No matter who you are or what you do, as a security leader, you have a constant need to protect your customers, data, and the reputation of your organization. These are not easy tasks to accomplish, especially with the added pressure of meeting evolving compliance requirements. Further, a growing landscape of security threats and ever-changing regulations can be challenging to keep up with – on top of trying to make sure your technology partners are also adhering to security best practices.
Developers in the P&C insurance industry need to do their daily work on technology that is among the safest and most secure available. That’s why Guidewire is proud to be a trusted, transparent, and innovative leader in security.
As you’ll see below, we fulfill this role in many ways. One important way is by giving our customers resources that provide guidance on security best practices and help ensure compliance. Here are seven resources you can use now that speak to who we are, what we do, how we help, and why you can count on us.
1. Trust is a Top Priority at Guidewire
At Guidewire Connections 2022, our panel of experts presented “Your Security and Compliance in 2022 and Beyond,” where we discussed why security and trust are a defining issue of the current macro-security environment and technology ecosystem, and how far that issue reaches into other areas.
For a high-level overview of our commitment to security, our presentation is the place to start. But as promised during the session, we wanted to provide an extensive selection of specific Guidewire Security resources to contribute to your Guidewire Cloud journeys. This is a partial list, and these resources are updated often, as there is never a finish line for security. We continually strive to evolve our security posture and guidance to reflect the ever-changing security environment. These resources focus on the “last mile” of security on your Guidewire Cloud journey.
2. We Take a Unique Approach
As Julie Andrews once said in The Sound of Music, “let’s start at the very beginning.” When it comes to Guidewire’s approach to Security, it starts with – you guessed it – trust.
Our strategic approach to Security in Guidewire Cloud revolves around three core principles:
- Continuously strengthening the baseline.
- Delivering value quickly and securely.
- Governing strongly and verifying compliance by third parties.
Each principle reflects how our approach is built to earn your trust: repeatedly investing in the basics of security within the NIST Cybersecurity Framework (CSF), commissioning penetration testing and expert consultations, and maintaining industry-standard compliance certifications such as ISO 27001, ISO 27701, SOC 1 Type I, SOC 2 Type II, and PCI.
3 & 4. Our Shared Responsibility Model (Including SurePath) Works for Our Customers and Us
Nearly every software as a service (SaaS) provider has a Shared Responsibility model, which defines which party is accountable for and owns each area, including security and quality. In other words, this model helps customers know where to invest in security within their organizations and where they can build additional skills and competencies.
Guidewire Security’s model consists of eight different parent categories that break down separate and shared responsibilities, from program delivery to monitoring.
A few key takeaways regarding why our model works:
- We help self-managed clients move to Guidewire Cloud with more shared responsibilities.
- Shared responsibilities also increase by subcategory when you are on Guidewire Cloud.
- Guidewire Documentation (login required) has an ever-growing collection of Guidewire Cloud Standards, such as our Gosu Secure Coding Standard, for example.
- We publish checksums with every new Guidewire Cloud release so you can verify that the deliverables you downloaded are byte-for-byte what we published, and have not been corrupted or tampered with in transit (more on this below).
Additionally, Guidewire SurePath is a powerful avenue for providing clarity, alignment and understanding of accountability and ownership between Guidewire and customers in the Shared Responsibility Model, particularly during early pre-project phases of implementation.
SurePath collateral goes a step further by providing more information at varying levels of detail for project teams that map back to the Shared Responsibility Model.
- Lead responsibilities for Guidewire customer-facing roles.
- Core delivery roles and responsibilities.
- Detailed activity-level RACIs to support execution.
We have touched on the “what” and the “who” of security on Guidewire Cloud. To help you with security in your implementations, the next three resources focus on the “how.”
5. Guidewire Security Cloud Standards Mitigate Risks
Designed specifically for Guidewire InsuranceSuite products, security standards provide guidance and help ensure consistent delivery quality using SurePath to minimize the total cost of implementation and ownership.
Users can find guidance on a wide variety of our Security Cloud Standards, including these:
- Personally Identifiable Information (PII)
- Payment Card Handling (PCI)
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
6. Checksums Validate Deliverables
Our checksums are cryptographic hashes of each deliverable. Recompute the hash over the file you downloaded and compare it with the published value: if the two match, the file is the one we released; if they differ, do not install it. They are made readily available for easy review.
Each checksum is listed by:
- Software Download
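The verification step described above, as an added example that is not Guidewire code. It assumes the published checksums are SHA-256 hex digests in the common `sha256sum` manifest layout (`<hex>  <filename>`); both the algorithm and the layout are assumptions, so adjust `ALGORITHM` and the parser to match the format actually published. The sample files and manifest are constructed inline so the script runs offline.

```python
"""Verify downloaded release artifacts against a published checksum manifest.

Added example, not vendor code. Assumptions: SHA-256 hex digests, published
in sha256sum-style lines ("<hex>  <name>" or "<hex> *<name>").
"""
import hashlib
import hmac
import os
import tempfile

ALGORITHM = "sha256"  # assumption: the vendor publishes SHA-256 digests
HEX_LEN = hashlib.new(ALGORITHM).digest_size * 2


def file_digest(path, algorithm=ALGORITHM, chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte installer does not fill memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_manifest(text):
    """Parse sha256sum-style lines into {filename: lowercase_hex}.

    Blank lines and '#' comments are skipped. A malformed line raises instead
    of being silently dropped, so a truncated manifest cannot pass as complete.
    """
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' = binary mode
        if len(digest) != HEX_LEN or not set(digest) <= set("0123456789abcdef"):
            raise ValueError(f"manifest line {lineno} has a bad digest: {raw!r}")
        expected[name] = digest
    return expected


def verify_file(path, expected_hex, algorithm=ALGORITHM):
    """True only if the file's recomputed digest equals the published one."""
    # compare_digest is not strictly required for a public digest, but it is
    # the comparison habit to keep for any value an attacker may influence.
    return hmac.compare_digest(file_digest(path, algorithm), expected_hex.lower())


def verify_manifest(directory, manifest_text):
    """Check every artifact named in the manifest; a missing file is a failure."""
    results = {}
    for name, digest in parse_checksum_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        results[name] = os.path.isfile(path) and verify_file(path, digest)
    return results


def demo():
    """Constructed scenario: one intact artifact, one tampered, one missing."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "release.zip"), "wb") as f:
            f.write(b"abc")  # constructed stand-in for a real installer
        published = file_digest(os.path.join(d, "release.zip"))
        with open(os.path.join(d, "plugin.jar"), "wb") as f:
            f.write(b"abc\x00")  # one extra byte, as a trojaned file would differ
        manifest = "\n".join([
            "# constructed manifest; obtain the real one over a trusted channel",
            f"{published}  release.zip",
            f"{published} *plugin.jar",  # digest of the untampered plugin
            f"{'0' * HEX_LEN}  missing.zip",
        ])
        return verify_manifest(d, manifest)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
```

Fetch the manifest from the authenticated download portal rather than from the same unauthenticated location as the file: a checksum only proves the download matches what was published if an attacker who can swap the file cannot also swap the checksum.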
7. The SurePath Plugin Takes Inspections a Step Further
The final resource in this “last mile” guide focuses on our SurePath Plugin for Guidewire Studio, which provides additional source code inspections to detect, help correct, and better maintain anomalous code.
There are now several plugins available, which include:
- SurePath Plugin for InsuranceSuite 9.0
- SurePath Plugin (Cloud Assurance) for Guidewire Studio 5.x
- SurePath Plugin (Cloud Assurance) for Guidewire Studio 6.x
- SurePath Plugin (Delivery Assessment) for Guidewire Studio 5.x
- SurePath Plugin (Delivery Assessment) for Guidewire Studio 6.x
- SurePath Plugin (Java Assessment)
8. Bonus: We’ve Increased Security as a Founder of the Critical SaaS Special Interest Group (CSaaS SIG)
Guidewire is a co-founding member of the Critical SaaS Special Interest Group (CSaaS SIG), part of the Information Technology – Information Sharing and Analysis Center (IT-ISAC). The group aims to enhance the collective defense of its members’ customers and build increased security resilience in the SaaS industry.
CSaaS SIG serves as a forum for CSaaS companies to collaborate on the following:
- A collective defense strategy to improve security and operational resiliency of services.
- Shared intelligence information with the industry at large.
- An increased level of trust for customers to place in their organizations and the broader SaaS industry.
The P&C insurance industry has entered one of the most exciting, fast-moving, and incredibly innovative periods in its history, and the need for professional security in products and solutions is at an all-time high. We know that the organizations we serve are highly security-conscious on a global scale and need the right tools to succeed in the market.
This is how you can take ownership of your security initiatives:
- Use the security resources Guidewire makes available to guide you through your projects and processes.
- Focus on the value-added pieces of your security strategy.
- Think about secure development – always.
Reach out to your Customer Success Manager or Alliance Manager if you have questions. They will welcome your feedback and questions and point you in the right direction.
It takes all of us to get to your secure outcomes. Remember, security is an ongoing, never ending, exciting, value-adding opportunity!
There is no finish line, and that’s a good thing. We’re on this journey together.
About the Author
Director, Field Enablement, Technical & Security