²ÝÁñÉçÇø

Information Security Policy

²ÝÁñÉçÇø has defined and published a set of information security policies which is:

• Based on ISO 27001, ISO 27002, NIST SP 800-53, NIST SP 800-171, and NIST CSF
  
• Approved by management
• Communicated to all employees and relevant external parties
• Reviewed annually by stakeholders

Product Security Assessments

²ÝÁñÉçÇø regularly performs a variety of security assessments on both the application level as well as the environments that host our applications. These include:

• Product-on-product (PoP) testing¡ªeach release of a product is scanned for security vulnerabilities.
• In-depth internal security assessments¡ªfor major new features, we include a combination of penetration tests, code reviews, and architectural risk assessments.
• Threat modeling¡ªfor major new releases, ²ÝÁñÉçÇø creates and/or updates threat models that provide a baseline for other security testing activities.

Security for Software as a Service

• Our SaaS offerings utilize industry leading cloud service providers, known for their security and protections; and must meet or exceed a set of rigorous security assessments, and security control requirements at ²ÝÁñÉçÇø.
• In addition to the security provided by our cloud service provider (CSP), ²ÝÁñÉçÇø uses real-time monitoring tools for cloud configuration and container integrity, a web application firewall, and other security controls.

Incident Management

• ²ÝÁñÉçÇø has established policy, process, and procedure to ensure a quick, effective, and orderly response to information security incidents.
• The Information Security Incident Management Standard and Incident Response Plan are reviewed, tested, and updated (as appropriate) at a minimum, annually.
• ²ÝÁñÉçÇø will notify customers consistent with the Data Privacy and Protection Statement referenced by our Privacy Policy.

Network Security

• ²ÝÁñÉçÇø has deployed IDS/IPS, WAFs, Firewalls, and related technologies to protect against external threats.
• Network environments are physically and logically segregated; customer data are logically segregated.
• Security alerts are monitored 24x7 by a dedicated security team with a 5-min SLA for initial triage of critical alerts.
• Vulnerability scans are performed daily.

Encryption

• All customer data are encrypted in transit and at rest. Beyond mass storage encryption sensitive data is also secured using application layer encryption.
• All traffic is encrypted in transit by default via HTTPS/TLS (Transport Layer Security) 1.2 or better.
• All persistent data are encrypted at rest in the CSPs using AES 256-bit encryption or better.

Availability, Backup, and Disaster Recovery

• High availability is achieved using the native cloud orchestration capabilities of Azure.
• If individual VM containers fail within a CSP availability zone, they will recover automatically due to the cloud-native architecture. If there is an outage for a complete CSP availability zone or region, there is a process that will create a new instance in a different availability zone or region.
• In general, across all types of disaster situations, including failures beyond core infrastructure, ²ÝÁñÉçÇø¡¯ recovery time objective (RTO) is one (1) business day and the recovery point objective (RPO) is 24 hours.
• ²ÝÁñÉçÇø maintains a certification for Business Continuity Management System, ISO 22301:2019.

Access Management

• Only the customer has access to their own data. If ²ÝÁñÉçÇø employees need access to customer data for troubleshooting or support purposes, customer permission is required to grant access.
• Multi-factor authentication (MFA) capability is provided to customers for accessing ²ÝÁñÉçÇø applications.

Logging and Monitoring

• User and system administrator activities are logged and:
• Routed to a centralized SIEM for monitoring, analysis, and alerting
• Protected from tampering
• Retained for at least one year

Change Management

• Changes to the organization, business processes, cloud infrastructure, and systems affecting information security are performed per a defined change management policy, process, and procedure.
• All changes are logged via a ticketing system, and approvals are required and tracked. 
• The technical review includes a risk assessment and all other technical aspects of the change.