Security from a customer s perspective. Halogen s approach to security

Transcription

1 September 18, 2015

2 Security from a customer s perspective Using a cloud-based talent management program can deliver tremendous benefits to your organization, including aligning your workforce, improving performance and building better business results. Despite those advantages, many companies have concerns about the safety and security of their data in an online system. At Halogen we take the responsibility for your data very seriously, and understand that you may have questions that need to be answered. Our goal is to provide you with security services and information in a consistent and timely manner, so you understand how your data is protected and are confident that it is safe and secure. Halogen s approach to security Halogen has designed and implemented a multi-tiered approach to security. The first tier includes the security protections customers have come to expect of a leading cloud provider. These include: Firewalls Intrusion detection systems (IDS) Anti-Virus (AV) Encrypted storage and backups Multi-factor physical security Secure data centers The second tier consists of an organizational commitment to sound practices around security and IT operations. Halogen has a dedicated team of security professionals whose primary responsibility is to provide separate continuous oversight and review of IT operations at Halogen. Halogen s security organization practices separation of duties from our IT teams, and reports separately to Halogen s senior management. Halogen s security organization works with Halogen s operational IT and product development teams to ensure that our products and services are designed with security from a customer s perspective, as a top priority. The security organization is also responsible for the monitoring of Halogen s TalentSpace operational activities as they relate to Halogen s service offerings. The third tier in our approach centers on a commitment to independent assurance. We understand that our customers want to hear from independent third parties that the security measures we have taken not only make sense but are appropriate and working effectively. To assist our customers in meeting their compliance and security requirements, Halogen is committed to continuously investing resources to provide our customers with access to independent assessments and evaluations on the effectiveness of Halogen s security controls. 2

3 What do Halogen s Security services look like? Application Security Halogen has integrated consideration for web application security into our software development practices. These practices include the following: Education and awareness training for developers, testers, and other team members responsible for the quality of our application code. Our training materials are aligned with the OWASP Top 10 web application risks and are presented within the specific context of our application. Halogen engages with an industry-recognized third party web application vulnerability testing company to continuously assess each application end point. Third party results are reviewed by Halogen s Security, Risk and Compliance department. Confirmed defects are prioritized and entered into Halogen s defect management system for remediation. Data Center and Environmental Security Halogen has contracted with best-in-class data center providers. Halogen s TalentSpace environment is co-located in two physical sites: Primary data center (Rogers) Toronto, Ontario, Canada Backup and recovery data center (Q9 Networks) Calgary, Alberta, Canada Both sites are more than 2,600km apart (1,600 miles) Access to hardware located in secure and dedicated cages requires pre-authorization from Halogen s TalentSpace operations management team. The multi-layer physical security system includes the requirement for management pre-authorization, and authorized individuals must provide government issued Photo ID to a manned security desk. Additionally, controlled man-traps and two-factor authentication (including biometrics) are required to gain access to the data centre server room floor and Halogen s dedicated and secured cage. We perform on-site visits to each facility to validate the proper functioning of physical and logical access controls. We review the most recent assurance reports from our data center provider(s) on a continual basis. Service levels have been contractually defined with data center providers for availability and quality of service. Service levels are continually monitored by a range of applications which report on availability, performance and quality of service. Both data center facilities include redundant environmental protections, including considerations for cooling, power, physical security, network connectivity and natural disasters. 3

4 Backups, Redundancy, and Recovery At Halogen, we ve implemented backup and recovery processes and procedures that enable us to respond effectively to customer requests and recover quickly in the event of an incident. Key information, including customer data and infrastructure information, is backed up on a regular basis. There are formal processes in place for the replication of all customer data to a backup and recovery data center. To support full recovery, the backup and recovery data center is equipped with the same computing capacity as our production data center. Halogen also has a documented disaster recovery plan, which leverages Halogen s proprietary technology and replicated customer data to restore service in the event of a disaster Finally, Halogen s enterprise platform implements data retention to support investigation activities. We can also support customers investigation should it be required. Access Control Halogen s approach is based on (4) four main concepts: Separation of duties Least privilege Need-to-know Information classification Halogen has implemented an authorization and review process so that access rights are aligned with these four concepts. Access control is defined through compliance with Halogen s Information Security Policy and Access Control Policy, which is documented through the use of formal access control lists and a RACI 1 matrix. Management of access control includes management approval for access to the TalentSpace environment and regularly scheduled access reviews, to ensure they are accurate and up-to-date. Halogen s Access Control Policy defines the requirements for unique usernames and complex passwords. Access Control Standards are implemented and monitored through the use of a central authentication server which enforces the documented standards. Network Security Halogen s TalentSpace environment has a layered security architecture which includes: WAN and LAN perimeter firewalls with Intrusion Detection Systems (IDS) Host-based firewalls and IDS Traffic segregation enforced through the implementation of a specialized network topology Logical access to the TalentSpace environment is monitored by a dedicated security team and complemented by on-going point-in-time audits performed by the TalentSpace operations group. Security monitoring includes a daily review of security logs, privileged account usage and review and remediation of weekly security vulnerability scans, both internally and externally. 1 Responsible, Accountable, Consulted, Informed 4

5 Compliance with secure configuration standards is monitored, and compliance reports are reviewed and audited. Non-standard configurations are immediately reported, investigated and then remediated using the formal incident management process. Operational Security Halogen owns and manages all assets required to deliver our SaaS TalentSpace offering. All operational activities are carried out by full-time Halogen employees. Halogen has also implemented a control framework to help ensure consistency and integrity of the ongoing operations in the TalentSpace environment. Operational controls address requirements for the timely execution of activities and the ability to review operational effectiveness. These controls also help maintain proper segregation of duties and access. Operational controls in the TalentSpace environment include: Up-to-date documented processes and procedures Checklists to support the completion of daily, weekly and other time- based tasks Automated and scheduled tasks Continuous system, application, and task monitoring Security and Service Delivery Change management is a key operational control and Halogen has aligned with the ITIL v.3 change management process. Changes must be appropriately documented, tested and validated before being presented to Halogen s Change Advisory Board for risk evaluation and approval prior to implementation. Halogen has implemented a service incident management process, also based on the ITIL v.3 framework, to ensure that any failure in the production environment is addressed in a timely manner, based on the existing service level agreements. All changes related to customer-impacting incidents are treated as emergency changes in our change management process. Data Encryption Halogen s TalentSpace environment implements encryption at rest for all customer production data. This includes all data submitted by the customer or generated by Halogen TalentSpace such as customer entered data, system generated forms, reports, backups and logs. Security and Privacy Incident Response Halogen has a security and privacy incident response process designed to address possible security events or incidents. The process includes the procedures for the response to potential incidents and includes a dedicated Security Incident Response Team (SIRT). The SIRT is responsible for managing the response and remediation of any confirmed security incident or privacy breach. This includes coordinating all investigative processes, communication to customers and third parties, as well as documenting impact assessments and post incident improvements. 5

6 Third Party Evaluations Halogen is committed to continuously investing resources to provide our customers with access to independent assessments and evaluations on the effectiveness of Halogen s security controls. These third party evaluations are available upon request and include the following: AICPA SOC 2 Type II Web Application Vulnerability report Vulnerability scanning results Conclusion At Halogen we believe a comprehensive approach to security is an ongoing commitment. We are focused on maintaining a level of security that allows our customers to focus on achieving their goals instead of having to worry about the security of their data. If you have any additional questions or concerns we would be pleased to discuss them with you at your convenience. 6