Security & Privacy
at ISoft Data Systems
Security is at the core of our operations—ensuring the safety of our customers and users begins with our own recipe for compliance and care.
ISoft Data Systems' Systems and Compliance teams institute policies and controls, monitor compliance with those controls, and validate our security measures with third-party auditors.
Our policies are based on the following foundational principles:
1. Access should be restricted to those with valid business purposes and permissioned by the principle of least privilege.
2. Security mechanisms should be implemented within the principle of defense-in-depth.
3. Security controls should be applied invariably across all areas of the organization.
4. Implemented security controls should mature continuously, with each iteration increasing efficacy, improving auditability, and reducing inconsistencies.
ISoft Data Systems is currently seeking SOC 2 Type II attestation, defined by AICPA.
Data Protection
Data at Rest
All customer data in our cloud environment is encrypted at rest by default. Sensitive data is safeguarded with field-level encryption and data stored in our cloud infrastructure is protected at rest by the Advanced Encryption Standard algorithm, AES-256.
Data in Transit
Our sites are secured with HTTPS (Hypertext Transfer Protocol Secure), requiring TLS or SSL for encryption. Where TLS is used for serving traffic across the public internet, it must be TLS 1.2 or higher.
Secret Management
Encryption keys at ISoft Data Systems are stored securely in accordance with industry standards, including NIST SP 800-57. Application secrets are strictly restricted and multi-factor authentication is required to access sensitive resources.
Product Security
ISoft Data Systems requires vulnerability scanning as part of our Software Development Lifecycle (SDLC). Scans are performed via GitHub and Google Cloud Web Vulnerability scanners constantly and at least weekly, respectively. Our product security is designed following industry-standard Open Worldwide Application Security Project (OWASP) recommendations.
Enterprise Security
Endpoint Protection & Secure Remote Access
All company devices are equipped with anti-malware protection and lightweight, security-driven monitoring software. ISoft Data Systems internal resources accessed remotely are secured with a VPN.
Security Education
ISoft Data Systems provides security training upon onboarding and annually to all employees. In addition, throughout the year, all employees are updated on the current threat landscape and tested on their individual abilities to detect (simulated) attacks.
Our Systems and Compliance teams attend security-oriented conferences throughout the year and facilitate team preparedness with simulated emergency drills.
Identity & Access Management
Our employees are provided access to applications in accordance with their role, and their system access is automatically removed upon termination of employment. Additional access must be approved in line with policies set for each application. Individual user accounts may be granted additional permissions as needed with approval from the system owner or authorized party.
Vendor Security
ISoft Data Systems uses a risk-based approach for assessing vendors. Vendors are evaluated according to their own risk assessments.

