Policies, Processes, and Practices

Information security policies and processes form the backbone of our information security program. Diligent’s security policies set the tone and direction for the organization, assign and delegate roles and responsibilities for information security, establish control objectives, and demonstrate commitment and accountability to all constituents, including employees, business partners, and customers.

Information Security Policies and Processes

Our services are supported by various operational and security policies, standards, and procedures related to:
  • Personnel Security
  • Acceptable Use
  • Data Protection
  • Risk Management
  • Access Control
  • Cloud Computing
  • Physical Security
  • Asset Management
  • Third Party Management
  • Network and System Secure Design
  • Security Incident Response
  • Vulnerability Management
  • Change Management
  • Capacity Management
  • Secure Software Development
  • Business Continuity and Disaster Recovery

Physical and environmental security

Our corporate headquarters building is located in a shared physical facility. The building’s entrance is kept locked during non-business hours and is further protected by a security guard service. Security cameras are visibly placed in high-traffic and sensitive locations. Diligent office doors require badge access before entry is granted. All employees, contractors, and visitors must wear a visible badge at all times. All doors are alarmed and will alert our vendor and the police if a disturbance is detected. Physical access is audited every quarter; note, however, that no customer data is stored at our facility.

Logical security

We apply the principle of least privilege for internal administration. Administrative access must be requested by the employee via a ticketing system, and the request requires the approval of senior management before access is granted. Administrative access to applications is granted to employees only on the basis of their job responsibilities. Access to all production systems and internal applications is removed immediately upon employee termination or contractor contract termination. A review of access rights is conducted on a quarterly basis.

Secure Software Development Life Cycle (SSDLC)

At all phases of the application development process, security is a top priority. At Diligent, we build security into our software. Secure coding best practices are strictly followed. Common application-layer vulnerabilities, including all OWASP Top 10 vulnerabilities, are explicitly addressed at all stages of the SDLC using industry-standard countermeasures, such as explicit sanitization of all user input, use of parameterized queries, and use of secure libraries. All code changes are controlled and approved, and must go through strict peer review and Quality Assurance (QA) testing prior to production deployment.

Development and testing

We employ industry-leading development practices such as pair programming and code review, as well as continuous integration tools to perform automated testing, including static code analysis for security. Multiple staging environments have been established to facilitate manual and automated testing. Additionally, a formalized and independent QA function has been established to perform structured testing when a feature, bug fix, or higher risk change is to be introduced into our environment. As an agile development shop, we maintain processes and tools to roll back changes in case problems arise from a production deployment.

Program management and DevOps

Program management is the responsibility of our DevOps and Production Operations teams. These groups maintain the servers (provisioning, backups, OS updates and patches, logging, and monitoring) and oversee the deployment of all changes from our Development (R&D) team into production, ensuring that our change management process has been followed. DevOps and R&D work closely together to ensure the quality of our software service, but have separate responsibilities.

Segregation of duties

We have procedures, controls, and monitoring in place to ensure that a separation of duties exists between the define, design, build, test, and deploy phases of the software lifecycle. We also use third-party monitoring for the development, test, and production environments to detect run-time errors and monitor performance, so that multiple stakeholders are informed of each deployment or error.

Workstation and laptop security controls

Remediation is the post-incident repair and recovery of affected systems and/or data, communication and instruction to affected parties, and analysis confirming that the threat has been contained. Apart from any formal reports, the post-mortem is completed at this stage, as it may affect the remediation and interpretation of the incident.
  • Full-disk encryption
  • Restricted privileged accounts
  • Managed detection and remediation (MDR) and endpoint detection and response (EDR)
  • Standardized password authentication requirements
  • VPN access
  • Secure source code management with remote backups

Application code repository

We maintain a source code repository exclusively for source code management. The source code repository is a complete copy of the source code (including all version history). The redundant nature of our source code repository significantly reduces risk to system availability from loss of source code. This repository is backed up on a regular basis.

Change management

Management has developed policies and procedures to control and manage changes to production systems. We use segregated development, test, and production environments. All program changes are tested in a development environment, a continuous integration environment, and then formally accepted in a staging environment prior to being deployed in the production environment. The deployment system has the capability to roll back any deployed changes so that even in the event an issue is encountered after deployment, the production application may be returned to a stable state quickly and efficiently.

Emergency change management

Emergency changes require the same testing and approval process as a standard change request. However, these activities may be performed and documented retroactively, after the change has been migrated to production, so that the production issue is resolved as quickly as possible.

Customer issues

Customer issues may be reported to Diligent Service by phone or support ticket. For details, see https://www.diligent.com/support/. The person receiving the request will attempt to address the issue immediately or route it to the appropriate person, and will document the resolution procedures. Customer experience issues may also be identified automatically through application-layer errors: when an error occurs in an application, a programmatic notification is made which automatically generates an e-mail notification. Once the notification is received, a ticket is used to track resolution of the error.

Penetration testing

In addition to internal security testing, we use independent third-party penetration testing to check the Diligent services for security vulnerabilities. These tests are performed by an organization specializing in software security and probe the environment for vulnerabilities such as cross-site scripting, SQL injection, and weaknesses in session and cookie management. We ensure that exploitable vulnerabilities are resolved on a timely basis according to severity and impact. A copy of the most recent penetration test report can be provided, subject to a non-disclosure agreement (NDA).

Web scans and testing

We use an independent third-party security provider to perform web application scanning and automated security testing. Vulnerability scans are performed to identify security flaws in all applications prior to a production release. Any findings are escalated immediately and resolved in a timely fashion.

The scans cover the following security areas:
  • Port discovery: Identifies and maps open ports across the production network.
  • Network services vulnerability scan: Discovers, identifies, and monitors network devices, finds rogue devices, and identifies unauthorized services.
  • Network discovery: Interrogates each service on every available port to determine exactly what software is running and how it is configured, matching the results against the vulnerability knowledge base to launch service-specific tests.
  • Web applications vulnerability scan: Checks all HTTP services and virtual domains for the existence of potentially dangerous modules, configuration settings, CGIs, and other scripts, as well as default-installed files. The website is then “deep crawled”, including Flash-embedded links and password-protected pages, to find forms and other potentially dangerous interactive elements. These are then exercised in specific ways to disclose any application-level vulnerabilities, such as code revelation, cross-site scripting, and SQL injection.

Terminating subscriptions

When you choose to terminate your subscription, we will extend access to the system for an additional 30 days so that you can copy or extract any data you wish to retain. Once you have extracted your data, you have the full ability and responsibility to delete any or all of your remaining data in the system. Upon written request, Diligent will destroy the customer system and all data content after the extract process. If 90 days have passed without a written request to destroy the customer system, Diligent reserves the right to destroy the customer system to regain system resources. For product-specific terms, see https://www.diligent.com/governance-cloud-terms-conditions/