Get started with a 30-day free trial! Sign up now

Overview

Platform Security

Company Overview

• GroupSolver Inc., is in the final stages of preparation for the certification audit of ISO27001 norm which will be completed, and the company expects to be certified in 1H2023

• Company appointed formal role CISO responsible for ISMS project

Data Security

  1. Data classification
    • We apply a data classification policy for all our data, which forms the basis for an additional security policy.
  2. Data storage
    • For data storage, we use cloud storage services on public Cloud Platforms. This gives us performance and scalability of our storage. By default, all data are stored in the US region. We are able to store and deploy in the selected supported region on request.
  3. Data encryption
    • We only use secure encryption techniques for encryption for data at REST and for data in transit.
    • To add additional security to our data we use several methods as:
      • Access Control – to define who has access to storage
      • Signed URLs – time-limited read or write access to an object through a generated URL
      • Retention Policies – to ensure that all current and future objects in the storage cannot be deleted or replaced by accident.
  4. Sensitive data
    • All customer-sensitive data (e.g., passwords) are stored in our database in hash value created with Security Hashing Algorithm.

System Security

  1. Endpoint protection
    • We use network security services to protect our network endpoints from multiple types of threats and attacks.
  2. Role-Based Access Control
    • In all our systems within an organization, we have defined Role-Base Access Control levels of access that employees have to the network and systems. This helps us to secure access to sensitive data and essential components of the platform. User access is reviewed periodically to ensure that access control principles are fulfilled.
  3. Backup, Recovery
    • We have a clear backup policy for all our data across all parts of the system. Backup snapshots are taken and retained according to our and client’s needs as per the backup policy and business continuity strategy requirements.

Internal Security

  1. Authentication
    • Secure authentication by integration with Microsoft Azure AD, allowing secure authentication to sign in using one set of credentials to multiple independent systems (SSO).
    • Part of our password policy is that Multi-Factor Authentication is enabled for all internal/external users where it is technically possible. Passwords are never stored in clear text.
  2. Audit management
    • We established and use an audit management process in the company, to get information about compliance with internal requirements and international standard requirements. These audits are performed periodically.
  3. Change management
    • The change management process is established, with the purpose to control all proposed changes of company’s infrastructure and minimize adverse impact of these changes.
  4. Incident management
    • We established an Incident management process to describe the necessary actions taken by our company to analyze, identify and correct and prevent problems. We also engaged external subject matter experts to provide us with security logging and monitoring of our services including SIEM services.
  5. Business continuity management
    • We developed a detailed business continuity plan to recognize and deal with potential threats and difficult situations, so we can ensure that our company can maintain normal business operations with as little disruption as possible.
  6. Internal employee training
    • Our employees have completed Security awareness training with SAT materials and final test which contained: information about the possibility of attacks, phishing, stealing passwords, work with sensitive data.
  7. Security principles
    • We documented all security principles in ISMS documents (policies, procedures) that are available to all employees in the company. We have also prepared overview of main security principles within one ISMS Summary Card that is part of our awareness training.
  8. Formal information security processes
    • Periodic Risk re-assessment process and management review to ensure security goals and KPIs are fulfilled
    • Formal Onboarding and Offboarding process
    • Asset inventory and maintenance & Information Classification and secure data transfer process
    • Vendor management and due diligence

Testing

  1. Penetration tests
    • Every year our platform passes 4 penetration tests:
      • 3x Black-box penetration test which determines the vulnerabilities in our system that are exploitable from outside the network.
      • 1x White-box penetration test which provides us a comprehensive assessment of both internal and external vulnerabilities.
  2. Load tests
    • Several times a year we are testing our platform with a load test. It helps us estimate sustainability of the platform and determine whether the current infrastructure is sufficient.
  3. Development Lifecycle
    • Our Development Lifecycle is secured with baseline minimum-security requirements that developers must follow. Code we write is double-checked, always tested, and analyzed for known vulnerabilities.

A better way to smarter insights starts now

Request a free demo. Someone from our dedicated team will get right back to you.

Talk to the team