VGS Security Statement
Last updated: 12/08/2017
End-User Security and Access Management
The VGS Dashboard requires token-based multi-factor authentication (MFA). The VGS Dashboard enables Role-Based Access Control (RBAC), which allows the customer to define authentication policies for increased security and granular access control. Sensitive data held in the VGS vault is logically segregated by tenant and account-based access rules. VGS Dashboard user and VGS Secure Proxy accounts require unique usernames and passwords, which must be provided for each session.
The VGS dashboard issues a session cookie only to record encrypted authentication information for the duration of a specific session. Sessions are capped at a maximum of eight hours. Where risk levels are higher, sessions may time out at a much shorter duration. The session cookie does not include the password of the user. User application passwords have minimum complexity requirements. Passwords are individually salted and hashed.
We continuously monitor our platform and supporting infrastructure against threats, including system level vulnerabilities, configuration vulnerabilities, malware/viruses, and all other forms of potential exposures. We also employ the latest threat analytics techniques to identify and contain security anomalies and ensure that our platform and infrastructure have end-to-end event correlation and traceability.
Securing your data 24/7
Our platform and infrastructure operate on top of one of the world’s most secure and reliable cloud service providers. Additionally, our platform and infrastructure are continuously monitored to protect your data and make it available when you need it.
All employees receive regular information security and privacy training. Employees with access to production data receive additional training specific to their roles, and background checks are mandatory for employees with access to production data or production systems.
We have dedicated security staff, including a Chief Security Officer and Certified Information Systems Security Professionals.
We regularly conduct both internal vulnerability assessments (including architecture reviews by security professionals) and external vulnerability assessments (including vulnerability assessments and penetration tests by certified PCI QSAs and other managed security service providers).
IT Security Policies
Detailed internal policies dictate how we handle security and privacy incidents, including detection, response, forensics, and notification. We incorporate security into our platform development processes at all stages: from initial architecture considerations to post-release, security is built into all aspects of our platform and development workflow.
We maintain a robust incident response program with well-documented incident response, escalation, and notification plans with trained personnel available on a 24/7 basis to monitor and respond to any alerts or events that may indicate more serious security incidents.
Our response and escalation plans are tested on at least an annual basis, and detailed customer post-mortems are delivered within 3 business days following any major incident.
Secure Development Lifecycles - Code and Infrastructure
Guiding security principles and required security training help ensure VGS technologists make the best security decisions possible. Threat assessments on high-risk features help to identify potential security issues as early in the development lifecycle as possible.
Code vulnerability testing
To prevent and address code-level vulnerabilities, we use secure coding patterns and static code analysis tools to identify and prevent security flaws. In addition to static code analysis, we run language- and framework-level dependency checks to assess dependencies for known vulnerabilities.
Internal and external penetration tests are conducted quarterly by a qualified independent security organization. Any vulnerabilities found are documented and immediately remediated. Post-mortem analysis is performed to identify root cause and implement future controls.
Prior to release, we validate that the functionality being developed and maintained meets its internal security requirements. Post-release, we utilize independent security service providers to analyze and monitor the product for potential security issues.
All new functionality requires extensive testing and peer-code review. Additionally, we provide explicit notice around any changes impacting customer experience or usage and are committed to working with our customers to minimize any negative impact from changes.
Platform Security Architecture
Data encryption via the VGS Vault
Sensitive data is managed in the VGS Vault. The VGS Vault encryption keys are stored and managed in a logically separate envelope, held apart from the data. Role-based access control ensures that only the Vault application process's business logic can access the encryption keys for encrypt and decrypt operations. A data thief would not be able to make use of information stolen from the database without also having the key. In addition, the VGS Vault's backing data store cannot be reached over the internet.
Encryption and Aliasing
When you perform secure transforms of your data or persist data within the VGS Vault, we protect this data with multiple layers of security. For data in motion, we require Transport Layer Security (TLS) 1.2 with Authenticated Encryption mode ciphers. Data at rest is protected using the latest Authenticated Encryption with Associated Data (AEAD) mode symmetric ciphers. Data aliasing can follow either the NIST SP800-38G (Format Preserving Encryption) standard or the ANSI X9.119-2-2017 (Tokenization) standard.
Platform Security Operations
Decryption keys are completely segmented: they are stored within a highly secured environment separate from vaulted data, and all access that could touch them requires multiple layers of authentication.
Strong Authentication and session management
We require users to authenticate every time they log into the VGS dashboard. Passwords are never stored directly in our database and all dashboard communication between users and VGS is conducted using TLS (Transport Layer Security) v1.2.
Activity monitoring and testing
We monitor and review employee, customer, and vendor behavior to guard against suspicious or unauthorized activity. We work with independently certified third parties to conduct vulnerability scans at least quarterly and extended penetration tests at least once a year.
Vulnerability Management and Monitoring
Our first priority is to mitigate risk to your data and our systems. Where reasonable, we work to remediate issues and minimize customer impact and interaction.
Any new incidents or vulnerabilities are immediately escalated to our security team, reviewed for applicability, risk ranked, and assigned to be resolved by the appropriate VGS personnel.
The latest applicable security patches and secure configurations are applied to all operating systems, containers, applications, infrastructure, etc. to mitigate exposure to vulnerabilities. Our environments are scanned regularly using best-of-breed security tools. These tools are configured to perform application and network vulnerability assessments, which test for patch status and misconfigurations of systems and sites.
We’ve implemented tools to alert us when downtime thresholds have been reached. Additionally, we continuously monitor our availability and uptime by monitoring and evaluating our current processing capacity and usage so that we can best manage capacity demand and meet our availability commitments and system requirements.
We maintain a robust and well-documented recovery plan. We run daily backups of any changes and conduct a full backup on a weekly basis. Backups are replicated across multiple availability zones. Disaster recovery drills are conducted on at least a bi-annual basis.
We conduct annual internal risk assessments to identify, prioritize and reduce or mitigate known risks. High impact risks are remediated immediately upon discovery. The entire assessment process is thoroughly documented and audited annually by an independent party as part of our third party audit processes. Findings and remediation are reviewed, discussed and approved by our internal security team and leadership.
- EI3PA: VGS is EI3PA Level 1 Certified. We have successfully completed a Level 1 Experian Independent 3rd Party Assessment. Please contact us for more information (see us on the EI3PA Service Providers List).
- PCI: VGS is a PCI DSS 3.2.1 Level 1 Service Provider (see our Visa Global Service Provider Listing: Very Good Security, Inc).
- SOC 2 Type 2: VGS has successfully completed a SOC 2 Type 2 audit. Please contact us for more information.