BriefingIQ Security Policy & FAQ

BriefingIQ employs robust physical, administrative, and technical measures in alignment with industry benchmarks. Our primary goal is to ensure the confidentiality, integrity, and security of Customer’s data, guarding against threats, unauthorized access, and unlawful activities. We’ve established and continually maintain a robust network firewall to shield data, regularly conducting system and software updates, including patches, fixes, and other necessary modifications. All Customer Information remains securely behind our defenses, and state-of-the-art anti-malware software ensures that threats from viruses, spyware, and other harmful entities are countered. Furthermore, data at rest and in transit are encrypted, echoing the best practices in the industry. Routine security tests confirm the robustness of our systems against this Security Policy’s criteria.

Our emphasis on access control is paramount. Unique IDs are assigned to each individual granted access, and only those essential to the Permitted Purpose can access Customer’s Information. We maintain strict password protocols, ensuring the use of strong combinations, regular updates, and prompt response to potential breaches. We always keep Customer’s Information segregated from other data, and diligent monitoring of access logs identifies any unusual activities.

BriefingIQ’s organizational policy maintains a comprehensive information and network security blueprint encompassing employees, subcontractors, and suppliers. Regular checks ensure adherence to our established guidelines, and without the customer’s explicit written consent, BriefingIQ will not delegate or subcontract obligations under this Security Policy. Our protocols for external access to our systems require multi-factor authentication, offering an added layer of security, showcasing our unwavering commitment to safeguarding Controller Information and upholding the highest standards of data security.

How frequently is your infrastructure’s security assessed to identify and address potential weaknesses?

Our security assessment schedule involves a combination of automated security scans, manual vulnerability assessments, and penetration testing. These assessments are conducted on a quarterly basis, which allows us to maintain a proactive and vigilant stance against emerging security threats.

In addition to these quarterly assessments, we perform immediate assessments in response to significant changes in our infrastructure, such as major updates or system changes.

What measures are in place to ensure data isolation between different customers?

Because each customer has different requirements, and to give greater control over the environment, resources, and configurations, each customer’s data is completely isolated in a dedicated cloud account.

Why do you use an isolated environment for each customer?

Enhanced Data Isolation and Security

Each customer’s data is completely isolated within that customer’s dedicated account.

Data breaches or vulnerabilities in one customer’s environment are less likely to impact others.

Security measures can be tailored to the specific needs of each customer.

Customization and Control

Customers have greater control over their environment, resources, and configurations.

They can choose the services, security settings, and infrastructure that align with their unique requirements.

Regulatory Compliance

Different customers might have varying compliance needs and regulatory requirements.

Isolating customers in separate AWS accounts allows compliance controls to be tailored to each customer’s needs.

Resource Allocation and Performance

Dedicated AWS accounts prevent resource contention between customers.

Each customer can scale resources based on their own usage patterns without affecting others.

Enhanced Agility and Flexibility

Customers can rapidly deploy, test, and iterate on new features or configurations without affecting others.

Releases and updates can be carried out independently.

Isolation of Service Dependencies

Customer-specific billing and usage data are clearly separated.

Account management and financial tracking become simpler.

Scalability and Performance

Resources can be allocated dynamically based on each customer’s demand, ensuring optimal performance.

Smooth Onboarding and Off-boarding

Provisioning and de-provisioning of customer accounts become well-defined processes. Customer onboarding and off-boarding are streamlined.
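The isolation described above rests on one invariant: nothing outside a customer’s dedicated account (other than the operator’s own management account) may assume roles inside it. The following added example, which is not BriefingIQ code, shows one way to audit that invariant offline by scanning IAM role trust policies for principals from foreign accounts. The account IDs, role names and policy documents are constructed; in practice the role list would come from `iam:ListRoles`.

```python
"""Audit IAM role trust policies in a single-customer AWS account.

Added example, not BriefingIQ code. Flags any Allow statement whose AWS
principal belongs to an account other than the customer's own account or
an allow-listed management account. Sample data below is constructed.
"""
import json
import re

# Constructed sample: the dedicated customer account and the one external
# account (the operator's management account) permitted to assume roles into it.
CUSTOMER_ACCOUNT = "111111111111"
ALLOWED_EXTERNAL = {"222222222222"}

# Matches the account field of IAM/STS ARNs such as arn:aws:iam::123456789012:root
ARN_ACCOUNT_RE = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")


def principal_accounts(principal):
    """Return the 12-digit account IDs named by a Principal element.

    Only the "AWS" principal type is inspected; Service and Federated
    principals are not account trusts and are ignored. A wildcard is
    returned as "*".
    """
    if principal == "*":
        return {"*"}
    values = principal.get("AWS", []) if isinstance(principal, dict) else principal
    if isinstance(values, str):
        values = [values]
    accounts = set()
    for value in values:
        if value == "*":
            accounts.add("*")
        elif re.fullmatch(r"\d{12}", value):
            accounts.add(value)
        else:
            match = ARN_ACCOUNT_RE.match(value)
            if match:
                accounts.add(match.group(1))
    return accounts


def find_cross_account_trusts(roles, own_account, allowed_external):
    """Return (role_name, offending_account) pairs for foreign trust grants."""
    findings = []
    for role in roles:
        doc = role["AssumeRolePolicyDocument"]
        if isinstance(doc, str):  # the API may return the document as JSON text
            doc = json.loads(doc)
        statements = doc.get("Statement", [])
        if isinstance(statements, dict):  # a single statement need not be a list
            statements = [statements]
        for stmt in statements:
            if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
                continue
            for account in principal_accounts(stmt["Principal"]):
                if account != own_account and account not in allowed_external:
                    findings.append((role["RoleName"], account))
    return findings


# Constructed sample roles as iam:ListRoles would describe them.
SAMPLE_ROLES = [
    {"RoleName": "AppServerRole", "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                       "Action": "sts:AssumeRole"}]}},
    {"RoleName": "OpsBreakGlassRole", "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
                       "Action": "sts:AssumeRole",
                       "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}},
    {"RoleName": "DataAccessRole", "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"AWS": ["arn:aws:iam::111111111111:role/Ingest",
                                             "arn:aws:iam::333333333333:root"]},
                       "Action": "sts:AssumeRole"}]}},
    {"RoleName": "LegacyRole", "AssumeRolePolicyDocument": json.dumps({
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Principal": {"AWS": "*"},
                      "Action": "sts:AssumeRole"}})},
]

if __name__ == "__main__":
    for role_name, account in find_cross_account_trusts(
            SAMPLE_ROLES, CUSTOMER_ACCOUNT, ALLOWED_EXTERNAL):
        print(f"{role_name}: trusts foreign principal account {account}")
```

Two of the constructed roles are flagged: `DataAccessRole` trusts a second customer’s account, and `LegacyRole` trusts any principal. The break-glass role trusting the management account is accepted only because that account is explicitly allow-listed.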

Which members of the BriefingIQ staff are granted access to the infrastructure?

Access to BriefingIQ’s infrastructure is tightly controlled and granted only to authorized individuals based on their roles and responsibilities. The access is governed by the principle of least privilege, which means that individuals are granted the minimum level of access necessary to perform their specific tasks. The specific staff members who are granted access to the infrastructure can vary based on their roles and the needs of the organization.

Infrastructure and DevOps team

Access to manage, provision, configure, audit, and monitor the infrastructure, in addition to the privileges necessary to ensure availability and performance.

Development and Support team

Access to specific environments for development, testing, and debugging, in addition to on-demand access to restricted environments to analyze and assist with customer issues.

Management and Leadership team

Access to monitor overall health of the infrastructure and make informed decisions.

  • Access to infrastructure is determined by job roles and responsibilities.
  • Only staff members who require access to perform their duties are granted permission.
  • Access controls, such as user accounts, passwords, and multi-factor authentication (MFA), are enforced to ensure only authorized individuals can access infrastructure resources.
  • Access permissions are regularly reviewed to ensure they remain appropriate and necessary.
  • Any unnecessary or outdated access is promptly revoked.
  • Access to infrastructure is continuously monitored and logged.
  • Audit trails are maintained to track who accessed what and when.
  • Access is promptly revoked when staff members change roles, leave the organization, or when access is no longer required.
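The review and revocation commitments in the list above (MFA enforced, permissions reviewed regularly, stale or departed-staff access revoked) are the kind of thing a periodic script can check. The following added example, not BriefingIQ’s own tooling, runs such a review over a constructed subset of an AWS IAM credential report against a constructed staff roster. The column names follow the real credential report; the users, dates, roster and 90-day idle threshold are assumptions.

```python
"""Periodic access review over an IAM credential report.

Added example, not BriefingIQ code. Flags console users without MFA,
active access keys that are unused or idle past a threshold, and users
who are no longer on the current staff roster. All data is constructed.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed review date, standing in for datetime.now(timezone.utc)
REVIEW_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)
MAX_IDLE_DAYS = 90  # assumed policy threshold for unused access keys

# Constructed roster of current staff: username -> team
CURRENT_STAFF = {"alice": "devops", "bob": "support", "carol": "leadership"}

# Constructed credential report (a subset of the real report's columns)
CREDENTIAL_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_used_date
alice,true,true,true,2024-05-30T10:00:00+00:00
bob,true,false,false,N/A
carol,true,true,true,2024-01-15T09:30:00+00:00
dave,true,true,true,2024-05-28T12:00:00+00:00
"""


def review_access(report_csv, roster, now, max_idle_days):
    """Return (user, finding) pairs that a reviewer should act on."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]

        # Offboarding: any principal not on the current roster must go
        if user not in roster:
            findings.append((user, "not on current staff roster: revoke"))

        # Console access is only acceptable with MFA
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))

        # Long-lived keys that nobody uses are pure liability
        if row["access_key_1_active"] == "true":
            last_used = row["access_key_1_last_used_date"]
            if last_used == "N/A":
                findings.append((user, "active access key never used"))
            else:
                idle_days = (now - datetime.fromisoformat(last_used)).days
                if idle_days > max_idle_days:
                    findings.append((user, f"access key idle for {idle_days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in review_access(CREDENTIAL_REPORT, CURRENT_STAFF,
                                       REVIEW_TIME, MAX_IDLE_DAYS):
        print(f"{user}: {finding}")
```

On the constructed data this flags `bob` (console login without MFA), `carol` (a key idle for 137 days) and `dave` (not on the roster); `alice` is clean. Each finding maps to a bullet in the list above, which is what makes the list auditable rather than aspirational.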


Could you provide information about the hosting location and the compliance certifications that your infrastructure holds?

ISO 27001: This certification verifies that AWS has implemented and maintains comprehensive information security controls according to the ISO 27001 standard.

SOC 1/SSAE 18/ISAE 3402: These certifications validate AWS’s controls over financial reporting and are often required for organizations handling financial data.

CSA STAR: AWS is part of the Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR) registry, which provides transparency into security practices.

Is the transmission of data from users’ browsers to your servers conducted securely over the network?

HTTPS Encryption: We enforce the use of HTTPS (Hypertext Transfer Protocol Secure) for all communications between users’ browsers and our servers. HTTPS uses SSL/TLS protocols to encrypt the data transmitted over the network, preventing unauthorized access and eavesdropping.

SSL/TLS Protocols: We use modern and secure versions of SSL/TLS protocols to establish an encrypted connection between the user’s browser and our servers.

Certificate Authority: We obtain SSL/TLS certificates from reputable Certificate Authorities (CAs) to verify the authenticity of our servers and establish a trusted connection with users’ browsers.

HSTS (HTTP Strict Transport Security): We implement HSTS to ensure that browsers communicate with our servers over HTTPS only, preventing downgrade attacks and enhancing security.

What specific version of TLS is employed?

TLS 1.2
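The transport controls listed above (TLS with a modern minimum version, CA-validated certificates, HSTS) can be verified from the client side. The following added example, not BriefingIQ code, builds a TLS client context that refuses anything below TLS 1.2 and validates the server certificate, and evaluates a response’s `Strict-Transport-Security` header against a minimum `max-age`. The header values and the one-year threshold are constructed assumptions; `negotiated_tls_version` needs network access and is not exercised offline.

```python
"""Client-side checks for the transport controls in this FAQ.

Added example, not BriefingIQ code. Builds a hardened TLS client context
(minimum TLS 1.2, certificate and hostname verification) and evaluates an
HSTS header. Sample headers are constructed.
"""
import socket
import ssl

ONE_YEAR = 31536000  # assumed minimum max-age for a meaningful HSTS policy


def hardened_client_context():
    """TLS context that only negotiates TLS 1.2 or newer and verifies the peer."""
    ctx = ssl.create_default_context()  # loads system CA roots
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def negotiated_tls_version(host, port=443, timeout=5.0):
    """Connect with the hardened context and report the negotiated version.

    Raises ssl.SSLError if the server cannot meet the minimum version or
    presents an untrusted certificate. Requires network access.
    """
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


def evaluate_hsts(headers, min_max_age=ONE_YEAR):
    """Return (ok, reasons) for a dict of response headers.

    A policy passes only if max-age is numeric and at least min_max_age
    and includeSubDomains is present; preload is reported but optional.
    """
    value = None
    for name, header_value in headers.items():  # header names are case-insensitive
        if name.lower() == "strict-transport-security":
            value = header_value
    if value is None:
        return False, ["no Strict-Transport-Security header"]

    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, directive_value = part.partition("=")
        directives[name.strip().lower()] = directive_value.strip().strip('"')

    reasons = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        reasons.append("max-age missing or not numeric")
    elif int(max_age) < min_max_age:
        reasons.append(f"max-age {max_age} below minimum {min_max_age}")
    if "includesubdomains" not in directives:
        reasons.append("includeSubDomains not set")
    return not reasons, reasons


# Constructed sample responses, as a header dict from any HTTP client
GOOD_HEADERS = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}
WEAK_HEADERS = {"strict-transport-security": "max-age=300"}
NO_HSTS_HEADERS = {"Content-Type": "text/html"}

if __name__ == "__main__":
    print("minimum TLS:", hardened_client_context().minimum_version)
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS), ("none", NO_HSTS_HEADERS)):
        print(label, evaluate_hsts(hdrs))
```

A short `max-age` is the usual way an HSTS deployment fails quietly: the browser forgets the policy after a few minutes, so the downgrade protection the FAQ describes only holds for returning visitors if the header carries a long lifetime and covers subdomains.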

Is data adequately secured when at rest within your systems?

Yes, data is adequately secured when at rest within our systems. We employ a combination of encryption, access controls, and security best practices to ensure the confidentiality and integrity of data stored within our infrastructure.

Do you have antivirus software deployed within your environment, and does it perform periodic scanning?

BriefingIQ uses tools such as Amazon Inspector to find software vulnerabilities and unintended network exposure in real time on our application servers, which helps reduce the mean time to remediate any vulnerabilities.

We also leverage AWS Shield Standard and AWS WAF to protect the systems from SQL injection attacks and cross-site scripting, and to enforce any other boundary restrictions within which the system should operate.

Vulnerability Assessments: The platform undergoes regular vulnerability assessments and penetration testing. These tests help identify and remediate security weaknesses, ensuring that the system remains resilient against potential threats.

Could you outline your procedure for notifying customers about security issues as well as the corresponding solutions?

  1. Detect and confirm the security issue through monitoring, threat intelligence, or incident response procedures.
  2. Assess the severity and potential impact of the security issue on our customers’ data, systems, and operations.
  3. Assemble a cross-functional team that includes representatives from security, communication, technical, and management teams.
  4. Collaborate to identify appropriate solutions, including mitigation steps, to address the security issue.
  5. Develop a detailed communication plan that outlines the key elements of the notification process.
  6. Draft clear and informative communication content that includes details about the security issue, its impact, and the actions being taken to resolve it.
  7. Determine the appropriate communication channels, such as email, website announcements, customer portals, or direct notifications through our application.
  8. Decide on the timing for notifications, considering urgency, time zones, and the specific circumstances of the security issue.
  9. Craft messages that are transparent, honest, and free from technical jargon, using language that our customers can easily understand.
  10. Provide clear, actionable steps that affected customers can take to protect themselves, their data, and their systems.
  11. Provide regular updates to customers on the progress of resolving the security issue, keeping them informed about developments.
  12. After the issue is resolved, prepare a post-incident report that outlines the root cause, actions taken, and lessons learned.
  13. Offer customers channels to provide feedback, ask questions, and seek clarification about the incident and its resolution.
  14. Conduct a thorough review of the incident response process and identify areas for improvement. Implement changes to enhance future responses.