At Cloud-IAM, we believe that good security practices start with our own team, so we go out of our way to protect against internal threats and local vulnerabilities.
Cloud-IAM follows the risk management procedures outlined in NIST SP 800-30, which include nine steps for risk assessment and seven steps for risk mitigation.
All Cloud-IAM product changes must go through code review, CI, and the build pipeline before reaching production servers. Only designated employees on Cloud-IAM’s operations team have secure shell (SSH) access to production servers.
We perform testing and risk management on all systems and applications on a regular and ongoing basis. New methods are developed, reviewed, and deployed to production via pull request and internal review. New risk management practices are documented and shared via staff presentations on lessons learned and best practices.
Cloud-IAM performs risk assessments throughout the product lifecycle per the standards outlined in the HIPAA Security Rule, 45 CFR 164.308:
- Before the integration of new system technologies and before changes are made to Cloud-IAM physical safeguards
- While making changes to Cloud-IAM physical equipment and facilities that introduce new, untested configurations
- Periodically as part of technical and non-technical assessments of the security rule requirements as well as in response to environmental or operational changes affecting security
The Cloud-IAM operations team includes service continuity and threat remediation among its top priorities. We keep a contingency plan in case of unforeseen events, including risk management, disaster recovery, and customer communication sub-plans that are tested and updated on an ongoing basis and thoroughly reviewed for gaps and changes at least annually.
Cloud-IAM maintains an internal wiki of security policies, which is updated on an ongoing basis and reviewed annually for gaps.
All new employees receive onboarding and systems training, including environment and permissions setup, formal software development training (if pertinent), security policies review, company policies review, and corporate values and ethics training.
All engineers review security policies as part of onboarding and are encouraged to review and contribute to policies via internal documentation. Any change to policy affecting the product is communicated as a pull request, such that all engineers can review and contribute before internal publication. Major updates are communicated via email to all Cloud-IAM employees.
Cloud-IAM follows the incident handling and response process recommended by SANS, which includes identifying, containing, eradicating, recovering from, communicating, and documenting security events. Cloud-IAM notifies customers of any data breaches as soon as possible via email and phone call, followed by multiple periodic updates throughout each day addressing progress and impact. Cloud-IAM plans starting from Big Bunny include a dedicated customer success manager who holds responsibility for customer communication, as well as regular check-ins and escalations.
Cloud-IAM maintains a live report of operational uptime and issues on our status page. Any known incidents are reported there, as well as on our Twitter feed.