Security Policy
Last Updated: 8/30/2022
Introduction
As a security firm, we are deeply committed to security and privacy. Our goal is to make sure you have the information you need to feel confident in our ability to provide you with a secure platform.
Our program includes the governance and technical controls to ensure that the information we handle is secure and monitored. We’ve adopted a set of policies aligned to NIST 800-53 and NIST CSF to develop a comprehensive security program.
The list below outlines our security program and features. A summary of our program and corresponding policies follows below.
User access is protected through strong authentication.
Internal system access is controlled through the practice of least privilege and multi-factor authentication (MFA).
System access is logged and audited.
Data is encrypted in transit and at rest.
Front-end firewall and intrusion detection blocks unauthorized traffic.
Tested Business Continuity Plan.
Third party vendors and contractors are fully vetted.
Customer data are logically separated.
Comprehensive security training program for all employees.
Security focused software development and change management processes.
Incident response training and readiness program.
Consistent system patching and vulnerability review.
Annual risk assessment.
Quarterly network vulnerability scans.
Security Program Details
Our security policy establishes its position on a range of security-related topics. While executive leadership is accountable for the execution of the program, the entire company works diligently to ensure that the security of our customers comes first. Our policies reflect our commitment to providing a trusted solution.
Alignment with NIST 800-53
We align our information security program to the NIST 800-53 framework. Maturation of the information security program is driven by alignment to this framework and an understanding of any potential or evolving threats.
Security Training
Our Security Training is a mandatory requirement for all employees. The training is structured to educate employees on the Information Security & Privacy Policies, provide an understanding of security in the context of our service and industry, instill the commitment to protect the security needs of our customers, and most of all, to ensure the safety and security of our customers’ data.
Application Security
Application security is of utmost importance. With applications running in the cloud, we know our cloud partner is responsible for infrastructure-level security; but we, under their Shared Responsibility model, are responsible for our application security. To ensure that we follow best practices for application security, we train on the OWASP Top 10 and perform both internal and external security code reviews.
Data Encryption
We secure all data in transit via TLS. Systems are configured to require the TLS protocol, meeting industry standards for externally facing systems. You can view an up-to-date assessment of our TLS configurations by visiting SSL Labs SSL Test.
Symmetric encryption (AES-256) is used to protect data at rest. This ensures that data is only viewable by authorized users.
Data Access and Handling
Our environment is highly restricted by design. Access controls are in place to ensure that data is only available to appropriate parties. Internally, our employees may be granted access to our platform for administration purposes only. All data is encrypted in transit and at rest in our systems.
Questions
Contact our security team at security[at]cruxsecurity.ai.