Organization and Product Security FAQ

Workstation Security

Mobile Device Management – All workstations have an MDM agent installed that applies controls from a centralized management portal. Through the MDM we enforce the most important CIS (Center for Internet Security) Benchmark controls on every workstation.

Disk Encryption – We enforce FileVault 2 full-disk encryption on all Mac workstations.
Anti-Malware Protection – All workstations run a next-generation EDR / antivirus agent that is installed, kept protected, and managed through a centralized management console.

Remote Access – We use the FortiClient VPN client to connect to the corporate network and to our cloud-hosted “Virtual Private Cloud” infrastructure. VPN authentication is integrated with Google SSO, on which MFA is enforced.

Support – An internal IT/Network team is available 24/7 to support employees and users.

Checklist – Every workstation is verified against a security checklist before it is shipped or handed over to an employee.

Asset Inventory – We maintain a dynamic asset inventory that is updated automatically at a 5-minute interval.

Vulnerability – We perform weekly vulnerability assessment scans and plan remediation according to the severity of what is identified. Operating systems and applications are monitored for vulnerabilities and other security events.

Corporate Organization Security

Network Protection – The corporate network is protected by a firewall with the essential security modules enabled: IPS, firewall, DDoS protection, content filtering, etc.

Physical Access Control – Physical access is restricted with biometric access control on both entry and exit.

Server Room – Network and server rooms are protected by an additional layer of security devices with restricted access control.

Physical Surveillance – CCTV cameras are deployed to record all movement within the office premises.

Audit and Scan – Monthly audits and bi-weekly vulnerability scans are performed to identify risks and attack vectors.

Security Awareness Program – All employees must complete mandatory security awareness training as part of onboarding. The security awareness program is approved by our management team, and all employees are expected to complete security and compliance training every quarter.

Employee Background Checks – Background verification is performed on all employees (US and India). We recruit only full-time employees, and the verification covers performance, education, criminal and critical case history, and prior work experience. Employees also undergo security and compliance training and complete a training program on our policies and procedures.

Application Security

DAST – Dynamic Application Security Testing is performed regularly using Burp Suite Professional edition: bi-weekly, as part of every software release, and additionally when new features are released.

Coding Practice – OWASP secure coding best practices are adopted from the early phases of application development. Secure coding training is provided to the entire R&D engineering department.

External 3rd Party VAPT Assessment – External security vendors are engaged quarterly to perform web application penetration testing; findings are remediated, and reports are shared with clients and prospects.

SAST – SonarQube scans the application source code for vulnerabilities and security hotspots at every stage: dev, preprod, sandbox and production.

Software Composition Analysis – OWASP Dependency-Check is used to detect publicly disclosed vulnerabilities in third-party dependencies.

Web Application Firewall – Application endpoints are protected by a Web Application Firewall; all application requests are inspected for malicious or inappropriate content, and only clean requests are passed through.

SIEM – A cloud-native Security Information and Event Management platform is enabled for monitoring and alerting on violations, unauthorized access, privileged access attempts, etc.

Security Headers – Applications send additional security headers that instruct clients to apply certain controls and restrictions, such as HSTS and CSP, together with a narrowly scoped CORS configuration, to mitigate OWASP Top 10 classes of vulnerability. HSTS and CSP restrict what the browser will do; CORS headers instead define which cross-origin callers are permitted, so they only add protection when the allowed origins are kept tight.
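
As an added example, not BuyersRoad's code, the following Python check audits the headers of a single HTTP response for the controls listed above: HSTS with a max-age of at least one year, a CSP that does not leave scripts unrestricted, and a CORS configuration that neither opens the endpoint to any origin nor reflects an untrusted Origin back with credentials. The two sample responses and the `example.test` origins are constructed for the demonstration; `request_origin` and `allowed_origins` are parameters of this example only.

```python
from typing import Dict, Iterable, List, Optional

ONE_YEAR_SECONDS = 31536000


def _normalize(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive, so compare on lower case."""
    return {name.lower(): value.strip() for name, value in headers.items()}


def _hsts_max_age(value: str) -> int:
    """Return the max-age directive of an HSTS value, or 0 if absent or malformed."""
    for directive in value.split(";"):
        directive = directive.strip()
        if directive.lower().startswith("max-age="):
            try:
                return int(directive.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                return 0
    return 0


def _csp_script_sources(csp: str) -> List[str]:
    """Effective script sources: script-src, else default-src, else unrestricted."""
    directives: Dict[str, List[str]] = {}
    for chunk in csp.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives.get("script-src", directives.get("default-src", ["*"]))


def audit_headers(headers: Dict[str, str],
                  request_origin: Optional[str] = None,
                  allowed_origins: Iterable[str] = ()) -> List[str]:
    """Return a list of findings; an empty list means the response passes."""
    h = _normalize(headers)
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    elif _hsts_max_age(hsts) < ONE_YEAR_SECONDS:
        findings.append("HSTS max-age shorter than one year")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        sources = _csp_script_sources(csp)
        if "*" in sources:
            findings.append("CSP allows scripts from any origin")
        if "'unsafe-inline'" in sources:
            findings.append("CSP allows inline scripts ('unsafe-inline')")

    # CORS headers widen the same-origin policy; they only protect when scoped.
    acao = h.get("access-control-allow-origin")
    with_credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*":
        findings.append("CORS allows any origin; acceptable only for public, non-credentialed data")
    elif acao and request_origin and acao == request_origin \
            and request_origin not in set(allowed_origins):
        suffix = " with credentials" if with_credentials else ""
        findings.append(f"CORS reflects untrusted Origin {request_origin}{suffix}")
    return findings


# Constructed sample responses, not captures from any real service.
GOOD_RESPONSE = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.test",
    "Access-Control-Allow-Origin": "https://app.example.test",
    "Access-Control-Allow-Credentials": "true",
}
BAD_RESPONSE = {
    "strict-transport-security": "max-age=300",
    "content-security-policy": "default-src *; script-src 'self' 'unsafe-inline'",
    "access-control-allow-origin": "https://evil.example.test",
    "access-control-allow-credentials": "true",
}
TRUSTED_ORIGINS = ("https://app.example.test",)

if __name__ == "__main__":
    print(audit_headers(GOOD_RESPONSE, "https://app.example.test", TRUSTED_ORIGINS))
    print(audit_headers(BAD_RESPONSE, "https://evil.example.test", TRUSTED_ORIGINS))
```

The reflection check needs the Origin that was sent with the request, because the dangerous pattern is a server that echoes any Origin it receives; a single response cannot reveal that unless you know what was asked. Run the check once per endpoint with a made-up Origin to see whether it comes back.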

Bug Bounty Program – We run a responsible security disclosure program, listed on our company website, through which security researchers can report vulnerabilities, misconfigurations, etc.

SDLC Security

Software Assurance Model – The engineering R&D team ensures security measures are followed at each phase of the SDLC by adhering to CWE (Common Weakness Enumeration) and OWASP SAMM.

Security Training – The engineering R&D team receives regular training on secure coding best practices.

Security Guidelines – All engineering R&D staff must read and understand the various BuyersRoad guidelines and policies: Secure Code, Code Quality, Secret Sharing & Handling, Document Sharing, and Quality Assurance.

Code Review – All engineering R&D code goes through a strict code review process to maintain code quality and security.

Software & QA Checklist – Each software release must pass all of the defined acceptance criteria.

Data Security

Data Accessibility – Our platform is hosted on public cloud (AWS IaaS) with a multi-layer security approach: IPS, threat detection, DDoS protection, firewall and access control enforcement are in place. Private access to resource management is allowed only through IPsec VPN.

Who has access to customer data – Access to customer data is granted using role-based access, only as necessary to complete the individual's job function. Access is granted on a need-to-know basis for the business support and operations work needed to maintain and manage our platform, and system and data access is limited to the support group. This access requires multi-factor authentication and is monitored for audit purposes.

Data Center – Our platform is hosted in AWS IaaS in the US East and US West regions. AWS US West: Amazon PDX1, 73575 Lewis and Clark Drive, Boardman, OR 97818. AWS US East: Amazon, 21155 Smith Switch Road, Ashburn, VA, USA.

Encryption – Data at rest and data in transit are protected with industry-standard encryption. All our cloud storage EBS volumes are encrypted with AES-256.

Data Classification – Data is classified and tagged, and access to the backend is monitored.
Data Access Monitor – Privileged access and access to secret data, servers and networks are monitored using SIEM and CloudTrail.

Data Retention – We follow our data retention policy. We are CCPA/CPRA compliant and SOC 2 Type II compliant. Clients may request, through our company website, to see what data we store and process, to have it modified, to unsubscribe, and to have their records deleted.

Access Control – We strictly follow role-based access control together with least privilege and separation of duties.

Access Audit – A monthly audit program reviews access logs and the access control policy.

Device Disposal – We have a management-approved disposal program and procedures in line with NIST guidelines.

Data Type – We provide online reputation services for our clients, and we need client transaction details to begin the service: typically the transaction reference, our client's name and email, and the name and email address of the person the service was provided to (the client's customer).

Data Availability and DR

Backup – We run scheduled backups in three modes (hourly, daily and weekly) for all data stores and mission-critical systems.

DR – A hot DR environment is configured in another AWS Availability Zone, continuously synchronized as a mirror of the production system. DR failover drills are exercised bi-annually to verify effectiveness and outcome. Last DR drill: the last DR test was completed on 8 December 2022.

Redundancy – Our infrastructure is deployed redundantly across three AWS Availability Zones, so that even if two of the three are impacted we continue to deliver service without any service impact.

RPO / RTO – Recovery Point Objective (RPO) is 1 hour and Recovery Time Objective (RTO) is 6 hours.

Email & DNS Security

Domain – Domain-level protections are enabled to industry standard, with monitoring for blacklisting and authentication failures.
Email Authentication – We enforce SPF, DKIM and DMARC, with the DMARC policy set to reject mail that does not comply with these standards.

TLS – Email communication channels use enforced TLS rather than opportunistic TLS, so mail is not delivered in cleartext when TLS cannot be negotiated.
Email Scan – All inbound and outbound email is scanned for spam, phishing and malicious content, and is subject to Data Loss/Leak Prevention.
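
The SPF and DMARC enforcement described above can be verified from the published DNS TXT records. The following Python check is added here as an example and is not taken from the FAQ or from BuyersRoad: it parses a DMARC record and an SPF record and reports anything short of the enforcement claimed, namely a DMARC policy other than reject, a subdomain policy or pct that weakens it, a missing aggregate reporting address, an SPF record with no or a permissive "all" terminator, and more than the ten DNS-lookup terms RFC 7208 permits (beyond that, receivers return permerror and SPF stops working). The record strings are constructed samples, not live DNS answers; fetch the real ones with `dig TXT _dmarc.<domain>` and `dig TXT <domain>`. DKIM is not covered because verifying it needs the selector name, which the FAQ does not state.

```python
from typing import Dict, List

# SPF terms that cost a DNS lookup (RFC 7208 section 4.6.4 caps them at 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag name."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> List[str]:
    """Report anything short of an enforcing (p=reject) DMARC record."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC1 record"]
    findings: List[str] = []
    policy = tags.get("p")
    if policy != "reject":
        findings.append(f"policy is {policy!r}, not reject")
    # sp defaults to p; an explicit weaker sp leaves subdomains spoofable.
    subdomain_policy = tags.get("sp")
    if subdomain_policy is not None and subdomain_policy != "reject":
        findings.append(f"subdomain policy is {subdomain_policy!r}, not reject")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(f"pct={pct}: only part of failing mail is subject to the policy")
    if "rua" not in tags:
        findings.append("no rua address: no aggregate reports, so failures go unseen")
    return findings


def spf_findings(record: str) -> List[str]:
    """Report a permissive 'all' qualifier or too many lookup terms in an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an spf1 record"]
    findings: List[str] = []
    lookups = 0
    all_term = None
    for term in terms[1:]:
        t = term.lower()
        qualifier = "+"  # the default qualifier is pass
        if t and t[0] in "+-~?":
            qualifier, t = t[0], t[1:]
        if t == "all":
            all_term = qualifier + "all"
            continue
        # The mechanism name ends at ':' (argument), '/' (CIDR) or '=' (modifier).
        name = t.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    if all_term is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_term in ("+all", "?all"):
        findings.append(f"{all_term}: unlisted senders are not rejected")
    return findings


# Constructed sample records, not live DNS answers.
DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.test; adkim=s; aspf=s"
DMARC_WEAK = "v=DMARC1; p=none; pct=50"
SPF_OK = "v=spf1 include:_spf.example.test include:sendgrid.example.test ip4:203.0.113.0/24 -all"
SPF_BAD = ("v=spf1 a mx ptr include:one.test include:two.test include:three.test "
           "include:four.test include:five.test include:six.test include:seven.test "
           "include:eight.test +all")

if __name__ == "__main__":
    for label, result in (("DMARC ok", dmarc_findings(DMARC_OK)),
                          ("DMARC weak", dmarc_findings(DMARC_WEAK)),
                          ("SPF ok", spf_findings(SPF_OK)),
                          ("SPF bad", spf_findings(SPF_BAD))):
        print(label, result or "pass")
```

A softfail terminator (`~all`) is deliberately not flagged: under DMARC an SPF softfail is simply "not pass", so a p=reject policy still rejects unaligned mail, and the lookup-count check matters more in practice because an eleventh include silently disables SPF for the whole domain.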

Cloud Security

Cloud Config Audit – A monthly cloud configuration and security parameter scan verifies that CIS and other cloud recommendations are met.

Encryption – Encryption is enabled for 100% of the AWS services we use: S3, EBS, RDS, SNS, SQS, Lambda, EKS and all others.

Monitoring – We use multiple platforms to monitor our cloud activity. New Relic is integrated as an external APM tool, and AWS CloudWatch and AWS Config are enabled to monitor logs and services.

Cloud Native SIEM – Sumo Logic is enabled as a cloud-native SIEM to analyze CloudTrail logs along with access to all other services.

IAM – All users have Multi-Factor Authentication enabled and are granted least privilege based on their role (RBAC).

Access Control – Cloud resource access is granted under strict access control, and only from specific sources. Only the IPsec VPN remote network is permitted to reach system and resource management access within the AWS cloud infrastructure.

Compliance

External VAPT – Yes. We engage the external cyber security vendor CyberHunter quarterly to perform it.

Security Awareness Program – We have a management-approved security awareness program. All new employees undergo basic security awareness training as part of onboarding, and regular security and compliance training is provided quarterly. We also provide role- and job-function-specific training and run regular phishing campaigns to test employee awareness and vigilance.

MFA Adoption – MFA is enforced on 100% of our AWS cloud accounts and corporate Google Workspace accounts. We regularly review that our integrated and dependent systems also have MFA enabled.

Vendor Management – We perform due diligence on BuyersRoad service providers covering how they deliver their service securely, company information, operational processing and risk, cyber security incident response, employee background screening, regular audits, data security and redundancy, and regulatory and compliance standards. All existing vendors are re-evaluated annually.

EDR / Anti-Malware – Next-generation Endpoint Detection and Response (EDR) / anti-malware software is deployed on 100% of endpoints and managed through a centralized portal.

Vulnerability Management – We have a management-approved vulnerability management program and use both open source and commercial tools to perform vulnerability and remediation scans.

Disposal Management – We follow NIST guideline-based disposal policy and procedures. A printing policy prohibits printing secrets or credentials on paper; printing is authorized only for certain departments, as we maintain everything digitally, and paper disposal is strictly followed where applicable.

Audit Program – We have undergone SOC 2 Type II audits since 2020. As part of SOC 2 Type II, all our physical and logical security, availability and confidentiality controls are reviewed and reported on by an AICPA auditor.

We are CCPA compliant (CPRA from 1 January 2023), which enables clients/users to submit Right to Know, Request to Modify and Request to Delete requests through our company websites.

How to report a Security Issue – A management-approved bug bounty / “responsible security disclosure” program is listed on our company website for security researchers to report vulnerabilities and misconfigurations.

Incident Response – BuyersRoad has an approved incident response program based on NIST industry standards. We have also formed a CSIRT team that trains regularly to handle security incidents.

GRC – BuyersRoad has a GRC committee made up of stakeholders from various departments, aiming to align IT with business goals while managing risk and meeting all industry and government regulations.

GDPR/CPRA Requirement – Does your platform support the right to be forgotten? Yes. The option is provided under the privacy policy on our company website.

3rd parties in scope for Experience.com deliverables – We use very few 3rd party service providers as part of our platform. They are:

  1. AWS Public Cloud – We are hosted on AWS (IaaS) public cloud in US geographic locations; it provides the underlying hardware/infrastructure hosting our application platform.
  2. New Relic – A cloud-based Application Performance Monitoring tool.
  3. Twilio/SendGrid – Cloud-based SaaS used to send our platform's emails and text messages to end users/customers.

Employee Checks – We perform background verification covering performance, criminal history, education, critical case history, and prior work experience.

Risk Management – We perform a quarterly risk assessment exercise and submit the report to management so that findings are remediated in a timely manner.

How often do you update and review your policies and procedures – Quarterly; updates are reviewed and released to clients and prospects.

How does a new product change get delivered – A business strategy team identifies the most needed features and enhancements. The request is handed off to the product team, which grooms the requirements and documents dependencies; the proposed changes, functions and features are then reviewed and approved by the product and business teams. Next, the product team raises a Jira ticket to estimate the work involved (code and infrastructure changes) and assigns it to engineers with a priority. Finally, the Change Advisory Board approves the changes before they are rolled out to production.
