Last update to Security Policy – June 21, 2021
This Security Statement applies to the platforms and services offered by Black Professionals in Tech Network Inc. (“BPTN”). The protection and security of our customer data is critical to operating our business, and inherently built into our platforms from the ground up. To provide transparency into our security processes with our partners and customers, a detailed summary of our security posture is provided below.
Access Control Reviews
- BPTN platforms are logically isolated at the network level in AWS inside an AWS Virtual Private Cloud (VPC), where AWS resources are launched in a virtual network defined by BPTN. BPTN has complete control over its virtual networking environment, including selection of its own IP address range, creation of subnets, and configuration of route tables and network gateways.
- AWS has identified the critical system components required to maintain availability and to recover service in the event of an outage. Critical system components are backed up across multiple, isolated locations known as Availability Zones (AZs). Each Availability Zone runs on its own physically distinct, independent infrastructure and is engineered to be highly reliable. Availability Zones are connected to each other with fast, private fiber-optic networking, so applications can be architected to fail over automatically between Availability Zones without interruption.
- AWS Elastic Load Balancers are used to automatically distribute incoming application traffic across AWS ECS-managed containers, deployed on multiple Amazon EC2 instances in the cloud. This allows us to achieve greater levels of fault tolerance in the BPTN platforms, seamlessly providing the required amount of load balancing capacity needed to distribute application traffic.
- Firewalls, routers, switches and internet backbone connections are all maintained with redundancy and high availability on a 24/7/52 basis by AWS.
- AWS manages redundant power to all infrastructure routers and switches, as well as the data centers themselves; redundant fiber connections to Internet backbone connectivity providers; and advanced route optimization technology to provide efficient routing among the multiple backbone carriers connected to the data centers.
- BPTN uses AWS Security Groups (stateful, instance-level firewall rules that permit traffic by source, destination, port and protocol) and VPC route tables (which determine whether a subnet can reach the internet or other networks at all) to restrict traffic to servers and subnets.
- Databases are encrypted and deployed in private subnet tiers (subnets with no route to an internet gateway), and are protected by Security Groups that only admit traffic from the application tier.
- Access to platform servers, when required, is only available over an encrypted VPN that requires authentication with multi-factor authentication (MFA).
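The tiering described in the bullets above (databases reachable only from the application tier, no management ports open to the internet, database subnets with no internet-gateway route) can be verified from the VPC's own configuration. The following is an added example, not BPTN tooling: it evaluates those three rules over hand-constructed data shaped like the output of boto3's ec2.describe_security_groups() and ec2.describe_route_tables(), so it runs offline. The security-group and subnet identifiers (sg-lb, sg-app, sg-db, subnet-db-a, subnet-db-b, igw-0abc, nat-0def) are hypothetical.

```python
"""Audit VPC tiering: DB security groups only admit the app tier, no
database or management port is open to the world, and private subnets
have no default route to an internet gateway.

Sample data is constructed in the shape boto3 returns; no AWS calls.
"""
from dataclasses import dataclass

DB_PORTS = {3306, 5432}          # MySQL / PostgreSQL
MGMT_PORTS = {22, 3389}          # SSH / RDP
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


@dataclass(frozen=True)
class Finding:
    resource: str
    issue: str


def _ports(perm):
    """Ports covered by one IpPermission entry (protocol -1 means all)."""
    if perm.get("IpProtocol") == "-1":
        return range(0, 65536)
    return range(perm["FromPort"], perm["ToPort"] + 1)


def _sources(perm):
    """Yield ("cidr", value) or ("sg", value) for every source of a rule."""
    for r in perm.get("IpRanges", []):
        yield "cidr", r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield "cidr", r["CidrIpv6"]
    for r in perm.get("UserIdGroupPairs", []):
        yield "sg", r["GroupId"]


def audit_security_groups(groups, db_sg_ids, app_sg_id):
    """Flag world-open DB/management ports and DB rules not sourced from the app SG."""
    findings = []
    for sg in groups:
        sg_id = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            exposed = set(_ports(perm)) & (DB_PORTS | MGMT_PORTS)
            for kind, src in _sources(perm):
                if kind == "cidr" and src in (ANY_V4, ANY_V6) and exposed:
                    findings.append(Finding(sg_id, f"{src} may reach ports {sorted(exposed)}"))
                if sg_id in db_sg_ids and (kind != "sg" or src != app_sg_id):
                    findings.append(Finding(sg_id, f"database tier accepts traffic from {src}, not only {app_sg_id}"))
    return findings


def audit_private_subnets(route_tables, private_subnet_ids):
    """A private subnet's route table (explicit or main) must not default-route to an igw."""
    findings = []
    main = next((rt for rt in route_tables
                 if any(a.get("Main") for a in rt.get("Associations", []))), None)
    by_subnet = {a["SubnetId"]: rt for rt in route_tables
                 for a in rt.get("Associations", []) if "SubnetId" in a}
    for subnet in private_subnet_ids:
        rt = by_subnet.get(subnet, main)
        if rt is None:
            findings.append(Finding(subnet, "no route table found"))
            continue
        for route in rt.get("Routes", []):
            if route.get("DestinationCidrBlock") == ANY_V4 and route.get("GatewayId", "").startswith("igw-"):
                findings.append(Finding(subnet, f"{rt['RouteTableId']} default-routes to {route['GatewayId']}"))
    return findings


# Constructed sample: a load-balancer, app and database tier, two DB subnets.
SAMPLE_SGS = [
    {"GroupId": "sg-lb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANY_V4}]}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "UserIdGroupPairs": [{"GroupId": "sg-lb"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": ANY_V4}]}]},   # SSH open to the world
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},  # whole VPC, not just app tier
]
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}, {"SubnetId": "subnet-db-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": ANY_V4, "GatewayId": "igw-0abc"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-db-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": ANY_V4, "NatGatewayId": "nat-0def"}]},
]


def run_audit(groups=SAMPLE_SGS, route_tables=SAMPLE_ROUTE_TABLES):
    return (audit_security_groups(groups, db_sg_ids={"sg-db"}, app_sg_id="sg-app")
            + audit_private_subnets(route_tables, ["subnet-db-a", "subnet-db-b"]))


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.resource}: {f.issue}")
```

On the sample data the audit reports three findings: SSH on sg-app open to 0.0.0.0/0, a sg-db rule sourced from a CIDR instead of the application security group, and subnet-db-b attached to a route table whose default route goes to an internet gateway. A NAT-gateway default route (rtb-private) is accepted, since it permits outbound patching without inbound exposure.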
Server & Database Security
- BPTN uses AWS auto-scaling groups to automatically scale on-demand, replace failed instances, and seamlessly roll out new deployments.
- Hardware failures are replaced expeditiously using AWS native capabilities to spin up new servers or volumes in AWS on demand.
- Databases are deployed on Amazon RDS, a managed service that reduces operational overhead and risk by automating common activities such as change requests, monitoring, patch management, security hardening and backup/restoration, and that provides full lifecycle services to provision, run and support the database infrastructure.
Monitoring & Logging
A central IT management system is used to track and maintain corporate IT assets and laptops.
BUSINESS CONTINUITY AND DISASTER RECOVERY
- BPTN platforms are deployed across multiple Availability Zones (data centers). A failure in one Availability Zone will natively and automatically redirect traffic to the other.
- In the event of a catastrophic failure, Terraform automation would be used to redeploy environments; continuous integration and deployment (CI/CD) pipelines are used to redeploy the services and databases; and data would be recovered from encrypted backups hosted in AWS.
Storage & Backups
- Database backups are performed at least daily, and stored for a minimum of seven days. All backups are encrypted during storage and transfer.
- Server disks are AWS EBS SSD volumes, which are replicated across multiple servers within an Availability Zone to prevent loss of data.
- Data stored in AWS S3 buckets is replicated across multiple devices in multiple Availability Zones, providing 99.999999999% (eleven nines) durability over a given year. AWS S3 is designed to sustain concurrent device failures by quickly detecting and repairing any lost redundancy, and regularly verifies data integrity using checksums.
- Customer data is encrypted in transit using HTTPS/TLS and encrypted at rest.
- Customer databases are located in data tiers in private subnets, and encrypted at rest.
- All database backups are encrypted in transit and at rest. Backups remain in AWS, and remain in the country associated with the platform.
- Passwords are transmitted over TLS encrypted channels.
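The backup commitments in the Storage & Backups list (daily backups, retained at least seven days, encrypted at rest, databases not publicly reachable) are all visible in the RDS configuration and snapshot inventory. The following is an added example, not BPTN's own tooling: it evaluates those commitments over hand-constructed records shaped like the output of boto3's rds.describe_db_instances() and rds.describe_db_snapshots(), so it runs offline. The instance names db-primary and db-legacy, the snapshot identifiers and the reference time are hypothetical.

```python
"""Check RDS instances and automated snapshots against a backup policy:
storage encrypted, retention >= 7 days, no public endpoint, every
snapshot in the window encrypted, and no gap longer than ~a day.

Sample data is constructed in the shape boto3 returns; no AWS calls.
"""
from datetime import datetime, timedelta, timezone

MIN_RETENTION_DAYS = 7
# Automated snapshots land somewhere inside a backup window, so allow a
# couple of hours of jitter on top of the nominal 24-hour cadence.
MAX_GAP = timedelta(hours=26)
NOW = datetime(2021, 6, 21, 12, 0, tzinfo=timezone.utc)  # constructed reference time


def audit_instance(inst):
    """Policy checks that can be read straight off a DBInstance record."""
    issues = []
    if not inst.get("StorageEncrypted"):
        issues.append("storage is not encrypted at rest")
    retention = inst.get("BackupRetentionPeriod", 0)
    if retention < MIN_RETENTION_DAYS:
        issues.append(f"backup retention is {retention} days, below {MIN_RETENTION_DAYS}")
    if inst.get("PubliclyAccessible"):
        issues.append("instance has a publicly resolvable endpoint")
    return issues


def audit_snapshots(snapshots, now=NOW, window_days=MIN_RETENTION_DAYS):
    """Every snapshot in the window must be encrypted, and the timeline from
    window start to now must have no hole longer than MAX_GAP (a day with
    no restorable backup). An empty window is reported as one large hole."""
    issues = []
    start = now - timedelta(days=window_days)
    recent = sorted((s for s in snapshots if s["SnapshotCreateTime"] >= start),
                    key=lambda s: s["SnapshotCreateTime"])
    issues += [f"{s['DBSnapshotIdentifier']} is not encrypted" for s in recent if not s.get("Encrypted")]
    prev = start
    for t in [s["SnapshotCreateTime"] for s in recent] + [now]:
        if t - prev > MAX_GAP:
            issues.append(f"no snapshot between {prev:%Y-%m-%d %H:%M} and {t:%Y-%m-%d %H:%M} UTC")
        prev = t
    return issues


def _daily(first_day, days, ident, encrypted=True):
    """Constructed snapshot records at 03:00 UTC on consecutive June 2021 days."""
    out = []
    for i in range(days):
        t = datetime(2021, 6, first_day + i, 3, 0, tzinfo=timezone.utc)
        out.append({"DBSnapshotIdentifier": f"rds:{ident}-{t:%Y-%m-%d}", "DBInstanceIdentifier": ident,
                    "SnapshotType": "automated", "Encrypted": encrypted, "SnapshotCreateTime": t})
    return out


# Constructed sample: one compliant instance and one that breaks several rules.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "db-primary", "StorageEncrypted": True,
     "BackupRetentionPeriod": 7, "PubliclyAccessible": False},
    {"DBInstanceIdentifier": "db-legacy", "StorageEncrypted": False,
     "BackupRetentionPeriod": 3, "PubliclyAccessible": False},
]
SAMPLE_SNAPSHOTS = (_daily(14, 8, "db-primary")                       # June 14..21, all encrypted
                    + _daily(19, 2, "db-legacy")                      # backups only started June 19
                    + _daily(21, 1, "db-legacy", encrypted=False))    # and the newest one is unencrypted


def run_audit(instances=SAMPLE_INSTANCES, snapshots=SAMPLE_SNAPSHOTS):
    """Return {instance id: [issue, ...]}; an empty list means compliant."""
    report = {}
    for inst in instances:
        ident = inst["DBInstanceIdentifier"]
        own = [s for s in snapshots if s["DBInstanceIdentifier"] == ident]
        report[ident] = audit_instance(inst) + audit_snapshots(own)
    return report


if __name__ == "__main__":
    for ident, issues in run_audit().items():
        print(ident, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

db-primary passes cleanly. db-legacy is reported four times: unencrypted storage, a three-day retention period, an unencrypted snapshot, and a multi-day hole between the start of the seven-day window and its first snapshot. The gap check is what catches "daily" silently failing (a backup window that stopped firing) even when the retention setting itself looks correct.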
Hardware & Media Disposal
INFORMATION SYSTEMS (IS) POLICIES
Clean Desk & Removable Media Policies
Security Working Group
HR & ORGANIZATIONAL SECURITY
Background Checks & Confidentiality
- All employees undergo background checks covering 7+ years as part of the hiring process, including criminal, employment, reference and credential verification. The specific scope of any background checks shall always be subject to the applicable local laws and regulations.
- All employees are subject to confidentiality agreements as part of their employment agreement.
Employee Onboarding & Offboarding
- Employee onboarding and offboarding procedures utilize automated notifications, reminders and auditing by our HR management system.
- These processes include access control enablement and revocation, and equipment removal and data destruction.
Security & Privacy Training
AWS Data Centers: Physical Access
- BPTN platforms are fully hosted in AWS data centers in the United States.
- AWS security personnel are on duty 24/7/52.
- Physical access to AWS data centers is controlled at building ingress points by professional security staff utilizing surveillance, detection systems, and other electronic means. Authorized staff utilize multi-factor authentication mechanisms to access data centers. Entrances to server rooms are secured with devices that sound alarms to initiate an incident response if the door is forced or held open.
AWS Data Centers: Alarms, CCTV, Inspection
- Electronic intrusion detection systems are installed within the data layer to monitor, detect, and automatically alert appropriate personnel of security incidents. Ingress and egress points to server rooms are secured with devices that require each individual to provide multi-factor authentication before granting entry or exit. These devices will sound alarms if the door is forced open without authentication or held open. Door alarming devices are also configured to detect instances where an individual exits or enters a data layer without providing multi-factor authentication. Alarms are immediately dispatched to 24/7 AWS Security Operations Centers for immediate logging, analysis, and response.
- Closed circuit video surveillance (CCTV) covers all entrance points on the interior and exterior of the buildings housing the data center facilities.
- AWS data centers security alarms are tested monthly, consistent with requirements for ISO 27001 and SOC.
AWS Data Centers: Access Cards, Badges, Visitors
- All AWS personnel and visitors are required to display their identity badges at all times when onsite at AWS facilities.
- Two-factor authentication is used to gain access to server rooms and sensitive areas of the data center.
- Only authorized AWS personnel have access to data center facilities.
- Visitor access control applies to all areas of the data centers: access requires a business justification, is granted on a least-privilege and time-bound basis and limited to the justified areas, and visitors must wear badges at all times and be escorted by authorized staff.
AWS DATA CENTER INFRASTRUCTURE & REDUNDANCY
Climate and Temperature
- AWS data centers use mechanisms to control climate and maintain an appropriate operating temperature for servers and other hardware to prevent overheating and reduce the possibility of service outages.
- Personnel and systems monitor and control temperature and humidity at appropriate levels.
Fire Detection and Suppression
- AWS data centers are equipped with automatic fire detection and suppression equipment.
- Fire detection systems utilize smoke detection sensors within networking, mechanical, and infrastructure spaces.
- AWS data centers are equipped with water leak detection.
- If water is detected, mechanisms are in place to remove it and prevent further water damage.
- AWS data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day.
- AWS data centers are equipped with back-up power supplies so that power remains available to critical and essential loads in the facility in the event of an electrical failure.
SOFTWARE DEVELOPMENT PROCESS
Agile SDLC Process
- BPTN Product-Engineering teams operate in an Agile environment with continuous delivery capabilities. Tasks go through our standard SDLC process, including sprint planning, task documentation, development, code reviews, QA, build server testing, multiple deployment environments, automated production deployment and rollback capabilities.
- These processes include version control, coding standards and security best practices.
Segregation of Duties
Patching and Anti-malware
Vulnerability & Penetration Testing
BREACH & INCIDENT RESPONSE
DDoS & Attack Prevention
- DDoS prevention is managed by BPTN and AWS. BPTN has premier enterprise support with AWS for immediate escalation and support of critical issues, including DDoS attacks. BPTN will also work with 3rd party cyber breach response teams in the event of a major incident.
- BPTN platforms use a combination of threat management and monitoring tools, including AWS Shield, CloudWatch alarms, centralized logging and application and infrastructure monitoring in AWS CloudWatch, and other tools, to help monitor for and prevent attacks.
- In the event of a major or reportable breach, affected customers will be notified within 72 hours, or earlier as required by law. Customers may be notified directly by Support or Customer Success teams.
- Incident response procedures involve clear identification of roles and responsibilities. The incident is first classified by impact to the system and whether a breach has occurred, followed by escalation procedures and regular reporting intervals to affected customers. In the event of a major or reportable breach, BPTN may appoint a 3rd party independent auditor to assess the scope and impact of a breach, assist in remediation, and write a full report of its findings.
- Keeping your data secure is a shared responsibility that also involves you maintaining appropriate security on your accounts. This includes ensuring sufficiently complex credentials & password rotation policies.
- Do not share your accounts or credentials with others, and provide accurate self identification information for account validation or potential data requests in the future.
AWS Data Centers
- BPTN platforms are fully hosted in AWS data centers in US regions.
- AWS maintains annual certifications, attestations and third-party audit reports including PCI DSS Level 1, ISO 27001, FISMA Moderate, FedRAMP, HIPAA, and SOC 1 and SOC 2.