CYE’s Security Assurance
As a strategic partner to our customers, we are committed to securing our data, our proprietary assessment methodologies, our algorithms, our technology platforms, and our people. As such, we conform to industry-recognized processes, procedures, protocols, and certifications. This is an assurance to our customers of our ability to not only deliver quality services, but to protect all manner of customer-related data, infrastructure, applications, and people in our execution of CYE’s portfolio of services.
The CYE Executive Management Team (EMT) is ultimately accountable for corporate governance. The management and control of information security risks is an integral part of the CYE corporate governance culture, and the EMT provides overall strategic direction. It accomplishes this by approving and mandating the information security principles and axioms, with operational responsibilities for physical and information security delegated to the respective accountable CYE business functions.
The EMT depends heavily on the CISO and the security team leader to coordinate activities throughout CYE, ensuring that suitable policies are in place to support CYE’s security principles. The EMT relies on feedback loop-driven processes from the security information officer, risk management, compliance, legal and other functions to ensure that the principles and policies are being complied with in practice.
The EMT demonstrates its commitment to information security by:
- Reviewing and approving the core principles by which we operate and secure our business every year
- Reviewing and approving the IT requirements and budget, including a specific element set aside for the information security technology and process controls
- Performing a management review, i.e. receiving and acting on management reports concerning information security KPIs, security incidents and investment requests, etc.
- Ensuring the integration of the CYE ISMS 27001 framework into the organization’s processes
- Ensuring that the resources needed for the ISMS framework will be available to satisfy all applicable requirements related to information security
- Promoting the continual improvement of the ISMS framework
- Identifying, exploring and making decisions about the adoption of other industry-relevant certifications such as SOC2.
CYE’s Chief Information Security Officer
The Chief Information Security Officer is responsible for coordinating and overseeing CYE’s compliance with policies and procedures regarding the confidentiality, integrity, and security of its information assets.
The Chief Information Security Officer works closely with the Chief Information Officer and other CYE managers and staff involved in securing the company’s information assets to enforce established policies, identify areas of concern, and implement appropriate changes as needed.
Responsibilities of the Chief Information Security Officer include:
- Making high-level decisions about the information security policies and their content, and approving, in advance, exceptions to these policies on a case-by-case basis.
- Coordinating formal risk assessments to identify new threats and vulnerabilities and identify appropriate controls to mitigate any new risks.
- Reviewing the information security policies and procedures to maintain adequacy considering emergent business requirements or security threats.
- Making sure that all third parties, with whom cardholder data is shared, are handled according to the Third Parties and Third-Party Agreements Policy.
- Maintaining, updating, and distributing the Response Plan and Procedures.
- Completing tasks as required by the Periodic Operational Security Procedures.
CYE’s Risk Management Approach
The CYE Risk Management program is an essential management function and is critical for implementing and maintaining an acceptable level of security. The process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level is an iterative process followed by CYE risk and control teams, covering initial assessments, risk mitigation and evaluation activities.
CYE uses risk assessment to determine the extent of the potential threats and the risks associated with systems throughout the System Development Life Cycle (SDLC). The output of this process helps to identify appropriate controls for reducing and/or eliminating risk during the risk mitigation process. Risk assessments are performed regularly or when there have been significant changes to the systems or operational environment.
The Executive Management Team is responsible for scheduling risk assessment activities and determining what events constitute risk assessments outside of the normal cycle.
The CYE Chief Information Security Officer is responsible for conducting the risk assessment according to NIST SP 800-30 (R1) guidance for carrying out each of the steps in the risk assessment process, such as planning, executing, communicating results, and maintaining the assessment.
CYE risk mitigation involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process. These controls are designed to close vulnerabilities, maintain continuity of operations at specified performance levels, and achieve document compliance with CYE policy requirements.
CYE’s risk evaluation is ongoing and evolving, and emphasizes sound practice in developing and improving the CYE Risk Management program. It influences progressive changes to existing systems, integrating into CYE’s operational functions, as well as the SDLC for new systems and applications.
Critical Cyber Operations
C2OPS provides additional cyber-related services and support, focusing on aiding CYE’s customers during critical incidents and addressing the following functions:
- Crisis management and incident response
- Cyber threat intelligence
- Architecture mitigation group
- Executive security
C2OPS hosts CYE’s internal security team. The security team is in charge of all CYE’s security aspects: security operations and monitoring, secure SDLC process, security compliance and policies, etc.
Research and Development (R&D)
Research and Development is responsible for developing, testing, and validating CYE’s products and the business services implemented within the production environment through the following development groups:
- Dev & QA – responsible for the development and testing of CYE’s platform and major services
- DevOps – responsible for DevOps services, among them the production environment
- Data Science – responsible for the development of CYE’s unique quantification and optimization algorithms and machine learning models
- Research – responsible for developing new tools and techniques for the Hyver platform
Data Privacy
Private data that belongs to CYE’s employees, customers, or clients will be protected as detailed in CYE’s data privacy policy, which is available upon request.
Data Access
All confidential or sensitive data is protected via access controls to ensure that data is not improperly disclosed, modified, deleted, or rendered unavailable. Logs track all access to such data and identify who accessed the data and when.
Employees who have been authorized to view information at a particular classification level will only be permitted to access information at that level or at a lower level on a need-to-know basis. All access to systems is configured to deny all but what a particular user needs to access per their business role.
Access to systems or applications handling confidential, sensitive, or private information follows the CYE data access request process. All requests require approval by the Information Security Team and a valid Authorization Request Form. Access to data exceeding an employee’s authorized role also follows the data access request process and includes documented limits around such access (e.g. access source, access time limits, etc).
Data Retention
All confidential and sensitive data, regardless of storage location, is retained only as long as required for legal, regulatory, and business requirements. The specific retention length is addressed in a separate data policy established by the data creator or Chief Information Security Officer.
All system and network audit logs are retained for one year with the capability to immediately restore the last three months’ logs for analysis.
Data Disposal
All confidential or sensitive electronic data, when no longer needed for legal, regulatory, or business requirements, is removed from CYE systems using an approved method as documented in the CYE policy. This includes all data stored in systems, temporary files, or contained on storage media.
All confidential or sensitive hardcopy data, when no longer needed for legal, regulatory, or business requirements, is removed from CYE systems using an approved method as documented in the CYE policy.
Hyver
The Hyver security strategy for dealing with advanced, continuous, and emerging cyber threats while using advanced cloud technology capabilities is based on the concept of zero tolerance for a security breach.
“We insist on secure by design procedures for the infrastructure and the application; we execute on this with our seasoned security architects and developers, all trained and practiced in SDLC methods, with an inherent knowledge and years of experience as state level actors in the Israeli Defense Force. We include continuous Red Team activities to verify the Hyver platform’s resilience and we proactively act to identify cyber vulnerabilities and emerging incidents in advance. Our incident response team is always active and ready 24/7 to handle any emerging suspicious activity in real-time.” – Shmuel Yehezkel, Chief Information Security Officer, CYE
CYE provides a secure, reliable, and resilient software-as-a-service platform that has been designed from the ground up based on industry best practices. The following addresses the network and hardware infrastructure, software, and information security elements that CYE delivers as part of this platform, as well as database management system security, application controls, and intrusion detection monitoring software.
Data Center Security
CYE relies on Amazon Web Services global infrastructure, including the facilities, network, hardware, and operational software (e.g., host OS, virtualization software, etc.) that support the provisioning and use of basic computing resources and storage. This infrastructure is designed and managed according to security best practices as well as a variety of security compliance standards: FedRAMP, HIPAA, ISO 27001:2015, AICPA SOC 1, SOC 2, SOC 3 and PCI-DSS and more.
The environmental protections managed under the vendor’s policies are:
- Redundancy – The data centers are designed to anticipate and tolerate failure while maintaining service levels with core applications deployed to multiple regions.
- Fire Detection and Suppression – Automatic fire detection and suppression equipment has been installed to reduce risk.
- Redundant Power – The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure. Data centers use generators to provide back-up power for the entire facility.
- Climate and Temperature Controls – maintain a constant operating temperature and humidity level for all hardware.
- Physical access – AWS recognizes the significance of physical security controls as a key component in its overall security program. Physical access methods, procedures and controls have been implemented to help prevent unauthorized access to data, assets, and restricted areas.
Infrastructure Security
- End-to-End Network Isolation – the Virtual Private Cloud is designed to be logically separated from other cloud customers and to prevent data within the cloud being intercepted.
- External & Internal Enforcement Points – All servers are protected by restricted AWS firewall rules. The configuration of AWS firewall rules is restricted to authorized personnel.
- Server Hardening – All servers are hardened according to industry best practices.
- Segregation Between Office and Production Networks – There is a complete separation between the CYE corporate network and the production network. Access to the production environment is granted to authorized personnel only, and traffic between the networks is sent over an encrypted tunnel.
- Vulnerability Scanning – Vulnerability scans are performed on CYE’s images to detect potential security breaches. Vulnerabilities are documented and reviewed during a monthly treatment meeting. Tickets are opened and vulnerabilities are tracked until resolution.
- Penetration Testing – Penetration testing is performed yearly to identify security vulnerabilities and possible attack vectors on CYE’s infrastructure. Findings are documented and receive treatment in the form of a security plan or dedicated tickets.
Application Security
- Penetration Testing – The penetration tests include, among other things, procedures to prevent customers, groups of individuals, or other entities from accessing confidential information other than their own.
- Vulnerability Management – Web application architecture and implementation follow OWASP guidelines. The application is regularly tested for common vulnerabilities (such as CSRF, XSS, SQL Injection).
- Segregation of Customer Data – CYE employs a login system and authorization mechanism based on industry best practices. During each user request, a validation process is performed through encrypted identifiers to ensure that only authorized users gain access to the specific data.
Operational Security
- Configuration and Patch Management – CYE employs a centrally managed configuration management system, including infrastructure-as-code systems through which predefined configurations are enforced on its servers, as well as the desired patch levels of the various software components.
- Security Incident Response Management – CYE has a security incident response management policy and a dedicated IR team ready to investigate any suspicious activity on CYE’s infrastructure.
- Antivirus – Anti-virus definition updates are performed and monitored on a regular basis by the IT and Operations teams. The employees’ laptops are encrypted using 256-bit AES encryption. Furthermore, CYE leverages the AWS Malware protection service on its production servers to identify suspicious activity.
- Unified Endpoint Management – CYE uses a dedicated tool, Microsoft Endpoint Manager (Intune), which installs an agent in advance on the company’s endpoints to monitor and control the updates, data, content, configuration, and encryption of the asset. The company security policy is enforced using the same tool.
Human Resource Security
- Security Awareness Training – CYE’s employees undergo information security awareness training upon joining the company, as well as periodically to comply with CYE’s information security policy. The training ensures that each group of employees receives security training according to its technical knowledge and its needs.
- Secure Coding Standards and Training – CYE’s R&D team is regularly trained in secure coding practices such as CERT Oracle Secure Coding Standard for Java and the OWASP top 10. Furthermore, it is involved with analyzing penetration test results and defining the “lessons learned.”
Data Encryption
- Data in Transit – All traffic between the customer’s endpoint and the CYE platform is encrypted through TLS with only the most secure algorithms enabled. Encryption between CYE customers and the application, as well as between CYE sites, is enabled using an authenticated TLS tunnel. Clients’ sessions and interactions are encrypted using 256-bit SSL V3/TLS HTTPS. CYE uses encryption to supplement other measures used to protect data-at-rest, when such protections are deemed appropriate based on assessed risk. Processes are in place to protect encryption keys during generation, storage, use, and destruction.
- Data at rest – Encrypted based on AWS’s data at rest encryption policies which adhere to the following: Several layers of encryption protect customer data at rest in Amazon Web Services products. Specifically, RDS DB, as well as its backups, are encrypted using an AWS-256-GCM key. This asymmetric algorithm is based on Advanced Encryption Standard (AES) in Galois Counter Mode (GCM) with 256-bit keys, an industry standard for secure encryption. The ciphertext that this algorithm generates supports additional authenticated data (AAD), such as an encryption context, and GCM provides an additional integrity check on the ciphertext. It is worth mentioning that the RDS snapshots which are hosted on a private S3 bucket are encrypted as well using AWS encryption capabilities.
Availability Procedures
CYE’s production environment is fully managed as part of the AWS services and monitored by CYE’s operations team using the tools provided by AWS as well as internal tools. The application level is fully managed by the CYE security team. CYE has implemented the operations management controls described below to manage and execute production operations.
Disaster Recovery Plan (DRP)
CYE has developed a disaster recovery plan to enable the company to continue to provide critical services in case of a disaster. CYE maintains a backup server infrastructure at a separate location within the AWS environments. The backup server infrastructure has been designed to provide clients with business-critical services until the disaster has been resolved and the primary system is fully restored. The alternative processing environment is wholly managed by appropriate CYE personnel, as is the case with the primary production environment. Furthermore, CYE is prepared for a catastrophic event in which an AWS Availability Zone (AZ) fails and has a dedicated procedure to handle such a scenario.
Database Backup
CYE’s databases are hosted on AWS and are backed up manually every two months and automatically every five minutes using snapshots. Each manual backup is validated by the DevOps team. For high availability in case of a disaster, the company holds a replica of the database in a separate region on AWS.
Restoration – Backup data is restored every two sprint cycles as part of the deployment procedure. It is validated for data integrity and potential data recovery issues. The restoration process is a crucial part of the deployment process; if the restoration does not succeed, the deployment fails, effectively requiring a restart of the entire process. Additionally, once a year, as part of the disaster recovery plan (DRP), the database failure simulation and restoration process are tested thoroughly to verify that the current process is indeed effective, as well as to train the relevant personnel for a catastrophic event.
Data center availability procedures – AWS provides CYE with a secured location implementing security measures to protect against environmental risks or disaster. Furthermore, CYE has a disaster recovery plan (DRP) which details a scenario of an availability zone (AZ) failure and the procedures needed to recover from such an event.
Monitoring Usage – The management team is updated on an annual basis on security, confidentiality, and availability non-compliance issues that may come up, and addresses them as needed. Such issues are documented as part of a support process and, if necessary, notifications are sent to the security team, DevOps team, and CYE’s CISO department. Change reports, vulnerability reports from production, and monitoring tools, as well as support metrics, are reviewed and discussed in relation to the organization’s system security, availability, and confidentiality policies. In addition, environmental, regulatory, and technological changes are monitored. Their effects are assessed, and the policies are updated accordingly. A summarized protocol is made available to relevant managers and team members.
Confidentiality Procedures
Customer confidentiality is a key factor at CYE. CYE has implemented the TLP information classification model, and customer data is defined as TLP RED. As such, CYE has implemented security measures to ensure the confidentiality of its customers’ sensitive corporate and/or personal information. The security measures aim to prevent unauthorized access, disclosure, alteration, or destruction of sensitive personal information. In addition, only a handful of key personnel are authorized to access the production environment and the customer’s data. It is important to mention that customers’ sensitive data such as passwords are hashed in the database using the SHA256 algorithm. Furthermore, all business partners are required to sign an agreement containing a confidentiality clause prior to engagement. Finally, at the end of a contract and upon customer request, CYE disposes of all the customer’s confidential information.