Our Organization’s Commitment to Security

Organizational Security

  • Information Security Program
    • We have an Information Security Program in place that is communicated throughout the organization. Our Information Security Program follows the criteria set forth by the SOC 2 Framework. SOC 2 is a widely known information security auditing procedure created by the American Institute of Certified Public Accountants.
  • Third-Party Penetration Testing
    • We perform an independent third-party penetration test at least annually to ensure that the security posture of our services is uncompromised.
  • Roles and Responsibilities
    • Roles and responsibilities related to our Information Security Program and the protection of our customers’ data are well-defined and documented. Our team members are required to review and accept all of the security policies.
  • Security Awareness Training
    • Our team members are required to go through employee security awareness training covering industry standard practices and information security topics such as phishing and password management.
  • Confidentiality
    • All team members are required to sign and adhere to an industry-standard confidentiality agreement prior to their first day of work.

Cloud Security

  • Cloud Infrastructure Security
    • All our services are hosted with leading cloud providers. They employ a robust security program with multiple certifications. For more information on our provider’s security processes, please email us.
  • Encryption at Rest
    • All databases are encrypted at rest.
  • Encryption in Transit
    • Our applications encrypt all data in transit using TLS/SSL.
  • Vulnerability Scanning
    • We perform vulnerability scanning and actively monitor for threats.
  • Logging and Monitoring
    • We actively monitor and log various cloud services.
  • Business Continuity and Disaster Recovery
    • We use our data hosting provider’s backup services to reduce any risk of data loss in the event of a hardware failure. We utilize monitoring services to alert the team in the event of any failures affecting users.
  • Incident Response
    • We have a process for handling information security events which includes escalation procedures, rapid mitigation and communication.

Access Security

  • Permissions and Authentication
    • Access to cloud infrastructure and other sensitive tools is limited to authorized employees who require it for their role.
  • Least Privilege Access Control
    • We follow the principle of least privilege with respect to identity and access management.
  • Quarterly Access Reviews
    • We perform quarterly access reviews of all team members with access to sensitive systems.
  • Password Requirements
    • All team members are required to adhere to a minimum set of password requirements, including complexity, for access.
  • Password Managers
    • All company-issued laptops utilize a password manager for team members to manage passwords and maintain password complexity.

Vendor and Risk Management

  • Annual Risk Assessments
    • We perform risk assessments at least annually to identify any potential threats, including considerations for fraud.
  • Vendor Risk Management
    • Vendor risk is determined, and the appropriate vendor reviews are performed prior to authorizing a new vendor.

Contact Us

If you have any questions, comments, concerns, or if you wish to report a potential security issue, please contact security@citizensdisability.com.