CYBERSECURITY

Cybersecurity

Our Commitment To Security

We have a strong commitment to our customers and services. This includes a strong relationship with our partners; it is the key to our success. Building this kind of relationship requires many components, but none is as important as trust. In this digital age, a large part of that trust is our customers’ assurance that the data entrusted to us is safe and that we will be there when we are needed.

Fully understanding this, we invest significant time and assets to secure all instances of our Information Technology (IT). We implement tools and processes to monitor those assets and are committed to continuous improvement of our security landscape. This information gives you an introduction to the high-level controls we have put in place to protect information and the systems that host it. It is our hope that providing you this insight will help to strengthen the trust between our organizations.

Information Security Management System: To effectively apply information security principles, it is essential to first identify and document the goals, risks and controls. The result of these efforts is our global Information Security Management System (ISMS) that defines all facets of Information Security within our organization. The collection of policies and procedures is compliant with and certified to ISO 27001. Having a central group of governing policies ensures that our commitment to security is communicated effectively across our global network of countries, all facilities and business units.

Risk-Based Methodology

Understanding risks: In order to properly secure information assets, we must first understand the potential risks that exist. Our risk management process describes how to identify, communicate and document risks as part of our risk assessment. During the steps of this complex task, appropriate stakeholders are consulted, and risk owners are defined, ensuring that all potential risks are identified as inclusively as possible. The results of this assessment advise future processes and provide the business with the best decision-making information possible.

Controls that make sense: When protecting information resources, it is important to provide the needed security while maintaining the levels of accessibility and performance required to provide you a positive customer experience.

Using our risk-based approach, we can specifically tailor our controls to the actual risk without weighing down our systems and processes with unneeded overhead.

Review and improve: As an integral part of the risk-based approach, and our ISMS in general, continuous improvement is important for us. Technology, process, regulations, etc. all change with time, and so must our assessments and controls. Yearly reviews of our documents, assessments, exceptions, etc. are called for as part of the overall process. Making this effort keeps the considerations in those documents relevant over the years.

IT Processes

Change control: Change is a natural part of business as a whole, and in IT especially. This rate of change has brought countless advancements, but left uncontrolled, it can cause negative business impact. In acknowledgment of this, we have instituted a robust change control process, based on ITIL methodologies, to make sure changes are properly described, approved, announced and documented.

Development: When we need the perfect tool for the job, we make use of our skilled internal development teams or our 3rd party partners. To assure the quality and security of the products they provide, we have developed a detailed Software Development Lifecycle (SDLC) policy and related processes. In support of these documents, we have put tools in place to maintain and interrogate our source code before it goes live. Additionally, we make use of distinct development, test and production systems to allow for proper testing prior to go-live.

3rd party services: While we host the majority of our IT internally, where appropriate, we also make use of Software as a Service (SaaS) and other cloud-based solutions. Such usage is carefully considered and vetted with all appropriate teams, including legal, procurement, data protection, IT, etc.

End point control: To manage end points, we have implemented multiple policies. These include anti-malware, appropriate use, clear desk and screen, and other related topics. In addition, special consideration is given to our mobile platforms in order to meet their special requirements. These are managed by our mandatory Mobile Device Management (MDM) platform. Combined, these policies help safeguard our endpoints and employees from malicious actors and software.

Infrastructure and data centers: We maintain three primary data centers located in the United States, in Europe and in Asia. Each is physically divided between two regional facilities in order to provide redundancy. This concept is carried down to all levels of data center design, including networking, power, compute/storage and air conditioning.

Access Management

Centralized authentication: In any organization, the burden of managing user accounts is significant. To combat any risk, we have implemented a centralized “single sign-on” platform. With this in place, a new user is immediately available to be activated in any connected system, and any deactivated account is no longer able to login. For added security, we also make use of multi-factor authentication for our remote users.

Passwords: Our policy calls for complex passwords with specific lengths to be used on IT systems. Technical controls are in place to enforce this, in addition to rotation periods, deactivation after disuse and other metrics. Administrative accounts are required to be separate from user accounts and are held to higher control standards.

Account lifecycle: When managing a large user base, there is a regular need to add, modify and remove accounts and their access. To support these functions and our commitment to the concept of least privileged access and need to know, we have implemented policies to define the complete account lifecycle and how each phase of it must be managed.

Vulnerability and Patch Management

Internal scanning: We are using a best-of-breed vulnerability scanner to conduct scans on all of our IT assets constantly. Specific correction timeframes are set in policy based on the criticality of the vulnerability discovered.

3rd party penetration testing: We retain the services of 3rd parties to provide unbiased checks of our applications. These scans provide important data that helps us to direct our security efforts. As with our internal scanning, specific timeframes apply for the remediation of vulnerabilities based on their criticality.

Patching cycle: Keeping our software up-to-date and supported is an important housekeeping step that we take very seriously. All patching is done in conjunction with our change control process and in partnership with the business.

Network Security

Securing the edge: The Internet is the wonder of our age and has opened many opportunities, but it is also the gateway for multiple risks. We have therefore taken special care in securing our network and all the connections that need to pass through it. All our connections to the world are protected with state-of-the-art firewall technologies, allowing us to monitor all incoming and outgoing connections, segment based on access needs and block unwanted connections.

To watch for malicious activities within allowed connections, we’ve implemented both an Intrusion Detect and Prevention System (IDS/IPS), as well as a Web Application Firewall (WAF). This layered approach helps to keep us protected while still allowing us to leverage the benefits of the Internet.

Connecting with our partners: Maintaining secure communications with our partners is a key concern, and to that end, we support various encrypted methods of data transfer. These include VPN, SSL, SSH, AS2, SFTP, dedicated circuits and others. Regardless of the functional need, we can work with you to find a solution that fits.

Safety when remote: In today’s interconnected world, work is no longer confined to the office environment. Workers are on the road, at partner facilities and working from home. As we take advantage of this flexibility, it is crucial that we also apply appropriate levels of security. Our policy specifies many controls to keep our remote workers safe and to protect our infrastructure, along with the data it houses. Some of these include the use of multifactor authentication, endpoint detection and response solutions, laptop drive encryption and remote administration tools.

Training

On-boarding: Our robust on-boarding process includes training on information security and acceptable use of IT resources. Prior to hiring, pre-employment screenings are conducted.

Education: We provide regular internal training for our employees to keep them current with regulatory, functional and internal policy topics. Methods include in-person, computer-based, self-paced, as well as 3rd party provided trainings. Training records are maintained in a centralized HR learning platform that allows management to track training needs and status.

KPI’s, Logging and Monitoring

Centralized logging: Centralized logging is used to retain system logs and allow for easier analysis. These repositories also separate logs from the system generating them to avoid local issues affecting the system logs. This enables us to make use of automated monitoring of all systems, which helps us to identify unusual activities early on.

Robust monitoring: In order to provide the highest level of service to our customers and react quickly to issues if/when they occur, we have implemented a rigorous monitoring environment. With multiple levels of checks, we can identify issues, or potential issues, and automatically notify those who can correct them. Performance monitoring is also in place to advise capacity management and identify trends.

Tracking our performance: To improve our systems we track a variety of KPIs including those associated with our information security program (endpoint protection status, password age, and software version, et cetera).

Incident Management

Role of CIRT: We take information security very seriously. As a result of that, we have created an internal Cyber Incident Response Team (CIRT) with the sole mission of identifying and responding to cyber threats. To enable this, logs from across the globe are provided in near real time for their review. Industry-leading tools are used to help parse and analyse this data to keep the team’s focus on what matters most.

Partner communication: We value our customer relationships and the trust put in us. In the event of an information security incident, we have defined processes that assure our partners are notified in a timely manner.

Rapid response and recovery: Thanks to proactive steps, including predefined processes, our CIRT team, internal training and monitoring, we can respond rapidly to security or technical incidents. Additionally, the use of redundancies and regular backups allows us to recover failed systems and return them to production usage. These systems are regularly tested to assure they are ready when an incident occurs.

Data Protection

GDPR compliant around the globe: GDPR principles are implemented as a global standard within our organization in order to fully support the mission of protecting the personal information under our care. This program is administered by our global data protection team that has responsibility for assuring that our data assets are inventoried, understood and protected. In further support of this initiative, where appropriate, data processing agreements are in place with our 3rd party sub-processors to assure data is handled to our standards.

Classification and protection: We have established data classification policies, standards and guidelines to identify, catalogue and apply protections to our data assets. Within the policy documents, we define the information needed about a given data source, how ownership is managed, levels of classification and the controls needed at each level. This structure level sets expectations and helps to assure that data is properly handled and protected.

Need to know and least privileged: Our information security policies call for the concepts of “Need to Know” and “Least Privileged” with an eye towards making sure our employees and partners have access to the data they need and not to data that’s not relevant to their job functions. These goals are met via methods such as access controls, logical segregation and separation of duties.

Related Programs

QSHE: We maintain a thorough Quality, Safety, Health and Environment (QSHE) program that governs many factors of how we operate as an organization. The program includes functions such as providing job-based training, our green initiatives and our “Tool to Improve Processes (TIP)” program. Our QSHE team works hard to continuously improve our working environment.

Data Protection: With a focus on safeguarding our repositories of personal data, the global data protection team is critical to our efforts to protect our data and comply with regulatory requirements.**

Compliance: We operate across the globe and in a myriad of industries all with their own laws and regulations. Our compliance teams work tirelessly to stay abreast of this continuously changing landscape and to make sure we meet our obligations.

Internal auditing: Our commitment to continuous improvement would not be possible if we did not take the time to look in the mirror and see where we can improve. Our internal auditing team, which reports directly to our board, works regularly with our business and functional units to review current processes and challenge us to be better.

Finally

We value the trust placed in us by our business partners and appreciate your willingness to give it. To live up to that responsibility, we have implemented many programs to protect the assets and processes that are entrusted to our care.

We hope this document has given you a window into these programs. Please feel free to reach out to your customer relationship manager for further information. We look forward to working with you now and in the future.

WordPress Collection Abstrak – Agency & Portfolio WordPress Theme Abuild – Construction WordPress Theme AC Services | Air Conditioning and Heating Company WordPress Theme Academee | Education Center & Training Courses WordPress Theme Academia – Education Center WordPress Theme Academie – Education WordPress Theme Academist – Education & Learning Management System WordPress Theme Academix – Multipurpose WordPress Theme Academy LMS Offline Payment Addon Accalia | Dermatology Clinic & Cosmetology WordPress Theme + Elementor