Protecting customer information is critical to RIVS. We understand the importance of customer information privacy and go to great lengths to ensure it is not exposed to unauthorized parties, inappropriately altered, or unavailable when it is needed. A well-defined structure provides the governance required to maintain customer information privacy. RIVS continually works to maintain alignment with the International Organization for Standardization (ISO) 27002 cybersecurity framework to protect digital assets.
Roles and Responsibilities
RIVS has implemented an effective Cybersecurity Program to engage employees and maintain the security of information as it is processed, transmitted, and stored. The Information Security Oversight Board (the Board) establishes security objectives and ensures the organization adjusts to the changing threat and technology landscape. The Board is composed of business and IT leadership dedicated to the protection of customer data.
Technology Risk Controls Implementation
RIVS deploys several information security controls to protect customer data. These controls are designed, implemented, and maintained using industry-leading practices and are reviewed periodically to ensure they remain effective.
People Operations Security
Employees recognize their obligation to the privacy of customer data within RIVS’ custody and management. Employees acknowledge this responsibility by signing the Employee Handbook as a condition of employment. All RIVS candidates must pass a stringent background check conducted by a qualified third party before being offered a position. The background check includes criminal history.
Information Security Awareness Education and Training
Employees are the first line of defense in security. A comprehensive security and privacy employee awareness and training program has been developed. The goal of this program is to enhance employee awareness in order to ensure that data is handled in accordance with policies and standards.
Information Systems, Acquisition, Development and Maintenance
RIVS strives to incorporate security requirements before developing or acquiring new systems. Our goal is to consider RIVS security principles and guidelines, and to build privacy and security in during the design of systems. RIVS applies leading software security practices as prescribed in the OWASP Application Security Verification Standard (ASVS) to identify and resolve well-known web application vulnerabilities. Additionally, RIVS performs security testing during each stage of the development and deployment process to verify that major weaknesses are eliminated.
Cloud and Infrastructure
RIVS isolates all services in a Virtual Private Cloud (VPC). Production systems are isolated and network traffic to hosts is controlled. Direct administrative access to cloud resources is highly restricted. Multi-factor authentication is enforced for cloud services administration and administrative access to provisioned resources.
In addition to access control, RIVS has implemented techniques to segregate customer environments and prevent data leakage. Isolation is addressed at each layer in the technology stack such as the network, storage, server, virtual infrastructure, database, and application.
The goal of access control is to restrict access to data by limiting user and administrative network access to system resources. A periodic review of access is conducted to verify user and administrative access is appropriate. RIVS requires two-factor authentication for privileged administrative access.
RIVS protects secrets by using leading practices to salt and hash credentials before they are stored.
Encryption is deployed to maintain the privacy of customer information. Data is encrypted at rest and in transit using secure ciphers with 256-bit keys. Leading key management practices are followed, including periodic key rotation. Encryption of communications covers API calls, client communication, and replication of data to support disaster recovery.
The appropriate controls are in place to ensure the integrity of all changes within the RIVS Software-as-a-Service (SaaS) environment. All changes made to production systems are controlled by documented and approved change management processes.
Monitoring of system components is performed to identify well-known hardware and software vulnerabilities and the patches needed to address them. The RIVS DevOps team schedules patch implementation according to risk. Additionally, RIVS continually monitors for operational threats and implements the appropriate countermeasures in a timely manner. Adapting to the changing threat landscape is a critical component of the RIVS Cybersecurity Program.
Information Security Incident Management
Incidents can pose an immediate threat to the privacy of RIVS customer data. Our Information Security Incident Management process provides for monitoring, detecting, and responding to these incidents in the most effective and efficient manner. Incident remediation is the primary objective of security response. This includes containing the incident, determining the root cause, and implementing the corrective controls needed to prevent recurrence. We are committed to timely resolution to ensure customer data is protected.
RIVS replicates data across multiple Availability Zones (AZs) and has implemented processes to recover systems and data from regularly completed backups in the event of a catastrophic event. A disaster recovery exercise is performed quarterly to validate the effectiveness and efficiency of the recovery process.
RIVS engages external parties to conduct security vulnerability assessments and penetration tests to validate the effectiveness of security controls. Assessment results are used to prioritize security activities to ensure the confidentiality and integrity of data is maintained.
RIVS leadership is focused on providing the right governance to defend against customer data loss (accidental data leakage or targeted attacks), monitor and identify intrusions, and respond to security incidents in an effective and efficient manner. We are committed to maintaining effective controls in a constantly changing climate.
For additional information regarding this Security Statement, please contact firstname.lastname@example.org