Security Management
Dedicated to Keeping Our Customers Safe: Security Within a Project
When we embark on development, support, testing, and other projects, our customers’ cybersecurity becomes our highest-priority concern. For each project, we have a charter describing security management procedures tailored to the client’s business specifics and its security and compliance requirements. Our certified internal auditors are ready to check how well our security management processes work during the project. The specific measures we apply to secure the customer IT resources we access may include:
Protecting our customers' intellectual property
- Signing a non-disclosure agreement that commits us to full confidentiality of our customer’s trade secrets and other intellectual property.
- Acknowledging that our customers own all the information they entrust to us: ideas, designs, code, etc.
- Deleting the customer’s data from our ecosystem as soon as it is no longer needed for the project’s purposes.
Securing the project environment
- Enterprise-grade VPN tunnels protecting the permanent interconnection between our infrastructure and our clients’.
- Secured corporate devices, including devices with encrypted disks.
- Secure virtual machines.
- A separate secure code repository for each project.
- The physical presence of our employees in a secure, controlled environment.
- A custom project environment: e.g., an isolated network infrastructure, dedicated physical servers, dedicated rooms for the project team.
Preventing unauthorized access to our customers’ data and IT systems
- Access to project data only for authorized employees strictly according to their roles.
- All passwords granted by the client to access its systems are stored in the client’s password storage; the passwords to access the client’s password storage are kept in ScienceSoft’s secure password storage.
- Multi-factor authentication.
Evaluating and improving the security of the customers’ apps and IT infrastructure components within the project scope
- Security-focused code review/audit.
- Vulnerability assessment.
- Black/grey/white box penetration testing.
- Social engineering testing.
- Security audit.
- Compliance assessment.
Four Pillars of Creinnode's Invincible Security
Secure IT asset management
- Full visibility: keeping a regularly updated inventory of all IT assets we handle, including our clients’ data and IT infrastructure components we access during a project.
- Prioritization: classifying IT assets according to their confidentiality and business criticality.
- Risk-based approach: evaluating security risks for the IT assets to define and implement the optimal protection measures.
Secure environment
- Combining protective and detective security tools for the strongest IT infrastructure protection. We use on-premises and cloud security solutions and services from established vendors such as Cisco, F5 and IBM. These include firewalls with IDS/IPS functionality, an endpoint protection system for local and remote workers, an email protection solution, and WAF, DLP and SIEM systems.
- Device management. Our corporate devices are properly secured and regularly checked by our security engineers. We have strict BYOD and MDM policies that ensure the safe use of employee-owned devices within the corporate IT environment.
- Physical security of our premises is ensured by video surveillance, access control systems, alarms, on-site security guards, and other measures.
Secure operations
- Strict controls for internal and remote access: our employees get access to corporate systems and project assets strictly according to their roles. We also use multi-factor authentication, an advanced endpoint protection solution, secure VPN, and similar controls.
- Strong encryption algorithms and secure communication channels to guarantee the security of data at rest and in transit.
- A dedicated team for continuous IT infrastructure monitoring and incident response.
Security awareness
- “Security is everyone’s responsibility” mindset: our employees understand their roles in security management, while the executives empower them with the necessary knowledge, policies, and tools.
- Comprehensive and consistent security awareness training: from onboarding onward, our employees are continuously educated on corporate security policies and potential cyber threats, as well as on how to respond to incidents according to their nature and severity.
- Encouraging our employees to reduce their digital footprint.
- Regular check-ups of employees’ cyber resilience through interviews and social engineering testing.