We have strict access controls in place for all users. Client data is only accessible to the employees who are authorized to see it. The operation of the Sakon services requires IT Administrators to have access to the systems which store and process Client Data. IT administrators are restricted from viewing the customer data unless it is required for performing troubleshooting function. Access to Customer data is enforced to be logged by audit polices. Granular access control is in place within the application and access to a specific user is provided based on the Role of the user based on business requirement. There are different hierarchies defined in the system based on Access Rights and Role Management. Access control is responsible for content management for the users authorized to access the portal. User will only see the data according the role assigned to the user as defined in the Role Management.
All of our employees and contract personnel are bound to our Information Security Policies with regards to protecting sensitive & organizational data.
Sakon carries out background checks on all employees before employment, and employees receive privacy and security training during onboarding as well as on an ongoing basis. All employees are required to read and sign Non-disclosure agreement covering the security, availability, and confidentiality of Sakon services.
Firewall at the perimeter has been configured to industry best practices such a way to only allow communication to the specific ports required by the application. The firewall is configured to "deny" any other traffic by default. IDS/IPS systems that allow traffic flowing through the firewalls and LAN to be logged and protected always. IDS/IPS is configured to protect against network and application-level attacks, and to secure against intrusion attempts, malware, trojans, DoS and DDoS attacks, malicious code transmission, backdoor activity and blended threats.
The following security-related compliance certifications and attestations are applicable and maintained for Sakon Services and the certificates can be obtained on request to account manager:
We use CAIQ to outline our security capabilities to customers, publicly or privately, in a standardized way using the terms and descriptions considered to be a best practice by the CSA. Most useful aspect of CAIQ is that it is mapped to many other industry standards and controls framework like CoBiT, HIPAA, PCI and FedRAMP. ISO 27001, FedRAMP, COBIT, PCI ,HIPAA and HITECH Act ,NIST SP800-53 R3.https://downloads.cloudsecurityalliance.org/star/self-assessment/Global-Sourcing-Group-Inc-Sakon-Application-Platform-CAIQ-3.0.1-2017-10-06.pdf
We use Nagios and PRTG as a measurement tools that actively monitors availability & performance of application services. Production environment has been designed in such a way to be resilient against any single or multiple failures in the application components services or the entire data center. Infrastructure management team tests disaster recovery procedures regularly. Network Operation team is available 24*7 to monitor and quickly mitigate any incident within the Infrastructure.
Sakon Services has a well-defined Incident Management procedure which sets out a framework of governance and accountability in case of security incident. In the event of a security incident, Sakon will promptly notify the customer.
Our privacy breach response plan ensures that we are able to swiftly identify privacy breaches and contain any privacy risk.
Sakon tests the Business Continuity, Disaster Recovery, and Incident Response & Recovery Plan annually. These test results are reviewed and any necessary corrective actions are taken. Types of tests done by Sakon includes:
Sakon services uses the industry standard encryption protocols & cipher suites. Customer data is encrypted in transit as well as at rest. All productions systems are hardened & regularly monitored to disable the use of weak ciphers.
We operate on the principle of least-privilege basis and access is enabled to the level to be able to perform the business function.
Duties and areas of responsibility are well segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s information or data.
All users have unique ID that provides individual accountability to all systems, and there is no shared ID used by multiple employees.
User authentication credentials are protected when stored using AES 254 encryption algorithm when at rest.
Single Sign On: Customers can integrate their Sakon Services instance with any single-sign-on providers using SAML.
Vulnerability Assessment & Penetration testing of all production systems & applications is done regularly as a process. This is done internally as well using third party security vendor. VAPT assessment is carried out in 4 phases:
All systems are installed with endpoint protection. Weekly process is defined to detect the devices not in compliance and NOC is responsible to take the actions on such devices.
Audit is performed by 3rd party qualified accessors. Audit team (IA team) is entrusted with the responsibility of ensuring compliance with ISMS framework in all aspects. The IA team meet on annual basis. They have the following responsibilities: