About InsideView’s Information Security Management System (ISMS)
InsideView’s information security management system (ISMS) is based on ISO/IEC 27002 best practices and is certified against ISO/IEC 27001:2013, aligned with ISO/IEC 27018:2014 (Code of practice for protection of personally identifiable information [PII] in public clouds). Our scope of registration covers InsideView’s market intelligence platform systems, development, and operations both in the US and at our wholly owned subsidiary, InsideView Technologies (India) Pvt. Ltd. InsideView is audited by Schellman & Company (formerly Brightline), an ANAB- and UKAS-accredited certification body based in the United States. Additional details about InsideView’s ISO/IEC 27001 certification can be found at https://www.schellman.com/certificate-directory.
Information Security is sponsored by management
The requirement for an information security management system is sponsored by company management to identify and mitigate risks to our Customers’ and our company’s information. The information security roles report through Platform and Engineering management.
Information security policies are reviewed and updated when controls change, or at a minimum annually. Policies are communicated to personnel via the hiring process and annual awareness training, and are applied as controls across our company, including all Operations and Engineering staff located in the United States and at our subsidiary, InsideView Technologies (India) Pvt. Ltd.
Human resources security
A background check for criminal record, employment history, and academic qualifications is conducted on each employee. Upon hire, employees sign confidentiality agreements and are presented with our Electronic Communications and Acceptable Use Policies. During employment, all personnel are given Security Awareness Training. Human Resources follows a formal process for terminating employment and informing IT to rescind access.
InsideView maintains inventories of physical and virtual IT assets, including support contract information. Handling of assets by third parties is subject to security requirements. Storage media are wiped with a multi-pass rewrite or physically destroyed prior to disposal. Return of assets at the end of employment is included in the formal termination process.
Access is based on the Principle of Least Privilege. Basic access for new employees is assigned through a formal HR onboarding process, in which new users are assigned unique accounts and corporate assets (e.g., a laptop). Additional access must be requested via a support case and approved by the system owner. Access reviews are conducted regularly. Access rights to production hosts are limited to a small set of administrators.
Only InsideView personnel have administrative access to our systems and applications; our hosting provider, Amazon Web Services, manages only the physical infrastructure and physical security and does not have access to InsideView applications or Customer data. Customers have access only to our applications and API; no database or operating system level access is available.
User passwords are hashed using SHA-256 with a salt. Keys and credentials internal to the service are encrypted and stored securely. InsideView customer connections are encrypted via TLS using a minimum 128-bit AES cipher with a 2048-bit public key. The user database and its backups are encrypted with AES-256. Employee workstations are also encrypted with AES-256. The minimum encryption cipher strength for other applications is 128 bits.
Physical and environmental security
Data center security is controlled by our hosting provider, Amazon Web Services, and includes strictly limited, pre-approved physical access enforced by mechanisms such as access cards and biometric readers. On-site 24×7 security staff monitor the access control systems and video surveillance.
InsideView office entrances require badge access, and badges are deactivated upon termination as part of the HR Offboarding process.
Production (customer facing applications) environments are separate from test and development environments. Customer user data are not present in the test and development environments, and privileges to migrate code from staging to production are segregated by appropriate roles.
InsideView applications are written in Java and hosted on Linux. Systems are monitored for changes, and the introduction of new software and changes to configurations must be conducted under the approved change management process.
Backups of Customer Data are taken nightly to a separate encrypted repository. Encryption keys are managed only by InsideView Operations personnel. No media are sent offsite.
Logs are aggregated to a central logging facility with access control. Logs are protected from modification and are retained for a minimum of 90 days. A centralized time source in the production environment provides accurate log timestamps.
Infrastructure and third-party application vulnerabilities are identified by monitoring vendor mailing lists and the US-CERT mailing list, by vulnerability scanning tools, and by manual testing. Applicable vulnerabilities are ranked according to the threat they represent to production services and assigned a priority for remediation.
Network and communications
Network security includes an intrusion detection system (IDS) that feeds a security information and event management system (SIEM), which alerts InsideView Security and Operations personnel. A third party conducts continuous application assessment services.
All customer connections to the InsideView application are via TLS. Administrative access to the production environments is via encrypted connections (TLS) and a secure management protocol (SSH). Connections to hosted business systems for corporate use are via TLS and are authenticated through an Identity Management system that requires two factors.
Development security practices include formal change control managed with a version control system. New feature and system designs are reviewed for security and privacy. Development includes secure coding practices, code review, automated scanning, and application vulnerability testing. A third-party application assessment service provides ongoing testing.
InsideView maintains confidentiality and service level agreements with our hosting provider, AWS, and monitors effectiveness of their controls by reviewing third-party audit reports.
Incident and Business Continuity management
InsideView follows formal processes and plans for Customer Support, security incident management, and emergency management for disaster recovery and business continuity. Disaster recovery and business continuity plans are tested annually.
Legal and Compliance
As part of our continuous improvement efforts, our controls and processes may change without notice.