ENGINE’s Information Security Program addresses the administrative, organizational, and human aspects of security as a critical first step to ensure data protection is a well-established cultural element of our business.
To ensure the effectiveness of ENGINE’s ISMS and related security controls, we have aligned our security practices to common industry standards and control frameworks including ISO 27001, HITRUST, and Cyber Essentials Plus.
ENGINE is audited by independent external assessors for each of these frameworks on an annual basis.
- ISO 27001: ENGINE’s Information Technology organization, related systems, and ISMS are certified for ISO 27001, certificate # 586101
- HITRUST: ENGINE’s Healthcare practice is certified for HITRUST CSF, account number HT-001985
- Cyber Essentials Plus: ENGINE is certified for Cyber Essentials Plus, registration # QGCE1597
- SOC: The environments and service providers that host ENGINE services maintain multiple security and data protection accreditations for their operations and data centers, including SOC. For information regarding their compliance, please visit the AWS Security website, AWS Compliance website, Google Security website, Google Compliance website, and Microsoft Service Trust website.
ENGINE evaluates the design and operation of its ISMS through annual external audits. This ensures compliance with internal and external standards. On an annual basis, ENGINE engages qualified and credentialed third-party assessors to review our controls. The reports from these audits are shared with the Information Security Oversight Board and executive leadership. All findings are tracked to resolution.
ENGINE employs dedicated legal and compliance professionals with extensive expertise in data privacy and security. Along with the security team, these individuals are embedded in the development lifecycle for new services and technologies, and they review products and features for compliance with applicable legal and regulatory requirements. They work closely with development teams, IT, and security teams to ensure client, third-party, and regulatory requirements are met on an ongoing basis.
On an annual basis, ENGINE engages a qualified and credentialed external security services provider to perform penetration testing of the network and systems that support ENGINE’s corporate technology services. Testing includes ENGINE-managed infrastructure and systems underlying customer services. The requirement for annual testing is extended into our supply chain through ENGINE’s third-party supplier and risk assessment program. Findings from ENGINE and third-party test reports are tracked to resolution.
Any information transmitted to or from ENGINE over public networks uses strong encryption. This includes communications via e-mail where strong encryption protocols are supported by both parties. ENGINE’s standard for encryption is TLS 1.2 or later protocol with AES-256 and SHA2.
ENGINE classifies all client data as Confidential. Such data is always encrypted while at rest or in transit where technically and commercially feasible to do so.
User devices including laptops, smartphones, tablets, and other media are prohibited from transferring, storing, or processing Confidential data. These devices are encrypted at rest using IT-managed encryption technologies with AES-256. This includes removable media such as USB drives.
Data backups are encrypted both on-site and off-site.
Key management ensures keys are stored separately from the systems they protect.
ENGINE hosts its services with industry-leading data center providers in facilities that are ISO 27001, HIPAA / HITRUST, PCI, and SOC 2 Type 2 compliant. This ensures best-in-class protection for physical and virtual assets located within these centers. All providers encrypt all assets, including data in transit and at rest, for services used by ENGINE.
All electronic data stored by ENGINE has strict access controls enforced through multiple layers of security. ENGINE’s access control methodology adheres to the following core tenets of access management:
- Role-based access: access is provided only to those who require it
- Separation of duties: employees with privileged access must have this access granted independently, with a separate set of credentials, from non-privileged access
- Least privilege: the minimum amount of access required to perform one’s job function is granted
- Conditional access: access is dependent on certain conditions, for example time of day, location, or means of authentication
To this end, ENGINE employs the following measures:
- All systems used at ENGINE require users to authenticate using a unique set of credentials assigned to each user
- Multifactor authentication (MFA) is used for all systems and services that support it – this includes all ENGINE corporate employee accounts
- System administrators have unique credentials for privileged and non-privileged accounts
- Access is logged, and suspicious logon attempts are systematically reviewed and alerted to the security team
- Access levels are regularly reviewed as part of ENGINE’s internal audit function, specifically our Compliance Assurance Plan (CAP); included in the CAP is a review of third-party supplier access, privileged access, and inactive accounts
- IT administrator access is reviewed at least quarterly to ensure the level of access granted is still appropriate for the employee’s current job function.
ENGINE has implemented safeguards to protect secrets including the creation, storage, retrieval and destruction of service account credentials, access codes, and encryption keys. Secure password vaults are used within IT to store credentials and delegate access to staff as needed.
ENGINE has adopted a “zero-trust” model for network security. This model requires that any worker, in any location, using any device must have access control and application sessions authorized by a network policy. Details of this model can be shared with clients as requested.
Connections to the internal ENGINE network are strictly controlled and require authentication regardless of ingress point. Wireless network connections require two factors of authentication and are restricted to ENGINE devices only.
All devices connected to the ENGINE network must meet an initial security baseline; once connected, they receive regular patches and updates for vulnerabilities even if they are later disconnected from the network.
Networks are segregated physically and logically based on the security classification of systems and data made available on each segment. Network access controls on devices such as firewalls, routers, and servers ensure only traffic that is required for a given service is accessible within or between network segments.
Network monitoring is performed at the data center edge to detect anomalies and inbound network-based attacks. In keeping with the zero-trust model, monitoring is also performed on end-user devices.
ENGINE’s operational security practices include mature processes for service and change management aligned to the ITIL framework, centralized logging and monitoring, on-site and off-site data backups, technical vulnerability management, operational and security risk management, incident management, and asset management. Together these ensure a reliable and effective base from which to protect ENGINE and client assets.
Our security team performs frequent scans of our network, systems, and application assets on a continual basis. Findings are documented, reported, and tracked to remediation.
ENGINE’s security team collects and stores network, system, and application logs for analysis. These logs are stored in a dedicated platform that is protected from modification by IT staff. Analysis of logs is automated to the extent feasible technically and commercially.
ENGINE employs an internal risk assessment process to review its business units for technical, operational, and administrative threats and weaknesses. This process includes an audit of systems, data, and processes used within the business to ensure alignment with ENGINE policy and control measures. Where gaps and risks are discovered, these are documented, reported to accountable stakeholders, and tracked to resolution.
For systems and applications developed by ENGINE, we take a variety of measures to prevent the introduction of malicious or erroneous code to our environments and to protect against unauthorized access. This includes:
- Separation of production and non-production environments
- Change management
- Developer training
- Secure code repositories and version control systems
- Secure code analysis
- Application vulnerability management, e.g. OWASP Top 10
- Strict policies regarding open source software
- Security hardening of host systems and infrastructure
ENGINE abides by a “Plan, Do, Check, Act” cycle for security management. In support of this, an internal Compliance Assurance Program (CAP) has been enacted to help us address the most common threats and vulnerabilities attackers use today. The CAP is an internally developed program that ensures we continuously check the effectiveness of our processes related to security controls so improvements can be made and so any erosion of these processes is readily identified.
At ENGINE, we are keenly aware of our role as a service provider to our customers. Through the CAP, we also self-check our processes and controls to ensure these are met in accordance with our contractual obligations.
ENGINE has a formally established third-party vendor and supplier risk assessment program. New vendors in scope with any form of technology-based service, including the storage, processing, transfer, or analysis of data, are reviewed by ENGINE’s security team.
All third parties are assessed and tracked within a Governance, Risk, and Compliance (GRC) platform that captures key elements of each assessment and provides for effective risk processes and reporting.
Third-party assessment is conducted during vendor or supplier onboarding to ENGINE through manual interrogation by ENGINE’s security team. This occurs prior to vendors participating in any live projects and thereafter on an annual basis.
A third-party assessment is a detailed process that requires vendors and suppliers to provide evidence of reasonable safeguards and security controls aligned with ENGINE’s own controls and that demonstrates due care of sensitive assets and data. Any gaps are reported to management and required to be remediated before the vendor or supplier is authorized for use by ENGINE.
ENGINE’s internal systems and those which house or support customer systems and data follow a robust technology standard aimed to ensure maximum uptime. This technology standard includes:
- Redundancy and high availability by design eliminating single points of failure
- Geographically segregated facilities / computing locations including backups stored in different regions from primary data
- Service provider, network, and supplier diversity
- Strict use of technology platforms that are recognized as best-of-breed within their service areas, providing a high degree of availability and support
- Virtualization providing for rapid portability and provisioning of systems and data
- Remote working technologies
ENGINE’s formal disaster recovery program is based on the ISO 27031 standard and defines a purposeful and relevant approach to ensure survivability of internal and customer systems during a disaster event. The program includes the technical, administrative, and procedural measures required for effective preparation and response, including:
- Required policies and standards
- The program leadership and teams
- Objectives for availability and recovery including RTO and RPO
- Classification of systems and assets for recoverability
- Planned processes and standards for operations and execution including communications, critical decision-making, change management, and security incident response
- Risk impact assessment aligned with ENGINE’s security risk assessment processes
Together these measures constitute ENGINE’s disaster recovery planning. Plans are updated annually to ensure effectiveness.
ENGINE maintains backup copies of production data in remote locations from primary data. Recovery tests for data are performed on a regular basis.
In addition to our technology availability and continuity plans, ENGINE maintains a pandemic and remote working plan. Through this plan, ENGINE is capable of efficiently transitioning our core business operations to a 100% remote workforce while sustaining customer services.
This plan is tested annually and was successfully executed with no downtime during the 2020 COVID-19 outbreak.