SaaS Security Statement
Public statement about information security at Level Access
Level Access (“Level”) is committed to protecting its information assets to satisfy the company’s business objectives and meet the information security requirements of its customers while maintaining the safety of individuals and protecting their right to privacy. The Information Security Policy expresses the company’s intentions and commitment towards these goals.
This Statement complements Level’s Information Security Policy and provides a summary of the company’s internal security policies and procedures which constitute the security baseline that governs the company’s Software as a Service (SaaS) Platform. The Statement’s aim is to provide assurance to interested parties about the security of the SaaS applications, as well as the data contained within them.
If you have any questions about the below, please contact us at firstname.lastname@example.org.
Level has implemented an ISO 27001 Information Security Management System (ISMS) to manage and continually improve information security posture.
The company has over 10 discrete internal policy documents governing information security at Level.
Level takes a risk-based approach to information security aligned with ISO 27001 and NIST 800-37.
Organization of Information Security
Level takes information security very seriously and has representation and sponsorship at the executive level by the Senior Vice President (SVP) of Engineering, with support from the CEO.
The company employs a Director of Information Security, who is dedicated to directing information security and data protection activities.
The company has trained and experienced staff developing and operating information systems.
Level has implemented segregation of duties to protect critical functions.
Security is considered in all projects the company undertakes.
Mobile Device Management (MDM) and other controls are in place to reduce the risks of Level employees working remotely and with mobile devices.
Level carefully screens people who do work for, or on behalf of, the company. Everyone at Level is trained on information security and data protection.
The company requires confidentiality and nondisclosure from all those who work for Level, both during and after employment.
Disciplinary action is enforced for noncompliance with corporate policy.
The company maintains high ethical standards that are defined and enforced through Level’s code of conduct.
Level inventories and labels all information assets and information systems to manage appropriate access and facilitate effective patch management and incident response.
Customer data is classified at the highest classification level to facilitate proper identification and handling as defined in the company’s Information Classification Policy which is regularly communicated through training.
Personal data/PII is treated with the highest confidentiality, and appropriate measures are taken to protect it.
Staff are trained on the dangers of physical media and avoid using it wherever possible. Approval is required before storing or printing customer data on physical media.
Identity and Access Management
The Principle of Least Privilege (POLP) is enshrined at Level in policy and in culture.
Access is granted on a Need to Know or Need to Use basis only.
User access procedures are documented, and access is revoked the moment it is no longer required.
The company conducts user access audits and reviews administrative logs periodically. Level publishes and enforces an internal Password Standard Policy.
Level has an internal Encryption Standard used to protect information at rest and in transit.
The company supports the use of TLS 1.2 preferentially on all software products.
AES-256 is used to protect data at rest.
Industry standard hashing algorithms are used to protect authentication information.
Access to Level’s sites is restricted with additional layers of security around information and communications infrastructure.
The company monitors site access, and third parties require business justification and an escort for access.
Level utilizes AWS’s highly protected data centers for hosting the SaaS platform. See https://aws.amazon.com/compliance/data-center/controls/ for more information.
The company employs controls to protect assets that are off-premises.
Level enforces a clear desk and clear screen policy.
Level has documented procedures for all standard operations and tight control over Change Management governed by the Change Management Policy.
A dedicated DevOps team monitors and manages the production platform. Level deploys malware controls to reduce the chance and impact of infections.
Audit and event logs are captured, protected and regularly reviewed, as defined by the Logging Policy.
Level regularly takes and tests backups and builds multiple layers of redundancy into the company’s platform, as defined by the Backup and Retention Policy.
The deployment process makes it impossible to install software on live production systems.
Level runs a vulnerability management program based on the CVSS.
Networks and Communications
Level hardens all network services and firewalls.
Continuous compliance monitoring for changes is run to secure configurations.
Segregation principles are used at multiple levels for security, redundancy and performance.
Level provides guidance on safe methods of information transfer and trains users on the risks.
NDAs are required from all parties that have or may have access to sensitive information resources.
Level considers security requirements for every piece of work that goes through the company’s SDLC.
The company regularly scans public APIs for vulnerabilities.
All development activity follows Level’s secure SDLC, which is actively monitored and governed by the Secure Development Policy.
Security testing is conducted as a part of all tasks with security requirements and for all software deployments which includes testing against known standards, such as OWASP.
Multiple security gates are baked into the SDLC processes and are enforced by the 2-person rule.
Level minimizes outsourced development and applies additional controls to manage risks of code produced by third parties.
Level mandates and enforces the separation of development, testing and production environments to improve code quality and reduce errors.
Level closely manages suppliers using risk management principles.
Level performs additional vulnerability checking on dependencies in the supply chain and addresses them in accordance with the Information Security Policy.
Incident awareness is ingrained in Level’s company culture through regular communication and corporate policy.
Level has dedicated roles and documented procedures for responding to incidents as and when they occur.
All incidents are assigned a lead, who is responsible for following the procedures and documenting the incident.
Level’s pre-defined procedures specify reporting requirements for breaches of personal data to match regulatory requirements.
The company incorporates lessons learned feedback loops into the incident lifecycle for continuous improvement.
Level has a documented Business Continuity Plan, recovery procedures and a trained response team.
The Business Continuity Plan and recovery procedures are tested twice annually, at a minimum, and any improvements are incorporated into the Plan.
Redundancy is established as an engineering principle, including self-healing features built into the platform to automatically adjust to outages wherever possible.
Level identifies and tracks regional security requirements to ensure compliance. Staff are required to observe intellectual property rights.
Level’s Data Protection Program, backed by the Data Protection Policy, ensures the company maintains privacy compliance within regional regulatory contexts.
Care is taken with the use of cryptographic techniques and methods to ensure compliance with laws and regulations.
External audits review the company’s information security implementation annually, at a minimum.
Level’s Platform is penetration tested by a specialist third-party firm annually, at a minimum.