SmartVault Information Security
As a software developer and technology provider, SmartVault takes security seriously. The SmartVault security strategy is well-defined and implemented enterprise wide.
SmartVault’s Information Security Program is designed to protect the confidentiality, integrity and availability of both SmartVault and customer data, such as:
- The mission and business-critical systems that customers rely upon for cloud services, technical support and other services;
- Personal and other sensitive information that SmartVault processes during its business, including customer, partner, supplier and employee data residing in SmartVault’s internal systems and third-party platforms; and
- SmartVault source code and other sensitive data against theft and malicious alteration.
SmartVault’s information security policies and practices govern the management of security for SmartVault’s operations, and the services provided to its customers, and which apply to all SmartVault personnel, including employees, and contractors. These policies are aligned with the ISO/IEC 27001:2022 standard and guide security within SmartVault.
SmartVault has implemented a wide variety of preventive, detective, and corrective security controls with the objective of protecting information assets. SmartVault actively aligns to a variety of industry and regulatory frameworks, and best practices including the International Organization for Standardization (ISO), System and Organization Controls (SOC 2), National Institute of Standards and Technology (NIST), CIS v8 controls, Payment Card Industry Data Security Standard (PCI DSS), OWASP and other industry sources.
Organizational Information Security
SmartVault has a group Chief Information Security Officer (CISO) and a dedicated Cyber Security Team that oversee and drive corporate information security standards, practices, and controls to provide a high level of security across all critical company data and assets.
The CISO defines the policies for the management of information security across SmartVault in addition to providing the direction and advice to help protect SmartVault information assets as well as the data entrusted to SmartVault by our customers, partners and employees. The information security programs are designed to protect the confidentiality, integrity and availability of data developed, accessed, used, maintained, and hosted by SmartVault.
The CISO also co-ordinates the reporting of information security risk to senior leadership such as the SmartVault Management Review Team, Divisional Board and Board of Directors.
Cyber Security Team
The SmartVault Cyber Security Team are responsible for the IT security strategy, architectural design of security solutions, risk management, security infrastructure operations and support, standards and compliance, threat intelligence and remediation and security technical assessment for new infrastructure.
The Cyber Security Team helps set internal information-security technical direction and guides all departments towards deploying information security that progress SmartVault’s strategic information security goals.
SmartVault Management Review Team
The SmartVault Management Review Team (MRT) oversees the implementation of SmartVault-wide security programs, including security policies and data privacy standards. The MRT is chaired by SmartVault’s CISO.
SmartVault Product Security
The SmartVault Development and Engineering Teams are responsible for the management and improvement of the security of SmartVault products. Secure Software Development practices are embedded into the design, build, testing, and maintenance of its products throughout every phase of the product development lifecycle.
The Cyber Security Team works with these teams to develop, communicate, and implement secure architectures and practices, and improve the security of SmartVault products.
SmartVault’s CISO and Cyber Security Team conduct internal audits, oversee compliance of the security controls, processes, and procedures, and proactively work with independent third parties to assess the security posture and compliance for the organization.
SmartVault performs ongoing security evaluations as part of the company’s annual compliance audits. The results of these audits are reported to the Management Review Team and Divisional Board and are fed into a continuous improvement cycle that helps us keep maturing the overall security program.
SmartVault has formal requirements for use of the corporate network, computer systems, telephony systems, messaging technologies, internet access, enterprise data, customer data, and other company resources available to SmartVault employees, contractors and visitors.
Access to SmartVault information systems is governed by the Access Control Policy with access to information within SmartVault granted on a least privilege and need-to-know basis. SmartVault has implemented methods and procedures designed to prevent unauthorised access to data and the systems that host that data. Appropriate authentication and authorisation methods are used to control access to network and applications including Virtual Private Network (VPN), Multi-Factor Authentication (MFA), and other supporting technical controls.
The Access Control Policy is applicable to access control decisions for all SmartVault employees and any information processing facility for which SmartVault has administrative authority.
Measures are in place to enable the timely removal of systems access rights no longer required for business purposes.
SmartVault requires the use of Endpoint Detection and Response (EDR) solutions on all endpoint devices such as laptops, desktops and mobile devices that access sensitive data and/or infrastructure. The enterprise EDR solution is configured to perform daily threat-definition updates and malware scans.
All computers that store or access SmartVault data must have automated security updates enabled or where appropriate security updates must be installed upon notification of their availability. All devices that process SmartVault or customer information must be encrypted using approved software.
Employees are prohibited from altering, disabling, or removing endpoint security controls and the security update service from any computer. Any SmartVault employee or contractor who is identified as breaching this standard may be subject to disciplinary action up to and including termination of employment.
SmartVault utilises a wide range of tools to monitor its corporate and production network environments. Data is collected from devices and applications in the network and aggregated into the Security Incident and Event Management (SIEM) platform to identify, detect and respond to suspected or confirmed anomalies and threats. The SIEM is monitored by a dedicated 24/7 Cyber Security Operations Centre to respond to and mitigate threats.
Suspicious and malicious activities feed into the security-incident management process.
Security Audit Log Information
SmartVault logs certain security-related activities on operating systems, applications, databases and network devices.
SmartVault retains and reviews logs for forensic purposes and incidents. Access to security logs is provided based on need-to-know and least privilege.
Log files are protected by a variety of access controls, and access is monitored.
SmartVault has implemented network controls for the protection and control of both SmartVault and customer data for its storage and transmission. SmartVault’s technical policies enforce network access and network device management, including authentication and authorization requirements for both physical devices and software-based systems.
For administration of network security and network-management devices, SmartVault requires IT personnel to use secure protocols with authentication, authorisation and strong encryption.
Communications to and from the SmartVault corporate network must pass through on-premises or cloud hosted security services which form part of the corporate network. Remote connections to the SmartVault corporate network use virtual private networks (VPNs). Corporate systems available outside the corporate network are protected by additional security controls such as Multi-Factor Authentication and location-based controls.
SmartVault has implemented technical policies to enforce password requirements for the SmartVault network, operating systems, email, databases, and other accounts to reduce the risk of unauthorised access. SmartVault’s Password Policy is applicable to all areas of the business.
System-generated and assigned passwords are required to be changed immediately on receipt. Employees must keep their passwords confidential and always secured and are prohibited from sharing their individual account passwords with anyone, whether verbally, in writing, or by any other means. Employees are not permitted to use any SmartVault system or applications passwords for non-SmartVault applications or systems.
We have a relationship with an industry-recognized penetration testing service provider to deliver security testing of both SmartVault products and the internal corporate network infrastructure. Our approach is built on the concept of ‘Continuous Offensive Testing’ meaning we have an always-on testing model.
The security testing includes internal security reviews, penetration testing, Red Team assessments and vulnerability scanning.
SmartVault requires that appropriate security maintenance be performed against enterprise and production information systems. The company constantly works to reduce vulnerabilities in products and infrastructure, and to ensure that identified vulnerabilities are remediated as quickly as possible.
Security vulnerabilities are identified through automated scanners, internal security reviews, customer reports, and external security testing. Identified vulnerabilities are tracked and assigned to the relevant system or asset owner to progress where they are subject to ongoing review until a timely resolution.
The Cyber Security, Engineering and Management Review Teams convene to assess track and monitor open issues and remediation progress.
Human Resources Security
SmartVault places a strong emphasis on personnel security. The company maintains ongoing initiatives intended to help minimise risks associated with human error, theft, fraud and misuse of facilities, including personnel screening, confidentiality agreements, security awareness education and training, and enforcement of disciplinary actions.
SmartVault maintains high standards for business conduct at every level of the company and which apply to employees, contractors, and temporary employees, and cover legal and regulatory compliance and business conduct and relationships. Employees who fail to comply with SmartVault policies, procedures and guidelines may be subject to disciplinary action up to and including termination of employment.
SmartVault uses an external screening agency to perform pre-employment background checks to provide assurance around the trustworthiness and reliability for newly hired employees. Employee screening in other countries varies according to local laws, employment regulations and local SmartVault policy.
SmartVault employees are required to maintain the confidentiality of customer data. Employees must sign a confidentiality agreement and comply with company policies concerning protection of confidential information as part of their initial terms of employment. SmartVault obtains a written confidentiality agreement from each sub-contractor before that subcontractor provides services.
SmartVault employees are trained on company policies and security practices. This includes annual security training and ongoing security awareness updates. In addition, all SmartVault employees must take annual privacy training which covers privacy best practices and compliance requirements under applicable laws, including the General Data Protection Regulation (GDPR).
All new SmartVault employees attest to comply with SmartVault information security policies and attend training during the onboarding process.
Data Classification and Handling
The responsibility, inventory, and ownership of SmartVault’s Information Assets is governed by the Data Classification and Handling Policy which provides guidelines for all SmartVault information classification and minimum handling requirements for each data type.
This policy applies to all information assets held on any SmartVault system, including both enterprise systems and cloud services.
Asset Classification and Control
SmartVault categorises information into four types – Public, Internal, Restricted, and Confidential. Each classification requires corresponding levels of security controls:
- Public – information is not sensitive and there is no need with it remaining confidential to SmartVault.
- Internal – information must remain confidential to SmartVault.
- Restricted and Confidential – information must remain confidential to SmartVault and access within the company must be restricted on a “need to know” basis, with additional handling requirements for Restricted and Confidential information.
SmartVault’s Cyber Team is responsible for defining, developing, implementing, and managing all aspects of physical security for the protection of SmartVault’s employees, facilities, business enterprise, and assets. SmartVault regularly performs risk assessments to confirm that appropriate mitigation controls are in place and maintained. SmartVault currently has implemented the following protocols:
- Physical access to facilities is limited to SmartVault employees, contractors, and authorised visitors.
- SmartVault employees, sub-contractors, and authorised visitors are issued access cards that are used while on SmartVault premises.
- Cyber Security monitors the possession of keys/access cards and the ability to access facilities. Staff leaving SmartVault’s employment must return keys/cards and key/cards are deactivated upon termination.
- SmartVault uses a combination of 24/7 onsite security services who are responsible for patrols, alarm response, and recording of security incidents.
- SmartVault has implemented centrally managed electronic access control systems with integrated intruder alarm capability. The access logs are kept for a minimum of six months. Furthermore, the retention period for CCTV monitoring and recording ranges from 30 days.
SmartVault leverages Amazon Web Services (AWS) for production systems which follow standardised industry practices.
SmartVault maintains a formal Business Continuity Plan (BCP) that is regularly reviewed and updated. The BCP enables the company to respond quickly to most failure events, including natural disasters and system failures. The plan specifies the functional roles and responsibilities required to create, maintain, test and evaluate business continuity capability for SmartVault across all areas of the business.
The goal of the program is to minimise negative impacts to SmartVault and maintain critical business processes until regular operating conditions are restored.
SmartVault maintains a formalised Incident Response Plan which reflect the recommended practices in security standards issued by the International Organization for Standardisation (ISO), the United States National Institute of Standards and Technology (NIST), and other industry frameworks.
SmartVault has implemented a wide variety of preventive, detective, and corrective security controls with the objective of protecting information assets.
SmartVault will evaluate and respond to any event when SmartVault suspects that SmartVault-managed customer data has been improperly handled or accessed.
If SmartVault determines a confirmed security incident involving Personal Information processed by SmartVault has taken place, SmartVault will promptly notify impacted customers or other third parties in accordance with its contractual and regulatory responsibilities as defined in the Data Processing Agreement for SmartVault Services.
Information about malicious attempts or suspected incidents is SmartVault Confidential information and is not externally shared.
SmartVault’s Risk Management framework is based on the ISO 27001 Information Security Management Standard. This program takes both the company’s and customer’s security needs into consideration and arrives at a set of security requirements using controls listed across a range of international security standards.
The corporate Risk Register captures and tracks the risks faced by the business, their potential impact, likelihood of occurrence and the key controls and management processes to mitigate the risks.
Third Party Supplier Management
SmartVault is committed on making sure third-party supplier (including contractors and cloud service providers) engagements do not in any way jeopardise the company, our customers or their data. A review process is undertaken by the Cyber Security, Operations and Finance teams for any proposed third-party supplier engagements. For any engagements deemed high or critical risk, these are subject to additional security, compliance, and risk reviews.
Ongoing due diligence also occurs through periodic reviews – either upon contract renewal or annually depending on the risk level of the engagement.
SmartVault requires its suppliers to meet minimum security requirements as part of the engagement.