Data Security
Technical
We take the security of our customers, partners, employees and assets seriously.

Cybersecurity
Comprehensive cybersecurity measures are paramount to our strategic and competitive position and are key to the long-term success of our products and services. We recognize that cybersecurity threats have become one of the defining technological concerns of our time. Even the most advanced cybersecurity efforts will not address all cyber risks that an enterprise like isolved will face over time.
However, at isolved we work diligently to infuse security principles into the design, development and deployment of our leading human capital management solution, isolved People Cloud™. We go to great lengths to ensure our employees are aware of risks and are empowered to act against threats, and we continue to make strategic investments to improve and evolve our cybersecurity and operational risk capabilities.
Quality management – isolved uses industry-leading tools for intrusion detection, prevention and correction, and deploys a complement of software, hardware and endpoint agents along with these tools as part of a cybersecurity program that is designed, modeled and maintained following the NIST cybersecurity framework and ISO 27001 guidelines.
Cybersecurity management – isolved understands the importance of risk and security in today’s digital economy. We make continuous strategic investments in our cybersecurity management program to ensure we have appropriate levels of resources dedicated to the protection and care of our physical, digital and human assets.
isolved maintains full-time employees whose sole function is to provide oversight for cybersecurity monitoring, remediation and escalation.
isolved maintains a documented incident response plan that the cybersecurity team follows in the event of issues / incidents and escalations.
isolved provides employee training and has documented information security policies and procedures in place that adequately address key information security and privacy topics.
isolved uses third-party cybersecurity firms for security testing, scans and threat detection, and isolved People Cloud is subject to a combination of black-box, white-box and gray-box testing.
isolved operates on the principle of least privilege: only a limited subset of employees has access to customer applications. Access is through feature-limited portals, over encrypted connections with multi-factor authentication (MFA), and all access is logged. The intent of providing access to a subset of employees is to provide effective customer support, troubleshoot potential problems and detect and respond to security incidents.
Cybersecurity controls – isolved implements the following controls in support of our cybersecurity management program:
Administrative access to networks, applications, databases and source code is restricted to appropriate individuals.
Roles, groups or access control lists are used to manage administrative rights, or appropriate individual rights management is in place.
Passwords for service accounts are managed through a vaulting or similar tool and must be changed periodically.
Unique administrative IDs are utilized for each user.
Next-generation identity and access management (IAM) is used for internal systems and for trusted access to isolved People Cloud.
MFA or other appropriate authentication is required for administrative accounts to stop employees from recycling the same password on multiple platforms. Database access requires privileged access rights and accounts that are subject to more stringent password requirements, MFA and multi-level role-based privileges.
Minimum password requirements are enforced for all internal as well as customer users.
Application authentication takes place over encrypted channels, does not support weak encryption and all traffic between application tiers is encrypted (e.g., load balancer-to-web-servers; application servers-to-database).
Databases and drives containing confidential information are encrypted at rest, and encrypted information transmission is enforced across public lines.
isolved uses high-grade TLS and multi-layered encryption with AES-256 and RSA 2048-bit keys. All sensitive data is encrypted with 256-bit AES encryption, the highest standard available, and encryption keys are stored in a secure location and separate from connected data.
Confidential information is kept only in secure file locations and is not sent via unencrypted email or other non-secure methods.
Confidential information sent via email is encrypted.
Centralized antivirus solutions are used for devices.
Cybersecurity tools – in addition to our cybersecurity management program and associated controls, isolved leverages industry-leading tools to provide security in and across the following areas:
Multi-factor authentication (MFA)
Mobile device management (MDM)
Advanced threat protection (ATP)
Intrusion detection system (IDS)
Intrusion prevention system (IPS)
Endpoint protection services (EPS)
Transport Layer Security (TLS/SSL)
Web application firewalls (WAF)
Static application security testing (SAST)
Identity and access management (IAM)
Network access controls (NAC)
Access control lists (ACL)
Security information and event management (SIEM)
Centralized access control system (CACS)
Cloud access security broker (CASB)
Data loss prevention (DLP)
Spam and malware detection
Email journaling and archiving
Automated asset and patch management
Password management system
Network analyzer
Vulnerability scanning and penetration testing – isolved conducts periodic internal vulnerability tests and an annual external, formal vulnerability test against isolved People Cloud, and also performs annual external audits, which attest to the scans we conduct. Microsoft also regularly tests the underlying Azure infrastructure.
Antivirus and DDoS mitigation – isolved People Cloud offers best practice architecture and development, secure data centers, global support and CDN/WAF services to ensure customers are always supported by safe and secure solutions. isolved People Cloud is deployed on Microsoft Azure security-hardened systems. Anti-malware and advanced threat protection (ATP) are enabled for Azure services. Availability and performance monitoring is provided, and all data in transit is encrypted via HTTPS/TLS. The provided content delivery network (CDN) protects origin servers, and together with the built-in web application firewall (WAF) it provides distributed denial-of-service (DDoS) mitigation and state-of-the-art protection against unusual and malicious traffic.
Secure and reliable datacenters – isolved People Cloud runs on secure Microsoft Azure datacenters. Each facility is designed to run 24x7x365 with protection from power failure, physical intrusion and network outages. Entry points are protected by perimeter fencing, cameras and biometric safeguards. Azure datacenters are certified to 90+ compliance standards, including for example ISO 27001, FedRAMP and SSAE 18 SOC 2.
Application, data and transaction monitoring – isolved utilizes advanced monitoring technologies on all levels of our applications and infrastructure. This includes integrated 24/7 on-call paging systems to ensure real-time alerting and response of any issues. isolved works to maintain a system of continuous monitoring that meets or exceeds the industry standards for security. There are regular reviews of the platform and the server environment, focusing on all levels of operation.
Transparent service health and continuity – isolved People Cloud provides up to 99.9% SLA at the application level. Customers can register to receive incident updates and request information on service health including uptime as needed.
System updates and patching – isolved People Cloud runs on Azure and is aligned with Microsoft’s Azure patch release cycle. People Cloud code follows a continuous release cycle with new releases delivered on a bi-weekly basis. Releases include both new features and fixes.
Operations security – isolved maintains routine operational security procedures to ensure that patches and changes to systems (including networks, operating systems, facilities and processing systems) that may affect information security are managed and tested. The following operational security practices are implemented:
Vulnerabilities, patches and updates are managed proactively by a dedicated team.
Operating systems are proactively patched and managed.
System provisioning includes removal of all unnecessary utilities, open ports and accounts.
Server operating system changes and software installations are restricted to designated system administrators who follow appropriate governance for authority to make changes.
Mobile devices that access corporate email are managed through MDM tools or other administrative access restrictions.
Network vulnerability scanning is performed for internal and external addresses on a regular basis.
Security testing is performed by an independent provider at least once per year.
Static application security testing (SAST) scanning is performed on a regular basis.
Audit logging, monitoring and alerting are in place for potential incidents involving security or privacy.
Centralized log management is utilized for event and log correlations and other purposes. Audit logs are maintained for a minimum of one year unless regulatory requirements define a different retention period, in which case they are maintained accordingly.
VPN gateways and other connections between networks are configured according to best practices.
Databases are segregated from other application tiers and are not running locally with other application or specialty tiers.
Host and service-based tools are in place to measure and monitor system metrics, availability of system components and utilization.
Alert notification and acknowledgement mechanisms are in place.
The content of this Site is provided for informational purposes only. isolved does not provide legal, tax, accounting or investment advice, and nothing on this Site is intended to be or should be relied upon as such. isolved makes no representations that the information on this Site is current, accurate, complete, valid or suitable for any purpose, and will not be liable for any errors or omissions, delays in the publication of information, or for any losses, injuries or damages arising from the use of the content of this Site for any purpose whatsoever. All information provided on this Site is on an as-is basis. Information and resources linked to third-party sites are beyond the control of isolved and isolved shall have no responsibility whatsoever for the acts or omissions of any such third parties. No endorsement of any third-party product or service is expressed or implied.
Report a Concern
Should you have any concerns, please contact isolved’s security and compliance leadership team by clicking here: Report a Security Concern