
Trust Center

Security Assurance

As a strategic partner to our customers, we are committed to securing our data, our proprietary assessment methodologies, our algorithms, our technology platforms, and our people. As such, we conform to industry-recognized processes, procedures, protocols, and certifications. This is an assurance to our customers of our ability to not only deliver quality services and products, but to protect all manner of customer-related data, infrastructure, applications, and people across the full execution of CYE’s portfolio.

CYE’s Risk Management Approach

The CYE Risk Management program is an essential management function and is critical for implementing and maintaining a high standard of security. The process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level is an iterative process followed by CYE risk and control teams, covering initial assessments, risk mitigation and evaluation activities. The entire process is managed and tracked via CYE’s platform, to provide a comprehensive, continuous view of the organizational risk landscape, as well as facilitate an informative, data-driven decision-making process of the mitigation aspects.

Data Privacy

Private data that belongs to CYE’s employees, customers, or clients will be protected as detailed in our full data privacy policy, which is available upon request.

Data Access

All confidential or sensitive data is protected via access controls to ensure that data is not improperly disclosed, modified, deleted, or rendered unavailable. Logs track all access to such data and identify who accessed the data and when.

Employees who have been authorized to view information at a particular classification level will only be permitted to access information at that level or at a lower level on a need-to-know basis. All access to systems is configured to deny all but what a particular user needs to access per their business role.

Access to systems or applications handling confidential, sensitive, or private information follows the CYE data access request process. All requests require approval by the Information Security Team and a valid Authorization Request Form. Access to data exceeding an employee’s authorized role also follows the data access request process and includes documented limits around such access (e.g., access source, access time limits, etc.).

Data Retention

All confidential and sensitive data, regardless of storage location, is retained only as long as required for legal, regulatory, and business requirements. The specific retention length is addressed in a separate data policy established by the data creator or Chief Information Security Officer.

Audit and security logs are retained in accordance with defined retention requirements and are centrally available for investigation.

Data Disposal

All confidential or sensitive electronic data, when no longer needed for legal, regulatory, or business requirements, is removed from CYE systems using an approved method as documented in the CYE policy. This includes all data stored in systems, temporary files, or contained on storage media.

All confidential or sensitive hardcopy data, when no longer needed for legal, regulatory, or business requirements, is removed from CYE systems using an approved method as documented in the CYE policy.

CYE’s platform

CYE’s platform security strategy for dealing with advanced, continuous, and emerging cyber threats while using advanced cloud technology capabilities is based on the concept of zero tolerance for security breaches.

CYE provides a secure, reliable, and resilient software-as-a-service platform that has been designed from the ground up based on industry best practices. The following sections address the network and hardware infrastructure, software, and information security elements that CYE delivers as part of this platform, as well as database management system security, application controls, and intrusion detection monitoring software.

Data Center Security

CYE relies on Amazon Web Services for global infrastructure, including the facilities, network, hardware, and operational software (e.g., host OS, virtualization software, etc.) that support the provisioning and use of basic computing resources and storage.

AWS infrastructure is designed and operated in alignment with multiple industry compliance frameworks (e.g., ISO 27001, SOC), under AWS’s shared responsibility model.

The environmental protections managed under the vendor’s policies are:

  • Redundancy – The data centers are designed to anticipate and tolerate failure while maintaining service levels with core applications deployed to multiple regions.
  • Fire Detection and Suppression – Automatic fire detection and suppression equipment has been installed to reduce risk.
  • Redundant Power – The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure. Data centers use generators to provide back-up power for the entire facility.
  • Climate and Temperature Controls – Maintain a constant operating temperature and humidity level for all hardware.
  • Physical access – AWS recognizes the significance of physical security controls as a key component in its overall security program. Physical access methods, procedures, and controls have been implemented to help prevent unauthorized access to data, assets, and restricted areas.

Infrastructure Security

  • End-to-End Network Isolation – The Virtual Private Cloud is designed to be logically separated from other cloud customers and to prevent data within the cloud from being intercepted.
  • External & Internal Enforcement Points – All servers are protected by restricted AWS firewall rules. The configuration of AWS firewall rules is restricted to authorized personnel.
  • Server and Container Hardening – All servers are hardened according to industry best practices.
  • Segregation Between Office and Production Networks – There is a complete separation between the CYE corporate network and the production network. Access to the production environment is granted to authorized personnel only, and traffic between the networks is sent over an encrypted tunnel.
  • Vulnerability Scanning – Vulnerability scans are performed on CYE’s images to detect potential security breaches. Vulnerabilities are tracked and remediated according to defined severity-based SLAs, with regular review meetings. Tickets are opened, and vulnerabilities are tracked until resolution.
  • Penetration Testing – Penetration testing is performed yearly to identify security vulnerabilities and possible attack vectors on CYE’s infrastructure. Findings are documented and receive treatment in the form of a security plan or dedicated tickets.

Application Security

  • Penetration Testing – The penetration tests include, among other things, procedures to prevent customers, groups of individuals, or other entities from accessing confidential information other than their own.
  • SSDLC – CYE has developed an extensive SSDLC process to ensure the secure development of its product. The system undergoes design review for key and sensitive features, all PRs are reviewed and approved by designated team leaders, a SAST solution is in place to identify vulnerabilities before they appear in production, developers receive security training through a dedicated platform, and more.
  • Vulnerability Management – Web application architecture and implementation follow OWASP guidelines. The application is regularly tested for common vulnerabilities (such as CSRF, XSS, SQL Injection).
  • Segregation of Customer Data – CYE employs a login system and authorization mechanism based on industry best practices. During each user request, a validation process is performed through encrypted identifiers to ensure that only authorized users gain access to the specific data.

Operational Security

  • Configuration and Patch Management – CYE employs a centrally managed configuration management system, including infrastructure-as-code systems through which predefined configurations are enforced on its servers, as well as the desired patch levels of the various software components.
  • Security Incident Response Management – CYE has a security incident response management policy and a dedicated internal IR team ready to investigate any suspicious activity on CYE’s infrastructure.
  • Endpoint and Resource Protection – CYE uses a set of tools to protect its endpoints, including an XDR solution monitored by its security team, a ZTNA solution to validate and monitor all access to internal services, URL filtering capabilities, etc. Cloud resources are monitored by a CNAPP solution, which also covers the Kubernetes cluster.
  • Unified Endpoint Management – CYE uses a dedicated set of tools to monitor and control updates, data, content, configuration, and encryption of all of its assets.
  • Security Monitoring – CYE has dedicated personnel to oversee its monitoring suite and tools, and the required playbooks and procedures to support an effective response to all security related events.

Human Resource Security

  • Employee Onboarding and Offboarding Process – Both processes are implemented to validate that only credible employees join CYE, while making sure leavers do so in a secure manner.
  • Security Awareness Training – CYE’s employees undergo information security awareness training upon joining the company, as well as periodically to comply with CYE’s information security policy. The training ensures that each group of employees receives security training according to their technical knowledge and needs.

Data Encryption

  • Data in Transit – All traffic between customer endpoints and the CYE platform, as well as inter-service and inter-site communications, is encrypted using TLS 1.2 or TLS 1.3 with strong, industry-approved cipher suites only. Secure HTTPS connections are enforced, and encryption in transit is implemented to protect data confidentiality and integrity. Encryption keys are managed and protected through defined key management processes covering generation, storage, use, rotation, and destruction.
  • Data at Rest – Data at rest is encrypted in accordance with AWS data-at-rest encryption standards. Production databases hosted on Amazon RDS, including automated backups and snapshots, are encrypted using AES-256 symmetric encryption managed by AWS Key Management Service (KMS). RDS snapshots stored in private Amazon S3 buckets are also encrypted using AWS-native encryption mechanisms, ensuring confidentiality and integrity of stored data.

Availability Procedures

CYE’s production environment is fully managed as part of the AWS services and monitored by CYE’s operations team using the tools provided by AWS as well as internal tools. CYE has implemented the operations management controls described below to manage and execute production operations.

Disaster Recovery Plan (DRP)

CYE has developed a disaster recovery plan to enable the company to continue to provide critical services in case of a disaster. CYE is prepared for a catastrophic event in which an AWS Availability Zone (AZ) fails and has a dedicated procedure to handle such a scenario. In addition, all infrastructure is run as code, providing CYE the capability to deploy its application to a different region if required. Finally, CYE’s databases are hosted on AWS and backed up using automated AWS RDS snapshots performed every few hours. Backup restoration and integrity tests are conducted periodically (at least bi-monthly) in accordance with the Backup Policy. Each manual backup is validated by the DevOps team. Additionally, once a year, as part of the disaster recovery plan (DRP), the database failure simulation and restoration processes are tested thoroughly to verify that the current process is effective, as well as to train the relevant personnel for a catastrophic event.

Full policies

Our full Information Security Policies and Privacy Statements are available upon request under NDA via your CYE Account Manager.
