Identifying and Addressing Security Threats
Identifying security threats and risks to the SAI360 infrastructure, applications, information assets, and overall environment is a continuous lifecycle, and everyone at SAI360 shares responsibility for maintaining a secure environment. The following section outlines how SAI360 identifies security threats, the mechanisms that protect against them, and the overall incident response process.
Security Testing
Security testing is a multi-faceted approach in which SAI360 does not depend on a single method, tool, service, or entity to identify security risks that affect our environment. Leveraging various methods and tools provides different attack angles from which SAI360 can identify potential security flaws and take appropriate steps to remediate or mitigate the risk before any threat actor exploits it. This includes, but is not limited to, the following:
Application Security Testing – As part of the development process, a variety of tools and tests are executed to identify and prevent as many vulnerabilities, coding flaws, and bugs as possible before new or updated versions of our services are released to production and to customers. This includes, but is not limited to, static code analysis, dynamic code analysis, software composition analysis, code quality testing, and functional testing. All application security risks are reviewed and taken seriously, and SAI360 WILL NOT release if a critical or high-risk vulnerability is found.
External Penetration Testing – SAI360 partners with security consulting firms that specialize in external network and web application penetration testing. They take an ethical hacking approach that mimics adversarial methods, with both known and unknown information, in order to identify security flaws across the environment. Web application penetration testing targets common vulnerabilities as listed in the OWASP Top 10, such as code injection, as well as targeted attacks intended to achieve elevated rights within the application. The penetration testing methodology is available to customers for review upon request, and the latest results and remediation records are shared with customers under the appropriate NDA. SAI360 allows and welcomes customers to execute penetration testing of their own application instance by arrangement and at their cost, and will review any findings to be addressed as part of a remediation plan.
Infrastructure & Network Vulnerability Assessments – SAI360 uses a range of vulnerability detection utilities against the internal and external networks and infrastructure, including network scans, asset discovery, and configuration monitoring across cloud service providers, and checks host images against hardening baselines.
Continuous Vulnerability Assessments – Continuous internal vulnerability assessments of all corporate and customer-facing systems and networks are executed in real time using Rapid7’s InsightVM service and deployed agents, which report the vulnerability status of each system every six hours based on change delta.
Security Monitoring
As the threat landscape is constantly evolving, it is critical to continuously monitor all assets within all environments, along with any internal or external activity that strays from an established baseline. SAI360 has deployed and leverages Rapid7’s InsightIDR SIEM and MDR services to serve as an extension of the Information Security team and the overall operations function. This group works together to identify events of interest that require investigation and to determine the appropriate course of action to address any risks.
Security Incident Response
Responding to security events and incidents is a constant battle that every security and operations team faces on a daily basis. When, not if, an incident occurs, the primary role of the Information Security Incident Response Team (ISIRT) is to respond quickly, contain the incident, and mitigate the risks, limiting the impact to the environment, information assets, and availability of services for our customers. SAI360 maintains a robust security incident response process to help ensure prompt notification and investigation of security incidents. SAI360’s security incident response process includes involvement from the Information Security, Data Privacy, Corporate IT, Cloud Operations, Development, and Support teams to ensure all required resources are available to address the incident and restore normal services. To help ensure the swift resolution of security incidents, the SAI360 Information Security team is available 24/7 to all SAI360 personnel.
Security Incident and Personal Data Breach Notification
SAI360 will advise the customer within three business days, or as otherwise agreed, of becoming aware of any security event or incident that has impacted the confidentiality, integrity, or availability of the customer’s data. Such notification shall include the details of the information security incident, a description of the customer’s confidential information or personal data that may have been accessed, the effect of the information security incident on that confidential information or personal data, and the corrective action taken or to be taken by SAI360.
SAI360 shall promptly take all appropriate corrective actions and shall cooperate with the customer in all reasonable and lawful efforts to mitigate or rectify such information security incident, including, without limitation, cooperation in complying with applicable personal data breach notification laws.
SAI360 maintains an ISO 27001:2013 certified Information Security program that complies with applicable privacy laws and is consistent with standard practices and security standards in the risk and compliance technology industry, including the International Standards Association (ISO 27001:2013). The program includes appropriate administrative, technical, physical, organizational, and operational safeguards and other security measures to maintain the security and confidentiality of customer and personal data and to protect it from known or reasonably anticipated threats or hazards to its security and integrity. SAI360 reviews its information security program at least annually, or after significant changes occur, to ensure its continuing compliance, suitability, adequacy, and effectiveness.