Details about how we protect your data
The confidentiality, integrity, and availability of organization and customer data is our topmost priority. As a leading SaaS-based solution provider, we understand the vital role data security plays for our customers and their businesses. Our services focus not only on technology but also on the business processes and techniques that Aritic has found effective in the real world.
Our ISMS framework is built on the ISO 27001:2013 structure and also addresses the applicable PCI-DSS, HIPAA and GLBA requirements for us and our customers.
We are also aware of the European Union's (EU) new data protection framework, the General Data Protection Regulation (GDPR). The team is working on integrating the GDPR requirements into the existing ISMS framework.
Information security policies
We have a well-defined information security policy, driven by the CIO office under CEO supervision, to ensure the confidentiality, integrity, and availability of information for the Company, its Customers, Associate Partners, and Third-Party vendors.
Office of Information Security
We have a designated Group CISO responsible for designing, planning and implementing the information security framework. The mission of the CISO office is to protect the information of the Company's stakeholders: Investors, Customers, and Associates.
Other designated roles under the Group CISO are the child/sister company CISOs, ISOs, and the Privacy and Compliance officers.
We have strong cryptographic controls in place for data both at rest and in transit: all our public communication interfaces are secured with HTTPS and TLS encryption, and data stored on the servers is protected with disk-level and database-level encryption.
Qualified application security testers ensure:
– Regular application scans against the latest vulnerabilities and threats
– Scheduled application penetration testing for selected systems
– OWASP vulnerability identification and mitigation
– Regular third-party assessments
– Network vulnerability scans and penetration testing performed regularly
– Well-defined role-based logical access to applications
– Multi-layer firewall systems to filter public, DMZ, and internal network traffic
– Secure VPN access for IT administration work
– Customized IDS and IPS rules to prevent network attacks
– Regular network device hardening
– High-availability (HA) firewall systems
– DDoS protection for servers
Our dedicated security operations team is primarily responsible for implementing the security system:
– Writing and publishing IT security manuals
– Performing regular security audits on systems and users
– Conducting information security training
– Monitoring server logs and activities
– Enforcing password policies
– Performing regular VA/PT scans
– Managing incidents
Strong logical and physical access controls are in place to ensure that all access is uniquely created, correctly modified and appropriately removed by authorized personnel.
All system accesses are monitored, tracked and investigated.
We have a pre-onboarding process for all employees that includes extensive background checks, and mandatory information security training is a condition of employment. As part of continual improvement, we also conduct regular information security training, at minimum once a year, which all employees are required to complete.
Applicable third-party vendors and subcontractors are also required to complete HR security checks.
Physical and environmental security:
Our servers are deployed on dedicated infrastructure managed solely by us and hosted with top-tier data center providers.
Some of the key controls:
– Biometric access control at the data center premises
– Security camera coverage for restricted zones
– Round-the-clock physical security staff at entry and exit gates
– N+1 UPS power subsystem with zero failover
– Fire suppression system
– Humidity and water leakage sensors to monitor environmental threats