This IndustryVault Security Policy (“Security Policy”) outlines the technical and procedural measures that IndustryVault undertakes to protect from unauthorized access or disclosure all Client Content provided to IndustryVault via the Services. IndustryVault maintains security measures for the IndustryVault Platform in a manner generally consistent with NIST 800-53 and the Center for Information Security (“CIS”) Benchmarks for Cloud Providers. The IndustryVault Platform is SOC 2 Type II compliant, and follows the “zero trust” cybersecurity principles outlined in NIST SP800-207.
This Security Policy is referenced in and made a part of the IndustryVault Terms of Service, as well as any Master Services Agreement with IndustryVault (the “Agreement”), and any capitalized terms used but not defined herein shall have the meaning set forth in the Agreement or Documentation, as applicable. In the event of any conflict between the terms of the Agreement and this Security Policy, this Security Policy shall govern.
Client Content Access and Management
- IndustryVault controls User access to the Client’s Account on the IndustryVault Platform via usernames and passwords.
- IndustryVault Personnel do not have access to unencrypted Client Content unless the Client approves access pursuant to an Order Form or SOW authorizing access to IndustryVault Personnel. If such access is granted, IndustryVault Personnel are prohibited from storing Client Content on local desktops, laptops, mobile devices, shared drives, removable media such as USB drives, or on public facing systems that do not fall under the administrative control or compliance monitoring processes of IndustryVault.
- IndustryVault uses Client Content only as necessary to provide the Services to Client, as provided in the Agreement.
- Client Content is stored in dedicated Cloud Private Networks on the IndustryVault Platform in the Services Region(s) requested by Client.
- IndustryVault maintains flow diagrams indicating how Client Content flows through the IndustryVault Platform (“Data Flow Diagrams”) and shall provide the relevant Data Flow Diagram upon Client’s reasonable request. Data Flow Diagrams are IndustryVault Confidential Information.
Encryption and Logical Separation of Client Content
- The Services encrypt all Client Content while at rest with AES 256-bit encryption.
- The Services encrypt all Client Content in transit with Transport Layer Security (“TLS”) 1.2.
- The Services assign a unique Account Master Key (“AMK”) to each Account on the Cloud Provider(s) used by the Services, and the AMK and related encryption keys are logically separated from Client Content.
Services Infrastructure Access Management
- Password policy for the Services adheres to the PCI-DSS password requirements.
- Users connect to the IndustryVault Platform ONLY through single-sign-on (SSO) with multi-factor authentication (MFA) required, with access governed strictly by Role-based Access Controls (RBAC).
- Access to the Cloud Providers that support the IndustryVault Platform is restricted to IndustryVault Personnel who require such access as part of their job responsibilities.
- Unique User IDs are assigned to IndustryVault Personnel requiring access to these Cloud Providers.
- Access privileges of separated IndustryVault Personnel are disabled promptly. Access privileges of persons transferring to jobs requiring reduced privileges are adjusted accordingly.
- User access to the Cloud Providers that support the IndustryVault Platform is reviewed quarterly.
- Access attempts to the Cloud Providers that support the IndustryVault Platform are logged, monitored, and alerted for suspicious activities.
- Cloud Private Networks that support the IndustryVault Platform have deny-all default policies and only enable business-required network protocols for egress and ingress network traffic. The IndustryVault Platform only allows TLS 1.2 and SSH protocols from the public internet.
- IndustryVault’s Risk Management process is modeled on NIST 800-53 Tier 3.
- IndustryVault conducts risk assessments of various kinds throughout the year, including self- and third-party assessments and tests, automated scans, and manual reviews.
- Results of assessments, including formal reports as relevant, are reported to the Security Committee. The Security Committee meets quarterly to review reports, identify control deficiencies and material changes in the threat environment, and make recommendations for new or improved controls and threat mitigation strategies to senior management.
- Changes to controls and threat mitigation strategies are evaluated and prioritized for implementation on a risk-adjusted basis.
- Threats are monitored through various means, including threat intelligence services, vendor notifications, and trusted public sources. All IndustryVault-controlled endpoints (e.g., laptops, servers, etc.) are monitored on a 24/7/365 basis by a third-party Managed Detection and Response team.
Vulnerability Scanning and Penetration Testing
- Vulnerability scans are automatically performed weekly on all IndustryVault-controlled endpoints required to operate and manage the Services. The vulnerability database is updated regularly.
- Scans that detect vulnerabilities meeting IndustryVault-defined risk criteria automatically trigger notifications to security personnel.
- The potential impact of vulnerabilities that trigger alerts is evaluated by staff.
- Vulnerabilities that trigger alerts and have published exploits are reported to the Security Committee, which determines and supervises appropriate remediation action.
- Vulnerabilities are prioritized based on potential impact to the Services, with “critical” and “high” vulnerabilities typically being addressed within 30 days of discovery and “medium” vulnerabilities being addressed within 90 days of discovery.
- Security management monitors or subscribes to trusted sources of vulnerability reports and threat intelligence.
- Penetration tests by an independent third party expert are conducted at least annually.
Remote Access & Wireless Networks
- All access by IndustryVault Personnel to Cloud Providers that support the IndustryVault Platform requires successful authentication through a secure connection via approved methods (i.e., VPNs), and is enforced with mutual certificate authentication and multi-factor authentication (“MFA”).
- VPN access is further enforced by mutual TLS authentication.
- All networks, including remote offices and the LAN and WiFi networks within those offices, are considered to be untrusted networks.
System Event Logging, Monitoring & Alerting
- Monitoring tools and services are used to monitor the Services’ systems, including network activity, server events, API security events, availability events, and resource utilization.
- Security event logs are collected in a central system and protected from tampering. Logs are stored for a minimum of 30 days.
- All IndustryVault-provided user endpoints have Endpoint Detection & Response (“EDR”) tools to monitor and alert for suspicious activities and potential malware.
- All Cloud Providers that support the IndustryVault Platform leverage advanced threat detection tools to monitor and alert for suspicious activities and potential malware.
System Administration and Patch Management
- IndustryVault creates, implements and maintains system administration procedures for all IndustryVault-controlled endpoints with access to Client Content that meet or exceed industry standards, including without limitation, system hardening, system and device patching (operating system and applications) and proper installation of threat detection software, as well as daily signature updates of same.
- IndustryVault Security reviews US-CERT new vulnerability announcements weekly and assesses their impact to IndustryVault based on IndustryVault-defined risk criteria, including applicability and severity.
- Applicable US-CERT security updates rated as “high” or “critical” are addressed within 30 days of the patch release and those rated as “medium” are addressed within 90 days of the patch release.
Security Training and Personnel
- IndustryVault maintains a security awareness program for IndustryVault Personnel, which provides initial education, ongoing awareness, and individual IndustryVault Personnel acknowledgment of intent to comply with IndustryVault’s corporate security policies. New hires complete initial training on security, sign a proprietary information agreement, and digitally sign the information security policy that covers key aspects of the IndustryVault Information Security Policy.
- All IndustryVault Personnel acknowledge they are responsible for reporting actual or suspected security incidents or concerns, thefts, breaches, losses, and unauthorized disclosures of or access to Client Content.
- All IndustryVault Personnel are required to review and acknowledge security guidelines annually.
- IndustryVault performs criminal background screening as part of the IndustryVault hiring process, to the extent legally permissible.
- IndustryVault will ensure that its subcontractors, vendors, and other third parties (if any) that have direct access to the Client Content in connection with the Services adhere to data security standards consistent with NIST 800-53.
The IndustryVault Platform is hosted only with Cloud Providers, and all physical security controls are managed by the respective Cloud Providers. IndustryVault reviews Cloud Providers’ SOC 2 Type II reports annually to ensure appropriate physical security controls:
- Visitor management will include tracking and monitoring physical access, including use of CCTV cameras at all facilities.
- Doors used only as exit points will have only “one way” doorknobs or crash bar exit devices installed, and all doors will be equipped with door alarm contacts.
- Physical access points to server locations will be managed by electronic access control devices.
- Video capturing devices in data centers will have at least 90 days of image retention.
- All access and video systems will be tied into generator or UPS backup systems.
Notification of Security Breach
- A “Security Breach” is (i) the unauthorized access to or disclosure of Client Content, or (ii) the unauthorized access to the systems within the Services that transmit or store Client Content.
- IndustryVault will notify Client in writing within seventy-two (72) hours of a confirmed Security Breach.
- Such notification will describe the Security Breach and the status of IndustryVault’s investigation.
- IndustryVault will take appropriate actions to contain, investigate, and mitigate the Security Breach.
Disaster Recovery & Business Continuity
- IndustryVault maintains a Disaster Recovery Plan (“DRP”) for the Services. The DRP is tested annually.
- The Services are managed in different Regions as standalone deployments which may be employed as part of Client’s DRP strategy. To effectively use the cross-regional availability of the Services for disaster recovery purposes, Client must designate a specific secondary Region to support its DRP. IndustryVault will back up Client Content across applicable Regions.
- IndustryVault maintains a Business Continuity Plan (“BCP”). The BCP is assessed annually.
- Client acknowledges that IndustryVault does not assess the contents of Client Content, and that the Client is responsible for making appropriate use of the Services to ensure a level of security appropriate to the particular nature of Client Content; to manage and protect its accounts, roles and credentials; and to update its Client Software (if any) whenever IndustryVault announces an update impacting the secure use of such Client Software.
- Client will promptly notify IndustryVault if a User account or password has been compromised, or if Client suspects possible suspicious activities that could negatively impact security of the Services or Client’s Account.
- Client may not perform any security penetration tests or security assessment activities without the express advance written consent of IndustryVault.
- Clients must adopt IndustryVault-required IP whitelisting and MFA in the Services if required by an Order Form or SOW.