We have strict access controls in place for all users. Client data is only accessible to the employees who are authorized to see it. IT administrators are restricted from viewing customer data unless it is required for performing troubleshooting functions. Audit policies enforce logging of all access to customer data.
Granular access control is in place within the application: access for a specific user is granted based on the user's role, as defined by business requirements. Different hierarchies are defined in the system based on access rights and role management. Access control governs which content is available to the users authorized to access the portal. Users only see the data permitted by the role assigned to them in Role Management.
All our employees and contract personnel are bound by our Information Security Policies with regard to protecting sensitive and organizational data.
Personnel Practices
Kanverse carries out background checks on all employees before employment, and employees receive privacy and security training during onboarding as well as on an ongoing basis. All employees are required to read and sign a non-disclosure agreement covering the security, availability, and confidentiality of Kanverse services.
Network Protection
The firewall at the perimeter is configured according to industry best practices so that it only allows communication to the specific ports required by the application. The firewall is configured to "deny" any other traffic by default.
IDS/IPS systems ensure that traffic flowing through the firewalls and LAN is always logged and protected. The IDS/IPS is configured to protect against network and application-level attacks, and to secure against intrusion attempts, malware, trojans, DoS and DDoS attacks, malicious code transmission, backdoor activity and blended threats.
Compliance
The following security-related compliance certifications and attestations are applicable to and maintained for Kanverse; the certificates can be obtained on request from the account manager:
ISO 27001:2013 (formerly known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization's information risk management processes.
ISO 20000-1:2011 is a service management system (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an SMS. The requirements include the design, transition, delivery and improvement of services to fulfil agreed service requirements.
We use SolarWinds as a measurement tool that actively monitors the availability and performance of application services. The production environment has been designed to be resilient against any single or multiple failures in the application component services or in the entire data center. The infrastructure management team tests disaster recovery procedures regularly. The Network Operations team is available 24x7 to monitor and quickly mitigate any incident within the infrastructure.
Incident Management & Response
Kanverse has a well-defined Incident Management procedure which sets out a framework of governance and accountability in the case of a security incident. In the event of a security incident, Kanverse will promptly notify the customer.
Our privacy breach response plan ensures that we can swiftly identify privacy breaches and contain any privacy risk.
Incident Response and Recovery Plan Testing
Kanverse tests the Business Continuity, Disaster Recovery, and Incident Response & Recovery Plans annually. The test results are reviewed, and any necessary corrective actions are taken. The types of tests performed by Kanverse include:
- Walk-through exercises
- Tabletop exercises
- Parallel simulations
Kanverse uses industry-standard encryption protocols and cipher suites. Customer data is encrypted in transit as well as at rest. All production systems are hardened and regularly monitored to disable the use of weak ciphers.
Authentication
We operate on a least-privilege basis: access is granted only to the level needed to perform the business function.
Duties and areas of responsibility are well segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s information or data.
All users have a unique ID that provides individual accountability on all systems, and no shared IDs are used by multiple employees.
User authentication credentials are protected at rest using the AES 254 encryption algorithm.
Single Sign-On: Customers can integrate their instance with any single sign-on provider using SAML.
Vulnerability Assessment & Penetration Testing
Vulnerability Assessment & Penetration Testing (VAPT) of all production systems and applications is done regularly as an established process. This is done internally as well as by a third-party security vendor. The VAPT assessment is carried out in 4 phases:
- Conduct Assessment
- Identify Exposures
- Address Exposures
- Remediation and Compliance
All systems are installed with endpoint protection. A weekly process detects devices that are not in compliance, and the NOC is responsible for taking action on such devices.
Information Security Audit
Audits are performed by qualified third-party assessors. The audit team (IA team) is entrusted with the responsibility of ensuring compliance with the ISMS framework in all aspects. The IA team meets on an annual basis. It has the following responsibilities:
- Conduct internal audits to assess conformance to the standard and the organization's policies, and the effectiveness of implementation and maintenance.
- Define and document procedures, including responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records.
- Evaluate the organization's compliance with the ISMS framework in all aspects.
- Detect any shortcomings in the implementation of the ISMS framework within the organization.
- Ensure deployment of a robust information security framework.
- Recommend the necessary corrective and preventive actions.
- Ensure continuous improvement of information security controls.