Censinet and Information Security
Censinet respects the data that you entrust to us. We invest in security controls and training, keep updated on legal and regulatory areas applicable to our business and have an information security officer on staff. Censinet’s written information security program consists of several policies that we follow to reduce information security risks. We automate our risk management program using the Censinet platform to measure, track and reduce financial, regulatory, cybersecurity, availability, and resiliency risks. We are transparent about sharing assessment information including supporting evidence with our customers. We regularly reflect updates as our investments in technical, administrative and operational controls and process improvements are implemented. And, of course, we use Censinet to assess the risk of our vendors.
Learn more about how Censinet’s security program addresses risk by clicking on any of the links below to learn more:
Information Security Program
Our security program is based on the NIST CSF reference framework. It covers a wide array of security related topics ranging from general policies with which every employee must comply, such as authentication, data protection and physical security, to more specific security controls and processes covering internal applications and information systems.
Censinet’s written Information Security policies define employee responsibilities and acceptable use of information system resources. The organization receives signed acknowledgement from employees indicating that they have read, understand, and agree to them before providing authorized access to information systems. The policies that are included in the Information Security program are periodically reviewed and updated as necessary. The program is audited by a third-party on an annual basis.
Role based access controls are implemented for access to technical infrastructure and by our customers. Authorized administrator-level users are responsible for assigning proper roles to their users of the Censinet platform. Censinet has processes and procedures in place to address employees who are voluntarily or involuntarily terminated. Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know / least privilege necessary basis. Security policies limit our users to authorized behaviors.
Corporate and customer assets are inventoried and tracked throughout their lifecycle. Censinet’s authorized personnel who have access to these assets are required to comply with the procedures and guidelines defined by Censinet’s security policies.
Auditing and Logging
Audit logging is enabled in our technical infrastructure. These logs provide an account of which users and personnel have accessed which systems. Access to our auditing and logging tool is controlled by limiting access to authorized individuals. Security events are logged, monitored, and addressed by trained security team members.
Organizational responsibilities for responding to events are defined. Security or other infrastructure events that cross configured thresholds alert administrators for proper response. Retention schedules for the various logs are defined in our security controls baseline configuration policies.
Authentication and Authorization
We require that authorized users be provisioned with unique account IDs, comply with our password policy and utilize multi-factor authentication when using single sign-on for authentication with all applicable information systems, applications, and databases.
We employ the concept of least privilege for Censinet employees, restricting baseline permissions to access company resources. Employees are granted access to certain additional resources or elevated permissions based on their specific job function. Requests for additional access follow a formal process that involves a request and an approval from the asset owner, manager, or other executives, as defined by our security policy. Audit logs capture any additions, changes, removals of access or permissions.
Business Continuity and Disaster Recovery
To minimize service disruption due to technical infrastructure failure, natural disaster, or other impactful event, Censinet will initiate its business continuity or disaster recovery plan, as applicable and appropriate. For business critical applications, application data is hosted with leading SaaS and IaaS vendors. Based on classification and sensitivity of information, data is replicated to secondary or backup data centers that are geographically dispersed to provide adequate redundancy and high availability.
Censinet designs its platform as a tightly integrated system built for reliability. Censinet’s PaaS provider provides services for server and infrastructure management, logging and monitoring, backups and other necessary maintenance on operational assets. Authorized personnel respond to monitoring alerts 24×7 and repair critical failures as soon as commercially feasible. All aspects of the platform are designed to be reliable and fault-tolerant to ensure continued availability in the event that any component or subsystem fails to operate as designed. Platform components are configured in a redundant manner that provides for high availability.
Censinet continually works to develop products that support the latest recommended secure cipher suites and protocols to encrypt traffic while in transit. We utilize recognized, best practice encryption standards for data at rest. We monitor the changing cryptographic landscape closely and work to upgrade our products to respond to new cryptographic weaknesses as they are discovered and implement best practices as they evolve.
Data Security Management
We apply a common set of data management principles to customer data that we may process, handle, and store. We protect sensitive data using appropriate physical, technical, and administrative security controls.
As a function of the Censinet platform itself, data sharing and messaging between vendors and providers is constrained to those parties that have a connection within the platform. This means vendors have control over who they share their information and data with while collaborating on risk assessment workflows.
Malicious code protection is installed and configured to retrieve the most recently updated signatures and definitions available. Malicious code protection policies automatically apply updates. Anti-virus tools are configured to run scans, virus detection, real-time file write activity and signature file updates. Laptop and remote users are covered under anti-malware protection suites.
Censinet has a formalized incident response plan and associated procedures in case of an information security incident. The plan defines the responsibilities of key personnel and identifies processes and procedures for notification. Incident response personnel are trained, and execution of the incident response plan is tested periodically.
An incident response team is responsible for providing an incident handling capability for security incidents that includes internal and external communication (when applicable), detection and analysis, containment, eradication, and recovery.
Infrastructure System Backups
Censinet has backup standards and guidelines and associated procedures for performing backup and restoration of data in a scheduled and timely manner. Controls are established to help safeguard backed up data. We ensure that customer data is securely transferred to and from backup locations. All backup data is encrypted at rest and in transit. Periodic tests are conducted to test whether data can be safely restored from backup devices.
Our infrastructure servers reside behind high-availability firewalls and are monitored for the detection and prevention of various network security threats. Firewalls are utilized to help restrict access to systems from external networks and between systems internally. By default, all access is denied and only explicitly allowed ports and protocols are allowed based on business need.
Censinet maintains separate development and production environments to logically segment security zones that control the flow of network traffic. Automated tools are deployed within the infrastructure to support near-real-time analysis of events to support detection of system-level attacks.
Censinet follows a change management process to ensure that all changes made to the production environment follow a structured process. Changes to our platform, information systems, security controls and other system components, as well as physical and environmental changes are monitored and controlled through a formal change control process. Changes; are reviewed, approved, tested and monitored post-implementation to ensure that the expected changes are operating as intended.
Information security roles and responsibilities are defined within the organization. Responsibility focuses on information security and training, compliance with applicable legal and regulatory requirements, as well as defining, validating and measuring the effectiveness of security controls implemented to safeguard customer data and the protection of our technical infrastructure. Information security-related notifications and alerts are reviewed on a regular basis and applicable security advisory information is provided to the organization after risk assessment and impact analysis, as appropriate.
Censinet’s layered security controls and defined processes help identify, detect, prevent and respond to security incidents. Using simple workflows within our own risk management platform, Censinet tracks and resolves findings from self-assessments and customer assessments, mitigates or remediates risk in our processes and controls and produces internal and external communications as appropriate.
Censinet strives to apply the latest security patches and updates to operating systems, applications, and network infrastructure to mitigate exposure to vulnerabilities. Patch management processes are in place to implement security patch updates as they are released by vendors. Patches are tested prior to being deployed into production.
Censinet employees are required to conduct themselves in a manner consistent with the company’s policies, including those regarding confidentiality, business ethics, appropriate usage, and professional standards. All newly hired employees are required to sign confidentiality agreements and to read, understand and acknowledge the Censinet Employee Handbook. The Handbook outlines the company’s expectation that every employee will conduct business lawfully, ethically and transparently, with integrity and respect for each other and the company’s customers, partners, and competitors. Processes and procedures are in place to address employees who are on-boarded and off-boarded from the company.
Physical and Environmental Security
Our information systems and infrastructure are hosted in world-class data centers that are geographically dispersed to provide high availability and redundancy to Censinet and its customers. The standard physical security controls implemented the data centers include electronic card access control systems, fire alarm and suppression systems, interior and exterior cameras, cage locks and security guards.
Access to areas where systems, or system components, are installed or stored are segregated from general office and public areas. Data centers have backup power supplies and can draw power from diesel generators and backup batteries. These data centers have completed a Service Organization Controls (SOC) 2 Type II audit.
Secure Network Connections
HTTPS encryption is configured for customer web application access. This helps to ensure that user data in transit is safe, secure, and available only to intended recipients. The level of encryption is negotiated to the appropriate version of TLS and is dependent on what the web browser can support.
Software Development Lifecycle
We follow a defined methodology for developing secure software that is designed to increase the resiliency and trustworthiness of our products. Our products are deployed on an iterative, rapid release development lifecycle. Security controls and security testing are implemented throughout applicable stages of the software development lifecycle. Quality Assurance is involved at each phase of the lifecycle and security best practices are a mandated aspect of all development activities.
Our secure development lifecycle follows standard security practices including static application security testing, vulnerability testing, regression testing, penetration testing, and product security assessments. The Censinet security officer and engineering personnel review our development methodology regularly to incorporate evolving security awareness, recognized defensive coding practices and to measure its effectiveness.
Supplier and Vendor Relationships
Censinet’s suppliers and vendors are assessed using the Censinet platform prior to establishing formal business relationships. Our information security officer performs vendor reassessments within the platform to assess, mitigate and remediate information security, availability and resiliency obligations of products/services as well as review vendor organizations from governance, process and policy control, and operational risk perspectives. Corrective action plans, if applicable, are assigned to the appropriate resource and scheduled activities to remediate or mitigate any findings are tracked by the business/asset owner in concert with the information security officer.
Security assessments are done to identify vulnerabilities in our infrastructure and platform and to determine the effectiveness of our patch management program. Each vulnerability is reviewed to determine if it is applicable, prioritized based on risk, and assigned to the appropriate resources for remediation.