Information Security Policies and Processes
Our services are supported by various operational and security policies, standards, and procedures related to:
- Personnel Security
- Acceptable Use
- Data Protection
- Risk Management
- Access Control
- Cloud Computing
- Physical Security
- Asset Management
- Third Party Management
- Network and System Secure Design
- Security Incident Response
- Vulnerability Management
- Change Management
- Capacity Management
- Secure Software Development
- Business Continuity and Disaster Recovery
Physical and environmental security
Our corporate headquarters building is located in a shared physical facility. The building’s entrance is kept locked during non-business hours, and is further protected by a security guard service. Security cameras are visibly placed in high-traffic or sensitive locations.
Diligent office doors require badge access prior to granting entry. All employees, contractors, and visitors must wear a visible badge at all times. All doors are alarmed and will alert our vendor and the police if a disturbance is detected. Physical access is audited every quarter; however, no customer data is stored at our facility.
Logical security
We follow the principle of least privilege for internal administration. Administrative access for employees who require it must be requested via a ticketing system. The request requires the approval of senior management before access is granted.
Administrative access to all applications is granted to employees only based on their job responsibilities. Access to all production systems and internal applications is removed immediately upon employee termination or contractor contract termination. A review of access rights is conducted on a quarterly basis.
Secure Software Development Life Cycle (SSDLC)
At all phases of the application development process, security is a top priority. At Diligent, we build security into our software. Secure coding best practices are strictly followed. Common application layer vulnerabilities, including all OWASP Top 10 vulnerabilities, are explicitly addressed at all stages of the SDLC using industry standard countermeasures, such as explicit sanitization of all user input, use of parameterized queries, and use of secure libraries.
All code changes are controlled and approved, and must go through strict peer review and Quality Assurance (QA) testing prior to production deployment.
Development and testing
We employ industry-leading development practices such as pair programming and code review, as well as continuous integration tools to perform automated testing, including static code analysis for security.
Multiple staging environments have been established to facilitate manual and automated testing. Additionally, a formalized and independent QA function has been established to perform structured testing when a feature, bug fix, or higher risk change is to be introduced into our environment.
As an agile development shop, we maintain processes and tools to roll back changes in case problems arise from a production deployment.
Program management and DevOps
Program management is the responsibility of our DevOps and Production Operations teams. These groups maintain the servers (provisioning, backups, OS updates and patches, logging, and monitoring) and oversee the deployment of all changes from our Development (R&D) team into production, ensuring that our change management process has been followed.
DevOps and R&D work closely together to ensure the quality of our software service, but have separate responsibilities.
Segregation of duties
We have procedures, controls, and monitoring in place to ensure that a separation of duties exists between the define, design, build, test, and deploy phases of the software lifecycle. We also use third-party monitoring for development, test, and production to detect run-time errors and monitor performance, so that multiple stakeholders are informed of deployments and errors.
Security incident remediation
Remediation is the post-incident repair and recovery of affected systems and/or data, communication and instruction to affected parties, and analysis that confirms the threat has been contained. Apart from any formal reports, the post-mortem will be completed at this stage, as it may impact the remediation and interpretation of the incident.
Workstation and laptop security controls
- Full-disk encryption
- Restricted privileged accounts
- Managed detection and remediation (MDR) and endpoint detection and response (EDR)
- Standardized password authentication requirements
- VPN access
- Secure source code management with remote backups
Application code repository
We maintain a source code repository exclusively for source code management. The source code repository is a complete copy of the source code (including all version history). The redundant nature of our source code repository significantly reduces risk to system availability from loss of source code. This repository is backed up on a regular basis.
Change management
Management has developed policies and procedures to control and manage changes to production systems.
We use segregated development, test, and production environments. All program changes are tested in a development environment, a continuous integration environment, and then formally accepted in a staging environment prior to being deployed in the production environment.
The deployment system has the capability to roll back any deployed changes so that even in the event an issue is encountered after deployment, the production application may be returned to a stable state quickly and efficiently.
Emergency change management
Emergency changes require the same testing and approval process as a standard change request. However, these activities may be performed and documented retroactively, after the change has been migrated to production, so that the production issue is resolved as quickly as possible.
Customer issues
Customer issues may be reported to Diligent Service by phone or support tickets. For details, see https://www.diligent.com/support/
The person receiving the request will attempt to immediately address the issue or route the issue to the appropriate person and document the resolution procedures.
Customer experience issues may also be identified automatically through application layer errors. When an error occurs in an application, a programmatic notification is made which automatically generates an e-mail notification. Once the notification is received, a ticket is used to track resolution of the error.
Penetration testing
In addition to internal security testing, we use independent third-party penetration testing to check the Diligent services for security vulnerabilities.
These tests are performed by an organization specializing in software security, and are used to probe the environment for vulnerabilities such as cross-site scripting, SQL injection, and weaknesses in session and cookie management.
We ensure exploitable vulnerabilities are resolved on a timely basis according to severity and impact. A copy of the most recent penetration test report can be provided, subject to a non-disclosure agreement (NDA).
Web scans and testing
We use an independent third-party security provider to perform web application scanning and automated security testing. Vulnerability scans are performed to identify security flaws on all applications prior to a production release. Any findings are escalated immediately and resolved in a timely fashion.