SECURITY PRACTICES
Effective: June 16, 2020

At ENGINE, we pride ourselves on protecting our business, clients, partners, and our people by handling the information and data entrusted to us with the utmost care.  We take the security of all data very seriously and consider it one of our primary responsibilities.  We aim to be as open and transparent as possible about our security practices.  You can find and download a copy of our externally published Technical and Organizational Measures here.  These measures are further outlined below.

If you have any questions, feel free to contact us at infosec@enginegroup.com, and one of our security professionals will reach out to you ASAP. 

OUR MISSION

ENGINE has established and maintains a formal Information Security Program. This program is resourced and empowered through an executive charter that outlines its purpose aligned to our business. The charter is reviewed and accepted annually by ENGINE’s leadership to re-affirm our commitment. A copy of this charter can be provided upon request.

It is our policy that:

  • ENGINE will always seek to protect our company and our ability to service clients from information security threats to our business and operations
  • A formal information security program and underlying Information Security Management System will be operated to meet the security needs of ENGINE, our clients, and other interested parties
  • The program will be maintained by an Information Security Officer with authority for its ongoing direction and purpose
  • The program and its objectives will be derived from business objectives prioritized and approved by executive leadership – these include ENGINE’s overall business strategy, contractual and regulatory requirements, and use of technology
  • The program will enable the standards, principles, governance structures, strategy, and technical and organizational measures necessary to secure the organization
  • ENGINE will proactively invest in the program; it will be sufficiently resourced to collectively manage needs across compliance, risk, and security
  • The program objectives will be approved and regularly reviewed by executive leadership via ENGINE’s Information Security Oversight Board

ORGANIZATIONAL SECURITY

ENGINE’s Information Security Program addresses the administrative, organizational, and human aspects of security as a critical first step to ensure data protection is a well-established cultural element to our business.

CONFIDENTIALITY

ENGINE establishes confidentiality by ensuring only those employees who require access to client data are provided with it, and that the level of access provided is consistent with their job function.  Access to client data is assigned based on level of data classification and minimum level of access required.

The operation of ENGINE services requires that some employees have access to the systems which store and process client data.  For example, IT staff such as systems administrators may be able to access client data to effectively support a system or diagnose a problem.  These employees have separate user accounts for administrative and non-administrative duties, and they are not authorized to view or access systems with client data unless it is required for their privileged job function.  Technical controls are in place to ensure such access is logged where feasible.

The controls that support confidentiality are extended by ENGINE to our vendors and suppliers and validated through our Third-Party Assessment Program.

ENGINE has invested in industry-leading security technologies, which provide a high level of assurance and trust for our clients. Security controls are regularly reviewed and updated internally, and they are validated by external partners on an annual basis through audits and penetration testing.

PERSONNEL PRACTICES

All ENGINE employees, contractors, and suppliers must adhere to our information security policies regarding protection of client data.

Candidates for employment undergo background checks and are required to sign confidentiality agreements before joining ENGINE.  All candidates are screened for competency for their role.  Job responsibilities related to security within the organization are defined and communicated prior to employment.

Upon hire, all employees are provided security orientation training and are required to read and acknowledge their understanding of ENGINE’s information security policies for data protection and acceptable use.

Employee and third-party onboarding and offboarding processes have been developed to ensure accurate and effective controls are followed for provisioning and deprovisioning access.  These processes are systematically employed wherever possible to minimize human error and provide timely execution and reporting.

SECURITY AWARENESS TRAINING

All employees are provided with security awareness training on a regular basis (monthly) that reminds and reinforces ENGINE’s policies.  The training measures all our employees’ sentiment, engagement, and knowledge of security best practices and concepts.  The ENGINE Infosec team uses this training to create additional focused training sessions for major regulatory requirements, for example GDPR, CCPA, and HIPAA.

OUR TEAM

ENGINE employs experienced security professionals ensuring its Information Security Management System (ISMS) is effectively owned and managed.  These individuals comprise ENGINE’s Information Security Team and Incident Response Team.  Dedicated roles include our Chief Information Security Officer (CISO), regional Compliance Officers, Risk and Compliance Analysts, and technical security staff.  Together these teams oversee the following aspects of ENGINE’s ISMS and information security program:

  • Security strategy, governance, and policy
  • Security architecture
  • Operational risk management
  • Security engineering and operations
  • Incident detection and response
  • Vulnerability management
  • User education and awareness

At an executive level, an Information Security Oversight Board governs and authorizes security strategy to ensure alignment with overall company goals and provides necessary resourcing and budget for execution of the strategy by the CISO and security teams.

COMPLIANCE

To ensure the effectiveness of ENGINE’s ISMS and related security controls, we have aligned our security practices to common industry standards and control frameworks including ISO 27001, HITRUST, and Cyber Essentials Plus.

ENGINE is audited by independent external assessors for each of these frameworks on an annual basis.

  • ISO 27001: ENGINE’s Information Technology organization, related systems, and ISMS are certified for ISO 27001, certificate # 586101
  • HITRUST: ENGINE’s Healthcare practice is certified for HITRUST CSF, account number HT-001985
  • Cyber Essentials Plus: Engine is certified for Cyber Essentials Plus, registration # QGCE1597
  • SOC: The environments and service providers that host ENGINE services maintain multiple security and data protection accreditations for their operations and data centers, including SOC. For information regarding their compliance, please visit the AWS Security website, AWS Compliance website, Google Security website, Google Compliance website, and Microsoft Service Trust website.

MANAGEMENT POLICIES AND STANDARDS

ENGINE’s policies, standards, procedures, and guidelines provide overall governance for security within the organization, thus providing context-based application of security frameworks aligned to our internal systems and processes.  These documents and related processes comprise ENGINE’s Information Security Management System (ISMS) at a top-level, and they provide the guidelines for employees to observe and practice security in their day-to-day job roles.

These documents include, but are not limited to:

  • Code of ethics and conduct
  • Information technology acceptable use policy
  • ENGINE’s house rules for security
  • Information security policy
  • Information security exceptions policy
  • Risk management policy and process
  • Access control policy
  • Asset management policy
  • Information classification policy
  • Data retention policy
  • Change management policy
  • Secure workplace (clear desk and screen) policy
  • Network and communications security policy
  • Compliance policy
  • Encryption policy
  • IT assets and services acquisition policy
  • Cloud services policy
  • Security roles and responsibilities policy
  • Incident response policy and process
  • Mobile device and remote working policy
  • System development policy
  • Open source software policy
  • Operations security policy
  • Third-party and supplier relationships policy
  • Ransomware response policy
  • Vulnerability management policy

These policies are living documents and are reviewed and updated on an annual basis.  They are available to all employees via our company intranet.  Redacted copies can be requested by clients as needed by contacting infosec@enginegroup.com.

AUDITS AND ASSESSMENTS

ENGINE evaluates the design and operation of its ISMS through annual external audits. This ensures compliance with internal and external standards.  On an annual basis, ENGINE engages qualified and credentialed third-party assessors to review our controls.  The reports from these audits are shared with the Information Security Oversight Board and executive leadership.  All findings are tracked to resolution.

LEGAL AND PRIVACY COMPLIANCE

ENGINE employs dedicated legal and compliance professionals with extensive expertise in data privacy and security. Along with the security team, these individuals are embedded in the development lifecycle for new services and technologies, and they review products and features for compliance with applicable legal and regulatory requirements.  They work closely with development teams, IT, and security teams to ensure client, third-party, and regulatory requirements are met on an ongoing basis.

PENETRATION TESTING

On an annual basis, ENGINE engages a qualified and credentialed external security services provider to perform penetration testing of the network and systems that support ENGINE’s corporate technology services.  Testing includes ENGINE-managed infrastructure and systems underlying customer services.  The requirement for annual testing is extended into our supply chain through ENGINE’s third-party supplier and risk assessment program.  Findings from ENGINE and third-party test reports are tracked to resolution.

DATA PROTECTION
ENCRYPTION IN TRANSIT AND AT REST

Any information transmitted to or from ENGINE over public networks uses strong encryption.  This includes communications via e-mail where strong encryption protocols are supported by both parties.  ENGINE’s standard for encryption is TLS 1.2 or later protocol with AES-256 and SHA2.
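The encryption standard stated above (TLS 1.2 or later with AES-256 and SHA-2) is the kind of rule a defender wants to verify mechanically rather than by reading cipher names. The following is an added example, not ENGINE's own code or tooling: it checks observed TLS sessions against that standard and builds a client context that cannot negotiate a weaker TLS 1.2 suite. The session records are constructed samples in the shape returned by Python's `ssl.SSLSocket.version()` and `ssl.SSLSocket.cipher()`; the function names are assumptions of this example.

```python
"""Added example (not ENGINE's code): enforce and audit the stated TLS
standard of TLS 1.2+ with AES-256 and a SHA-2 hash."""
import re
import ssl

# Protocol strings as reported by ssl.SSLSocket.version(), ordered by strength.
_VERSION_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def check_session(version, cipher_name):
    """Return the list of policy violations for one session (empty = compliant).

    TLS 1.2 suites are named like ECDHE-RSA-AES256-GCM-SHA384, TLS 1.3 suites
    like TLS_AES_256_GCM_SHA384, so both spellings of the AES key size and the
    hash are accepted."""
    violations = []
    rank = _VERSION_RANK.get(version)
    if rank is None:
        violations.append(f"unknown protocol {version!r}")
    elif rank < _VERSION_RANK["TLSv1.2"]:
        violations.append(f"protocol {version} is older than TLS 1.2")

    # Bulk cipher must be AES with a 256-bit key.
    if not re.search(r"AES[_-]?256", cipher_name):
        violations.append(f"{cipher_name} does not use AES-256")

    # Integrity/PRF must be SHA-2; a bare trailing "SHA" in OpenSSL naming
    # means SHA-1 and fails the standard.
    if not re.search(r"SHA(256|384)$", cipher_name):
        violations.append(f"{cipher_name} does not use a SHA-2 hash")
    return violations


# Constructed sample sessions (not real telemetry): (version, cipher name).
SAMPLE_SESSIONS = [
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384"),
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("TLSv1.1", "AES256-SHA"),
    ("TLSv1.3", "TLS_CHACHA20_POLY1305_SHA256"),
]


def audit(sessions):
    """Map each non-compliant session to its violations; compliant ones are omitted."""
    report = {}
    for version, cipher_name in sessions:
        violations = check_session(version, cipher_name)
        if violations:
            report[f"{version} {cipher_name}"] = violations
    return report


def policy_client_context():
    """Client context that refuses anything below TLS 1.2 and, for TLS 1.2,
    only offers forward-secret ECDHE suites with AES-256-GCM (SHA-384).

    TLS 1.3 suites are fixed by OpenSSL and unaffected by set_ciphers(); the
    default 1.3 list still includes AES-128-GCM and ChaCha20, so a live
    session should still be passed through check_session()."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AES256+AESGCM")
    return ctx


if __name__ == "__main__":
    for session, problems in audit(SAMPLE_SESSIONS).items():
        print(session)
        for problem in problems:
            print("  -", problem)
```

On a live connection, `sock.version()` and `sock.cipher()[0]` from an `ssl.SSLSocket` supply the two arguments to `check_session`, so the same function can run over the negotiated parameters of outbound connections or over exported handshake logs.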

ENGINE classifies all client data as Confidential.  Such data is always encrypted while at rest or in transit where technically and commercially feasible to do so.

User devices including laptops, smartphones, tablets, and other media are prohibited from transferring, storing, or processing Confidential data.  These devices are encrypted at rest using IT-managed encryption technologies with AES-256.  This includes removable media such as USB drives.

Data backups are encrypted both on-site and off-site.

Key management ensures keys are stored separately from the systems they protect.

ENGINE hosts its services with industry-leading data center providers in facilities that are ISO 27001, HIPAA / HITRUST, PCI, and SOC 2 Type 2 compliant.  This ensures best-in-class protection for physical and virtual assets located within these centers.  All providers encrypt all assets, including data in transit and at rest, for services used by ENGINE.

LOGICAL ACCESS CONTROLS

All electronic data stored by ENGINE has strict access controls enforced through multiple layers of security.  ENGINE’s access control methodology adheres to the following core tenets of access management:

  • Role-based access: access is provided only to those who require it
  • Separation of duties: employees with privileged access must have this access granted independently, with a separate set of credentials, from non-privileged access
  • Least privilege: the minimum amount of access required to perform one’s job function is granted
  • Conditional access: access is dependent on certain conditions, for example time of day, location, or means of authentication

To this end, ENGINE employs the following measures:

  • All systems used at ENGINE require users to authenticate using a unique set of credentials assigned to each user
  • Multifactor authentication (MFA) is used for all systems and services that support it – this includes all ENGINE corporate employee accounts
  • System administrators have unique credentials for privileged and non-privileged accounts
  • Access is logged, and suspicious logon attempts are systematically reviewed and alerted to the security team
  • Access levels are regularly reviewed as part of ENGINE’s internal audit function, specifically our Compliance Assurance Plan (CAP); included in the CAP is a review of third-party supplier access, privileged access, and inactive accounts
  • IT administrator access is reviewed at least quarterly to ensure the level of access granted is still appropriate for the employee’s current job function.

ENGINE has implemented safeguards to protect secrets including the creation, storage, retrieval and destruction of service account credentials, access codes, and encryption keys.  Secure password vaults are used within IT to store credentials and delegate access to staff as needed.

PHYSICAL ACCESS CONTROLS

ENGINE offices are closed workspaces and are sole occupancy.  Access control mechanisms such as key cards and numeric keypads are fitted to all ingress/egress points and secure internal locations.

Areas housing sensitive information or systems for the storage, transfer, or processing of data are restricted to ensure only authorized employees are permitted access.

CCTV systems exist in ENGINE offices including at all ingress and egress points; these retain video recordings for at least 30 days.

Visitors to ENGINE facilities must show valid identification, have an employee sponsor their visit, sign a visitor log, and wear a visitor identification badge.

NETWORK SECURITY

ENGINE has adopted a “zero-trust” model for network security.  This model requires that any worker, in any location, using any device must have access control and application sessions authorized by a network policy.  Details of this model can be shared with clients as requested. 

Connections to the internal ENGINE network are strictly controlled and require authentication regardless of ingress point.  Wireless network connections require two factors of authentication and are restricted to ENGINE devices only.

All devices connected to the ENGINE network must meet an initial security baseline; once connected, they receive regular patches and updates for vulnerabilities even if they are later disconnected from the network.

Networks are segregated physically and logically based on the security classification of systems and data made available on each segment.  Network access controls on devices such as firewalls, routers, and servers ensure only traffic that is required for a given service is permitted within or between network segments.

Network monitoring is performed at the data center edge to detect anomalies and inbound network-based attacks.  In keeping with the zero-trust model, monitoring is also performed on end-user devices.

AUTHENTICATION

ENGINE has strong policies and controls for user authentication and password management.  These policies reduce the overall number of accounts required across applications and services thus reducing risk of multiple accounts and password re-use.

To further reduce the risk of unauthorized access, ENGINE employs multi-factor authentication for all employee user accounts, including third-party and administrative accounts.

Where technically feasible and appropriate, ENGINE uses encryption keys for authentication.  For example, access may require an SSH key in addition to an ENGINE username and password.

All user and administrative passwords are required to incorporate several factors of complexity and be created without references to common dictionary words or patterns.

ENGINE conducts sophisticated real-time analysis of every user logon attempt, and it alerts the security team when suspicious logon attempts or anomalies are detected.

DATA CLASSIFICATION AND LABELING

ENGINE classifies all data we control or process, including client data, to ensure appropriate levels of protection and control.  Client data is classified as Confidential and requires the following measures:

  • Role-based access
  • Sharing authorization by owner only (no transitory sharing)
  • Strict access controls / least privilege
  • Encryption at rest and in transit
  • Logging of all access
  • Additional controls for Data Loss Prevention (DLP) and Information Rights Management (IRM)
  • Defensible destruction

DEVICE AND WORKSTATION SECURITY

ENGINE workstations run monitoring and configuration tools to enforce security baselines and to prevent suspicious activity or unsafe configurations.  End users are limited in the administrative actions that can be taken on a workstation.

Malware detection occurs in real time through inspection of code in storage and in memory as code is executed.

All workstations use full disk encryption to prevent data loss or theft.

MOBILE DEVICE MANAGEMENT

All mobile devices used within ENGINE are encrypted.  ENGINE utilizes a Mobile Device Management platform to control configuration and policy for remote devices used to transact company business including laptops, smartphones, tablets, and removable media.

It is ENGINE’s policy that mobile devices and removable media are not permitted for use for storage, transfer, or processing of any sensitive data.

DATA AND ASSET DISPOSAL

Client data is removed and deleted when no longer required.  Many of ENGINE’s processes for data removal are automated.  ENGINE defines policies and standards requiring all physical assets and media to be properly destroyed (if no longer required for use) or sanitized (if being repurposed for use).

OPERATIONAL SECURITY

ENGINE’s operational security practices include mature processes for service and change management aligned to the ITIL framework, centralized logging and monitoring, on-site and off-site data backups, technical vulnerability management, operational and security risk management, incident management, and asset management.  Together these ensure a reliable and effective base from which to protect ENGINE and client assets.

Our security team performs frequent scans on a continual basis for our network, systems, and application assets.  Findings are documented, reported, and tracked to remediation.

ENGINE’s security team collects and stores network, system, and application logs for analysis.  These logs are stored in a dedicated platform that is protected from modification by IT staff.  Analysis of logs is automated to the extent feasible technically and commercially.

RISK MANAGEMENT

ENGINE employs an internal risk assessment process to review its business units for technical, operational, and administrative threats and weaknesses.  This process includes an audit of systems, data, and processes used within the business to ensure alignment with ENGINE policy and control measures.  Where gaps and risks are discovered, these are documented, reported to accountable stakeholders, and tracked to resolution.

SECURE DEVELOPMENT LIFECYCLE

For systems and applications developed by ENGINE, we take a variety of measures to prevent the introduction of malicious or erroneous code to our environments and to protect against unauthorized access.  This includes:

  • Separation of production and non-production environments
  • Change management
  • Developer training
  • Secure code repositories and version control systems
  • Secure code analysis
  • Application vulnerability management, e.g. the OWASP Top 10
  • Strict policies regarding open source software
  • Security hardening of host systems and infrastructure

COMPLIANCE ASSURANCE PROGRAM

ENGINE abides by a “Plan, Do, Check, Act” cycle for security management.  In support of this, an internal Compliance Assurance Program (CAP) has been enacted to help us address the most common threats and vulnerabilities attackers use today.  The CAP is an internally developed program that ensures we continuously check the effectiveness of our processes related to security controls so improvements can be made and so any erosion of these processes is readily identified.

At ENGINE, we are keenly aware of our role as a service provider to our customers. Through the CAP, we also self-check our processes and controls to ensure these are met in accordance with our contractual obligations. 

THIRD PARTY SUPPLIERS

ENGINE has a formally established third-party vendor and supplier risk assessment program.  New vendors providing any form of technology-based service, including the storage, processing, transfer, or analysis of data, are reviewed by ENGINE’s security team.

All third parties are assessed and tracked within a Governance, Compliance, and Risk (GRC) platform that captures key elements of each assessment and provides for effective risk processes and reporting.

Third-party assessment is conducted during vendor or supplier onboarding to ENGINE through manual interrogation by ENGINE’s security team.  This occurs prior to vendors participating in any live projects and thereafter on an annual basis.

A third-party assessment is a detailed process that requires vendors and suppliers to provide evidence of reasonable safeguards and security controls aligned with ENGINE’s own controls and that demonstrates due care of sensitive assets and data.  Any gaps are reported to management and required to be remediated before the vendor or supplier is authorized for use by ENGINE.

DISASTER RECOVERY AND BUSINESS CONTINUITY
AVAILABILITY

ENGINE’s internal systems and those which house or support customer systems and data follow a robust technology standard aimed to ensure maximum uptime.  This technology standard includes:

  • Redundancy and high availability by design eliminating single points of failure
  • Geographically segregated facilities / computing locations including backups stored in different regions from primary data
  • Service provider, network, and supplier diversity
  • Strict use of technology platforms that are recognized as best-of-breed within their service areas, providing a high degree of availability and support
  • Virtualization providing for rapid portability and provisioning of systems and data
  • Remote working technologies

DISASTER RECOVERY

ENGINE’s formal disaster recovery program is based on the ISO 27031 standard and defines a purposeful and relevant approach to ensure survivability of internal and customer systems during a disaster event.  The program includes the technical, administrative, and procedural measures required for effective preparation and response, including:

  • Required policies and standards
  • The program leadership and teams
  • Objectives for availability and recovery including RTO and RPO
  • Classification of systems and assets for recoverability
  • Planned processes and standards for operations and execution including communications, critical decision-making, change management, and security incident response
  • Risk impact assessment aligned with ENGINE’s security risk assessment processes

Together these measures constitute ENGINE’s disaster recovery planning.  Plans are updated annually to ensure effectiveness.

ENGINE maintains backup copies of production data in remote locations from primary data.  Recovery tests for data are performed on a regular basis.

PANDEMIC AND REMOTE WORKING

In addition to our technology availability and continuity plans, ENGINE maintains a pandemic and remote working plan.  Through this plan, ENGINE is capable of efficiently transitioning our core business operations to a 100% remote workforce while sustaining customer services.

This plan is tested annually and was successfully executed with no downtime during the 2020 COVID-19 outbreak.
