- On this page:
- Securing Our Products and Services
- Compliance with Laws, Regulations and Standards
- Personnel Onboarding
- Identifying and Addressing Security Threats
- Technical and Organizational Measures (TOMS)
- Securing Our Ecosystem and Third-party Risk Management
Information Security Program Overview
SAI360 maintains a comprehensive Information Security and Data Protection Compliance Program to mitigate risks for our customers, beginning with the design of our systems and followed by ongoing oversight and monitoring. The Information Security Program is founded on the ISO 27000 series of standards, the NIST Cybersecurity Framework (CSF), and leading cybersecurity practices, and it complies with applicable data protection and privacy laws. SAI360's Information Security Program is ISO 27001:2013 certified, with continuous monitoring and improvement processes that build upon those standard practices and security controls.
Administrative, technical, physical, organizational, and operational safeguards and other security measures are implemented to maintain a secure environment and the confidentiality, integrity, and availability of information within it from known and unknown threats.
Certifications and Attestations
The following certifications and attestations have been achieved for the applicable scope defined below.
| Certification / Attestation | 2022 Service Scope |
| --- | --- |
| ISO 27001 Certification | SAI360 organization and support services |
| SOC 1 Type II Report | SAI360 Healthcare GRC |
| SOC 2 Type II Report | |
| SOC 2 Type II + HITRUST Report | SAI360 Healthcare GRC |
Securing our Environment: Landscape Overview
As the threat landscape continuously evolves, SAI360 takes a multi-faceted approach to securing the environment, the devices that connect to it, and our end users. The following highlights some of the major areas and security controls implemented.
Securing Our Infrastructure and Services
Cloud and application security are critical components of maintaining a secure environment. From establishing a secure architecture with operational processes for deployment, maintenance and continuous monitoring, to embedding security and privacy by design principles into the software development lifecycle, SAI360 has built its infrastructure and applications on leading security and privacy practices and continuously improves them as the threat landscape evolves. The following highlights the measures that have been implemented throughout the environment.
- Formal security, data privacy and data classification policies and standards apply and are actively enforced, monitored, and updated when appropriate.
- Three-tier network architecture that grants network access based on data flow and the classification of the workload.
- Multi-layer security deployment for web interaction, program logic, and database activities, protected by a layered security stack that includes redundant firewalls, network intrusion detection systems (NIDS), and virus and malware protection.
- Encryption of data in transit is enforced using current market standards: TLS 1.2 or higher, certificates with 2048-bit RSA keys and SHA-2 signatures, and cipher suites with 256-bit encryption strength.
- Encryption of data at rest is enforced.
- Cloud tenant isolation is entirely account-based, with segregated data storage and encryption separating customer workloads from non-risk workloads.
- Multi-factor authentication is required for administrative access to servers and the network.
- Application security assessments include static application security testing (SAST), dynamic application security testing (DAST) and software composition analysis (SCA) as part of the software development life cycle (SDLC), performed before release to production.
- External penetration testing is performed annually by a CREST-certified third party, providing an objective review and independent test reports.
Additional Cloud Security Controls:
- AWS Web Application Firewall
- AWS Shield Advanced (DDoS Mitigation)
- AWS GuardDuty
- AWS Security Hub
- Cloud Security Posture Management (Wiz.io)
- Vulnerability Management / Incident Response (Rapid7)
- NextGen Firewall Integration (Fortinet/Palo Alto)
** All services listed are implemented and integrated.
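The transport encryption baseline stated above (TLS 1.2 or higher, 2048-bit RSA keys, SHA-2 certificate signatures, 256-bit encryption strength) is the kind of claim a customer assessor wants to verify rather than read. The following Python is an added example and not SAI360's code: it expresses that baseline as a policy check, audits a constructed scanner-style record of an endpoint against it, and builds an `ssl.SSLContext` that enforces the same minimums on the client side. The `ServerTlsProfile` shape, the `WEAK_SCAN` record, the hostnames and the threshold constants are assumptions chosen for illustration.

```python
"""Policy-as-code check for a transport encryption baseline:
TLS 1.2 or higher, 2048-bit RSA keys, SHA-2 certificate signatures
and 256-bit symmetric encryption.

Added example, not SAI360 code. The ServerTlsProfile shape, the
WEAK_SCAN record and the threshold constants are assumptions.
"""
import ssl
from dataclasses import dataclass
from typing import List, Optional, Tuple

MIN_RSA_BITS = 2048                        # "2048-bit RSA private keys"
MIN_SYMMETRIC_BITS = 256                   # "256-bit encryption strength"
ALLOWED_VERSIONS = {"TLSv1.2", "TLSv1.3"}  # "TLS 1.2 and higher"
WEAK_SIG_ALGS = {"sha1WithRSAEncryption", "md5WithRSAEncryption"}  # not SHA-2


@dataclass
class ServerTlsProfile:
    """One endpoint as an external scanner would report it (assumed shape)."""
    host: str
    protocols: List[str]
    cipher_suites: List[Tuple[str, str, int]]   # (name, protocol, strength_bits)
    key_type: Optional[str] = None              # None when no certificate was seen
    key_bits: Optional[int] = None
    sig_alg: Optional[str] = None


def audit_profile(p: ServerTlsProfile) -> List[str]:
    """Return one finding per deviation from the baseline; an empty list means compliant."""
    findings = []
    for v in p.protocols:
        if v not in ALLOWED_VERSIONS:
            findings.append(f"{p.host}: legacy protocol enabled: {v}")
    for name, proto, bits in p.cipher_suites:
        # Only TLS 1.2 suites are judged here: TLS 1.3 suites cannot be restricted
        # through ssl.SSLContext.set_ciphers(), so they need a server-side control.
        if proto == "TLSv1.2" and bits < MIN_SYMMETRIC_BITS:
            findings.append(f"{p.host}: {name} offers {bits}-bit encryption, "
                            f"below {MIN_SYMMETRIC_BITS}-bit")
    if p.key_type == "RSA" and p.key_bits is not None and p.key_bits < MIN_RSA_BITS:
        findings.append(f"{p.host}: RSA key is {p.key_bits} bits, below {MIN_RSA_BITS}")
    if p.sig_alg in WEAK_SIG_ALGS:
        findings.append(f"{p.host}: certificate signed with {p.sig_alg}, not SHA-2")
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """An ssl.SSLContext that refuses anything below the baseline."""
    ctx = ssl.create_default_context()            # certificate and hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3, TLS 1.0 and TLS 1.1 rejected
    # TLS 1.2 suites: forward secrecy (ECDHE) and 256-bit AEAD ciphers only
    ctx.set_ciphers(
        "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
        "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
    )
    return ctx


_VERSION_NAMES = {
    ssl.TLSVersion.SSLv3: "SSLv3", ssl.TLSVersion.TLSv1: "TLSv1.0",
    ssl.TLSVersion.TLSv1_1: "TLSv1.1", ssl.TLSVersion.TLSv1_2: "TLSv1.2",
    ssl.TLSVersion.TLSv1_3: "TLSv1.3",
}


def profile_from_context(host: str, ctx: ssl.SSLContext) -> ServerTlsProfile:
    """Describe what a context would negotiate, in the same shape as a scan result."""
    # MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are negative sentinels; widen them to the real range
    lo = ctx.minimum_version if ctx.minimum_version > 0 else ssl.TLSVersion.SSLv3
    hi = ctx.maximum_version if ctx.maximum_version > 0 else ssl.TLSVersion.TLSv1_3
    protocols = [name for ver, name in _VERSION_NAMES.items() if lo <= ver <= hi]
    suites = [(c["name"], c["protocol"], c["strength_bits"]) for c in ctx.get_ciphers()]
    return ServerTlsProfile(host, protocols, suites)  # a client context carries no certificate


# Constructed scan result for a misconfigured endpoint (assumed host, not real scan data).
WEAK_SCAN = ServerTlsProfile(
    host="legacy.example.internal",
    protocols=["TLSv1.0", "TLSv1.2"],
    cipher_suites=[("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128),
                   ("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", 256)],
    key_type="RSA", key_bits=1024, sig_alg="sha1WithRSAEncryption",
)

if __name__ == "__main__":
    for line in audit_profile(WEAK_SCAN):
        print("FAIL", line)
    hardened = profile_from_context("api.example.internal", hardened_client_context())
    print("hardened context findings:", audit_profile(hardened))
```

Two caveats a practitioner should keep in mind when reading a "256-bit only" claim: Python's `set_ciphers()` governs TLS 1.2 suites only, so under TLS 1.3 the 128-bit suite `TLS_AES_128_GCM_SHA256` remains negotiable unless the server restricts its TLS 1.3 ciphersuites (for example with OpenSSL's `Ciphersuites` directive); and the key-size and signature checks can only be made against the certificate an external scan actually observed, which is why `profile_from_context` leaves those fields empty for a client context.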
SAI360’s customers entrust us with sensitive data and we take that responsibility very seriously. SAI360 invests heavily in highly skilled personnel and in thorough security processes to protect it.
Chief Executive Officer of SAI360
Product and Software Development Lifecycle
Product related software development is performed by dedicated SAI360 engineering personnel, which consists of system architects, application engineers and database developers. The engineering department is divided by area of expertise required by product and life cycle.
Following the finalization of functional specifications, general software architecture is determined by the product software architect and a hosting services architect. In some cases, architectural considerations may result in changes to functional specifications. These adjustments are communicated back to respective stakeholders and a final functional specification and architecture is determined. This architecture is documented and released to the development manager for review, project scoping and resource assignment.
Customer data is never used in development. It is used only for load testing in a staging environment, and only with the customer's approval; that staging environment is subject to the same security policies and controls as the production environment.
Software Release Processes
Authority to release software from development to Quality Assurance (QA) is restricted to the development manager responsible for the product line. Authority to release software from QA systems to final qualification systems is restricted to the assigned release manager, once software meets pre-defined acceptance criteria for release.
Quality Assurance and Qualification Processes
A dedicated quality control team ensures all software made available to customers is of the highest quality and performance. This team has final veto authority for all software packages moving to production systems.
An extensive and comprehensive testing matrix is applied to all software releases testing functionality and support for a wide variety of operating systems and browser versions. New functionality is tested extensively and existing functionality is additionally tested to safeguard against regressions.
Software Release Process
Following a formal release to SAI360 hosting services, the software release package is reviewed by SAI360 cloud operations and a deployment strategy is assessed.
The release is initially deployed to a small, pre-determined number of systems. Following this controlled release, a general release cycle is undertaken with all systems receiving the update over a series of scheduled maintenance windows.
Patch and Version Management
Continuous improvements to software occasionally result in patches for SAI360 software product lines. All major and minor software releases, including patches, are uniquely versioned, and the version is visible to all operators. The release strategy for patch deployments follows the general software release process described above.
Secure Development Training
All employees and contractors who develop or write code as part of their primary responsibilities complete appropriate secure development training on an annual basis. This includes, but is not limited to:
- Review of the secure development coding practices and principles documented as part of the Information Security Management System (ISMS)
- Awareness of the Open Web Application Security Project (OWASP) Top 10 security risks
- Secure coding practices in the languages and frameworks of their respective application
Access to Source Code
All software access and versioning are strictly controlled through a source control system. Access to source code is granted on an as-needed basis and is restricted exclusively to SAI360 software engineering.
SAI360 performs penetration testing and vulnerability scanning to detect, mitigate, and resolve security issues, using tools appropriate to the virtual environment. This assessment reviews firewall policies, intrusion detection and prevention policies, system patch levels, exposure to known software exploits, and resistance to brute-force attacks.
SAI360 performs internal vulnerability scans of all corporate and customer-facing systems and networks continuously through a local Rapid7 agent, which reports each system's vulnerability status every six hours based on the change delta. No external access is provided.
SAI360 contracts leading information security consulting and services companies to run external network penetration tests against systems annually and web application penetration tests annually or as a result of significant change. Remediation plans are prepared after penetration testing and managed as a project to closure.
Customers can conduct their own external penetration testing by arrangement at their cost.
SAI360 complies with all applicable laws of the countries where it operates. The key legislation applicable to SAI360, in addition to other obligations and applicable national/state laws, is as follows:
- 201 CMR 17.00 (Massachusetts)
- Australian Privacy Act 1988 (C’th)
- California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA)
- Colorado Privacy Act (CPA)
- Data Protection Act 2018 (UK) and UK General Data Protection Regulation (UK GDPR)
- Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, GDPR)
- Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009
- Health Insurance Portability and Accountability Act (HIPAA)
- Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada), S.C. 2000, c. 5
- Virginia Consumer Data Protection Act (VCDPA)
We monitor industry sources for changes to laws and regulations and follow proposed legislation to make sure our operations remain compliant. SAI360 subscribes to regulatory alerts, maintains memberships of relevant organizations and receives additional updates through seminars and briefings. This is a critical component of our Information Security and Data Protection program in order to identify and maintain applicable legal and regulatory requirements impacting our Information Security Management System (ISMS).
SAI360 subprocessor agreements are subject to all applicable laws and regulations.
Privacy at SAI360
Security Incident and Personal Data Breach Notifications
SAI360 will advise the customer within three business days, or as otherwise agreed, of becoming aware of any security event or incident that has impacted the confidentiality, integrity, or availability of the customer's data. Such notification shall include the details of the information security incident, along with a description of the customer's confidential information or personal data that may have been accessed, the effect of the information security incident on the customer's confidential information or personal data, and the corrective action taken or to be taken by SAI360.
SAI360 shall promptly take all appropriate corrective actions and shall cooperate with the customer in all reasonable and lawful efforts to mitigate or rectify the information security incident, including, without limitation, cooperation in complying with applicable breach notification laws.
Internal and External Audits
An internal audit is executed using a staged plan throughout the year and prior to any external audits being performed. SAI360 is independently and externally audited against the following:
- ISO 27001:2013 annually to maintain certification
- SOC 1 Type II (AICPA SSAE 18 and AASB ISAE 3402 standards)
- SOC 2 Type II (AICPA SSAE 18 and AASB ISAE 3000 standards)
For environments hosting protected health information (PHI) in the Americas, compliance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and the HITECH breach notification requirements is audited and attested.
SAI360's ISO 27001 certificate is available to customers. SOC reports and ISMS documentation are classified by SAI360 Information Security as confidential and are provided on a view-only basis under a Non-Disclosure Agreement (NDA) or the confidentiality clause(s) of an existing customer agreement. Please contact your account manager or sales representative.
Law Enforcement and Government Requests for Data
SAI360 will only share customer data if it is required to be disclosed by operation of law, government regulation, or court order. If a law enforcement agency or government body sends SAI360 a demand for customer data, SAI360 will attempt to redirect the agency to request that data directly from the customer. As part of this effort, SAI360 may provide the customer's basic contact information to the requesting agency. If compelled to disclose customer data to a law enforcement agency or government body, SAI360 will give the customer reasonable notice of the demand so that the customer can seek a protective order or other appropriate remedy, unless SAI360 is legally prohibited from doing so.
SAI360 holds commercial general liability, automobile liability, workers’ compensation, cybersecurity, crime, employment practices, and umbrella coverages in varying amounts at the levels expected of a global organization. We can provide additional details, including evidence of coverages, by request.
Securing Our People
As information security and data protection is everyone’s responsibility, SAI360 arms its personnel (employees, contractors, and sub-contractors) with appropriate resources and training in order to perform their job responsibilities with security and data protection in mind. Below are control areas implemented and managed by Human Resources (HR), Legal Counsel, and Information Security ensuring that SAI360 personnel are held accountable and comply with all applicable policies.
HR requires that all SAI360 personnel complete SAI360 Code of Business Conduct training and Security Awareness and Data Protection training within the first 30 days of employment or contractor engagement. Personnel are required to sign Confidentiality Agreements/Non-Disclosure Agreements (NDAs), under which they agree not to disclose, divulge, or reproduce confidential information that they receive or have access to during their employment or contract work period with SAI360.
SAI360 conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations. Where allowed, the following elements are included in the background check:
- Validation of personal references
- Validation of work references
- Confirmation of academic and professional qualifications
- CV work history verification
- Check on criminal records
Unsupervised physical access to SAI360's premises or network IDs is not provided until a full background check is completed.
In addition, Information Security requires that all SAI360 personnel are issued a SAI360 ID badge to access SAI360 facilities.
SAI360 Code of Conduct Certification
Annually, SAI360 requires that all personnel certify compliance with the SAI360 Code of Business Conduct.
Security Awareness Training
All SAI360 personnel are required to complete security awareness training during their onboarding as well as annually. Topics included, but not limited to, are as follows:
- Information Security and Data Protection policies, procedures, and other ISMS supporting documentation
- Techniques to identify and avoid social engineering and phishing attacks
- Process to report security and privacy incidents
- Leading practices and principles on selecting and protecting user credentials
- Remote working and traveling security
- Acceptable use
In addition, Information Security conducts training activities throughout the year, including simulated spear-phishing (email) attacks for all personnel and role-based security training for developers and information security staff. Information Security reviews the training program annually to assess whether it reflects industry leading practices and current risks.
SAI360's HR, Information Security and Information Technology (IT) departments work with managers to coordinate personnel exit upon termination or contract end date. Standard exit processes include:
- Termination of all system access on specified termination date and time
- Circulation of dis-enrollment messages amongst HR, Information Security and IT at the completion of each step of the exit process, to ensure personnel are dis-enrolled from SAI360’s systems accordingly
- Revocation of physical and remote access to SAI360 office locations and online systems
- Collection of all SAI360 property, including laptops, hard tokens, tablets and work from home kits
- Collection of SAI360 owned mobile devices, which are “wiped” clean before reassignment
- Distribution of confidentiality and non-solicit agreements at the time of exit to reiterate obligations
Identifying security threats and risks to the SAI360 infrastructure, applications, information assets, and overall environment is a continuous lifecycle, and everyone at SAI360 shares the responsibility for maintaining a secure environment. The following section outlines how SAI360 identifies security threats, the mechanisms that protect against them, and the overall incident response process.
Security testing is a multi-faceted approach in which SAI360 does not depend on a single method, tool, service, or entity to identify security risks affecting our environment. Using a variety of methods and tools provides different attack angles from which SAI360 can identify potential security flaws and take appropriate steps to remediate or mitigate the risk before any threat actor exploits it. This includes, but is not limited to, the following:
Application Security Testing – As part of the development process, a variety of tools and tests are executed to identify and prevent as many vulnerabilities, coding flaws, and bugs as possible before new or updated versions of our services are released to production and to customers. This includes, but is not limited to, static code analysis, dynamic code analysis, software composition analysis, code quality testing, and functional testing. All application security risks are reviewed and taken seriously, and SAI360 will not release if a critical or high-risk vulnerability is found.
External Penetration Testing – SAI360 partners with security consulting firms that specialize in external network and web application penetration testing, taking an ethical hacking approach that mimics adversarial methods with known and unknown information in order to identify security flaws across the environment. Web application penetration testing targets common vulnerabilities such as those in the OWASP Top 10, including injection flaws and attacks aimed at gaining elevated privileges within the application. The penetration testing methodology is available to customers for review upon request, and the latest results and remediation records are shared with customers under an appropriate NDA. SAI360 allows and welcomes customers to execute penetration testing of their own application instance by arrangement at their cost, and will review any findings and address them as part of a remediation plan.
Infrastructure & Network Vulnerability Assessments – SAI360 uses a range of vulnerability detection utilities against the internal and external networks and infrastructure including network scans, asset discovery, and configuration monitoring across cloud service providers and host images against hardening baselines.
Continuous Vulnerability Assessments – Continuous internal vulnerability assessments of all corporate and customer-facing systems and networks are executed using Rapid7's InsightVM service and deployed agents, which report each system's vulnerability status every six hours based on the change delta.
As the threat landscape is constantly evolving, it is critical to continuously monitor all assets within all environments, along with any internal or external activity that strays from an established baseline. SAI360 has deployed Rapid7's InsightIDR SIEM and MDR services to serve as an extension of the Information Security team and the overall operations function. This group works together to identify events of interest that require investigation and to determine the appropriate course of action to address any risks.
Security Incident Response
Responding to security events and incidents is a constant battle that every security and operations team faces on a daily basis. When, not if, an incident occurs, the primary role of the Information Security Incident Response Team (ISIRT) is to quickly respond to an incident, contain it, and mitigate the risks limiting the impact to the environment, information assets, and availability of services for our customers. SAI360 maintains a robust security incident response process to help ensure prompt notification and investigation of security incidents. SAI360’s security incident response process includes involvement from all Information Security, Data Privacy, Corporate IT, Cloud Operations, Development and support teams to ensure all required resources are available to address the incident and restore normal services. To help ensure the swift resolution of security incidents, the SAI360 Information Security team is available 24/7 to all SAI360 personnel.
SAI360 maintains an ISO 27001:2013 certified Information Security program that complies with applicable privacy laws and is consistent with standard practices and security standards in the risk and compliance technology industry, including ISO/IEC 27001:2013. The program includes appropriate administrative, technical, physical, organizational, and operational safeguards and other security measures to maintain the security and confidentiality of customer and personal data and to protect it from known or reasonably anticipated threats or hazards to its security and integrity. SAI360 reviews its information security program at least annually, or after significant changes occur, to ensure its continuing compliance, suitability, adequacy, and effectiveness.
SAI360’s Information Security program includes, but is not limited to, the following:
Roles and Responsibilities: Established roles and responsibilities for information security, data protection, and compliance across the organization, including the assignment of Chief Information Security and Data Protection Officers and an Information Security Management Committee (ISMC) that consists of executive and senior leadership members who provide privacy, security, and compliance oversight
Risk Management: A risk management program which includes an analysis of the criticality of data, an annual assessment of risks to the privacy and security of data which is commensurate with the criticality of the data, and a remediation plan to address any identified vulnerabilities and risks
Security Policy: An Information Security Policy program which addresses creating and maintaining a comprehensive library of documented policies and procedures which support all aspects of the Information Security program and which is reviewed and approved by senior leadership annually or when significant changes to the regulatory or technical environment occur, to ensure that the policies and procedures are appropriate, accurate, and current, and in alignment with industry standards
Workforce Security: Comprehensive screening of new workforce members before being granted access to personal data, including background checks, as well as appropriate supervision during employment, procedures for personnel sanctions, and procedures for terminations and role change
Security Awareness Training: Training the workforce on information security best practices, internal information security policies, and their obligations to protect personal data. Training is required upon hiring and at least annually thereafter
Physical and Environmental Security: Policies and standards specific to protecting physical areas which store data and systems as well as guarding against environmental damage and theft
Change / Test Procedures: Documented policies about system and application change control process, including appropriate segregation of test and operational data, system-supported segregation of duties, system planning, acceptance, and release
Third-Party Risk Management: Accurate and current accounting of all third parties, sub-processors, along with enforceable agreements which outline related security controls, audit rights, and compliance with applicable laws
Malicious Code Protection: Implementation of technical and procedural controls to guard against malicious software, ensuring that current software is used, configured and maintained according to suppliers' recommendations
Back-up and Testing Procedures: Maintaining documented procedures for backing up and restoring data and testing those procedures regularly
Network Security Management: Implementation of technical and procedural controls to protect the confidentiality and integrity of restricted and confidential information passing over networks (internal and external), using well-defined industry standard perimeter controls and appropriate security zones, and the segmentation of internal networks
Media Handling: Procedures for media management including controls for portable media, media sanitization and disposal, and media accountability and tracking
Exchange of Information: Procedures for secure exchange of information being transmitted or physically shipped to external parties, including encryption of personal data, protection of information in transit, and policies governing appropriate disclosure of information to third parties
System Event Logging and Monitoring: Configuring systems to log critical system events and user activity to a central system, procedures for protecting, retaining, and accessing all logs. Automated and manual processes for appropriately monitoring logs
Access Controls: Documented policies for authorizing and provisioning user and system access to electronic resources which are based on the principle of least privilege, enforced industry standard authentication methods, and procedures for routine reviews of user and system accounts
Mobile Computing Controls: Policies governing the use of mobile devices and remote access
Encryption: Policies which address the use of cryptographic controls for information in a manner which is supported by current industry standards
Patching and Vulnerability Management: Tools and procedures implemented in a manner consistent with system developer recommendations and industry best practices for routine vulnerability scanning and for identifying, mitigating and applying security patches and updates
Incident and Event Reporting and Management: Documented procedures for monitoring security events, identifying personal data breaches, responding to and mitigating personal data breaches, and providing required notifications
Disaster Recovery and Contingency Planning: Documented procedures for disaster response, data recovery, and emergency mode operations
Operations Security Management: Focuses on establishing effective operations management of the SAI360 environments with respect to information security requirements and IT and cloud security leading practices
SAI360 considers its policies, procedures and standards to be confidential intellectual property, and in some instances external access would pose a significant risk to our information security. As such, we limit the direct availability of these documents to customers. SAI360 will allow customers and/or the independent auditors of current customers to view relevant Information Security Management System (ISMS) documentation in full on request, either on an SAI360 site, via an online meeting screen share, or through 'Read Only' access via SAI360 SharePoint for nominated personnel for a limited period, under a Non-Disclosure Agreement (NDA) or the confidentiality clause(s) of an existing customer agreement.
SAI360’s supplier risk management and assessment requirements comply with ISO 27001 and are published in our Information Security Management System (ISMS).
This includes policies relating to pre-contract supplier due diligence and ongoing monitoring of existing supplier relationships. SAI360 has instituted a risk-based approach to performing due diligence on prospective suppliers. The assessments include an evaluation of the third party's controls relevant to the security and data protection of the services provided and of the overall environment from which the services are provided.
Information security requirements will vary according to the type of contractual relationship that exists with each supplier. The selection of controls is based upon a comprehensive risk assessment taking into account information security requirements, the product or service to be supplied, its criticality to the organization, and the capabilities of the supplier.
SAI360 has implemented ‘SAI360 GRC Vendor Risk’ Software as a Service (SaaS) as our assessment tool. All suppliers are assessed prior to production use and annually thereafter.
SAI360’s general legal counsel carries out the legal review process for contracts entered into by SAI360. Where applicable, information security conducts risk assessments of vendors that process SAI360 data (including customer data) and/or have access to SAI360 systems. Additionally, Information Security works with the general legal counsel to determine and negotiate with the applicable vendor appropriate contractual protections related to information security.