1. Background
This document outlines the Successware IT department’s security best practice framework, how it is applied to systems that are supported, and the process and techniques used to secure the systems.
2. NIST Security Framework
Successware's IT department has chosen the National Institute of Standards and Technology (NIST) Cybersecurity Framework as the basis of its security governance framework, aligning its resources and security practices to it. The image below provides a high-level view of the Framework's Core.
Key Framework Attributes
Principles of Current and Future Versions of the Framework
- Common and accessible language
- Adaptable to many technologies, lifecycle phases, sectors and uses
- Risk-based
- Based on international standards
- Living document
- Guided by many perspectives - private sector, academia, public sector
3. Successware IT Application of the NIST Framework
The section below shows the processes and activities Successware's IT department takes within the NIST framework to provide security services to protect the applications under its domain of coverage, such as the Successware application suite.
3.1. Identify
We work to develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
The activities in the Identify function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.
- Security Policies
These are sets of corporate policies defining the rules and expectations for people and systems, such as acceptable use, system access, and control. These policies are the foundation of the standards built into the systems we support to protect data and the operations of the company.
- Employee Security Training and Awareness
Regular security training and awareness sessions are conducted for corporate employees, educating them on security best practices and raising awareness of threats and risks.
- Board level Risk Management Monitoring
- Technology Asset Management
3.2. Protect
The Protect function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome categories within this Function include Identity Management and Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.
- System level Identity and Access Management
  - Single Sign On for infrastructure – Microsoft Azure Active Directory with Single Sign On allows faster user on/off boarding, access management auditing, and rights assignment, particularly for privileged accounts.
  - JWT token-based authentication and authorization for Successware applications.
- Security Standards
  - AWS Security Tools – Identify and alert on network level and workload level security threats and known vulnerabilities.
  - Microsoft 365 Security tools and alerting – Identify and alert on risky users, risky sign-ins, phishing attacks, and advanced threat analytics with Microsoft Security E3.
  - Employee Security Training and Awareness – All corporate employees are expected to complete security awareness training every quarter through our learning management system.
  - Secureworks Taegis XDR – Provides extended detection and response capabilities across endpoints, servers, and integrated security products, enabling advanced threat detection, investigation, and automated response actions.
- Software Code Management
  - Source Code Management and Versioning – We use software version management (Bitbucket) to securely store and update application source code.
  - Static code analysis – Before any code is pushed to production applications, we require code analysis with SonarQube to identify security concerns and potential vulnerabilities.
- Data Encryption at rest and in transit – Data at rest is protected with volume-level encryption using industry-standard AES-256, and data in transit is protected with TLS 1.2.
- Vulnerability scanning – We use a variety of techniques and tools to scan application workloads for vulnerabilities and compliance monthly.
3.3. Detect
The Detect Function enables timely discovery of cybersecurity events. Examples of outcome categories within this Function include Anomalies and Events, Security Continuous Monitoring, and Detection Processes.
- Anomalies and Events
  - Firewalls
  - Spam filters
  - Intrusion Detection / Prevention
  - Endpoint Anti-Virus for Successware employees
  - AWS tools – Control Tower, guardrails, GuardDuty
- Security Continuous Monitoring
  - AWS CloudWatch, CloudTrail
  - Centralized Logging
- Detection Processes
  - Inspector
  - Macie
  - Nessus
  - OWASP ZAP
  - Burp Suite Professional
3.4. Respond
The Respond function supports the ability to contain the impact of a potential cybersecurity incident. It covers developing and implementing the appropriate activities to take in response to a detected cybersecurity incident. Examples of outcome categories within this function include Response Planning, Communications, Analysis, Mitigation, and Improvements.
- Security Incident Planning – The Successware IT team periodically conducts exercises to assess its preparedness and scenario planning to effectively manage incidents. Incident management requires clear communication, and we have established a crisis management committee which is tasked with managing the communication process and coordination of events.
- Systems recovery and continuity of operations – The Successware IT team has identified the business criticality and uptime / recovery time expectations of systems. Business Continuity / Disaster Recovery runbooks have been developed to leverage depending on the nature of the incident.
3.5. Recover
The Recover function supports timely recovery to normal operations to reduce the impact from a cybersecurity incident. It consists of appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. Examples of outcome categories within this function include Recovery Planning, Improvements, and Communications.
- Incident Response Team – The Successware IT security team is responsible for the technical coordination and assessment of the incident. Their activities are coordinated with the crisis management function to select the most expedient path to contain the incident and restore IT services.
- Change Management Process – The Successware IT team has a change management process in place that encapsulates reviewing production system changes. This process is utilized for security incidents as well. Once an incident is resolved a Root Cause Analysis process is conducted to improve service levels and identify areas of improvement to avoid similar situations or close any gaps that may be uncovered.
4. Summary
Successware has partnered with AWS to host the Successware services, following AWS security best practices and using a robust ecosystem of tools and development best practices. The technology landscape and the nature of cyber security threats and threat actors are always evolving. We monitor them closely and make ongoing adjustments to our security practices and procedures.