Trust & Security

Product and Software Development Lifecycle

Product related software development is performed by dedicated SAI360 engineering personnel, which consists of system architects, application engineers and database developers. The engineering department is divided into areas of expertise required by product and life cycle. Following the finalization of functional specifications, general software architecture is determined by the product software architect and a hosting services architect. In some cases, architectural considerations may result in changes to functional specifications. These adjustments are communicated back to respective stakeholders and a final functional specification and architecture is determined. This architecture is documented and released to the development manager for review, project scoping and resource assignment.

Customer data is never used in development. Customer data is only used for load testing in a staging environment, with customer approval. That staging environment reflects the same security posture policies and controls in the production environment.

Software Release Processes

Authority to release software from development to Quality Assurance (QA) is restricted to the development manager responsible for the product line. The authority to release software from QA systems to final qualification systems is restricted to the assigned release manager, once software meets pre-defined acceptance criteria for release.

Quality Assurance and Qualification Processes

A dedicated quality control team ensures all software made available to customers is of the highest quality and performance. This team has final veto authority for all software packages moving to production systems.

An extensive and comprehensive testing matrix is applied to all software releases testing functionality and support for a wide variety of operating systems and browser versions. New functionality is tested extensively and existing functionality is additionally tested to safeguard against regressions.

Software Release Process

Following a formal release to the SAI360 Cloud Services, the software release package is reviewed by SAI360 Cloud Operations and a deployment strategy is determined utilizing their orchestration platform. The release is initially deployed to a small, pre-determined number of systems. Following this controlled release, a general release cycle is undertaken with all systems receiving the update over a series of scheduled maintenance windows.

Patch and Version Management

Continuous improvements to software occasionally result in patches available to SAI360 software product lines. All major and minor software releases, including patches, are uniquely versioned and this version is transparent to all operators. The release strategy for patch deployments models that of the general software release process described above.

Secure Development Training

All employees and contractors that develop or write code as part of their primary responsibilities go through appropriate secure development training on an annual basis. This includes but is not limited to:

• Review of secure development coding practices and principles documented as part of the Information Security Management System (ISMS)
• Open Web Application Security Project (OWASP TOP 10) awareness of security risks
• Secure coding practices in the coding languages and frameworks of their respective application

Access to Source Code

All software access and versioning are strictly controlled through a software source control package. Access to source code is available on an as-needed basis and exclusively restricted to SAI360 software engineering.

Penetration Testing and Threat and Vulnerability Management

SAI360 performs penetration testing and vulnerability scanning to detect, mitigate, and resolve security issues, using appropriate tools for the virtual environment. Internal assessments include reviews of firewall policies, intrusion detection and prevention rules and policies, system patch level compliance, handling of vulnerabilities with known software exploits, and remediation rules for brute force and DDoS attacks. SAI360 performs continuously automated internal vulnerability scans of all corporate and customer-facing systems and networks utilizing both external scanners and systems agents as provided by Rapid7. These agents report the vulnerability status of each system every six hours. This information is accessible by the Information Security teams and SAI360’s system operators for immediate follow-up. Information Security ensures critical issues are registered within the ticketing system for immediate follow-up.

SAI360 contracts leading information security consulting and services companies to run external network penetration tests against systems annually and web application penetration tests annually or in case of a significant change. Remediation plans are prepared after penetration testing and managed as a project to closure.

Customers can conduct their own external penetration testing by arrangement at their cost.

SAI360 complies with all applicable laws of the countries where it operates. The key legislation applicable to SAI360, in addition to other obligations and applicable national/state laws, include among others:

• 201 CMR 17.00 (Massachusetts)
• Australian Privacy Act 1988 (C’th)
• California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA)
• Colorado Privacy Act (CPA)
• Data Protection Act 2018 (UK) and UK General Data Protection Regulation (UK GDPR)
• General Data Protection Regulation (EU) 2016/679 (GDPR) and Regulation (EU) 216/679 of the European Parliament and of the Council
• Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009
• Health Insurance Portability and Accountability Act (HIPAA)
• Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada), S.C. 2000, c. 5
• Virginia Consumer Data Protection Act (VCDPA)

We monitor industry sources for changes to laws and regulations and follow proposed legislation to make sure our operations remain compliant. SAI360 subscribes to regulatory alerts, maintains memberships of relevant organizations and receives additional updates through seminars and briefings. This is a critical component of our Information Security and Data Protection program in order to identify and maintain applicable legal and regulatory requirements impacting our Information Security Management System (ISMS).

SAI360 sub-processor agreements are reviewed for compliance to the applicable laws and regulations.

Privacy at SAI360

SAI360’s privacy policy is informed by industry standards and tailored to SAI360’s custom applications and operations environment. SAI360’s Privacy Information Management System (PIMS) is combined with the ISMS which is defined in the ISO 27001:2013 framework and certified to that standard. Roles and responsibilities are clearly defined within the system.

SAI360’s privacy policy can be publicly viewed at Privacy Policy – SAI360

Security Incident and Personal Data Breach Notifications

SAI360 will advise the customer within 3 business weekdays, or as otherwise agreed, upon becoming aware of any security event or incident which has impacted the confidentiality, integrity, or availability of the customer’s data. Such notification shall include the details of the information security incident, along with a description of the customer’s confidential information or personal data that may have been accessed, the effect of the information security incident on the customer’s confidential information or personal data, and the corrective action taken or to be taken by SAI360.

SAI360 shall promptly take all appropriate corrective actions and shall cooperate with the customer in all reasonable and lawful efforts to mitigate or rectify the information security incident, including, without limitation, cooperation in complying with applicable breach notification laws.

Internal and External Audits

An internal audit is executed using a staged plan throughout the year and prior to any external audit being performed. SAI360 is independently and externally audited against the following:

• ISO 27001:2013
• SOC 1 Type 2 (AICPA SSAE 18 and AASB ISAE 3402 Standards)
• SOC 2 Type 2 (AICPA SSAE 18 and AASB ISAE 3000 Standards)

For environments hosting personal health information (PHI) in the Americas, compliance to the Health Information Portability and Accountability Act (HIPAA) Security Rule and the HITECH breach notification requirements is audited against and attested. All attestations and certifications are renewed annually. The SAI360’s ISO 27001 certificate and the HIPPA, SOC 1 Type II and SOC 2 Type II reports can be provided at any time under a Non-Disclosure Agreement (NDA) or existing customer agreement confidentiality clause(s). Please contact your account manager or sales representative.

Law Enforcement and Government Requests for Data

SAI360 will only share customer data if it is required to be disclosed by applicable laws, government regulation, or court order. If a law enforcement agency or government body sends SAI360 a demand for customer data, SAI360 will attempt to redirect the law enforcement agency to request that data directly from customer. As part of this effort, SAI360 may provide customer’s basic contact information to the requesting law enforcement agency. If compelled to disclose customer data to a law enforcement agency or government body, then SAI360 will give the customer reasonable notice of the demand to allow the customer to seek a protective order or other appropriate remedy unless SAI360 is legally prohibited from doing so.

Cyber Insurance

SAI360 holds commercial general liability, automobile liability, workers’ compensation, cybersecurity, crime, employment practices, and umbrella coverages in varying amounts at the levels expected of a global organization. We can provide additional details, including evidence of coverage, upon request.

Securing Our People

As information security and data protection is everyone’s responsibility, SAI360 arms its personnel (employees, contractors, and individuals provided by sub-contractors) with appropriate resources and training to perform their job responsibilities with security and data protection in mind. Controls are implemented and managed by Human Resources (HR), Legal Counsel, and Information Security to ensure that all SAI360 personnel are held accountable and comply with all applicable policies.

HR requires all SAI360 personnel complete SAI360 Code of Business Conduct training and Security Awareness \ Data Protection training within the first 30 days of employment or contractor engagement. Personnel are required to sign Confidentiality Agreements/Non-Disclosure Agreements (NDA’s), which require them to agree not to disclose, divulge, or reproduce confidential information that they receive or have access to during their employment or contract work period with SAI360.

Background Screening

• SAI360 conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations. Where allowed, the following elements are included in the background check:
• Validation of personal references
• Validation of work references
• Confirmation of academic and professional qualifications
• CV work history verification
• Check on criminal records

Unsupervised physical access to SAI360’s premises or network ID’s is not provided until a full background check is completed.

SAI360 Code of Conduct Certification

Annually, SAI360 requires that all personnel certify compliance with the SAI360 Code of Business Conduct.

Security Awareness Training

All SAI360 personnel are required to complete security awareness training during their onboarding as well as annually. Topics included, but not limited to, are as follows:

• Information Security and Data Protection policies, procedures, and other ISMS supporting documentation
• Techniques to identify and avoid social engineering and phishing attacks Process to report security and privacy incidents
• Leading practices and principles on selecting and protecting user credentials
• Remote working and traveling security
• Acceptable use

In addition, Information Security conducts training activities throughout the year, including simulated spear-phishing (email) attacks for all personnel and role-based security training for developers and information security staff. Information Security reviews the training program annually to assess whether it reflects industry leading practices and current risks for information security personnel training.

Personnel Off-boarding

SAI360’s HR, Information Security and Information Technology (IT) departments work with managers to coordinate personnel exit upon termination or contract end date. Standard exit processes include:

• Termination of all system access on specified termination date and time
• Circulation of dis-enrollment messages amongst HR, Information Security and IT at the completion of each step of the exit process, to ensure personnel are dis-enrolled from SAI360’s systems accordingly
• Revocation of physical and remote access to SAI360 office locations and online systems
• Collection of all SAI360 property, including laptops, hard tokens, tablets and work from home kits
• Collection of SAI360 owned mobile devices, which are “wiped” clean before reassignment
• Distribution of confidentiality and non-solicit agreements at the time of exit to reiterate obligations

Identifying security threats and risks to the SAI360 infrastructure, applications, information assets, and overall environment is a continuous lifecycle which everyone at SAI360 has a responsibility to protect to maintain a secure environment. The following section will outline how SAI360 identifies security threats, mechanisms to protect against them and overall incident response process.

Security Testing

Security testing is a multi-faceted approach in which SAI360 does not depend on a single method, tool, service, or entity to identify security risks that affect our environment. Leveraging various methods and tools provides different attack angles in which SAI360 can identify potential security flaws and take appropriate steps to remediate or mitigate the risk prior to any threat actor exploiting it. This includes, but is not limited to, the following:

• Application Security Testing – As part of the development process, a variety of tools and tests are executed to identify and prevent as many vulnerabilities, coding flaws, and bugs as possible prior to releasing to production and customers new or updated versions of our services. This includes, but is not limited to, static code analysis, dynamic code analysis, software composition analysis, code quality testing, and functional testing. As all application security risks are reviewed and taken seriously, SAI360 WILL NOT release if a critical or high-risk vulnerability is found.
• External Penetration Testing – SAI360 partners with security consulting firms that specialize in external network and web application penetration testing by taking an ethical hacking approach that mimics adversarial methods with known and unknown information to identify security flaws across the environment. Web application penetration testing includes targeting common vulnerabilities as listed in the OWASP Top 10, such as including code injections and targeted attacks with the purpose of achieving elevated rights within the application. The penetration testing methodology is available to customers for review upon request and a summary of the latest results and remediation records are shared with customers with the appropriate NDA. SAI360 allows and welcomes customers to execute penetrating testing of their application instance by arrangement at their cost and will review any findings to be addressed as part of a remediation plan.
• Infrastructure & Network Vulnerability Assessments – SAI360 uses a range of vulnerability detection utilities against the internal and external networks and infrastructure including network scans, asset discovery, and configuration monitoring across cloud service providers and host images against hardening baselines.
• Continuous Vulnerability Assessments – Continuous internal vulnerability assessments of all corporate and customer facing systems and networks are executed using Rapid 7’s InsightVM services and deployed agents in real time which reports the vulnerability status of the system every six hours, based on change delta.

Security Monitoring

As the threat landscape is constantly evolving, it is critical to continuously monitor all assets within all environments along with any internal or external activities that stray from an established baseline. SAI360 has deployed and leverages Rapid 7’s InsightIDR SIEM and MDR services to serve as an extension of the Information Security team and overall operations function. This group works together to identify events of interest which require investigation and determine appropriate course of action to address any risks.

Security Incident Response

Responding to security events and incidents is a constant battle that every security and operations team faces on a daily basis. When, not if, an incident  occurs,  the primary role of the Information Security Incident Response Team (ISIRT) is to quickly respond to an incident, contain it, and mitigate the risks limiting the impact to the environment, information assets, and availability of services for our customers. SAI360 maintains a robust security incident response process to help ensure prompt notification and investigation of security incidents. SAI360’s security incident response process includes involvement from all Information Security, Data Privacy, Corporate IT, Cloud Operations, Development and support teams to ensure all required resources are available to address the incident and restore normal services. To help ensure the swift resolution of security incidents, the SAI360 Information Security team is available 24/7 to all SAI360 personnel.

Security Incident and Personal Data Breach Notification

SAI360 will advise the customer within three business days of becoming aware, or as otherwise agreed, of any security event or incident which has impacted the confidentiality, integrity, or availability, of the customer’s data. Such notification shall include the details of the information security incident, along with a description of the customer’s confidential information, or personal data that may have been accessed, the effect of the information security incident on the customer’s confidential information or personal data, and the corrective action taken or to be taken by SAI360. SAI360 shall promptly take all appropriate corrective actions and shall cooperate with the customer in all reasonable and lawful efforts to mitigate or rectify such an information security incident, including, without limitation, cooperation in complying with applicable personal data breach notification laws.

SAI360 maintains a ISO 27001 certified Information Security program that complies with applicable privacy laws and is consistent with standard practices and security standards in the risk and compliance technology industry. including the International Standards Association (ISO 27001). The program includes appropriate administrative, technical, physical, organizational, and operational safeguards and other security measures to maintain the security and confidentiality of customer and personal data and to protect it from known or reasonably anticipated threats or hazards to its security and integrity. SAI360 reviews its information security program at least annually, or after significant changes occur, to ensure its continuing compliance, suitability, adequacy, and effectiveness.

SAI360’s Information Security Management System (ISMS) includes, but is not limited to, the following:

• Roles and Responsibilities: established roles and responsibilities for information security, data protection, and compliance across the organization including assignment of Chief Information Security and Data Protection Officers, and Information Security Management Committee (ISMC) that consist of executive and senior leadership members who provide privacy, security, and compliance oversight
• Risk Management: a risk management program which includes an analysis of the criticality of data, an annual assessment of risks to the privacy and security of data which is commensurate with the criticality of the data, and a remediation plan to address any identified vulnerabilities and risks
• Security Policy: an Information Security Policy program which addresses creating and maintaining a comprehensive library of documented policies and procedures which support all aspects of the Information Security program and which is reviewed and approved by senior leadership annually or when significant changes to the regulatory or technical environment occur, to ensure that the policies and procedures are appropriate, accurate, and current, and in alignment with industry standards
• Workforce Security: comprehensive screening of new workforce members before being granted access to personal data, including background checks, as well as appropriate supervision during employment, procedures for personnel sanctions, and procedures for terminations and role change
• Security Awareness Training: training workforce about information security best practices, internal information security policies, and their obligations to protect personal data. Training should be required upon hiring and at a minimum frequency of annually thereafter
• Physical and Environmental Security: policies and standards specific to protecting physical areas which store data and systems as well as guarding against environmental damage and theft
• Change / Test Procedures: documented policies about system and application change control process, including appropriate segregation of test and operational data, system-supported segregation of duties, system planning, acceptance, and release
• Third-Party Risk Management: accurate and current accounting of all third parties, sub-processors, along with enforceable agreements which outline related security controls, audit rights, and compliance with applicable laws
• Malicious Code Protection: implementation of technical and procedural controls to guard against malicious software ensuring that the use of current software is configured and maintained according to suppliers’ recommendations
• Back-up and Testing Procedures: maintaining documented procedures for backing up and restoring data and testing those procedures regularly
• Network Security Management: implementation of technical and procedural controls to protect the confidentiality and integrity of restricted and confidential information passing over networks (internal and external), using well-defined industry standard perimeter controls and appropriate security zones, and the segmentation of internal networks
• Media Handling: procedures for media management including controls for portable media, media sanitization and disposal, and media accountability and tracking
• Exchange of Information: procedures for secure exchange of information being transmitted or physically shipped to external parties, including encryption of personal data, protection of information in transit, and policies governing appropriate disclosure of information to third parties
• System Event Logging and Monitoring: configuring systems to log critical system events and user activity to a central system, procedures for protecting, retaining, and accessing all logs. Automated and manual processes for appropriately monitoring logs
• Access Controls: documented policies for authorizing and provisioning user and system access to electronic resources which are based on the principle of least privilege, enforced industry standard authentication methods, and procedures for routine reviews of user and system accounts
• Mobile Computing Controls: policies governing the use of mobile devices and remote access
• Encryption: policies which address the use of cryptographic controls for information in a manner which is supported by current industry standards
• Patching and Vulnerability Management: implemented tools and procedures in a manner consistent with system developer recommendations and industry best practices for the following: routine vulnerability scanning; procedures for identification, mitigation procedures for and applying security patches and updates
• Incident and Event Reporting and Management: documented procedures for monitoring security events, identifying personal data breaches, responding to and mitigating personal data breaches, and providing required notifications
• Disaster Recovery and Contingency Planning: documented procedures for disaster response, data recovery, and emergency mode operations
• Operations Security Management: focuses on establishing effective operations management of the SAI360 environments with respect to information security requirements and IT and cloud security leading practices

SAI360 considers its Policies, Procedures and Standards as confidential intellectual property and in some instances external access would pose a significant risk to our information security. As such we limit the availability of such documents directly to customers. SAI360 will allow customers and or the independent auditors of our current customers to view in full relevant Information Security Management System (ISMS) documentation on request either on SAI360 site, or via an online meeting screen share or ‘Read Only’ access via SAI360 SharePoint for nominated personnel for a limited period under an Disclosure Agreement (NDA) or existing Customer Agreement Confidentiality Clause(s).

SAI360’s supplier risk management and assessment requirements comply with ISO 27001 and are published in our Information Security Management System (ISMS).

This includes policies relating to pre-contract supplier due diligence and ongoing monitoring of existing supplier relationships. SAI360 has instituted a risk-based approach to performing due diligence on perspective suppliers. The assessments include a risk classification based on the projected usage of services taken from this supplier, an evaluation of the third party’s controls relevant to the security and data protection of the services provided and the overall environment in which the services are provided from.

Information security requirements will vary according to the type of contractual relationship that exists with each supplier. The selection of controls is based upon a comprehensive risk assessment considering information security requirements, the product or service to be supplied, its criticality to the organization, and the capabilities of the supplier.

SAI360 has implemented ‘SAI360 GRC Vendor Risk’ module as a Service (SaaS) as our assessment tool. All suppliers are assessed prior to production use and annually thereafter.

SAI360’s general legal counsel carries out the legal review process for contracts entered into by SAI360. Where applicable, information security conducts risk assessments of vendors that process SAI360 data (including customer data) and/or have access to SAI360 systems. Additionally, Information Security works with the general legal counsel to determine and negotiate with the applicable vendor appropriate contractual protections related to information security.