Technical and Organizational Security Measures
This document is a high-level overview of technical and organizational security measures and controls implemented by CARET to protect personal data and ensure the ongoing confidentiality, integrity and availability of CARET’s products and services.
CARET reserves the right to revise these technical and organizational measures at any time, without notice, so long as any such revisions will not materially reduce or weaken the protection provided for personal data that AbacusNext processes in providing its various services.
Organization of Information Security
Organization and management of Information Security and dedicated staff responsible for the development, implementation, and continuous monitoring of CARET’s Information Security Program.
Policies and Procedures
Maintain Information Security policies and procedures, and ensure that they are regularly reviewed, updated where necessary, and communicated and made available to all CARET employees.
Implement a formal organizational Risk Management program, including periodic Risk Assessments and supporting procedures, for the purposes of periodically reviewing and assessing risks to the CARET organization, monitoring and maintaining compliance with CARET policies and procedures, and reporting the state of its information security and compliance to Senior Management.
Physical and Environmental Security
Deploy a defense-in-depth strategy of physical and environmental security controls at all CARET data centers. CARET’s data centers are designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of AbacusNext’s facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.
All CARET data centers adhere to vetted and known industry standards and regulatory requirements.
Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g. granting access on a need-to-know and least-privilege basis, use of unique IDs and passwords for all users, periodic access review, and promptly revoking or changing access when employment terminates or job functions change).
Password controls designed to manage and control password complexity requirements and usage, including prohibiting users from sharing passwords.
Data security controls which include logical segregation of data, restricted (e.g. role-based) access and monitoring, and where applicable, utilization of commercially available and industry-standard encryption technologies.
Network security controls that provide for the use of enterprise firewalls and layered DMZ architectures, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
Communication with CARET’s applications utilizes cryptographic protocols such as TLS to protect information in transit over public networks. At the network edge, firewalls, web application firewalls, and DDoS protection are used to filter attacks. Within the internal network, applications follow a multi-tiered model which provides the ability to apply security controls between each layer.
Monitoring and Logging
System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.
Change management procedures and tracking mechanisms designed to test, approve and monitor all changes to CARET technology and information assets.
Incident Management procedures designed to allow CARET to investigate, respond to, mitigate and notify of events related to CARET technology and information assets. In the event of any security breach of personal data, CARET will notify customers promptly.
Vulnerability assessment, patch management, and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
Quarterly penetration tests are conducted by CARET personnel. CARET is also periodically subject to publisher audits, which the publishers carry out using their own third-party companies. In addition, CARET conducts periodic self-assessments of the overall security posture of the organization and its products.
Business Continuity/Disaster Recovery
Business continuity and disaster recovery procedures, as appropriate, designed to maintain service during and/or recover from foreseeable emergency situations or disasters. BC/DR plans are reviewed and tested periodically for accuracy.