Security & Compliance - Securiti (2023)

Overview

Securiti respects our customers' privacy and keeping our customers' data protected at all times is our highest priority. This security policy provides a high-level overview of the security practices put in place to achieve that objective.

(Video) AI-Powered Data Intelligence for Data Privacy & Security | Securiti

Have questions or feedback? Feel free to reach out to us at [emailprotected]

Dedicated security team

Our security team comprises security experts dedicated to improving the security of our organization. Our team has played lead roles in designing and building highly secure Internet facing systems at companies ranging from startups to large public companies like Symantec, BlueCoat, Cisco, Qualys, Elastica and WiChorus. Our employees are trained on security incident response and are on call 24/7.

Infrastructure

Securiti has taken a simple, no nonsense approach to security.

Our solution is hosted on Amazon Web Services. AWS is responsible for the security of the underlying cloud infrastructure and SECURITI takes the responsibility of securing workloads we deploy in AWS. AWS computing environments are continuously audited, with certifications from accreditation bodies across geographies and verticals, including ISO 27001, FedRAMP, DoD CSM, and PCI DSS. You can read more about their practices here.

Securiti is SOC2 Type II certified. A copy of the SOC2 certificate can be made available upon request to prospective and current customers. Securiti also holds the ISO 27001:2013 certification.

Our solution is engineered to make use of multiple availability zones in a given AWS region and autoscales as needed to provide a high available and reliable service.

Network level security monitoring and protection

Securiti's network architecture consists of multiple security zones with different tiers confined to their own zones. In particular, internet-facing endpoints are in their own zone and do not have direct access to the database tier or other internal services.

(Video) Cookie Consent Management for Global Cookie Compliance | Securiti

AWS GuardDuty is used to actively monitor all cloud trail and VPC flow logs for any anomalies or security incidents. AWS Security Hub is used to check all the infrastructure policies and configuration against best practices and raise alerts. A well-known open-source Host-based Intrusion Detection (HIDS) is used to monitor both the hosts and containers. AWS Shield provides the Web Application Firewall protection. The host and container images are scanned periodically for vulnerabilities - any vulnerabilities found are patched as per industry and SOC2 guidelines.

DDoS protection

We use AWS Shield as the Distributed Denial of Service (DDoS) mitigation service.

Encryption

Encryption in transit

All data sent to or from our infrastructure is encrypted in transit via industry best-practices using Transport Layer Security (TLS).

Encryption at rest

Any device storing any data is subjected to data-at-rest encryption. Thus, a decommissioned device cannot be misused. The encryption keys for at-rest encryption are periodically rotated.

Any customer data that is identified and cataloged by SECURITI as personal data is subjected to a one-way, irreversible hash and stored in the virtual database instance of the customer. At no point, such cataloged personal data is captured in clear-text in logs or databases.

All sensitive configuration data (e.g. passwords, database or SaaS credentials) is encrypted using best practice encryption algorithms in the database.

Data retention and removal

We retain our customers' data for a period of one business week after a deletion request is received. All data is then completely removed from our systems. Every customer can request the removal of their account by contacting support.

(Video) Overview of Securities Law: Module 1 of 5

Business continuity and disaster recovery

We back up all our critical assets on a daily basis and regularly attempt to restore the backup to guarantee a fast recovery in case of disaster. All our backups are encrypted. All critical assets are configured with redundancy and thus provide high availability. Daily backups are copied over to a different AWS region for disaster recovery. The securiti services are provisioned in the Disaster Recovery region using the pilot light strategy for a quick recovery.

Patch Management

  • We use AWS Inspector to check for vulnerabilities in our host images and Sysdig Anchore to check for vulnerabilities in our container images.
  • Critical and severe vulnerabilities are addressed in the current release under test. All other vulnerabilities are scheduled for future releases.
  • If a critical or severe vulnerability impacts any internet-facing application, we study the conditions under which the vulnerability can be exploited and, if we conclude that our applications are susceptible to exploitation, we patch our production systems immediately with a hot-fix, usually with a turn-around time of less than a day.

Application security monitoring

  • We use a security monitoring solution to get visibility into our application security, identify attacks and respond quickly to a data breach. We also use technologies to monitor exceptions, logs and detect anomalies in our applications.
  • We collect and store logs to provide an audit trail of our applications activity
  • Security events are logged and notifications are sent in case of critical attacks to allow for fast remediation.

Application security protection

  • We use AWS Shield as a Web Application Firewall to identify and block the OWASP Top 10 attacks in real-time.
  • We use security headers to protect our application from various attacks. Please check SecurityHeaders.io for our current grade.

Secure development

Our development methodology follows security best practices and frameworks (e.g. OWASP Top 10).

  • Developers participate in regular security training to learn about common vulnerabilities and threats
  • We review our code for security vulnerabilities
  • We regularly scan our host and container images to address the known vulnerabilities and also proactively update the dependencies.
  • We use static code analysis to identify defective code.
  • With every major release, we use the BURP Suite to check
    for vulnerabilities and remediate them as per the industry-standard best practices by taking their severity into
    account.

Responsible disclosure

Securiti is dedicated to keeping its cloud platform safe from all types of security issues thereby providing a safe and secure environment to our customers. Data security is a matter of utmost importance and a top priority for us. If you are a dedicated security researcher or vulnerability hunter and have discovered a security flaw in the Securiti platform including the cloud application and infrastructure, we appreciate your support in disclosing the issue to us in a responsible manner. Our responsible disclosure process is managed by the security team at Securiti. We are always ready to recognize the efforts of security researchers by rewarding them with a token of appreciation, provided the reported security issue is of high severity and not known to us. While reporting the security vulnerability to Securiti's Security team, please refrain from disclosing the vulnerability details to the public outside of this process without explicit permission. Please provide the complete details. We determine the impact of vulnerability by looking into the ease of exploitation and business risks associated with the vulnerability.

As a security researcher, if you identify or discover a security vulnerability in compliance with the responsible disclosure guidelines, Securiti's security team commits to:

Acknowledge the receipt of reported security vulnerability in a timely fashion

  • Notify you when the vulnerability is remediated
  • Extend our gratitude by providing a token of appreciation in supporting us to make our customers safe and secure
  • Please send the details of the discovered vulnerability or any security issue to: [emailprotected]

Accepted vulnerabilities are the following

  • Cross-Site Scripting (XSS)
  • Open redirect
  • Cross-site Request Forgery (CSRF)
  • Command/File/URL inclusion
  • Authentication issues
  • Code execution
  • Code or database injections

This bug bounty program does NOT include

  • Account/email enumerations
  • Denial of Service (DoS)
  • Attacks that could harm the reliability/integrity of our business
  • Spam attacks
  • Clickjacking on pages without authentication and/or sensitive state changes
  • Mixed content warnings
  • Lack of DNSSEC
  • Content spoofing / text injection
  • Timing attacks
  • Social engineering
  • Phishing
  • Insecure cookies for non-sensitive cookies or 3rd party cookies
  • Vulnerabilities requiring exceedingly unlikely user interaction
  • Exploits that require physical access to a user's machine

User protection

As with most cloud services, access to the Securiti platform requires a login ID and password or integration with a Single-Sign-On (SSO) provider. When an organization subscribes to the Securiti platform service, it is the customer's responsibility to manage which end users should be given access. Customers should also define when access should be taken away from the end users. For example, access should be revoked upon end user's separation from employment or as part of departmental changes that result in change of duties or responsibilities. Only valid account credentials should be used by authorized users to access the Securiti platform service.

Brute-force password attacks are thwarted by requiring users to answer a captcha if our application is not integrated with a single-sign-on vendor.

(Video) Operationalize CCPA Compliance with PrivacyOps Platform | Securiti

Single sign-on

Single sign-on (SSO) can be implemented by our enterprise customers. We recommend making use of the additional protections (such as 2FA) that are offered by SSO vendors.

Role-based access control

Advanced role-based access control (RBAC) is offered on all our customer accounts and allows our users to define roles and permissions.

Compliance

California Consumer Privacy Act (CCPA)

We're compliant to the California Consumer Privacy Act (CCPA). Our commitment towards CCPA is outlined here.

General Data Protection Regulation (GDPR)

We're compliant to the General Data Protection Regulation (GDPR). The purpose of GDPR is to protect the private information of EU citizens and give them more control over their personal data. Contact us for more details on how we comply to GDPR.

Payment information

All self-serve payment instrument processing is safely outsourced to Stripe which is certified as a PCI Level 1 Service Provider. We don't collect any payment information and are therefore not subject to PCI obligations.

Employee access

Our strict internal procedure prevents any employee from gaining access to customer data. A subset of SECURITI's Personnel have access to customer data as necessary to support the platform. Individual access is granted based on the role and job responsibilities of the individual. Access to systems containing customer data is reviewed on a regular basis and is monitored on an ongoing basis. Our employees sign a Non-Disclosure and Confidentiality Agreement to protect our customers' sensitive information.

FAQs

What does securiti AI do? ›

SECURITI.ai is the leader in AI-Powered PrivacyOps, that helps automate all major functions needed for privacy compliance in one place. It enables enterprises to give rights to people on their data, be responsible custodians of people's data, comply with global privacy regulations like CCPA and bolster their brands.

What helps ensure sensitive data is protected? ›

Encryption is the most effective way to protect your data from unauthorized access. Encryption can be defined as transforming the data into an alternative format that can only be read by a person with access to a decryption key. There are various resources available to encrypt data that you store on your machine.

How do you manage data protection? ›

Protecting Data While Working Remotely and Working from Home
  1. Consider using a VPN. ...
  2. Maintain physical control over your devices. ...
  3. Use a personal hotspot. ...
  4. Maintain clear separation between personal and work devices. ...
  5. Implement a cyber security policy. ...
  6. Use encryption. ...
  7. Implement access control.
29 Aug 2022

Why is GDPR important? ›

It requires organizations to diligently protect personal data, as well as provide proof about how that data is protected. GDPR sets a high standard for consent, which will have a huge impact on the marketing industry. Customers will need to be given choice and control over how their data is handled.

Is Python good for security? ›

Python is a useful programming language for cybersecurity professionals because it can perform a variety of cybersecurity functions, like malware analysis, penetration testing, and scanning.

Can Python be used for security? ›

Python can be used for mostly everything in cybersecurity

Like python can be used in making payloads, used for malware analysis, decoding of packets, accessing servers, network scanning, port scanning and many more.

What are the 3 principles of data protection? ›

Accuracy. Storage limitation. Integrity and confidentiality (security)

What is the strongest way to protect sensitive customer data? ›

How to Protect Your Sensitive Data
  1. Take Control of Sensitive Data. ...
  2. Encrypt Your Data. ...
  3. Use a Password Manager. ...
  4. Backup Your Data. ...
  5. Ensure The Security of Physical Records and Devices. ...
  6. Use a VPN on Public Wi-Fi. ...
  7. Always Stay Up to Date.

What is the most effective method to protect data? ›

Tips to Improve Data Security
  1. Protect the data itself, not just the perimeter. ...
  2. Pay attention to insider threats. ...
  3. Encrypt all devices. ...
  4. Testing your security. ...
  5. Delete redundant data. ...
  6. Spending more money and time on Cyber-security. ...
  7. Establish strong passwords. ...
  8. Update your programs regularly.

How do you protect data examples? ›

Mobile Data Protection
  1. Enforcing communication via secure channels.
  2. Performing strong identity verification to ensure devices are not compromised.
  3. Limiting the use of third-party software and browsing to unsafe websites.
  4. Encrypting data on the device to protect against device compromise and theft.

What are the tools used to protect data security? ›

Antivirus software is one of the most widely adopted security tools for both personal and commercial use. There are many different antivirus software vendors in the market, but they all use pretty much the same techniques to detect malicious code, namely signatures and heuristics.

How do you secure information? ›

5 simple steps to protect your personal information online
  1. Stop giving away your personal information.
  2. Check your mobile app permissions.
  3. Review your security and privacy settings.
  4. Use passphrases.
  5. Use Antivirus software and install the latest software patches.

What are the 7 main principles of GDPR? ›

Broadly, the seven principles are : Lawfulness, fairness and transparency. Purpose limitation. Data minimisation.

What is the main point GDPR? ›

The purpose of the GDPR is to provide a set of standardised data protection laws across all the member countries. This should make it easier for EU citizens to understand how their data is being used, and also raise any complaints, even if they are not in the country where its located.

How do you ensure GDPR compliance? ›

11 things you must do now for GDPR compliance
  1. Raise awareness across your business. ...
  2. Audit all personal data. ...
  3. Update your privacy notice. ...
  4. Review your procedures supporting individuals' rights. ...
  5. Review your procedures supporting subject access requests. ...
  6. Identify and document your legal basis for processing personal data.

Why do hackers use Python? ›

Exploit Writing: Python is a general-purpose programming language and used extensively for exploit writing in the field of hacking. It plays a vital role in writing hacking scripts, exploits, and malicious programs.

Which language is best for cyber security? ›

The top cybersecurity languages include Java, JavaScript, Python, SQL, PHP, PowerShell, and C. Depending on your career path, you may find other languages useful as well.
...
PHP
  • PHP is used to build websites. ...
  • PHP is used in most web domains and helps cybersecurity professionals defend against malicious attackers.

Why do most hackers use Python? ›

Besides the given reasons, Python is the most loved programming language used by hackers since it's an open-source language which means that hackers can use the stuff that other hackers have previously made. Besides being free and high-level language, it also comes with a bank of genius support.

Do hackers need to learn Python? ›

Python is a must-know programming language for anyone seeking a career in penetration testing.

Do ethical hackers use Python? ›

These days, Python is a popular language among hackers. The availability of pre-built tools and libraries, which facilitate hacking, is the cause. In fact, the language is suitable for ethical hacking since smaller scripts are required for ethical hacking, and Python meets this requirement.

How much Python do I need for cybersecurity? ›

As an entry-level cybersecurity professional, it's not mandatory to know Python, and there are so many domains in cyber which do not include the usage of Python every day. However, it's always helpful to know the basics of Python. The biggest benefit to knowing Python for cybersecurity is the ability to write scripts.

What are the four 4 elements of data security? ›

Protection, Detection, Verification & Reaction.

These are the essential principles for effective security on any site, whether it's a small independent business with a single site, or a large multinational corporation with hundreds of locations.

What are the 8 rules of data protection? ›

What are the Eight Principles of the Data Protection Act?
1998 ActGDPR
Principle 2 – purposesPrinciple (b) – purpose limitation
Principle 3 – adequacyPrinciple (c) – data minimisation
Principle 4 – accuracyPrinciple (d) – accuracy
Principle 5 - retentionPrinciple (e) – storage limitation
5 more rows

What are 8 ways you can protect personal data? ›

8 Smart Ways to Protect Your Personal Data
  • Make It Harder for Other People to Get Credit in Your Name. ...
  • Put Passwords on Your Devices. ...
  • Use Stronger Passwords. ...
  • Set up Two-Factor Authentication on Your Financial and Email Accounts. ...
  • Don't Do Your Online Shopping and Banking at the Local Cafe. ...
  • Update Your Software Regularly.
2 May 2022

How do you ensure security of customer data? ›

There are five steps you can take to protect your customers' information:
  1. Only collect the most vital data.
  2. Limit access to that data.
  3. Use password management tools.
  4. Avoid data silos.
  5. Set minimum security standards.

How do you keep your customers secure? ›

Limit employees who can access data

Allow only authorized access to customer data and ensure data is regularly backed up in case it is deleted or changed by staff. Set secure logins with passwords for servers and computers, with different access levels for staff to ensure minimal access to critical data.

What are the fundamental principles of security? ›

The fundamental principles of security are confidentiality, integrity, and availability.

What are two techniques of security? ›

However, here are 7 of the most effective data security techniques that you can try to secure your data.
  • Data encryption. ...
  • Backup and recovery optimization. ...
  • Data masking. ...
  • Row level security. ...
  • Promote transparency and compliance. ...
  • Cyber insurance. ...
  • Work with experts in data.

How can security be improved in the workplace? ›

How to improve security in the workplace
  1. Know who's on-site at all times and why.
  2. Grant the right access to guests and employees.
  3. Invest in alarms and surveillance systems.
  4. Train your employees to help keep the workplace secure.
  5. Make improvements to the physical workplace.
14 Sept 2021

Why is data security important? ›

Why is data security important? Data security is the practice of protecting digital information from unauthorized access, corruption, or theft throughout its entire lifecycle.

What are data security methods? ›

Data security encompasses company activity on applications and platforms by using techniques like data masking, data erasure, and backup storage. Other tactics involve encryption, tokenization, authentication (like biometric verification), and key management.

What is security measures? ›

Security Measure means a generic, implementation-independent form of security control that dictates what the solution should do to provide a secure environment. It describes security in a behavioral sense, not as a design decision.

What are the two types of data security? ›

Authentication and authorization

Two processes are used to ensure only appropriate users can access enterprise data: authentication and authorization.

What are the three security Tools? ›

4 Types of Security Tools that Everyone Should be Using
  • Firewalls. A firewall is the first (of many) layers of defense against malware, viruses and other threats. ...
  • Antivirus Software. ...
  • Anti-Spyware Software. ...
  • Password Management Software.
15 Feb 2018

What is privacy and security? ›

Privacy is the right to control how your information is viewed and used, while security is protection against threats or danger. In the digital world, security generally refers to the unauthorized access of data, often involving protection against hackers or cyber criminals.

What are the two 2 key principles of data protection? ›

Integrity and Confidentiality: Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including protection against unauthorised or unlawful access to or use of personal data and the equipment used for the processing and against accidental loss, ...

What is GDPR explained simply? ›

GDPR stands for General Data Protection Legislation. It is a European Union (EU) law that came into effect on 25th May 2018. GDPR governs the way in which we can use, process, and store personal data (information about an identifiable, living person).

What is GDPR compliance? ›

At its core, GDPR Compliance means an organization that falls within the scope of the General Data Protection Regulation (GDPR) meets the requirements for properly handling personal data as defined in the law. The GDPR outlines certain obligations organizations must follow which limit how personal data can be used.

How do you summarize GDPR? ›

GDPR's seven principles are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. In reality, only one of these principles – accountability – is new to data protection rules.

What are the 4 steps in maintaining compliance? ›

  1. Step 1 :: Review the compliance and security features of your software in each of these categories. eDiscovery. ...
  2. Step 2 :: Identify your company's specific security and compliance needs and policies. ...
  3. Step 3 :: Implement your policies, settings, and management in your software. ...
  4. Step 4 :: Report & Audit.
16 Sept 2022

How do you comply with GDPR in the workplace? ›

Employers must demonstrate data protection compliance by training, auditing and documenting processing activities, and reviewing HR policies. They should also: Appoint a data protection officer (DPO) where appropriate – see below. Only collect personal data that is adequate, relevant and necessary.

What is Immuta used for? ›

Immuta is the market leader in cloud data access control, providing data engineering and operations teams one universal platform to control access to analytical data sets in the cloud. Only Immuta can automate access control for any data, on any cloud service, across all compute infrastructure.

Which is a benefit to applying AI in SOC? ›

The primary benefit of SOC automation is the ability to scale the scope and speed of threat analysis and response. Scale is not just important for traditional drivers, like cost, but also to keep up with attackers' tactics and potential reach.

Does defender use AI? ›

The company's purchase of RiskIQ means that Defender will soon get a powerful AI core under its hood.

Will security guards be replaced by robots? ›

An Oxford University study predicted with a very high probability that human security guards will be automated within 20 years. Here are some of the benefits of adding ASRs to your existing security; Security robots can work alongside human security, increasing capacity and effectiveness.

How big is Immuta? ›

Boston, Massachusetts-based Immuta claims to have over 250 employees currently, with plans to double headcount within the next 18 months.

How much is Immuta? ›

Pricing Information
UnitsDescription12 MONTHS
960 Immuta UnitsA monthly metric based on user subscription count and data store type$96,000

What is Rockset used for? ›

Rockset is a real-time analytics solution that enables low-latency searches and aggregations. Rockset automatically indexes structured, semi-structured, geo, and time-series data for real-time search and analytics at scale.

What are some examples of AI in security? ›

AI systems in cybersecurity – examples of use

possible threat identification. cyber incident response. home security systems. CCTV cameras and crime prevention.

Why is SOC so important? ›

Having a dedicated SOC provides an organization with multiple benefits, including continuous network monitoring, centralized visibility, reduced cybersecurity costs, and better collaboration. Cybercriminals will never take a break.

Is cybersecurity or AI better? ›

More than 80% of people suggest cyber security as the best career choice for the future. There's always something new that you can learn about or try out in the field. New security practices and technologies keep you interested in the field for the long run.

How accurate is Microsoft Defender? ›

Its AI accurately identifies legitimate attack patterns while allowing safe software to pass. In tests using over one million software samples, Microsoft Defender Antivirus correctly caught the malware with 100% accuracy.

Are resumes scanned by AI? ›

AI resume screening is the practice of using artificial intelligence to sort through resumes and applications and move the best candidates to the next round of the recruitment process. AI resume screening tools attempt to streamline the time-consuming process of sorting through resumes to find qualified candidates.

Is Microsoft Defender a real thing? ›

Windows Security is built-in to Windows and includes an antivirus program called Microsoft Defender Antivirus. (In early versions of Windows 10, Windows Security is called Windows Defender Security Center).

What is the latest technology in security? ›

  • Artificial Intelligence & Machine Learning.
  • Internet of Things.
  • Blockchain.
  • Cloud Computing.
  • Web security.
  • Application Security.
  • Intrusion Detection System (IDS) and Intrusion Prevention System.
  • Data loss prevention (DLP) & Data encryption.

What is the future of security technology? ›

The future of security technology will rely heavily on new ways to centralize data and automate operations. Cloud-based systems, AI-powered software, and stronger IoT connections are all key to navigating the new security landscape.

What job Cannot be replaced by robots? ›

Psychologists, caregivers, most engineers, human resource managers, marketing strategists, and lawyers are some roles that cannot be replaced by AI anytime in the near future”.

Videos

1. Life on the HSBC Securities Services programme - Ridhwan's story
(Life at HSBC)
2. Enabling Privacy Compliance Automation For CCPA, GDPR & More | Securiti
(Securiti)
3. What are Securities?
(Kalkine Media)
4. COMPLIANCE INTERVIEW Questions and ANSWERS! (Compliance Officer and Manager Job Positions)
(CareerVidz)
5. Securities Compliance: A New Approach Behind the Scenes
(TALG)
6. Third-Party Privacy Risk Assessments Automation | Securiti
(Securiti)
Top Articles
Latest Posts
Article information

Author: Kieth Sipes

Last Updated: 01/07/2023

Views: 5832

Rating: 4.7 / 5 (67 voted)

Reviews: 82% of readers found this page helpful

Author information

Name: Kieth Sipes

Birthday: 2001-04-14

Address: Suite 492 62479 Champlin Loop, South Catrice, MS 57271

Phone: +9663362133320

Job: District Sales Analyst

Hobby: Digital arts, Dance, Ghost hunting, Worldbuilding, Kayaking, Table tennis, 3D printing

Introduction: My name is Kieth Sipes, I am a zany, rich, courageous, powerful, faithful, jolly, excited person who loves writing and wants to share my knowledge and understanding with you.