Data & Information Security

Customers across many different verticals, from aerospace to manufacturing, trust Assent with their data. Assent relies on industry best practices, robust security infrastructure and comprehensive policies built on the ISO 27001 framework to protect its information and data, along with that of its clients and partners.

Download Assent’s Security Overview

Application Security

Encryption:

  • Data in Transit: Internet communications are encrypted using Transport Layer Security (TLS): web traffic over HTTPS (HTTP over TLS) and file transfers over SFTP (file transfer over SSH).
  • Data at Rest: Customer data is encrypted at rest using the Advanced Encryption Standard (AES).

Separate Environments (DEV, QA, Staging, UAT, PROD): Development, testing and staging environments are separated from the production environment, both physically and logically.

Data Segregation: All customer data is logically segregated by access controls, so that it can only be reached by designated individuals who have been assigned unique credentials and privileges. Additionally, each customer is given a separate SFTP directory for transferring data to Assent, so one customer's uploads are never visible to another.

Penetration Testing: An independent third party performs web application and network penetration tests against the production environment annually. Internal teams perform additional tests every six months.

Application Vulnerability Scanning: An application vulnerability scan is run on every code release before it is pushed to user acceptance testing (UAT) environments. Only code that has passed the scan is moved to production.


Physical & Cloud Security

Service Provider

Assent's platform is hosted on Amazon Web Services (AWS), which provides the physical and infrastructure-level security of the underlying data centers and services. AWS has a long history in data security and is used by many industry leaders, such as Verizon, Capital One, and others. It also carries numerous attestations and certifications, including SOC 2 reports and ISO 27001 certification.

Locations

Assent offers the following hosting locations to its clients:

  • The North America commercial environment, hosted in the AWS U.S. East (Northern Virginia) region.
  • The European Union (EU) hosting environment, hosted in the AWS Europe (Frankfurt, Germany) region.

Data is housed by default in the North America commercial environment; however, clients may request the EU environment instead. The features and frameworks outlined here apply to all locations.


Network Security

Intrusion Detection and Prevention: Network Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are in place at application ingress and egress points to detect, prevent and mitigate potential security events.

Data Loss Prevention: Assent uses a layered approach to data loss prevention across endpoints and cloud services, combining next-generation security tools with more traditional controls.

Architecture: Assent's network is designed for high availability and is segmented so that the systems holding customer data are isolated from edge (internet-facing) network traffic.

Network Vulnerability Scanning: Assent performs regular, in-depth vulnerability scans to monitor network and endpoint security.

Security Information and Event Management (SIEM): A SIEM solution collects and analyzes logs and alerts the security team to potential security events.

Network Access: Access to the Assent network is restricted to authorized users and devices.


Operational Security

Security Incident Response: Assent has a documented incident response plan that covers all aspects of an incident, from detection to post-incident analysis.

Disaster Recovery: Assent’s U.S. disaster recovery site is AWS U.S.-West (Oregon), and its EU disaster recovery site is AWS Ireland. Our disaster recovery plan is designed to ensure minimal disruption in the event of a disaster. The production environment, including customer data, is replicated to a secondary site that is available if the primary site goes offline. The disaster recovery plan is tested annually.

Change Management: Production changes are subject to documented testing, validation and approval.

Two-Factor Authentication: Two-factor authentication is used for administration of the production environment and for remote access to the Assent network.

Backups: Full backups are performed weekly, while log and differential backups are performed hourly.

Monitoring: All systems are monitored 24/7 for performance and capacity.

Availability: Assent guarantees an uptime of 99.5 percent (details available in our master subscription agreement).

Server Protection:

  • Patching and Maintenance: System security patches are applied monthly.
  • Anti-Malware: All servers are protected using endpoint protection software.

User Workstation Protection:

  • Full Disk Encryption: All Assent-owned mobile devices, including phones and laptops, use full disk encryption.
  • Anti-Malware: All workstations are protected using endpoint protection software.
  • Central Management: All workstations are centrally managed for patching and configuration.

Security Compliance

SOC 2: Assent has a SOC 2 Type II report, available upon request. You can request a copy in our document center.


Additional Security Practices

Dedicated Security Team: All members of Assent’s security team hold appropriate security certifications and clearances.

Policies: Assent has a comprehensive set of security policies, based on the ISO 27001 framework, which are reviewed annually. These policies are made available to all personnel with access to Assent information assets.

Training: All new personnel attend security awareness training before being granted network access and are required to complete security awareness training annually thereafter. Additionally, regular phishing simulations and awareness sessions are conducted to keep personnel alert to emerging cyber threats.

Background Checks: Assent performs background and criminal reference checks on all new personnel.

Confidentiality Agreements: All new personnel are required to sign confidentiality agreements.

If you have any questions or would like to know more about our data and information security policies and procedures, please contact us at info@assentcompliance.com.