The purpose of this policy is to emphasize our commitment to providing our users a secure environment. PerXL’s security policy incorporates guidance from the Federal Information Security Modernization Act of 2014 (FISMA) and NIST Federal Information Processing Standards (FIPS), and is dedicated to keeping your data secure from unauthorised access, disclosure, accidental loss, destruction, or alteration. Security risk is one of the many components of organizational risk. Risk management is a holistic activity across the organization and addresses risks from the strategic level to the tactical level, so that all activities within the organization are encompassed by its framework. It involves foresight, strategic planning and operational management to ensure that all possible and probable risks are identified and that the required risk response measures are initiated where necessary. All measures must be monitored over time so that new measures can be established and incorporated in keeping with environmental or legislative changes.
Scope
This policy outlines the security measures implemented to secure critical and sensitive PII and other data, including but not limited to physical security of hardware and storage devices, data encryption, password protection, threat management, access control, logical security of software applications, and organizational policies and procedures, in compliance with global standards and laws and in keeping with the CIA triad of Confidentiality, Integrity and Availability (sometimes referred to as the AIC triad, to avoid confusion with the Central Intelligence Agency). It also includes remediation plans in the event of a breach. It may be added here that no physical or electronic storage, nor any method of transmission, is fail-proof; hence we cannot guarantee or warrant the security of the data or that there will not be any breaches. Our Security Policy is based on the following principles:
Measures to ensure Data Confidentiality
Measures to ensure Data Integrity
Data Integrity is a crucial part of ensuring data accuracy and consistency. Human error is known to be one of the major gaps that needs to be plugged. According to a study by IBM, 95% of cyber security breaches result from human errors.
To prevent corruption of data or unintentional changes, whether at rest, in transit, at the end point, or during retrieval, several measures are in place:
We prioritize the security of your data. To protect your information, we use robust encryption and security measures throughout its lifecycle. Here's how we ensure your data stays safe:
- Data in Transit: All data transmitted over our network is encrypted using SSL (Secure Sockets Layer) to protect it from unauthorized access.
- Data at Rest: Sensitive data is protected using SHA-256, a widely recognized and secure hash algorithm.
We use these industry-standard encryption methods to safeguard your information, ensuring it remains confidential and secure at all times.
Measures to ensure Availability
Availability means ensuring ease of access and continued, uninterrupted service to authorized users. We have, as enumerated above, taken all reasonable measures to ensure service, network, server, and application redundancy and to avoid hardware or software failure, or human error. A disaster recovery plan is part of our contingency measures in the event of natural disasters or other unforeseeable factors.
Business Continuity and Disaster Recovery
In today’s ever-changing and ever-accelerating digital world, where all your data is in digital form, it is imperative to establish and sustain an effective digital preservation infrastructure. We value our Subscribers and their Data, and Data Preservation and Restoration are our foremost responsibilities to our Subscribers.
To ensure this, a robust business continuity plan has been designed and implemented.
Our Business Continuity Plan (BCP) includes a three-pronged approach. Controls include:
- measures to foresee and prevent
- measures to detect and mitigate
- measures to restore
Measures to foresee and prevent include
Risk Assessment of all critical business functions, internally as well as externally, identification of potential risks and disasters, and prioritization of the risks based on their severity. Risk Assessment of all critical business functions is performed annually. This process includes identifying new parameters, if any, evaluating or re-evaluating potential risks that impact business operations and objectives, and evaluating the likelihood and impact of those risks.
Measures to detect and mitigate
Validation of established processes and procedures is performed to check the efficacy of established systems, validate all appropriate risk mitigation measures, identify potential weaknesses, bridge gaps and make the BCP more robust.
Our data resides on Amazon Web Services (AWS), and we have multiple paths for data transmission to provide network redundancy, as well as multiple backup systems to ensure continued availability of critical systems and applications.
Disaster recovery drills and testing
Disaster recovery drills are performed at regular intervals to validate the recovery plans, identify potential weaknesses, and ensure that the necessary personnel and resources are available in the event of a disaster.
Data backup and replication
Our data resides on AWS; regular backups and cloud-based alternate site solutions are some of the means used to ensure data availability in case of a disaster. Our Recovery Time Objective (RTO) is targeted at 6 hours and our Recovery Point Objective (RPO) is set at 12 hours.
Crisis communication plan (CCP)
A critical component of an organization's disaster recovery plan, our CCP includes:
Communication channels
Training and testing
Key personnel are trained on CCP. Communication channels and procedures are tested to ensure that they are working effectively.
Security incident process
PerXL will take all reasonable measures and employs a coordinated approach to ensure the security and integrity of Subscriber data. While security is foremost for PerXL, for its own as well as Subscribers’ data, there could be inadvertent security incidents or breaches. We have a set of well-defined processes and procedures to notify Subscribers of an incident or breach, minimize the impact of security incidents, and ensure that incidents are managed in a timely, effective, and consistent manner, from detection to resolution and restoration of operations.
In the event of a security incident or breach, whether by PerXL or its subprocessors, where the security breach could be loss of data (including PI), alteration of data, unauthorized disclosure, or accidental destruction, PerXL will promptly notify the Subscriber of the ‘Subscriber Data Incident’. PerXL will make reasonable efforts to determine the cause of the incident and take necessary and reasonable steps to remedy the cause of the incident to the extent that PerXL can control. However, this obligation does not apply to incidents that are caused by the Customer or its users.
Security analytics
Security analytics help in identifying and mitigating potential attacks, and include activities related to Subscriber identity and behavior, and to the Network.
Subscriber identity and behavior activity
Includes detection of improper subscriber account usage and unauthorised access, identification of compromised accounts, stateful session tracking, and authentication.
Network activity
Includes monitoring of network traffic, threat detection, detection of data exfiltration, and access certifications.
Awareness and Training
As stated earlier, an IBM study shows that 95% of cyber security breaches result from human errors. NIST also states that the understanding in the IT community is that people are the weakest link. To safeguard your data against this risk, PerXL invests significant time and effort in awareness and training programs for all of its staff members to meet the following requirements: