Sakon Security Measures
We have strict access controls in place for all users. Client data is only accessible to the employees who are authorized to see it. Operating the Sakon services requires IT administrators to have access to the systems that store and process client data; IT administrators are restricted from viewing customer data unless it is required to perform a troubleshooting function. Access to customer data is logged, as enforced by audit policies.
Granular access control is in place within the application: each user is granted access according to the role assigned to them, and roles are defined by business requirement. Different hierarchies are defined in the system based on access rights and role management. Access control governs which content is presented to users authorized to access the portal, so a user only sees the data permitted by the role assigned to them in Role Management.
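The access model described above (role-based visibility, a role hierarchy, administrators who see client data only while troubleshooting, and an audit record of every access) can be illustrated in code. The following is an added example written for this page, not Sakon's implementation; the role names, permission strings, tenant names and the "ticket required" rule for IT administrators are assumptions, and the records are constructed sample data.

```python
"""Role-based access control with a role hierarchy and an audit trail (illustration)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role hierarchy: a role inherits the permissions of its parents (assumed role names).
ROLE_PARENTS = {
    "viewer": [],
    "analyst": ["viewer"],
    "client_admin": ["analyst"],
    "it_admin": [],            # operates systems; inherits no business-data rights
}

# Permissions granted directly to each role (assumed permission strings).
ROLE_PERMISSIONS = {
    "viewer": {"invoice:read"},
    "analyst": {"report:read"},
    "client_admin": {"user:manage"},
    "it_admin": {"system:operate", "troubleshoot:read_data"},
}


def effective_permissions(role):
    """Permissions of a role plus everything inherited from its parents."""
    perms = set(ROLE_PERMISSIONS.get(role, set()))
    for parent in ROLE_PARENTS.get(role, []):
        perms |= effective_permissions(parent)
    return perms


@dataclass
class User:
    user_id: str   # unique per person: no shared accounts
    role: str
    client: str    # tenant the user belongs to


@dataclass
class Record:
    record_id: str
    client: str
    kind: str      # "invoice" or "report"
    body: str


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, user, action, record_id, allowed, reason=""):
        """Every decision is logged, denied attempts included."""
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user_id": user.user_id,
            "action": action,
            "record_id": record_id,
            "allowed": allowed,
            "reason": reason,
        })


def can_read(user, record, ticket=None):
    """Tenant isolation first, then role permission.

    IT administrators see client data only when a troubleshooting ticket is
    attached to the request (assumed rule modelling the text above)."""
    if user.role == "it_admin":
        return ticket is not None and "troubleshoot:read_data" in effective_permissions(user.role)
    if record.client != user.client:
        return False
    return f"{record.kind}:read" in effective_permissions(user.role)


def visible_records(user, records, audit, ticket=None):
    """Return the records this user may see, logging each decision."""
    out = []
    for rec in records:
        allowed = can_read(user, rec, ticket)
        audit.record(user, "read", rec.record_id, allowed,
                     reason=f"ticket {ticket}" if (ticket and allowed) else "")
        if allowed:
            out.append(rec)
    return out


# Constructed sample data.
RECORDS = [
    Record("INV-1", "acme", "invoice", "Acme March invoice"),
    Record("RPT-1", "acme", "report", "Acme spend report"),
    Record("INV-2", "globex", "invoice", "Globex March invoice"),
]

if __name__ == "__main__":
    audit = AuditLog()
    print([r.record_id for r in visible_records(User("u100", "viewer", "acme"), RECORDS, audit)])
    print([r.record_id for r in visible_records(User("u900", "it_admin", "sakon"), RECORDS, audit)])
    print(len(visible_records(User("u900", "it_admin", "sakon"), RECORDS, audit, ticket="TT-42")))
    print(len(audit.entries), "audit entries")
```

The audit log records denied attempts as well as successful reads; in practice it would be shipped to a central store so that the trail cannot be edited by the same administrators it covers.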
All of our employees and contract personnel are bound by our Information Security Policies with regard to protecting sensitive and organizational data.
Sakon carries out background checks on all employees before employment, and employees receive privacy and security training during onboarding as well as on an ongoing basis. All employees are required to read and sign a non-disclosure agreement covering the security, availability, and confidentiality of Sakon services.
The perimeter firewall is configured according to industry best practice so that only communication to the specific ports required by the application is allowed. The firewall is configured to deny all other traffic by default.
IDS/IPS systems log and protect all traffic flowing through the firewalls and the LAN. The IDS/IPS is configured to protect against network- and application-level attacks, and to defend against intrusion attempts, malware, trojans, DoS and DDoS attacks, malicious code transmission, backdoor activity and blended threats.
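A default-deny perimeter rule set of the kind described above looks like the following nftables fragment. It is an added illustration, not Sakon's ruleset: the application port (443) and the management subnet (10.0.100.0/24, SSH only) are assumptions, and the logging rule exists so that dropped traffic is visible to the monitoring described later on this page.

```nft
# Default-deny inbound filter (illustration; ports and subnet are assumptions).
table inet perimeter {
    chain input {
        type filter hook input priority 0; policy drop;   # anything not accepted below is dropped

        ct state established,related accept               # replies to flows we already allowed
        ct state invalid drop
        iif lo accept

        tcp dport 443 ct state new accept                 # application port (assumed)
        ip saddr 10.0.100.0/24 tcp dport 22 ct state new accept   # management subnet only (assumed)

        # Everything else is counted and logged before the chain policy drops it.
        counter log prefix "nft-drop-input "
    }

    chain forward {
        type filter hook forward priority 0; policy drop; # host does not route by default
    }
}
```

Load it with `nft -f <file>` and confirm the effective policy with `nft list ruleset`; the check a practitioner wants is that both chains report `policy drop` and that the accept rules name only the ports the application actually needs.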
The following security-related compliance certifications and attestations are applicable to and maintained for Sakon Services; the certificates can be obtained from your account manager on request:
• Service Organization Control (SOC 1) Reports: A SOC 1 (Service Organization Controls) report, also known as SSAE 16, reports on controls at a service organization that are relevant to user entities' internal control over financial reporting.
• Service Organization Control (SOC 2) Reports: A SOC 2 report covers the suitability of design and operating effectiveness of controls that directly relate to the security, availability, processing integrity, confidentiality, and privacy at a service organization.
• PCI: Sakon is not currently a PCI-certified Service Provider. We are a PCI Level 4 Merchant and have completed the Payment Card Industry Data Security Standard's SAQ-A, allowing us to use a third party to process customer credit card information securely.
• ISO 27001:2013: ISO 27001:2013 (formerly known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization's information risk management processes.
• CSA (Cloud Security Alliance): The CSA CAIQ is widely used by cloud service providers and focuses on security controls in IaaS, PaaS, and SaaS offerings, providing transparency about those controls.
We use the CAIQ to outline our security capabilities to customers, publicly or privately, in a standardized way using the terms and descriptions considered best practice by the CSA. The most useful aspect of the CAIQ is that it is mapped to many other industry standards and control frameworks, including ISO 27001, FedRAMP, COBIT, PCI, HIPAA, the HITECH Act and NIST SP 800-53 R3. Our published CAIQ self-assessment: https://downloads.cloudsecurityalliance.org/star/self-assessment/Global-Sourcing-Group-Inc-Sakon-Application-Platform-CAIQ-3.0.1-2017-10-06.pdf
Availability & Disaster Recovery
We use Nagios and PRTG as monitoring tools that actively track the availability and performance of application services. The production environment is designed to be resilient against single or multiple failures of application component services or of an entire data center. The infrastructure management team tests disaster recovery procedures regularly. The Network Operations team is available 24x7 to monitor the infrastructure and quickly mitigate any incident.
Incident Management & Response
Sakon Services has a well-defined Incident Management procedure which sets out a framework of governance and accountability in the event of a security incident. In the event of a security incident, Sakon will promptly notify the customer.
Our privacy breach response plan ensures that we are able to swiftly identify privacy breaches and contain any privacy risk.
Incident Response and Recovery Plan Testing
Sakon tests the Business Continuity, Disaster Recovery, and Incident Response & Recovery Plans annually. The test results are reviewed and any necessary corrective actions are taken. The types of tests performed by Sakon include:
• Walk-through exercises
• Tabletop exercises
• Parallel simulations
Data Encryption In Transit and At Rest
Sakon services use industry-standard encryption protocols and cipher suites. Customer data is encrypted in transit as well as at rest. All production systems are hardened and regularly monitored to ensure that weak ciphers remain disabled.
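What "hardened and monitored so that weak ciphers stay disabled" means for a TLS endpoint can be shown with Python's standard `ssl` module: build the server context with a protocol floor and an AEAD-only, forward-secret cipher list, then inspect the resulting context the way a monitoring job would. This is an added example, not Sakon's configuration; the TLS 1.2 floor, the cipher string and the "no non-AEAD suites" rule are assumptions reflecting current practice, and `legacy_context()` is a deliberately permissive context included only for contrast.

```python
"""Build a hardened TLS server context and check it for weak settings (illustration)."""
import ssl


def hardened_server_context():
    """Server context: TLS 1.2 floor, ECDHE (forward secrecy) with AEAD suites only.

    Assumptions for this example: TLS 1.2 as the minimum, AES-GCM and ChaCha20 as the
    permitted TLS 1.2 suites. TLS 1.3 suites are all AEAD and are governed separately."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    ctx.options |= ssl.OP_NO_COMPRESSION      # TLS compression is a known weakness; keep it off
    return ctx


def legacy_context():
    """Deliberately permissive context, for contrast only (never deploy this)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL")                    # includes CBC-mode and other non-AEAD suites
    return ctx


def non_aead_ciphers(ctx):
    """Enabled suites whose MAC is not AEAD (CBC + HMAC, RC4 and similar)."""
    return [c["name"] for c in ctx.get_ciphers() if "Mac=AEAD" not in c["description"]]


def non_forward_secret_ciphers(ctx):
    """Enabled TLS 1.2 suites without an ephemeral key exchange (static RSA, etc.)."""
    return [
        c["name"] for c in ctx.get_ciphers()
        if c["protocol"] != "TLSv1.3" and "Kx=ECDH" not in c["description"]
        and "Kx=DH" not in c["description"]
    ]


def check_context(ctx):
    """Findings a monitoring job could alert on; all-clear means every value is 'ok'."""
    return {
        "min_version_ok": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "non_aead": non_aead_ciphers(ctx),
        "non_forward_secret": non_forward_secret_ciphers(ctx),
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
    }


def is_hardened(ctx):
    """True when the context meets all of the (assumed) hardening rules above."""
    f = check_context(ctx)
    return (f["min_version_ok"] and not f["non_aead"]
            and not f["non_forward_secret"] and f["compression_disabled"])


if __name__ == "__main__":
    print("hardened:", check_context(hardened_server_context()))
    weak = check_context(legacy_context())
    print("legacy: non-AEAD suites enabled:", len(weak["non_aead"]))
```

The same `check_context()` logic is what a weekly compliance job would run against each production host's effective configuration, so that a regression (an operator re-enabling a CBC suite, say) is caught rather than silently accepted.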
We operate on the principle of least privilege: access is granted only to the level needed to perform the business function.
Duties and areas of responsibility are segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's information or data.
All users have a unique ID that provides individual accountability across all systems; no shared IDs are used by multiple employees.
User authentication credentials are protected at rest using the AES 254 encryption algorithm.
Single Sign-On: Customers can integrate their Sakon Services instance with any single sign-on provider that supports SAML.
Vulnerability Assessment & Penetration Testing
Vulnerability assessment and penetration testing of all production systems and applications is carried out regularly as a defined process, both internally and by a third-party security vendor. The VAPT assessment is carried out in four phases:
• Conduct Assessment
• Identify Exposures
• Address Exposures
• Remediation and Compliance
Data Loss Prevention (DLP)
All systems have endpoint protection installed. A weekly process detects devices that are not in compliance, and the NOC is responsible for taking action on such devices.
Information Security Audit
Audits are performed by qualified third-party assessors. The audit team (IA team) is entrusted with ensuring compliance with the ISMS framework in all aspects. The IA team meets on an annual basis and has the following responsibilities:
• Conduct internal audits to assess conformance to the standard, organization’s policies, effectiveness of implementation and maintenance.
• Define and document procedures including responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records.
• Evaluate the organization's compliance with the ISMS framework in all aspects.
• Detect any shortcomings in the implementation of the ISMS framework within the organization.
• Ensure deployment of a robust information security framework.
• Recommend the necessary corrective and preventive actions.
• Ensure continuous improvement of information security controls.