Data & Information Security

Customers across many different verticals, from aerospace to manufacturing, trust Assent with their data. Assent relies on industry best practices, robust security infrastructure and comprehensive policies built on the ISO 27001 framework to protect its information and data, along with that of its clients and partners.

Our internet communications are encrypted via HTTPS, SFTP and TLS, and customer data is secured using standard database encryption.

Assent is SOC 2 compliant and has a SOC 2 Type II report available upon request.

We use a third-party, Tier III data center to host data at a facility that employs a two-stage biometric authentication process, video monitoring and individually locked cages.

APPLICATION SECURITY

Encryption:

  • Data in Transit: Internet communications are encrypted via Secure Hypertext Transfer Protocol (HTTPS), Secure File Transfer Protocol (SFTP) and Transport Layer Security (TLS).
  • Data at Rest: Customer data is secured using Advanced Encryption Standard (AES).

    Separate Environments (DEV, QA, Staging, UAT, PROD): Development, testing and staging environments are separated from the production environment, both physically and logically.

    Data Segregation: All customer data is segregated by state-of-the-art security controls that can only be accessed by designated individuals who have been assigned unique credentials and privileges. Additionally, separate SFTP directories are created for each customer to enable data transfer.

    Third-Party Penetration Test: An independent third party performs a web penetration test on the production environment annually.

    Application Vulnerability Scanning: An application vulnerability scan is run on every code release before it is pushed to user acceptance testing (UAT). Only code that has passed the scan is moved to production.

PHYSICAL & CLOUD SECURITY


    Data Center Security: Assent uses a third-party, Tier III data center with its own SOC 2 Type II certification to host its servers. The facility employs a two-stage biometric authentication process, video monitoring and individually locked cages. Additionally, the facility has redundant power, cooling and internet access.

    AWS Security: Assent leverages AWS (Amazon Web Services) for select services. AWS security is backed by numerous certifications, including SOC 2 and ISO 27001.

NETWORK SECURITY


    Intrusion Detection and Prevention: Network Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are in place at application ingress and egress points to detect, prevent and mitigate potential security events.

    Network Data Loss Prevention: Customer data is fingerprinted when received via Assent’s SFTP, then tracked using our Network Data Loss Prevention solution.

    Architecture: Assent’s network architecture follows high availability and topology practices to ensure customer data is isolated from edge network traffic.

    Network Vulnerability Scanning: Assent performs regular, in-depth vulnerability scans to monitor network and endpoint security.

    Security Incident Event Management (SIEM): A SIEM solution monitors, analyzes and alerts the security team to potential security events.

    Network Access: Access to the Assent network is restricted to authorized users and devices.

OPERATIONAL SECURITY


    Security Incident Response: Assent has a documented incident response plan that covers all aspects of an incident, from detection to post-incident analysis.

    Disaster Recovery: Assent has a disaster recovery plan designed to ensure minimal disruption in the event of a disaster. The production environment, including customer data, is replicated to a secondary site that is available if the primary site goes offline. The disaster recovery plan is tested annually.

    Change Management: Production changes are subject to documented testing, validation and approval.

    Two-Factor Authentication: Two-factor authentication is used for administration of the production environment and for remote access to the Assent network.

    Backups: Full backups are performed weekly, while log and differential backups are performed hourly.

    Monitoring: All systems are monitored 24/7 for performance and capacity.


    Server Protection:

  • Patching and Maintenance: System security patches are applied monthly.
  • Anti-Malware: All servers are protected using endpoint protection software.

    User Workstation Protection:

  • Full Disk Encryption: All Assent-owned mobile devices, including phones or laptops, are encrypted.
  • Anti-Malware: All workstations are protected using endpoint protection software.
  • Central Management: All workstations are centrally managed for patching and configuration.

SECURITY COMPLIANCE


    SOC 2: Assent has a SOC 2 Type II report, available upon request.

ADDITIONAL SECURITY PRACTICES


    Dedicated Security Team: All members of Assent’s security team hold appropriate security certifications and clearances.

    Policies: Assent has a comprehensive set of security policies, based on the ISO 27001 framework, which is reviewed annually. These policies are made available to all employees and contractors with access to Assent information assets.

    Training: All new employees attend security awareness training before gaining network access and are required to complete security awareness training annually thereafter. Additionally, the security team provides periodic awareness updates via email.

    Background Checks: Assent performs background and criminal reference checks on all new employees.

    Confidentiality Agreements: All new employees are required to sign confidentiality agreements.

    ITAR Compliant Offering: Assent has an available ITAR-compliant Assent Compliance Platform environment hosted in the AWS GovCloud. Please ask your sales representative for more information.

    If you have any questions or would like to know more about our data and information security policies and procedures, please contact us at info@assentcompliance.com.

    © 2019 Assent Compliance Inc.