Is the KNIME software certified in regard to security risks? My company was quite reserved about implementing KNIME as they did not find anything. NIS2 or ISO 27001 were mentioned internally, but any other relevant certificate would be nice.
Hello @JacMP,
First of all welcome to the world of KNIME.
Neither NIS2 nor ISO 27001 is a certification for software security.
They both target the information security of organisations.
ISO/IEC 27001 requires that management:
* Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities, and impacts;
* Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
* Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.
From ISO/IEC 27001 - Wikipedia
NIS-2 is an EU directive that applies to the member states of the European Union.
Here you may find the English version https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:02022L2555-20221227
In terms of software security, an organisation shall make an assessment of its whole inventory (e.g. KNIME) to understand its risks, both in terms of business and processes and in terms of vulnerability to non-availability and manipulated data. Furthermore, it is important to understand the criticality for the business.
From that point you have to classify the inventory and define adequate protection methods. This covers e.g. physical protection, access control, encryption, and backup and recovery strategies.
To give a simple example: software with high security standards is not really secure if e.g. everybody can access all data (e.g. login without a password or with a shared password).
HTH
Hello @knimediger
Thanks for the quick response, you are right, I was a bit imprecise in my wording. However, the underlying question remains: is KNIME working according to ISO 27001, the European NIS2 standard, or any related standard that I could forward internally and to which KNIME is accredited? We use a scoring system for new software, and KNIME performed well in many areas, but for the compliance topic it received 0 points.
My work is especially concerned with the Microsoft Authentication node (which I was intending to use), as it needs some kind of Microsoft Graph permission (sorry, I am not an expert in this).
Here you may find a first entry point for answers to your question: KNIME Software Framework and Security | KNIME.
This is more a question for the guys and ladies from KNIME.
Maybe you get in direct contact with them to get the required information.
Hi, @JacMP !
I’m on the same path, did you get the answers?
Yes, KNIME has been certified according to ISO 27001 since July 14th, 2024.
The certificate can be found here: Box | Login
A trust page listing this and other information is in the making.
Best regards
Steffen