Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data
1. SERVICE SECURITY CONTROLS:
1.1. Data transfers, data at rest and backups encrypted with TLS 1.2, SSL certificates and AES-256Bit;
1.2. Secure data disposal procedures, including but not limited to using secure erase commands, degaussing, and “crypto shredding” of data when required. Procedures follow industry standards (such as NIST 800-88 or ISO 27001) and recommendations;
1.3. User account passwords are stored as salted hash values as defined in RFC 2898. PBKDF2 with HMAC-SHA256 used as the hashing algorithm and salt length is 128-bit;
1.4. AWS S3 buckets use Server-Side Encryption with Amazon S3-Managed Keys (SSE- S3);
1.5. SOC as a service and SIEM tools for collecting internal logs and event data. Data importers utilise Amazon Web Services (AWS) as cloud provider and AWS is SOC 2 and ISO 27001 compliant. In addition, they also use AWS Shield for comprehensive protection against all known infrastructure (Layer 3 and 4) attacks, AWS Key Management Service (KMS) for key management systems and AWS WAF for a web application firewall that helps protect Invicti’s web applications and APIs against common web exploits;
1.6. Request, patch, and change management processes in line with industry leading products;
1.7. Application penetration tests conducted bi-annually by independent third parties and at least quarterly vulnerability scans;
1.8. The following security measures utilised in key management practices:
(A). Credentials for remote access to production servers created manually and rotated every 90 days;
(B). AWS IAM access keys only access to specified buckets and EC2 resources;
(C). Sensitive data shared between employees with PGP encryption;
(D). If an administrator leaves the company, the relevant account and IP addresses are to be removed and AWS IAM access keys are rotated within 24 hours.
1.9. Following security measures used in endpoint and environment security practices:
(A). install, configure, and maintain perimeter and network security controls to prevent unauthorized access to customer data. Examples of these security controls include firewalls, web application firewalls, anti-malware software and access control list;
(B). maintain and configure endpoint security software and hardware on environments, desktops, laptops, including encryption, data loss prevention (DLP), anti-malware and anti-virus software. Invicti ensures that such configurations generate alerts to appropriate personnel and logs accessible by appropriate personnel;
(C). implement and maintain a Security Operations Center as a service (SOC), Security Information and Event Management tool (SIEM), security logging, continuous security monitoring, and environment security configurations;
(D). implement and maintain security and hardening standards for cloud environments, including such as baseline configurations, patching, passwords, access control, VPN, multi-factor authentication and IP restriction;
use defense-in-depth techniques, including deep packet analysis and traffic throttling for the detection of and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns (e.g., ARP poisoning attacks) and/or distributed denial-of-service (DDoS) attacks;
1.10. Use of AWS Shield, AWS CloudTrail, New Relic and ELK frameworks for monitoring purposes and a production performance monitoring tool;
1.11. System-level objects hosted on AWS. All AWS configurations including VPC, EC2, IAM, and S3 must be reviewed regularly.
2. ORGANIZATIONAL SECURITY AND AUTHORIZATION:
2.1. The parties information security roles and responsibilities are defined within the organization, as described below.
(A). The security team focuses on information security, global security auditing and compliance, as well as defining the security controls for protection of Invicti’s production and internal environments. The executive leadership team is responsible for approving and ensuring that the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization.
(B). The Chief Information Security Officer (CISO) is a senior-level employee of the Company that oversees the Company’s information security program. The Information Security Committee (ISC) is a forum for executives to discuss the Company-wide computing strategy and to support employees in contributing to the effectiveness of the information security management system.
(C). The parties follow applicable law and applicable industry standards regarding access management to authenticate and authorize users. The parties will not use shared or generic identification credentials to access customer data. Additionally, user rights are periodically reviewed and revoked, as needed. Furthermore, employee identification credentials are provided and revoked via documented technical and logical control procedures.
(D). Authentication to Invicti’s resources, including cloud environments, devices, servers, workstations, or applications, is not allowed with default passwords and, if available, role-based access control, single sign-on, and identity and access management (IAM) are used to restrict access. Invicti promptly revokes access from personnel and authorized third parties who no longer require access to customer data upon separation of their employment with the company.
(E). All access to customer data is via a secure connection (like SSL and TLS) between service locations (including access through cloud service providers) and customers.