• Data & Information Security

Customers across many different verticals, from aerospace to manufacturing, trust Assent with their data. Assent relies on industry best practices, robust security infrastructure and comprehensive policies built on the ISO 27001 framework to protect its information and data, along with that of its clients and partners.

Our internet communications are encrypted via HTTPS, SFTP and TLS, and customer data is secured using standard database encryption.

Assent has a SOC 2 Type II report available upon request.

Assent uses Amazon Web Services (AWS) to host the Assent Compliance Platform and data.

APPLICATION SECURITY

Encryption:

  • Data in Transit: Internet communications are encrypted via Secure Hypertext Transfer Protocol (HTTPS), Secure File Transfer Protocol (SFTP) and Transport Layer Security (TLS).
  • Data at Rest: Customer data is secured using Advanced Encryption Standard (AES).

Separate Environments (DEV, QA, Staging, UAT, PROD): Development, testing and staging environments are separated from the production environment, both physically and logically.

Data Segregation: All customer data is segregated by state-of-the-art security controls that can only be accessed by designated individuals who have been assigned unique credentials and privileges. Additionally, separate SFTP directories are created for each customer to enable data transfer to Assent.

Penetration Testing: An independent third party performs web and network penetration tests on the production environment annually. Tests are performed every six months by internal teams.

Application Vulnerability Scanning: An application vulnerability scan is run on every code release before it is pushed to user acceptance testing (UAT) environments. Only code that has passed the scan is moved to production.

PHYSICAL & CLOUD SECURITY


AWS Security: Assent leverages AWS to host its services. AWS security is backed by numerous certifications, including SOC 2 and ISO 27001.

NETWORK SECURITY


Intrusion Detection and Prevention: Network Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are in place at application ingress and egress points to detect, prevent and mitigate potential security events.

Network Data Loss Prevention: Customer data is fingerprinted when received via Assent’s SFTP, then tracked using our Network Data Loss Prevention solution.

Data Loss Prevention: Assent uses a layered approach to data loss prevention on endpoint, network and cloud using next-gen security tools in combination with more traditional approaches.

Architecture: Assent’s network architecture follows high availability and topology practices to ensure customer data is isolated from edge network traffic.

Network Vulnerability Scanning: Assent performs regular, in-depth vulnerability scans to monitor network and endpoint security.

Security Incident Event Management (SIEM): A SIEM solution monitors, analyzes and alerts the security team to potential security events.

Network Access: Access to the Assent network is restricted to authorized users and devices.

OPERATIONAL SECURITY


Security Incident Response: Assent has a documented incident response plan that covers all aspects of an incident, from detection to post-incident analysis.

Disaster Recovery: Assent has a disaster recovery plan designed to ensure minimal disruption in the event of a disaster. The production environment, including customer data, is replicated to a secondary site that is available if the primary site goes offline. The disaster recovery plan is tested annually.

Change Management: Production changes are subject to documented testing, validation and approval.

Two-Factor Authentication: Two-factor authentication is used for administration of the production environment and for remote access to the Assent network.

Backups: Full backups are performed weekly, while log and differential backups are performed hourly.

Monitoring: All systems are monitored 24/7 for performance and capacity.


Server Protection:

  • Patching and Maintenance: System security patches are applied monthly.
  • Anti-Malware: All servers are protected using endpoint protection software.

  • User Workstation Protection:

  • Full Disk Encryption: All Assent-owned mobile devices, including phones or laptops, are encrypted.
  • Anti-Malware: All workstations are protected using endpoint protection software.
  • Central Management: All workstations are centrally managed for patching and configuration.
  • SECURITY COMPLIANCE


    SOC 2: Assent has a SOC 2 Type II report, available upon request.

    ADDITIONAL SECURITY PRACTICES


    Dedicated Security Team: All members of Assent’s security team hold appropriate security certifications and clearances.

    Policies: Assent has a comprehensive set of security policies, based on the ISO 27001 framework, which are reviewed annually. These policies are made available to all personnel with access to Assent information assets.

    Training: All new personnel attend security awareness training before gaining network access and are required to complete security awareness training annually thereafter. Additionally, the security team provides periodic awareness updates via email.

    Background Checks: Assent performs background and criminal reference checks on all new personnel.

    Confidentiality Agreements: All new personnel are required to sign confidentiality agreements.

    ITAR Compliant Offering: Assent has an available ITAR-compliant Assent Compliance Platform environment hosted in the AWS GovCloud. Please ask your sales representative for more information.

    If you have any questions or would like to know more about our data and information security policies and procedures, please contact us at info@assentcompliance.com.

    © 2020 Assent Compliance Inc.