Security at Cireson has always been a priority. Since our early days as an Independent Software Vendor (ISV) focused on on-premises IT Service Management (ITSM) solutions, we have implemented robust internal controls, including secure software development practices and tight change control protocols. Additionally, our highly skilled professional services team has consistently provided expert guidance on implementation and integration, as well as on critical security matters such as identity federation, firewall configuration, and air-gapped environments.
But the IT world – and with it our world – has changed. While many organizations continue to prefer on-premises solutions and the control they have over these environments, many others are realizing that managing IT systems and infrastructure is not their core business. They would much rather leverage cloud-based infrastructure or even offload the entire system stack of specific applications to a managed service provider. Enter Tikit: Cireson’s ITSM solution, provided as a Software as a Service (SaaS) application.
How Security at Cireson Takes Shape in Tikit
With Tikit, we took on a whole new set of Information Security responsibilities and obligations. With our on-prem products, our customers are not only in full control of all data, but also of the entire system, from connectivity and hardware all the way up the stack to the application layer. We at Cireson are predominantly in an advisory role there. With Tikit, we are now operating a SaaS solution in which our customers entrust us with their data. We do not restrict or monitor the types or categories of data our customers ingest into Tikit, and we have no visibility into the actual contents of our systems, so we always assume that all customer data includes Personally Identifiable Information (PII). Regulatory obligations such as HIPAA, CCPA, SOX, and GDPR add further layers of responsibility. Lastly, we need to be able to validate and measure our efforts to ensure that all implemented controls are effective and appropriate.
Security at Cireson Happens from the Inside Out
Following the time-tested approach of “people, process, and technology,” we have successfully implemented the following measures as part of our comprehensive information security program.
People are a critical component of any Information Security program. Cireson staff and their expertise are needed to configure, monitor, and manage the technologies described below. We strive to empower our staff to create a security-conscious culture in which everyone protects the organization and our customers’ data.
Job descriptions with clear responsibilities and reporting lines are communicated to all employees. This clarity ensures that everyone understands their role in maintaining security and compliance, promoting accountability and effective communication within the organization.
Secure development training and tools are provided for our developers to ensure they are equipped with the knowledge to build secure applications. This training covers best practices and common vulnerabilities to prevent security issues during development.
Regular Security Awareness training is conducted for all employees to keep them informed about the latest threats and security practices. We also offer regular training on regulatory compliance obligations and requirements. This includes understanding the purpose of data processing and the associated legitimate business interests, as well as ensuring that all staff are aware of and adhere to relevant regulations.
Internal security exercises, such as simulated phishing campaigns, are conducted regularly to improve our security posture. These exercises help identify potential weaknesses and educate employees on recognizing and responding to security threats.
On the process side, we started with a comprehensive control catalog based on frameworks and models such as SOC 2, NIST, and Zero Trust, ensuring robust security measures. All staff have acknowledged our Information Security Policy, reinforcing its importance. This documentation, together with our Business Continuity and Disaster Recovery plans, Incident Response Policies, and vendor management controls, is regularly validated.
We have implemented strong HR controls to manage employee access, including onboarding and offboarding. These access controls protect customer data and are regularly monitored and audited. Privacy and compliance obligations are transparently communicated, and mechanisms are established to handle Data Subject Requests, ensuring adherence to privacy regulations.
A dedicated data protection official oversees and champions all our compliance efforts. This includes keeping up with regulations like GDPR, CCPA, and HIPAA, conducting regular risk assessments to identify and reduce privacy risks, and managing annual third-party audits to review the effectiveness of our controls and validate our efforts.
Implementing the technical controls for our comprehensive information security program involved several key components. Aside from the obvious – network security, firewalls, and intrusion detection and prevention systems (IDS/IPS) – we have added a range of additional tools.
Strong identity controls, such as multi-factor authentication (MFA) and role-based access control (RBAC), ensure that only authorized users can access sensitive information. Logging and monitoring tools provide visibility into network and system activity, helping us detect and respond to security incidents promptly.
Source code security tools are a key part of the development process and detect vulnerabilities before code reaches production. By integrating these tools into the development pipeline, our developers automatically check for common vulnerabilities, enforce coding standards, and ensure compliance with security best practices.
Endpoint security protects devices through antivirus software, encryption, and regular updates. Extended Detection and Response (XDR) enhances this by integrating multiple security products into a cohesive system that provides broader visibility and faster response times.
Data protection involves encryption of data both in transit and at rest, as well as robust backup solutions to prevent data loss and maintain availability.
Our real-time controls and compliance monitoring tool continuously assesses our environment against our security policies and regulatory requirements. Regular penetration tests and vulnerability assessments further strengthen our defenses.
Finally, a Security Information and Event Management (SIEM) tool aggregates and analyzes all data collected to detect, respond to, and manage security incidents effectively.
Our thoughtful efforts around security at Cireson have put us in a strong position regarding Information Security and GRC. We validate the effectiveness of all our measures through an annual third-party SOC 2 Type 2 audit, which we have successfully completed every year.
Be a Part of Security at Cireson
However, this does not mean our work is done: security is an ongoing journey, and Cireson strives to remain at its forefront. We would love to hear from you at secadmin@cireson.com with any follow-up InfoSec or GRC questions or comments. We take security at Cireson seriously!