Every day, hundreds of companies entrust AtData with their confidential information. Serving as a world-class steward for this information while it’s in our possession is critical to our success.
AtData’s corporate leadership is committed to protecting our clients’ information assets through our ISO 27001 certified security program.
Our Information Systems Management Committee, chaired by our VP of Operations & Compliance, is responsible for maintaining our security policies and systems.
Annual risk assessment serves as a foundation for our information security efforts.
The company works with industry experts to update policies and systems.
AtData promotes cybersecurity awareness among employees.
We offer additional security measures with trusted third-party providers.
Our company regularly adjusts policies and procedures to meet or exceed industry standards.
Our incident response protocols are designed for swift resolution of cybersecurity incidents.
AtData stays ahead of potential threats with the latest cybersecurity technologies.
Physical Security
AtData’s systems are hosted in the cloud by Amazon Web Services. We take advantage of AWS’s extensive physical security systems and multiple availability zone redundancy.
AtData’s data centers are located in geographically dispersed locations.
AtData’s offices have physical security measures in place to keep unauthorized personnel out.
AtData and third-party providers use access control systems to prevent unauthorized access to facilities and data centers.
Regular physical security assessments identify and remediate vulnerabilities.
We employ a clear desk policy to keep sensitive information secure.
Regular employee training and drills ensure preparedness.
Encryption
All files submitted to AtData are encrypted at rest with AES-256, with keys managed by AWS Key Management Service (KMS).
All data transfers to and from AtData are encrypted in transit using TLS or SFTP (file transfer over SSH).
Two-factor authentication is available to all clients and facilitates secure access to client confidential data.
Regular security audits assess and identify vulnerabilities in encryption measures.
Strict data handling procedures protect against data breaches.
Access control lists restrict encrypted data access based on user roles and permissions.
Encrypted backups of internal proprietary data are created regularly for data availability during disasters or outages.
Patching
AtData uses automated patching so that systems run the latest security updates published by their package managers.
When manual patching is required, personnel subscribe to CVE announcements and apply the relevant patches promptly to limit the window in which a vulnerability can be exploited.
Regular vulnerability assessments are performed to detect flaws and plan how to address them.
Prompt patching helps to reduce the risk of security breaches and data loss due to vulnerabilities in software.
The automated patching and monitoring tooling is itself kept up to date so that new advisories are picked up and the corresponding patches are applied promptly.
Hardening Servers
We set each system’s firewall to reject all traffic by default and only allow intended traffic types from accepted sources. All non-Internet facing systems are restricted within private subnets.
SSH access is restricted to modern SSH protocol versions with key-based authentication only (no password logins), and is reachable only from allow-listed IP addresses, over the VPN, or from within the Virtual Private Cloud (VPC).
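As an added example of how the key-only SSH policy above can be checked rather than assumed, the following Python audits an OpenSSH server configuration. It is not AtData's own tooling. The baseline values, the defaults assumed for absent directives (taken from recent OpenSSH releases; confirm against sshd_config(5) for your version) and the three sample configurations are constructed for illustration. It also reports Match blocks that quietly relax the global policy, which a naive grep for "PasswordAuthentication no" would miss.

```python
"""Audit an OpenSSH server configuration against a key-only baseline.
Added example, not AtData's own tooling. Defaults are OpenSSH's as of recent
releases (re-check sshd_config(5) for your version); the sample configurations
below are constructed."""
import re

# Accepted values per directive (lower-cased). Assumed baseline for a key-only,
# no-root server. "Protocol" is ignored by OpenSSH 7.6+, which only speaks
# protocol 2, but older builds still honour it, so it is checked too.
BASELINE = {
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no", "prohibit-password"},
    "permitemptypasswords": {"no"},
    "protocol": {"2"},
}

# What sshd uses when the directive is absent, so a silent default is still audited.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "protocol": "2",
}

# Deprecated spelling still accepted by sshd; normalise so both are checked once.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return (global_settings, match_overrides).

    global_settings: {directive: value} from the global section. sshd honours the
    first occurrence of a directive, so later duplicates are ignored here too.
    match_overrides: [(criteria, directive, value)] for directives inside Match
    blocks, which can relax the global policy for particular clients.
    """
    settings, overrides = {}, []
    criteria = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^(\S+?)(?:\s+|\s*=\s*)(.*)$", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        key = ALIASES.get(key, key)
        if key == "match":
            criteria = value
            continue
        if criteria is None:
            settings.setdefault(key, value)
        else:
            overrides.append((criteria, key, value))
    return settings, overrides


def audit(text):
    """Return human-readable deviations from BASELINE; an empty list means compliant."""
    settings, overrides = parse_sshd_config(text)
    findings = []
    for directive, allowed in BASELINE.items():
        effective = settings.get(directive, DEFAULTS[directive])
        if effective not in allowed:
            findings.append(f"{directive}={effective} (expected one of {sorted(allowed)})")
    for criteria, directive, value in overrides:
        if directive in BASELINE and value not in BASELINE[directive]:
            findings.append(f"Match {criteria} relaxes {directive} to {value}")
    return findings


# Constructed samples: distribution defaults left in place, a hardened config,
# and the hardened config plus a Match block that re-enables passwords internally.
WEAK_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
"""

HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
AllowUsers deploy ops
"""

RELAXED_CONFIG = HARDENED_CONFIG + """\
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("relaxed", RELAXED_CONFIG)]:
        print(name, audit(cfg) or "OK")
```

Run it against `/etc/ssh/sshd_config` by passing the file contents to `audit()`; a non-empty result is a deviation to fix or to justify in writing. Note that this checks only the authentication policy; the IP allow-list and VPC placement described above live in the security group and network ACLs, not in sshd.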
AtData protects against intrusions, vulnerabilities, and cyber attacks with intrusion detection, security patching, and vulnerability scanning.
The company controls access to sensitive systems and data with scoped privileged accounts and network segmentation.
Disk encryption on all servers, workstations, and mobile devices protects against physical theft.
System logs and automated alerts are monitored and analyzed for security incidents. Regular vulnerability testing and hardening are carried out to meet industry standards and compliance requirements.
Human Resources
We maintain strong IT policies, well-explained and enforced.
All employees and IT contractors undergo extensive background checks including criminal history, the terrorism watch list, financial crimes list, and drug screening.
All employees and IT contractors complete regular security awareness training.
In addition to understanding and complying with our privacy and acceptable use policies, employees are responsible for alerting management if they ever see signs of practices that might be inconsistent with the policy.
Even when hiring for non-technical positions, we look for candidates with an appreciation for, and interest in, security.
All employee accounts undergo quarterly access reviews to ensure that everyone has the minimum amount of access to do their jobs.
Multi-factor Authentication
We use MFA for all administrative accounts and other accounts wherever possible.
AtData uses industry-standard MFA protocols.
MFA is an effective defense against common cyber threats.
MFA is combined with RBAC to further limit access.
AtData reviews MFA policies regularly to keep up with threats and vulnerabilities.
Secure Development
Code reviews are required for all changes, with a focus on OWASP top ten vulnerabilities.
AtData follows secure coding practices and tests its software extensively to reduce the number of exploitable flaws that reach production.
AtData uses the principle of least privilege to restrict access and privileges to its applications.
Our company has a secure software development lifecycle with guidelines for secure coding, testing, and review procedures.
Intrusion Detection Systems
Intrusion Detection Systems monitor network traffic and system logs for suspicious activity.
AtData uses Amazon GuardDuty to identify potential threats, such as unusual network traffic, and Amazon CloudWatch alarms to detect signs of compromised credentials.
Custom software automates the initial review of alerts to minimize false positives; alerts that survive that triage are investigated further by staff.
Intrusion Prevention Systems (IPS) may be used to block specific types of attacks when necessary.
IPS triggers are implemented only after a thorough security assessment.
AtData continually updates its security tools and systems to stay ahead of emerging threats and vulnerabilities.
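As an added example of the automated alert review described above (not AtData's own review software), the following Python routes GuardDuty findings to page, ticket, log or suppress. The field paths follow the GuardDuty finding JSON as published by AWS (type, severity, resource.resourceType, service.action) and the severity bands are GuardDuty's documented ones, but check them against real findings before relying on this. The approved-scanner address, the sample findings and the routing policy are assumptions constructed for illustration.

```python
"""Triage Amazon GuardDuty findings before they reach an on-call engineer.
Added example, not AtData's review software. Field paths follow the GuardDuty
finding format (the 'detail' object of the EventBridge event); the approved
scanner set, sample findings and routing policy are constructed."""

# Assumed allow-list of authorised vulnerability scanners (TEST-NET-3 address).
APPROVED_SCANNER_IPS = {"203.0.113.10"}

# Finding types an authorised scanner is expected to generate.
SCANNER_NOISE_TYPES = {
    "Recon:EC2/PortProbeUnprotectedPort",
    "Recon:EC2/Portscan",
    "UnauthorizedAccess:EC2/SSHBruteForce",
}


def severity_bucket(severity):
    """GuardDuty bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9."""
    if severity >= 7.0:
        return "high"
    if severity >= 4.0:
        return "medium"
    return "low"


def remote_ips(finding):
    """Collect remote IPv4 addresses from network-connection and port-probe actions."""
    action = finding.get("service", {}).get("action", {})
    ips = set()
    conn = action.get("networkConnectionAction", {})
    ips.add(conn.get("remoteIpDetails", {}).get("ipAddressV4"))
    for probe in action.get("portProbeAction", {}).get("portProbeDetails", []):
        ips.add(probe.get("remoteIpDetails", {}).get("ipAddressV4"))
    ips.discard(None)
    return ips


def triage(finding, approved_scanners=APPROVED_SCANNER_IPS):
    """Return {'action': page|ticket|log|suppress, 'reason': str} for one finding."""
    ftype = finding["type"]
    bucket = severity_bucket(finding["severity"])
    ips = remote_ips(finding)
    resource = finding.get("resource", {}).get("resourceType")

    # Credential findings are never suppressed or downgraded: a leaked key needs
    # rotation now, whatever score GuardDuty attached to the first sighting.
    if resource == "AccessKey":
        return {"action": "page", "reason": f"{ftype}: possible credential compromise"}

    # Scanner noise is suppressed only when *every* source is an approved scanner;
    # a probe that mixes an approved scanner with an unknown host stays visible.
    if ftype in SCANNER_NOISE_TYPES and ips and ips <= approved_scanners:
        return {"action": "suppress", "reason": f"{ftype} from approved scanners {sorted(ips)}"}

    if bucket == "high":
        return {"action": "page", "reason": f"{ftype}: severity {finding['severity']}"}
    if bucket == "medium":
        return {"action": "ticket", "reason": f"{ftype}: severity {finding['severity']}"}
    return {"action": "log", "reason": f"{ftype}: low severity, sources {sorted(ips)}"}


def triage_all(findings):
    """Triage a batch of findings, preserving order."""
    return [triage(f) for f in findings]


def make_finding(ftype, severity, resource_type, ips=(), probe=False):
    """Build a minimal finding in the GuardDuty shape (constructed test data only)."""
    if probe:
        action = {"actionType": "PORT_PROBE", "portProbeAction": {"portProbeDetails": [
            {"remoteIpDetails": {"ipAddressV4": ip}, "localPortDetails": {"port": 22}} for ip in ips]}}
    elif ips:
        action = {"actionType": "NETWORK_CONNECTION",
                  "networkConnectionAction": {"remoteIpDetails": {"ipAddressV4": ips[0]}}}
    else:
        action = {"actionType": "DNS_REQUEST"}
    return {"type": ftype, "severity": severity,
            "resource": {"resourceType": resource_type}, "service": {"action": action}}


# Constructed findings; 198.51.100.7 (TEST-NET-2) stands in for an unknown Internet host.
SAMPLE_FINDINGS = [
    make_finding("UnauthorizedAccess:EC2/SSHBruteForce", 2.0, "Instance", ["203.0.113.10"]),
    make_finding("UnauthorizedAccess:EC2/SSHBruteForce", 2.0, "Instance", ["198.51.100.7"]),
    make_finding("Recon:EC2/PortProbeUnprotectedPort", 3.0, "Instance",
                 ["203.0.113.10", "198.51.100.7"], probe=True),
    make_finding("CryptoCurrency:EC2/BitcoinTool.B!DNS", 5.0, "Instance"),
    make_finding("UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS", 8.0, "AccessKey"),
    make_finding("Recon:IAMUser/MaliciousIPCaller", 5.0, "AccessKey"),
]

if __name__ == "__main__":
    for verdict in triage_all(SAMPLE_FINDINGS):
        print(f"{verdict['action']:8} {verdict['reason']}")
```

The two design points worth keeping whatever rules you adopt: suppression must require that every source be on the allow-list, not merely one of them, and credential-related findings should bypass the severity-based routing entirely, because the cost of a missed key compromise is far higher than one unnecessary page.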
Penetration Tests
AtData checks for security weaknesses by performing internal vulnerability scans every quarter and whenever a major software release is rolled out.
Special credentialed vulnerability scans are performed on critical systems monthly.
AtData hires an outside agency to test its systems each year to keep the testing unbiased and ensure internal testing was comprehensive.
Regular testing helps identify new security holes and improve AtData’s security.
Penetration testers simulate real attacks to test AtData’s defenses.
Penetration testing reveals high-priority issues that need fixing right away to keep customer and internal data safe.
Security Auditing
AtData performs regular security audits to ensure compliance with policies.
Internal security audits are conducted annually to ensure that AtData is following its own policies and is prepared for our external certification audit.
External audits are completed annually by an independent agency to maintain ISO 27001 certification, which is crucial to maintaining AtData’s reputation as a secure and trustworthy company.
Regular audits help AtData identify areas where it can improve its security posture and address security risks before they become significant problems.
Security audits are an essential component of a comprehensive security strategy as they help organizations to identify, prioritize and mitigate risks to their systems and applications.
Business Continuity and Disaster Recovery
AtData has implemented a comprehensive Business Continuity and Disaster Recovery plan that is reviewed and tested annually by our Information Security Management Committee and Business Continuity/Disaster Recovery teams.
AtData uses high-availability architecture across multiple geographic zones to ensure that its systems are always available to customers.
Regular backups of important internal data are also performed to facilitate quick restoration in the event of an outage or disaster.
AtData deliberately refrains from backing up customer data to reduce risk and complications in the unlikely event of a disaster.
By implementing such measures, AtData can quickly respond to disasters and ensure business continuity.
Business continuity and disaster recovery planning is an essential part of any security strategy as it helps to ensure that critical business operations can continue uninterrupted in the face of unforeseen events.