CyberCNS Information Security
Security By Design
Several hundred partners and customers across the globe trust us with their IT Infrastructure data being processed by our product. We back ourselves up with robust data security and privacy practices that form an integral part of our product engineering and service delivery principles. We are in the final stages of getting the following certifications.
Behind the scenes
As a custodian of partners' and customers' data, CyberCNS rests its service delivery on three key tenets: a multi-fold security architecture, robust product delivery, and a highly resilient service platform.
Protecting your data - Multi-tiered data security model
Secure Product Build - End-to-end security in product lifecycle
Highly Resilient Architecture - Always lights-on for your business
Protecting your data
We understand the value of data. With our robust system of data safeguards, we let you focus on the data rather than on its security.
Our secure hosting partner
Virtual Private Cloud
Hosted in dedicated VPCs in non-promiscuous mode, further segmented into subnets for increased security and manageability.
Perimeter Security
Routing rules are hardened against pre-established criteria that define the permissible traffic flows between all resources.
Access Controls
Role-based access through IAM enforces segregation of duties, two-factor authentication and end-to-end audit trails, ensuring that access is granted according to its security context.
Encryption
AES-256 encryption for data at rest and HTTPS with TLS 1.2 for data in transit.
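The transit claim above is only as good as the server configuration that enforces it, so a practical check is to lint the TLS protocol floor of each web server. The following is an added example (not CyberCNS's code or configuration): it takes two constructed nginx-style fragments, one still offering TLS 1.0/1.1 and one restricted to TLS 1.2 and 1.3, and reports any protocol below the TLS 1.2 floor. The directive name and syntax are nginx's; the fragments themselves are hypothetical.

```python
import re

# Protocols that fall below the TLS 1.2 floor stated in the policy.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}

# Constructed sample fragments (hypothetical, not a real deployment's config).
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
"""

HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
}
"""

# Matches an nginx "ssl_protocols <tokens>;" directive at the start of a line.
_PROTO_RE = re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.MULTILINE)


def enabled_protocols(config_text):
    """Return the set of protocol tokens enabled by ssl_protocols, or None if absent."""
    match = _PROTO_RE.search(config_text)
    if match is None:
        # No explicit directive: the effective floor is whatever the server
        # default is, which is itself worth flagging.
        return None
    return set(match.group(1).split())


def check_tls_floor(config_text):
    """Return a list of findings; an empty list means the TLS 1.2 floor holds."""
    protos = enabled_protocols(config_text)
    if protos is None:
        return ["ssl_protocols not set explicitly; relies on server default"]
    findings = [f"weak protocol enabled: {p}" for p in sorted(protos & WEAK_PROTOCOLS)]
    unknown = protos - WEAK_PROTOCOLS - ACCEPTABLE
    findings += [f"unrecognised protocol token: {p}" for p in sorted(unknown)]
    if not protos & ACCEPTABLE:
        findings.append("no TLS 1.2 or later protocol enabled")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", check_tls_floor(cfg) or "OK")
```

Running the same check across every server block in a fleet's configuration, as part of the build pipeline, turns the "TLS 1.2 in transit" statement into a verifiable gate rather than a one-time setting.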
Management Plane
Administrative connections to the servers are made only through a bastion host, over a secure administrative tunnel restricted to whitelisted IP addresses.
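The two controls above (hardened perimeter rules and bastion-only administration) reduce to a property that can be audited mechanically: admin ports on the bastion are reachable only from the whitelisted addresses, and admin ports on every other host are reachable only from the bastion. The following is an added example, not CyberCNS's code: it evaluates a constructed set of ingress rules against that property. The bastion address, the admin allowlist and the rule set are all hypothetical sample values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values (hypothetical, documentation-range addresses).
BASTION_IP = "198.51.100.10"          # the bastion host's public address
ADMIN_ALLOWLIST = ["203.0.113.0/24"]  # whitelisted administrator source range
ADMIN_PORTS = {22, 3389}              # SSH and RDP


@dataclass(frozen=True)
class IngressRule:
    target: str   # resource the rule is attached to, e.g. "bastion" or "app-server-1"
    proto: str    # "tcp" or "udp"
    port: int
    source: str   # CIDR admitted by the rule


def _allowed_by(cidrs, source_cidr):
    """True if every address in source_cidr lies inside one of the allowed CIDRs."""
    src = ipaddress.ip_network(source_cidr, strict=False)
    for cidr in cidrs:
        allowed = ipaddress.ip_network(cidr, strict=False)
        if allowed.version == src.version and src.subnet_of(allowed):
            return True
    return False


def audit_admin_access(rules, bastion_ip=BASTION_IP, allowlist=ADMIN_ALLOWLIST):
    """Return findings for admin-port rules that violate the bastion-only model."""
    findings = []
    for r in rules:
        if r.proto != "tcp" or r.port not in ADMIN_PORTS:
            continue  # non-admin traffic is out of scope for this check
        if r.target == "bastion":
            if not _allowed_by(allowlist, r.source):
                findings.append(
                    f"{r.target}: admin port {r.port} open to {r.source}, "
                    f"which is not in the admin allowlist")
        else:
            # Any other host may accept admin traffic only from the bastion itself.
            if not _allowed_by([f"{bastion_ip}/32"], r.source):
                findings.append(
                    f"{r.target}: admin port {r.port} reachable from {r.source} "
                    f"instead of the bastion only")
    return findings


# Constructed rule set mixing compliant and non-compliant entries.
SAMPLE_RULES = [
    IngressRule("bastion", "tcp", 22, "203.0.113.0/24"),         # compliant
    IngressRule("bastion", "tcp", 22, "0.0.0.0/0"),              # violation: world-reachable
    IngressRule("app-server-1", "tcp", 22, "198.51.100.10/32"),  # compliant: bastion only
    IngressRule("app-server-2", "tcp", 22, "10.0.0.0/8"),        # violation: whole private range
    IngressRule("app-server-2", "tcp", 443, "0.0.0.0/0"),        # not an admin port, ignored
]

if __name__ == "__main__":
    for finding in audit_admin_access(SAMPLE_RULES):
        print("FINDING:", finding)
```

Feeding this check the exported security-group or firewall rules of each environment on every change gives a continuous assurance that the perimeter and management-plane claims still hold, rather than relying on the initial hardening alone.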
Malware & Spam Protection
Malware and spam protection is applied using the latest threat signatures and supports real-time scanning and blocking.
Secure Product Build
Information security and data privacy requirements are baked into every release cycle and form part of the blueprint considerations of the product.
Product Roadmapping
The product road-map is defined and reviewed periodically by the Product Owner. Security fixes are prioritised and bundled into the earliest possible sprint.
DevOps Squad
Our DevOps sprints are powered by a multidisciplinary Squad whose members include the Product Owner, Squad Lead, and Quality Assurance.
Code Review
All changes are tested by the Quality Assurance team, and criteria are established for performing code reviews, web vulnerability assessments, and advanced security tests.
Quality Assurance
Builds are put through stringent functionality tests, performance tests, stability tests, and UX tests before the build is certified "Good to go".
Version Control
Source code is managed centrally under version control, with access restricted to the teams assigned to specific sprints. Records are maintained for code changes and for code check-ins and check-outs.
Segregation of Duties
Access to production is restricted to a very limited set of users based on their job roles. Access to the production environment for developers and Quality Assurance team members is restricted according to their job responsibilities.
Blue-Green Deployment
We follow a blue-green deployment strategy for deploying changes to the production environment, which allows us to roll out upgrades in a seamless manner.
Highly Resilient Architecture
The architecture is built with resiliency in mind, ensuring high availability for both the product and its data.
Component Redundancy
All components are deployed in 'n+1' mode across multiple availability zones, configured in active-active mode behind a load balancing service.
Highly Scalable DNS
Users are routed to the best endpoint based on geo-proximity, latency, health, and other considerations.
Platform Load Balancing
Application traffic is automatically distributed across multiple availability zones, which supports high availability, auto scaling and robust security.
Data Backup
Near real-time backups are maintained in another AWS Availability Zone. Cloud snapshots are taken every day and retained for the last seven days.
Cross Geo Redundancy
Multiple mirrored Availability Zones are set up and serve customers in real time, thereby providing seamless DR capability.
Incident & Breach Management
Procedures are established for reporting incidents and tracking them through timely communication, investigation and resolution.
Content Distribution Network
A geographically distributed network of proxy servers and their data centres. The goal is to distribute the service spatially relative to end users, providing high availability and high performance.
Security Operations
Situational awareness through the detection, containment, and remediation of any suspected or actual security incidents. Tactical rules and data sensors are configured to provide suitable early warnings and alerts.
Capacity Management
Proactive capacity monitoring based on conservative thresholds, with on-demand capacity expansion through our highly elastic hosting partners.
Policies and procedures
Policies and procedures in line with ISO 27001:2013 standards are defined and regularly audited.
The processes are reviewed annually and any changes are communicated to all relevant employees.
Training and awareness
Requirements for responsible handling of data including any types of personal information are communicated to all employees as part of their induction into CyberCNS.
Further, any changes to these requirements are communicated as and when they are rolled out, and annual refresher training is conducted for all employees.
Confidentiality agreements
All employees sign an agreement of data confidentiality when they join CyberCNS. Data includes all information including any client information that they become aware of.
Confidentiality agreements are also signed with all vendors and sub-processors, alongside appropriate service contracts with them.
Code of conduct
Our Code of Conduct is a set of common rules and standards of ethics that every CyberCNS employee is expected to follow in letter and in spirit.
These are basic principles of appropriate conduct that will bind every person in our company.
It sets out our values, responsibilities and ethical obligations. It is intended to act as guidance for our employees when handling difficult ethical situations related to the business - to do the right thing!
CyberCNS takes its work culture, and any deviation from it, seriously, so employees are encouraged to speak up about any violations.
Technical Security Compliance
This function is responsible for ensuring that information security requirements are adhered to in the application architecture and the technology landscape. Application security assessments such as code reviews, Vulnerability Assessment and Penetration Testing (VAPT) are carried out periodically, both internally and by independent, accredited third-party firms.
Under implementation
ISSC
CyberCNS is in the process of establishing an Information Security Steering Committee (ISSC), comprising executive leadership members, which sets the tone and drives the agenda for information security practices. The ISSC will drive the following:
Information Security Road-map
Ensure that the information security road-map is well thought through, factors in all customer, regulatory and contractual requirements, and is adjusted for internal and external threat vectors.
Information Security Governance
On a half-yearly basis, the ISSC reviews information security initiatives, projects and the current security posture, provides recommendations on direction, and resolves any roadblocks.
Information Security Expertise
The ISSC ensures that adequate expertise is available for all information security initiatives, leveraging the guidance of security experts from internal and external sources.
Key Resource Allocation
Ensure that adequate people and financial resources are made available to the various initiatives for effective execution.
Governance, Risk & Compliance (GRC)
Inclusive and transparent governance that is risk-aware and customer-centric.
Information Security Team
A dedicated group of information security professionals (GRC experts, Security Architects, Technical Security Engineers, Security Operations Specialists, and Security Advisors) handles information security duties. The information security team reports to the Chief Risk Officer (CRO) and takes care of newer initiatives and projects, ensuring compliance on steady-state and delivering continuous improvements to the security posture.
Risk Management
The information security team assesses security risks annually and on an ongoing basis when major changes occur. The feeder channels factored into risk management include findings from audits, incidents, the changing threat landscape, and changing contractual and regulatory requirements.
Audit and Compliance
CyberCNS is audited by audit specialists from within the organization and/or from independent external bodies.
CyberCNS audits its products, processes, and vendors based on a risk-based cadence such that all entities are audited at least once a year.
Audit findings are reported directly to the ISSC, and the Information Security team tracks and reports on the remediation of each finding until its closure.