Public statement about information security at Tekkon Technologies
Tekkon Technologies (“Tekkon”) is committed to protecting its information assets to satisfy the company’s business objectives and meet the information security requirements of its customers while maintaining the safety of individuals and protecting their right to privacy. The Information Security Policy expresses the company’s intentions and commitment towards these goals.
This Statement complements Tekkon’s Information Security Policy and provides a summary of the company’s internal security policies and procedures which constitute the security baseline that governs the company’s Technical Staff Augment Services. The Statement’s aim is to provide assurance to interested parties about the security of the Companies services and practices.
If you have any questions about the below, please contact us at firstname.lastname@example.org.
Tekkon takes a risk-based approach to information security aligned with ISO 27001 and NIST 800-37.
Organization of Information Security
Tekkon takes information security very seriously and has representation and sponsorship at the executive level by the Chief Information Officer (CIO), with support from the CEO.
The company has trained and experienced staff developing and operating information systems.
Tekkon has implemented segregation of duties to protect critical functions.
Security is considered in all projects the company undertakes.
Tekkon carefully screens people who do work for, or on behalf of, the company.
The company requires confidentiality and nondisclosure from all those who work for Tekkon, both during and after employment.
Disciplinary action is enforced for noncompliance with corporate policy.
The company maintains high ethical standards that are defined and enforced through Tekkon’s code of conduct.
Tekkon inventories and labels all information assets and information systems to manage appropriate access and facilitate effective patch management and incident response.
Customer data is classified at the highest classification level to facilitate proper identification and handling.
Personal data/PII is treated with the highest confidentiality and take appropriate measures to protect it.
Staff are trained on the dangers of physical media and avoid using it wherever possible. Approval is required before storing or printing customer data on physical media.
Identify and Access Management
The Principle of Least Privilege (POLP) is enshrined at Tekkon in policy and in culture.
Access is granted on a Need to Know or Need to Use basis only.
User access procedures are documented, and access is revoked the moment it is no longer required.
The company conducts user access audits and review administrative logs periodically. Tekkon publishes and enforces an internal Password Standard Policy.
Tekkon has an internal Encryption Standard used to protect information at rest and in transit.
The company supports the use of TLS 1.2 preferentially on all software products.
AES-256 is used to protect data at rest.
Industry-standard hashing algorithms are used to protect authentication information.
Access to Tekkon’s sites is restricted with additional layers of security around information and communications infrastructure.
The company monitors site access, and third parties require business justification and an escort for access.
Tekkon utilizes AWS’s highly protected data centres for hosting the SaaS platform. See https://aws.amazon.com/compliance/data-center/controls/ for more information.
The company employs controls to protect assets that are off-premises.
Tekkon enforces a clear desk and clear screen policy.
Tekkon has documented procedures for all standard operations and tight control over Change Management governed by the Change Management Policy.
A dedicated DevOps team monitors and manages the production platform. Tekkon deploys malware controls to reduce the chance and impact of infections.
Tekkon regularly takes and tests backups and build multiple layers of redundancy into the company’s platform, as defined by the Backup and Retention Policy.
Networks and Communications
Tekkon provides guidance on the safe methods of information transfer and train users on the risks.
NDAs are required from all parties that have or may have access to sensitive information resources.
Tekkon considers security requirements for every piece of work that goes through the company’s SDLC.
Security testing is conducted as a part of all tasks with security requirements and for all software deployments which includes testing against known standards, such as OWASP.
Tekkon minimizes outsourced development and applies additional controls to manage risks of code produced by third parties.
Tekkon mandates and enforces the separation of development, testing and production environments to improve code quality and reduce errors.
Tekkon has a documented Business Continuity Plan, recovery procedures and a trained response team.
The Business Continuity Plan and recovery procedures are tested twice annually, at a minimum, and incorporate any improvements into the Plan.
Redundancy is ensconced as an engineering principle, including self-healing features built-in to the platform to automatically adjust to outages wherever possible.