Security

Security is paramount at RecordPoint.

RecordPoint has a rigorous set of technical and policy-based controls in place to ensure that customer data is kept secure and confidential. These controls aim to comprehensively to cover the following areas:

  • Incident management & reporting
  • Security incident management & reporting
  • Vulnerability management & reporting
  • Change management
  • Employee security awareness training
  • Access control
  • Data segregation & isolation
  • Infrastructure, application & network hardening
  • Patch management
  • Logging and auditing
  • Malware detection & prevention
  • Intrusion detection & prevention
  • Encryption standards
  • Physical security standards

Technical Controls & Policies

The following controls are enforced by RecordPoint as part of operating the standard Records365 service:

Security AreaControl
Incident Management & Reporting
  • RecordPoint maintains an incident management & reporting policy
  • Incidents are managed by an incident manager who triages them based on severity and policy and determines how incidents are handled, escalated and communicated
Security Incident Management & Reporting
  • RecordPoint maintains a security incident-specific management & reporting policy
  • Security incidents are managed by an incident manager who based on severity and policy determines how incidents are handled, escalated and communicated
Vulnerabilities Management & Reporting
  • Web application penetration testing is conducted on a regular basis by a 3rd party
  • Internal network penetration testing is conducted on a regular basis by a 3rd party
  • External network penetration testing is conducted on a regular basis by a 3rd party
Change Management
  • RecordPoint maintains a Change Control Board that assesses the risks of any changes to production systems
  • Change Requests are logged, have detailed risk assessments, deployment steps and rollback procedures
Employee Security Awareness Training
  • Employees are required to formally acknowledge the RecordPoint Information Security policy
  • Employees are required to formally acknowledge the RecordPoint Employee Handbook
  • Employees in an engineering capacity are required to undergo OWASP Top 10 awareness training
Access Control
  • Production access is only granted to authorized RecordPoint personnel
  • Authorized personnel are allocated unique named credentials for specifically designed for privileged access
  • Unique named credentials allocated to authorized personnel are least privilege domain accounts
  • Multi-factor authentication is used to authenticate all privileged users and any other positions of trust
  • Privileged access to systems, applications and information is validated when first requested and re-validated on an annual basis
  • Police background checks are conducted on all authorized personnel with privileged access
  • All privileged access is based on the principle of least access
Data Segregation & Isolation
  • Customer data is logically separated at the storage layer
  • A dedicated database is provisioned for each Records365 customer
  • A dedicated blob storage account is provisioned for each Records365 customer
Infrastructure, Application & Network Hardening
  • Perimeter network firewall configuration standards are defined, audited and enforced on a regular basis
  • Host-based firewall configuration standards are defined, audited and enforced on a regular basis
  • Baseline operating system and application configuration are automatically enforced on a periodic basis
  • Virtual network segmentation isolates production environments
  • Distributed Denial of Service (DDoS) protection is in-place for public-facing service endpoints
Patch Management
  • All virtual infrastructure is part of a regular automated patching cycle
  • Operating system and application patches addressing security vulnerabilities are assessed for criticality and applied based on policy
  • Patch management events are audited to ensure that patches are successfully being applied
Logging & Auditing
  • All production access attempts are logged & audited and regularly reviewed
  • Logs are retained for 90 days
Malware Detection & Prevention
  • All virtual infrastructure have anti-malware protection installed
  • All virtual infrastructure have regular anti-malware scan schedules configured
  • All virtual infrastructure have regular anti-malware signature configured
Intrusion Detection & Prevention
  • Intrusion detection and prevention systems are deployed and configured for all production environments
  • Automated security alerts notify RecordPoint operations personnel when:
    • Abnormal/suspicious access patterns are detected
    • Abnormal/suspicious network traffic is detected
    • Abnormal/suspicious application behavior is detected
Encryption Standards
  • All data is encrypted at rest using 256-bit AES encryption
  • All inbound and outbound traffic is encrypted via HTTP over TLS
  • All HTTP-based service endpoints only accept TLSv1.2 and above
Physical Security Standards
  • The Records365 service is delivered on Microsoft Azure. This platform provides many of the underlying infrastructure, security, networking and management services that support the application workloads.
  • All Records365 data centers are audited against SSAE 16, SOC 1 and SOC 2.