We are committed to protecting the confidentiality, integrity and availability of our interested parties' data by adopting appropriate security measures in our production environment.
The following sections detail the security practices we adopt when developing and hosting Enframe for our clients.
Every customer's application is hosted in a dedicated VPC. Security groups act as a stateful firewall for the associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level.
Access to the applications and their underlying AWS resources is controlled through IAM, following the principle of least privilege. Role-based access through IAM is enforced to segregate duties. Access to production is restricted to a small set of users based on job role; developers and Quality Assurance team members are granted production access only where their responsibilities require it.
Data at rest is encrypted with AES-256, and data in transit is protected with TLS using FIPS 140-2 validated cryptographic modules. A unique encryption key is used for each customer; keys are managed in AWS Key Management Service (AWS KMS) and rotated yearly.
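The following Terraform fragment is an added illustration of the two controls above (a dedicated VPC with least-privilege security groups, and a per-customer KMS key with yearly rotation); it is not Enframe's own configuration, and the customer name, CIDR ranges and the load-balancer security group are hypothetical.

```hcl
# Added example, not Enframe's own code. Customer name, CIDRs and the ALB
# security group are hypothetical placeholders.

variable "customer" {
  default = "acme"
}

# One VPC per customer.
resource "aws_vpc" "customer" {
  cidr_block = "10.42.0.0/16"
  tags       = { Customer = var.customer }
}

# Security group for the load balancer (hypothetical; shown only so the
# application rules below can reference it instead of 0.0.0.0/0).
resource "aws_security_group" "alb" {
  name        = "${var.customer}-alb"
  description = "Load balancer for ${var.customer}"
  vpc_id      = aws_vpc.customer.id
}

# Security group for the application instances. Terraform removes AWS's
# default allow-all egress rule, so only the rules declared here apply.
resource "aws_security_group" "app" {
  name        = "${var.customer}-app"
  description = "Application instances for ${var.customer}"
  vpc_id      = aws_vpc.customer.id
  tags        = { Customer = var.customer }
}

# Inbound: HTTPS only, and only from the load balancer's security group.
resource "aws_vpc_security_group_ingress_rule" "https_from_alb" {
  security_group_id            = aws_security_group.app.id
  ip_protocol                  = "tcp"
  from_port                    = 443
  to_port                      = 443
  referenced_security_group_id = aws_security_group.alb.id
}

# Outbound: egress is restricted too, here to HTTPS inside the VPC's own CIDR.
resource "aws_vpc_security_group_egress_rule" "https_to_vpc" {
  security_group_id = aws_security_group.app.id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_ipv4         = aws_vpc.customer.cidr_block
}

# One customer-managed KMS key per customer, with automatic yearly rotation.
resource "aws_kms_key" "customer_data" {
  description             = "Data-at-rest key for ${var.customer}"
  enable_key_rotation     = true
  rotation_period_in_days = 365 # yearly; this is also the AWS default once rotation is enabled
  deletion_window_in_days = 30
  tags                    = { Customer = var.customer }
}
```

Two checks a practitioner would run against such a setup: confirm there are no 0.0.0.0/0 ingress rules on the application security group (for example with `aws ec2 describe-security-groups`), and confirm rotation is actually on with `aws kms get-key-rotation-status --key-id <key-id>`. Note that KMS automatic rotation only changes the key material used for new encryption operations; data already encrypted remains decryptable under the older material and is not re-encrypted.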
The product roadmap is defined and reviewed periodically by the Technical Product Manager. Security fixes are prioritized and bundled into the earliest possible sprint.
All changes are tested by the Quality Assurance team, and criteria are established for code review, web vulnerability assessment and advanced security testing.
Vulnerability assessment and penetration testing are performed annually by an independent third-party vendor in line with industry standards.
Source code is managed centrally under version control, with access restricted to the teams assigned to specific sprints. Records are maintained of all code changes, check-ins and check-outs.
Our DevOps sprints are powered by a multi-disciplinary Squad of members including the Product Owner, Squad Lead, Tribe Lead and Members, and Quality Assurance.
Users are routed to the best endpoint based on geo-proximity, latency, health and other considerations.
Application traffic is automatically distributed across multiple Availability Zones, supporting high availability, auto-scaling and robust security.
Near-real-time backups are taken across multiple Availability Zones in encrypted, access-controlled containers. Mirrored Availability Zones serve customers in real time, providing seamless disaster recovery (DR) capability.
The architecture is highly resilient and fault-tolerant, and can be hosted on AWS and Azure clouds.
The executive leadership team, comprising principals and partners, sets the tone and commitment toward information security objectives.
The Principal Information Security Officer (PISO) is responsible for information security initiatives. The information security team reports to the ISSG, drives new initiatives and projects, ensures compliance in steady state and delivers continuous improvements to the security posture.
The information security team assesses security risks annually and on an ongoing basis when major changes occur. The feeder channels factored into risk management include audit findings, incidents, changes in the threat landscape, and changing contractual and regulatory requirements.
Policies and procedures in line with ISO 27001:2013 standards are defined and regularly audited. The processes are reviewed annually and any changes are communicated to all relevant employees.
All employees undergo mandatory background verification before being onboarded to their teams. Empaneled third-party service providers perform background verification covering identity, whereabouts, education history, employment history and criminal history.
Requirements for the responsible handling of data, including all types of personal information, are communicated to every employee during induction, and annual refresher training is conducted for all employees.
All processes and controls are audited by independent audit entities, either from within the organization or from external bodies. Audit plans are formulated so that every department is audited at least once a year. Audit findings are reported directly to the ISSG, and the information security team tracks and reports the remediation of each finding until closure.
Procedures are established for reporting incidents and tracking them through timely communication, investigation and resolution.