Key Components of our information security program include:
The Information Security program is led and developed by our Chief Information Security Officer (CISO) and supported by company ownership/leadership and operational subject matter experts. boberdoo personnel maintain industry-recognized certifications including Certified Information Systems Security Professional (CISSP), ITIL, AWS certifications and others.
boberdoo partners with external service providers to enhance and support our security program. We have retained a certified AWS partner, Trek10, to monitor our infrastructure 24/7 for system availability, performance and security compliance. We work with nationally recognized security services firms to conduct vulnerability assessments, penetration testing and web application testing annually. In addition to our annual tests and regular internal scanning, quarterly compliance scanning is conducted by SecurityMetrics to support best practices and compliance mandates. All systems are developed and hosted on Amazon Web Services’ SOC 2 and ISO 27001 compliant infrastructure.
boberdoo has developed policies and procedures and adopted standards intended to support our compliance with internationally recognized best practices and regulatory requirements. Our information security policies address network protection, systems monitoring & logging, endpoint protection, mobile device security, vulnerability management, patch management, access & audit, awareness, physical security, personnel security, acceptable use, third party management, disaster recovery, data protection and secure data management. Policies are reviewed annually.
boberdoo conducts formal information security risk assessments annually and as necessary when system or application changes result in changes to our risk exposure. The risk assessment evaluates the current threat landscape and identifies information security risks in our environment and their potential impact to our business and customer data. Findings are discussed with stakeholders and we formulate a strategy and plans for risk treatment based on the assessment outcomes, risks identified and external compliance requirements.
Security awareness is a foundational aspect of the boberdoo security program. Awareness training is delivered to all employees annually and when first onboarded to the company. Continuous awareness is also provided via a variety of communications channels throughout the year. Employees are required to complete a training acknowledgment and test to validate their understanding of common security and privacy-related topics.
boberdoo systems are built for the cloud. Our platform is hosted on Amazon Web Services (AWS). As such, clients benefit from the many certifications achieved by AWS. To learn more, please visit the AWS Compliance Program site for information on applicable certifications. Our infrastructure is developed and deployed according to best practices and monitored for compliance with CIS-AWS benchmarks. Furthermore, our infrastructure is monitored and supported by a leading AWS-managed security services partner to add an additional layer of oversight and assurance.
boberdoo’s web application firewall protects your data against common web attacks including the OWASP Top 10. We monitor for malicious activity using intrusion detection systems and have capabilities for DDoS prevention to ensure the high availability of systems. Other security controls include:
All access at boberdoo must be requested, approved and authorized according to a user’s roles & responsibilities and we adhere to the principle of least privilege. Passwords, access keys and role-based authentication mechanisms are used to authenticate users and services. Multi-factor authentication is required to access infrastructure systems. Access is promptly removed when a user is terminated and adjusted based on changing roles & responsibilities. All access and privileged actions are monitored and logged.
boberdoo contracts with external vendors to conduct vulnerability scanning and penetration testing annually. Industry-standard tools are used to identify and analyze vulnerabilities, audit system configurations and monitor compliance. Internal vulnerability scanning of critical infrastructure is performed on a monthly basis and integrated with our development process. Vulnerabilities are logged and remediated according to severity. It is our goal to never release a system update with a critical vulnerability and to promptly fix vulnerabilities when they are identified in existing systems.
boberdoo maintains a robust centralized logging environment. Logging is enabled in order to establish an audit trail for all system access, and logging is performed at the application level as well. Audit trails are implemented and secured to prevent unauthorized access or modification. All infrastructure is monitored in real time, with alerts on availability, performance and security-related anomalies. Logs are retained for at least 12 months.
boberdoo maintains an incident response policy and procedures to ensure security events are promptly identified, investigated, contained, remediated and reported internally, and reported externally where customer or regulatory notification is required. Our process defines roles and responsibilities, incident severity levels, notification procedures and remediation steps. All security events are logged and assessed upon identification. In the event of an incident, we will notify impacted customers in a timely manner of any security incident or breach that impacts your data.
To report a security incident, please contact firstname.lastname@example.org.
Data is replicated to multiple availability zones to support the high availability of systems and data. Critical business applications and systems are recoverable via failover to alternate regions in the event of a disaster. Disaster recovery procedures are documented and tested.
LEAD SYSTEM SECURITY
boberdoo has developed a lead system security and data management suite that allows you to build and implement a complete automated data security and retention strategy. Lead system security features include: