SECURITY ORGANIZATION

The Information Security program is organized around and developed by our Chief Information Security Officer (CISO) and supported by company ownership/leadership and operational subject matter experts. boberdoo personnel maintain industry-recognized certifications including Certified Information Systems Security Professional (CISSP), ITIL, AWS certifications and others.

TRUSTED SECURITY PARTNERS

boberdoo partners with external service providers to enhance and support our security program.  We have retained a certified AWS partner, Trek10, to monitor our infrastructure 24/7 for system availability, performance and security compliance.  We work with nationally recognized security services firms to conduct vulnerability assessments, penetration testing and web application testing annually.  In addition to our annual tests and regular internal scanning, quarterly compliance scanning is conducted by SecurityMetrics to support us in best practices and compliance mandates. All systems are developed and hosted on Amazon Web Services’ SOC 2 & ISO 27001 compliant infrastructure.

POLICIES, PROCEDURES AND STANDARDS

boberdoo has developed policies and procedures and adopted standards intended to support our compliance with internationally recognized best practices and regulatory requirements. Our information security policies address network protection, systems monitoring & logging, endpoint protection, mobile device security, vulnerability management, patch management, access & audit, awareness, physical security, personnel security, acceptable use, third party management, disaster recovery, data protection and secure data management. Policies are reviewed annually.

RISK MANAGEMENT

boberdoo conducts formal information security risk assessments annually and as necessary when system or application changes result in changes to our risk exposure. The risk assessment evaluates the current threat landscape and identifies information security risks in our environment and their potential impact to our business and customer data.  Findings are discussed with stakeholders and we formulate a strategy and plans for risk treatment based on the assessment outcomes, risks identified and external compliance requirements.

SECURITY AWARENESS TRAINING

Security awareness is a foundational aspect of the boberdoo security program.  Awareness training is delivered to all employees annually and when first onboarded to the company.  Continuous awareness is also provided via a variety of communications channels throughout the year.  Employees are required to complete a training acknowledgment and test to validate their understanding of common security and privacy-related topics.

NETWORK PROTECTION

boberdoo systems are built for the cloud.  Our platform is hosted on Amazon Web Services (AWS). As such, clients benefit from the many certifications achieved by AWS.  To learn more, please visit the AWS Compliance Program site for information on applicable certifications. Our infrastructure is developed and deployed according to best practices and monitored for compliance with CIS-AWS benchmarks.  Furthermore, our infrastructure is monitored and supported by a leading AWS-managed security services partner to add an additional layer of oversight and assurance.

TECHNICAL SECURITY CONTROLS

boberdoo’s web application firewall protects your data against common web attacks including the OWASP Top 10. We monitor for malicious activity using intrusion detection systems and have capabilities for DDoS prevention to ensure the high availability of systems.  Other security controls include:

•  Logical access controls
•  Encryption of data in transit (TLS/SSL)
•  Encryption of data at rest
•  Multi-factor authentication
•  Review of third-party supplier security practices
•  Access reviews and audits
•  Continuous system patching and application updates
•  Disaster recovery planning and testing

ACCESS MANAGEMENT

All access at boberdoo must be requested, approved and authorized according to a user’s roles & responsibilities and we adhere to the principle of least privilege. Passwords, access keys and role-based authentication mechanisms are used to authenticate users and services. Multi-factor authentication is required to access infrastructure systems. Access is promptly removed when a user is terminated and adjusted based on changing roles & responsibilities. All access and privileged actions are monitored and logged. 

VULNERABILITY MANAGEMENT

boberdoo contracts with external vendors to conduct vulnerability scanning and penetration testing annually. Industry-standard tools are used to identify and analyze vulnerabilities, audit system configurations and monitor compliance. Internal vulnerability scanning of critical infrastructure is performed on a monthly basis and integrated with our development process.  Vulnerabilities are logged and remediated according to severity.  It is our goal to never release a system update with a critical vulnerability and to promptly fix vulnerabilities when they are identified in existing systems.

LOGGING AND MONITORING

boberdoo maintains a robust centralized logging environment. Logging is enabled in order to establish an audit trail for all system access. Logging is performed at the application level as well. Audit trails are implemented and secured to prevent unauthorized access.  All infrastructure is monitored in real-time and alerts on availability, performance and security-related anomalies. Logs are retained for at least 12 months.

INCIDENT RESPONSE

boberdoo maintains an incident response policy and procedures to ensure security events are promptly identified, investigated, contained, remediated, and reported internally and externally, as necessary when customer and regulatory notifications are required. Our process defines roles & responsibilities, the severity of the incident, notification procedures, and remediation steps. All security events are logged and assessed upon identification. In the event of an incident, we will notify impacted customers in a timely manner of any security incident or breach that impacts your data. 

To report a security incident, please contact security@boberdoo.com.

DISASTER RECOVERY

Data is replicated to multiple availability zones to support the high availability of systems and data. Critical business applications and systems are recoverable via failover to alternate regions in the event of a disaster. Disaster recovery procedures are documented and tested.