By Kuljit Singh Hooda, VP – Technology & Core Systems
At Xceedance we have categorized the security of our network and systems into three control areas: Administrative, Technical and Physical. This article provides a glimpse of our organizational commitments to data security, privacy, and IT compliance to safeguard our operations and those of our clients.
Administrative controls at Xceedance include the policies, procedures, standards, and guidelines we adhere to for safeguarding both customer and internal data. Our administrative controls are aligned with recognized international standards, such as ISO 27001/9001, as well as the IT compliance regimes of the global markets in which we operate, including GDPR, NYDFS, CCPA, and APRA, to name a few.
These policies include an overarching information security policy that serves as the umbrella for the policies required by the various departments within Xceedance. Each department-specific policy is approved by the relevant departmental head; for example, an IT incident management policy is created, reviewed, and approved by the IT infrastructure leader. Other policies, such as Data Privacy Protection, guide how we handle data subject privacy and how we address data subject rights.
As the second layer of data protection, we have technical controls that meet industry standards, along with several more stringent ones. Industry-standard controls we utilize include data encryption at rest and in motion using AES-256, annual penetration testing, administrative access governed by least privilege, access granted on a need-to-know basis, and a managed security operations center for real-time alerting and speedy remediation. Special emphasis is placed on addressing threats emanating from malicious emails, which are the primary threat vector in use at present. We conduct regular phishing tests and provide feedback to our team members to ensure compliance.
Additionally, we have controls in place to scan our internet-facing assets at regular intervals, on top of our regular penetration testing (PT) protocols. Our team monitors social media sites and other areas to identify anything related to Xceedance being discussed. This initiative helps us identify emerging threats and prepare the necessary actions.
Other controls we utilize which exceed industry standards include the disabling of USB drives on company devices and filtered Internet access.
Any security controls we put in place only work if a protected device or asset does not fall physically into the hands of malicious actors. A threat actor with physical control of a device can extract the information it holds, making physical security measures just as critical as administrative and technical ones.
At Xceedance we have also implemented multi-layer physical security. Our office locations are protected by security systems, both manned and electronic, that control access to the buildings and to Xceedance office spaces. Additionally, our office spaces have security personnel stationed at access-controlled doors and 24-hour surveillance.
The security of our corporate and client data is critical to our success as a company. To make sure we are abiding by the controls highlighted above, we conduct regular internal audits to maintain our organization's ISO 27001/9001 certification. To provide further assurance to our customers and internal stakeholders, our data security team regularly explores new and additional safeguards. With these safeguards in place, Xceedance undergoes an annual review of its security protocols by an independent third party for SOC 1 Type II and SOC 2 Type II.
With Xceedance as your partner, you can be sure that your data is in safe hands.