facility Management, and others. Having to work on the same workflow in various tools makes it very difficult to follow through, audit it internally and prove workflow compliance to an external auditor. With 4me’s complete service management platform, this is no longer an issue. Auditors also love the audit trail function, which provides an overview of the record’s entire history. And built-in Risk Management and KPI Dashboards and reports are also very important. All these, plus the quick search, make it possible to work in compliance with processes and easily prove it during an audit.
- What feature is the most valuable for you and why?
This is difficult to answer because all of the mentioned functions are very important, but if I had to choose the one I would miss most, it is workflows. Not only can you do what I described before, but you can also create recurring workflow templates that will start automatically at a specific time. Let’s say that according to a policy, you need to evaluate firewall rules every month. Instead of setting a reminder in a team calendar and hoping that someone will do it, you can simply create a recurring workflow and assign a task to the firewall team, followed by a task to compliance to review that check. All of this will be monitored on your security & compliance dashboard.
- What is your suggestion for customers on how to start using 4me for their compliance efforts?
Evaluate your last audit results to see which processes were the most difficult to prove or took too much manual effort. Then establish these processes in 4me using workflows and also scheduled/recurring workflows. Also, look into our demo system; we included some examples there. In addition, you can ask your partner some questions or post them in the 4me community forums, which are a great place to discuss best practices.