Security
We think our approach to cyber security is key to maintaining both trust and our status as an industry leader and this content provides an overview of how we approach cyber security as an organization.
Overview
ComplianceMetrix, Inc. (CMX) believes in a robust, active and continually improving cyber security program to help ensure that our organization and products are secure. To this end, CMX employs a number of technical & operational controls to help ensure our cyber security & the safety of the customer’s data handled by our SaaS Platform.Key features of our program include:
- A security program aligned with industry best practice standards & audited under the SOC 2 Trust Service Criteria for Security.
- The use of cloud platforms that are compliant with trusted security benchmarks including ISO27001, SOC 2, & PCI DSS 3.2.1.
- A focus on getting the basics right, & recognizing that the fundamentals of security remain the most critical. This includes but is not limited to:
Workforce training on the importance of cyber security.
Robust mechanisms to ensure that access to CMX’s systems and customer data is carefully controlled.
Encrypting the customer data both in transit and while at rest.
Ensuring we apply patches within our IT environment and to our products as quickly as possible.
Actively monitoring and testing our environment and products for vulnerabilities and remedying any issues as a priority.Using account takeover prevention services to ensure that we are alerted to employee credentials that may become exposed in an external data breach.
Having a defined process in place to provide effective support and response in the event of a security incident.
The content below provides an overview of the various parts of our security program.
Organizational Security Practices
Our approach to security is focused on aligning with recommended best practices and standards required by and audited under the SOC 2 Trust Service Criteria for Security. Our SOC 2 Report is available upon request at https://trust.cmx1.com
Security Governance
CMX has a documented set of policies and procedures that defines our approach to security as an organization. These policies and procedures are shared with staff and reviewed and updated at least annually, or as needed in order to ensure our approach to security remains current.
We focus on ensuring accountability for security throughout our company. To this end, we have an information security management forum set up with key stakeholders from across CMX that regularly meet to review and discuss security related matters, and make any decisions that have an influence on our approach to cyber security.
Access to Internal Systems and Cloud Platforms
We ensure that access to systems in our IT environment & the cloud platforms that we use, is restricted to a limited set of employees who specifically require this access based on their role.
All administrator access requires multi-factor authentication and employees accessing our Amazon environment must be requesting access from approved IP addresses.
Access permissions to our systems are regularly reviewed on an employee-by-employee basis and modified according to their role. As part of our off-boarding process, all access to systems and services for departing employees is revoked.
Account Takeover Protection
Account takeover is a security risk that occurs when attackers use stolen logins to gain access to corporate accounts. CMX uses Account Takeover Prevention services to ensure that we are protecting our organization from breaches and BEC due to password reuse.
Third-Party Security
We carefully review the security practices of third parties we engage – initially and on an on-going basis to ensure their practices meet industry standards and are compliant with our own privacy and security policies and procedures.
As Amazon Web Services (AWS) is one of our primary providers, we engage with them using the Shared Responsibility Model for security and compliance, ensuring there is a clear definition of who assumes responsibility for what when it comes to security. AWS is accredited by and compliant with a large number of the latest industry standards.
For the processing of credit cards, CMX uses several partners (Chargify, & Stripe) whose security practices are compliant with the Payment Card Industry Data Security Standard (PCI-DSS). CMX does not store any Credit Card data, but instead references information in Chargify via their API.
Network Security
CMX networks are entirely in the cloud and we exclusively use Amazon Web Services (AWS) who provide a multi-layered strategy to defend from external attacks. At an infrastructure level, AWS employs strategies such as network device access control, data segregation using firewalls and virtual private clouds to filter out malicious traffic and make use of extensive logging and monitoring to prevent network-based attacks. At an application level we take advantage of Amazon’s Web Application Firewall (WAF) and Distributed Denial of Service (DDoS) protection to prevent web-based and denial of service attacks against our products.
Logging and Monitoring
CMX makes use of a centralized logging system which includes application access audit events. These logs are retained for 30 days. We also use Amazon Elastic Load Balancing (ELB) logs to track all web access requests. Logs stored in AWS are retained for 1 year, are not able to be modified, and access is restricted to those who require it for their role requirements.
We recognize the importance of reviewing logs regularly to identify malicious user activity and identify potential vulnerabilities with our products; we have automated monitoring in place that alerts us to specific types of potentially malicious events within our global infrastructure.
Security Awareness Training
All CMX personnel undergo regular security awareness training for technical and non-technical roles. Additional security training material is provided to individual staff where required to ensure they are equipped to handle the specific security-oriented role challenges of their role. We also simulate phishing exercises with all staff on a recurring basis using extremely realistic phishing emails.
Patching and Vulnerability Management
Patching of our IT environment is one of the most fundamentally important measures we take to stay secure against a potential security breach.
To achieve this:
- Autoscaling server groups that use the newest, freshly patched images on a weekly basis.
- Vulnerability scans are performed regularly and in accordance with our SOC 2 controls.
- Penetration Testing is performed by a 3rd party on accordance with our SOC 2 controls
- An automated software patching solution is used to automatically apply patches using a defined schedule, with patches being deployed to non-production environments for initial testing prior to being rolled out across our environment.
Protecting Customer Data
CMX takes the security of our customer’s data extremely seriously. We take a number of steps to ensure customer data is carefully protected.
Restricting Access to Data
CMX takes a number of measures to help protect customer data from inappropriate access or use by unauthorized persons (either external or internal). Customer data is only stored in our production environment, and access to that data by CMX employees is limited only to the employees who require access to perform their standard duties. Access to customer data is managed using access control and authentication tools (including the use of two-factor authentication) provided by Amazon Web Services and our other cloud partners.
Customer data is only used for purposes that are compatible with providing the contracted services, such as troubleshooting technical support requests. For full details please refer to the CMX Privacy Policy found here: https://www.cmx1.com/privacy.
Physical Access to Customer Data
Customer data is not stored at our physical office locations. Instead, all customer data is hosted on infrastructure provided by Amazon Web Services which maintains physical security of their sites using industry best practice controls as outlined in their security and compliance website found here: https://aws.amazon.com/architecture/security-identity-compliance.
Encryption of Data
CMX has mechanisms in place to ensure that our customers’ data is protected both at rest and when in transit. At rest, all customer data stored in systems is encrypted using AES-256 with keys managed through Amazon Web Services’ Key Management Service. All data is stored securely and subject to the security policies and procedures of AWS.
To protect data in transit, CMX uses Transport Layer Security (TLS) and enforces a minimum standard of TLS v1.2 using 128-bit cipher keys. We support connections with up to 256-bit cipher keys for use with an Advanced Encryption Standard (AES) cipher.
Backups of Data
CMX data is backed up at regular intervals to disparate encrypted data storage solutions provided by Amazon Web Services.
Access to data backups is restricted to only those specific employees of CMX where that access is needed as part of their role requirements. Backups are encrypted and are stored in a read-only mode.
Deletion and Disposal of Data
Our customer data is principally stored in, and subject to the deletion and disposal procedures of Amazon Web Services. These procedures include a secure process to logically wipe retired media. Wiped media is then inspected to ensure the successful destruction of data.
Secure Software Development Practices
As part of our product development process, every code and infrastructure change is reviewed prior to the release of the change into production. This review includes observance of security best practice. We also segregate our development, test and production environments, and do not use customer data in our non-production environments.
Static Application Security Testing
CMX uses Static Application Security Testing(SAST) tools to evaluate our source code & 3rd party libraries for security vulnerabilities so that they can be identified and remedied as soon as possible in order to ensure the most secure platform possible.
Change Control
All changes to CMX’s products are actively tested during their development to ensure the impact to end users is evaluated prior to deployment. Any significant changes are included in the production release notes.
CMX employs change tracking and version control systems to actively monitor and manage changes to the code base or configuration of our infrastructure. We use automated processes to deploy changes to our environments and have separate and segregated non-production environments.
Vulnerability Identification and Patch Management
We work hard to minimize vulnerabilities that arise in our products, and we recognize that it is important to take steps to address them as quickly as possible. To that end, CMX actively tests and monitors for vulnerabilities in our environment using Rapid7 InsightVM in an agent based deployment. Where a vulnerability is identified the issue is tracked and prioritized according to the potential severity of impact to our customers. Patches for issues are developed and released into the production environment through a continuous integration process (CI/CD) and applied as soon as possible.
Handling Security Incidents
While we strive our utmost to prevent any security incidents, it is necessary that we recognize the need to be prepared to handle any such incidents should they arise in order to minimize potential impact to CMX and our customers.
We have a range of measures in place including:
A documented Incident Management Procedure that defines our process for handling the confidentiality, integrity and availability of our IT environment and products.Established disaster recovery plans and contingency strategies which can be executed to help us maintain the continuity of operations during an incident. This includes the use of Disaster Recovery as a Service(DRaaS) solutions to replicate our cloud environment in an alternate account and region.
CMX promptly alerts affected clients of major incidents impacting the availability of CMX’s services or data and of any incidents affecting the confidentiality and integrity of user data as per our CMX Privacy Policy found here: https://www.cmx1.com/privacy.
You may report security incidents & concerns by contacting security@cmx1.com.