Security Practices | Agital

At Agital, we pride ourselves on protecting our business, clients, partners, and our people by ensuring that the information, data, and technology assets we oversee are handled with the utmost care. We take the security of all data seriously and consider this one of our primary responsibilities. This is in our DNA; therefore, we aim to be open and transparent about our security practices.

Please feel free to contact us at [email protected] and a member of our cybersecurity practice will reach out to you ASAP. 

OUR MISSION

Agital has established and maintains a formal Information Security Program. This program is mandated and supported through an executive charter that ensures the program is aligned to our business objective. The charter is reviewed and accepted annually by Agital’s leadership to re-affirm our commitment and stay current with the evolving cybersecurity landscape. A copy of the charter can be provided upon request. 

It is our policy that: 

  • Agital will always seek to protect our company and clients from information security threats to information, data, technology, and people. 
  • A formal information security program and Information Security Management System (ISMS) will be operated to ensure we effectively meet the cybersecurity needs of Agital, our clients, and other interested parties. 
  • The program will be maintained by an Information Security Officer – a dedicated role – with accountability for its ongoing direction and purpose. 
  • The program and its objectives will be derived from business objectives prioritized and approved by executive leadership – these include Agital’s overall business strategy, contractual and regulatory requirements, and responsible use of technology. 
  • The program will enable the governance, strategy, standards, principles, and technical and organizational measures (controls) necessary to secure the organization. 
  • Agital will proactively invest in the program; it will be sufficiently resourced to collectively manage needs across compliance, risk, and security. 
  • The program objectives will be approved and regularly reviewed by executive leadership via Agital’s Information Security Oversight Board. 

ORGANIZATIONAL SECURITY

Agital’s Information Security Program addresses the technical, organizational, administrative, and human aspects of security as a critical first step, ensuring these are well-established elements woven into the fabric of our business.

CONFIDENTIALITY

Agital establishes confidentiality by ensuring only those employees who require access to client data are provided access, and that the level of access provided is consistent with their job function. Access to client data is assigned based on the level of data classification and minimum level of access required, i.e., “least privilege” access. 

The operation of Agital services requires that some employees have access to the systems which store and process client data. For example, IT staff such as systems administrators may be able to access client data to effectively support a system or diagnose a problem. These employees have separate user accounts for administrative and non-administrative duties, and they are not authorized to view or access systems with client data unless it is required for their privileged job function, i.e., “role-based access.” Technical controls are in place to ensure such access is logged where feasible. 

The controls that support confidentiality are extended by Agital to our vendors and suppliers and validated through our Third-Party Risk Management (TPRM) program. 

Agital has invested in industry-leading security technologies providing an elevated level of assurance and trust for our clients. Security controls are regularly reviewed and updated internally, and they are validated by external partners on an annual basis through audits and penetration testing. 

PERSONNEL PRACTICES

All Agital employees, contractors, and suppliers must adhere to our information security policies regarding protection of client data. 

Candidates for employment undergo background checks and are required to sign confidentiality agreements before joining Agital. All candidates are screened for competency for their role. Job responsibilities related to security within the organization are defined and communicated prior to employment. 

Upon hire, all employees are provided cybersecurity orientation training and are required to read and acknowledge their understanding of Agital’s information security policies for data protection and acceptable use. Our training has been designed and created in-house so that it is tailored to our business and people for greatest effectiveness. 

Employee and third-party onboarding and offboarding processes have been developed to ensure accurate and effective controls are followed for provisioning and deprovisioning access. These processes are systematically employed and use automation wherever possible to minimize human error and provide timely execution and reporting. 

SECURITY AWARENESS TRAINING

In addition to orientation, all employees are provided security awareness training on a regular basis that reminds and reinforces Agital’s policies. The training measures all employees’ sentiment, engagement, and knowledge of security best practices and concepts. The Agital Infosec team uses this training to create additional focused training sessions that may include topics like emerging threats or regulatory requirements such as GDPR, CCPA, and HIPAA. 

OUR TEAM

Agital employs experienced security professionals who ensure the operational effectiveness of its Information Security Management System (ISMS). These individuals comprise diverse roles within Agital’s Information Security Team and Incident Response Team. Dedicated roles include our Chief Information Security Officer (CISO), Compliance Officer, Risk and Compliance Analysts, and technical and operational security staff. Together these teams oversee the following aspects of Agital’s ISMS and information security program: 

  • Security governance, strategy, and policy 
  • Security architecture 
  • Operational risk management 
  • Security engineering and operations 
  • Incident detection and response 
  • Vulnerability management 
  • User education and awareness 
  • Compliance and privacy 

An Information Security Oversight Board governs and authorizes security strategy. This aligns the Infosec Team’s mission with overall company goals and provides the necessary resources and budget for execution of the strategy by the CISO and security teams. 

COMPLIANCE

To ensure the effectiveness of Agital’s ISMS and related security controls, we have aligned our security practices to common industry standards and control frameworks including NIST, ISO 27001/27002, and SOC. 

Service Organization Controls (SOC): All Agital services, whether internal or client-facing, are hosted and managed by major service providers that hold multiple security and data protection accreditations for their operations and data centers, including SOC. For information regarding their compliance, please visit the AWS Security website, AWS Compliance website, Google Security website, Google Compliance website, and Microsoft Service Trust website.

MANAGEMENT POLICIES AND STANDARDS

Agital’s policies, standards, procedures, and guidelines provide overall governance and rules for security within the organization. Each of these exists and is documented within Agital’s Information Security Management System (ISMS). This includes but is not limited to: 

  • Code of ethics and conduct 
  • Information technology acceptable use policy 
  • Agital’s house rules for security 
  • Information security policy 
  • Information security exceptions policy 
  • Risk management policy and process 
  • Access control policy 
  • Asset management policy 
  • Information classification policy 
  • Data retention policy 
  • Change management policy 
  • Secure workplace (physical security, clear desk, and screen) policy 
  • Network and communications security policy
  • Compliance policy 
  • Encryption policy 
  • IT assets and services acquisition policy 
  • Cloud services policy 
  • Security roles and responsibilities policy 
  • Incident response policy and process 
  • Mobile device and remote working policy 
  • System development policy 
  • Open-source software policy 
  • Operations security policy 
  • Third-party and supplier relationships policy 
  • Ransomware response policy 
  • Vulnerability management policy 

These policies are living documents and are reviewed and updated on an annual basis. They are available to all employees via our company intranet. While these are internal-only documents, redacted copies can be requested by clients as needed by contacting [email protected].

AUDITS AND ASSESSMENTS

Agital evaluates the design and operational effectiveness of its ISMS through internal assessment and self-validation and/or independent external audits. This ensures compliance with internal and external standards. On a periodic basis, Agital engages qualified and credentialed third-party assessors to review our controls. The reports from these audits are shared with the Information Security Oversight Board and executive leadership. All findings are tracked to resolution. 

LEGAL AND PRIVACY COMPLIANCE

Agital employs dedicated legal and compliance professionals with extensive expertise in data privacy and security. Along with the security team, these individuals are embedded in the development lifecycle for new services and technologies, and they review products and features for compliance with applicable legal and regulatory requirements. They work closely with development teams, IT, and security teams to ensure client, third-party, and regulatory requirements are met on an ongoing basis.

PENETRATION TESTING  

On a periodic basis, Agital engages a qualified and credentialed external security services provider to perform penetration testing of the network and systems that support Agital’s corporate and client-facing technology services. Testing includes Agital-managed infrastructure and systems underlying customer services. The requirement for testing is extended into our supply chain through Agital’s Third-Party Risk Management (TPRM) program. Findings from Agital and third-party test reports are tracked to resolution.

DATA PROTECTION

ENCRYPTION IN TRANSIT AND AT REST

All information transmitted to or from Agital over public networks uses industry standard encryption. This includes communications via e-mail where strong encryption protocols are supported by both parties. Agital’s standard for encryption is TLS version 1.2 or later with AES-256 and SHA2.
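The standard above (TLS 1.2 or later, AES-256, SHA-2) can be checked mechanically on every negotiated connection. The following is an added example written for this page, not Agital's own tooling: a client-side `ssl` context that cannot negotiate below the standard for TLS 1.2 suites, plus a policy check on the negotiated (version, cipher suite) pair, run here over constructed sample negotiations.

```python
import ssl

# Policy as stated on the page: TLS 1.2 or later, AES-256, SHA-2 family.
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2
ALLOWED_VERSIONS = ("TLSv1.2", "TLSv1.3")               # as reported by SSLSocket.version()
AES256_TOKENS = ("AES256", "AES_256")                   # OpenSSL and IANA spellings
SHA2_TOKENS = ("SHA256", "SHA384", "SHA512")            # SHA-2 family only; "SHA" alone is SHA-1


def meets_tls_policy(version: str, cipher: str) -> tuple[bool, list[str]]:
    """Check one negotiated (protocol version, cipher suite) pair.

    `version` is the string from ssl.SSLSocket.version(), e.g. "TLSv1.2";
    `cipher` is the suite name from ssl.SSLSocket.cipher()[0].
    Returns (ok, reasons); reasons lists every rule the pair violates, so an
    audit log shows all defects rather than only the first one found.
    """
    reasons: list[str] = []
    if version not in ALLOWED_VERSIONS:
        reasons.append(f"protocol {version} is below TLS 1.2")
    name = cipher.upper()
    if not any(tok in name for tok in AES256_TOKENS):
        reasons.append(f"cipher {cipher} does not use AES-256")
    if not any(tok in name for tok in SHA2_TOKENS):
        reasons.append(f"cipher {cipher} does not use a SHA-2 hash")
    return (not reasons, reasons)


def build_client_context() -> ssl.SSLContext:
    """Client context that enforces the policy at handshake time.

    The OpenSSL cipher string pins ECDHE key exchange with AES-256 and drops
    SHA-1 MACs for TLS 1.2. The ssl module offers no API to select TLS 1.3
    suites (TLS_AES_128_GCM_SHA256 stays enabled), so the negotiated result
    should still be passed through meets_tls_policy() after connecting.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS_VERSION
    ctx.set_ciphers("ECDHE+AES256:!SHA1:!aNULL:!eNULL")
    return ctx


def audit_socket(tls_sock: ssl.SSLSocket) -> tuple[bool, list[str]]:
    """Apply the policy to a live, already-connected TLS socket."""
    return meets_tls_policy(tls_sock.version(), tls_sock.cipher()[0])


# Constructed sample negotiations, as a handshake audit would record them.
SAMPLE_NEGOTIATIONS = [
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),        # compliant
    ("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384"),   # compliant
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),   # AES-128: fails
    ("TLSv1.1", "AES256-SHA"),                    # old protocol and SHA-1: fails twice
]


def audit_samples(samples=SAMPLE_NEGOTIATIONS) -> dict[str, bool]:
    """Return a compliance verdict per sample, keyed by 'version cipher'."""
    return {f"{v} {c}": meets_tls_policy(v, c)[0] for v, c in samples}


if __name__ == "__main__":
    for v, c in SAMPLE_NEGOTIATIONS:
        ok, reasons = meets_tls_policy(v, c)
        print(f"{v:8} {c:32} {'OK' if ok else 'FAIL: ' + '; '.join(reasons)}")
```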

Agital classifies all client data as Confidential. Such data is always encrypted while at rest or in transit where technically and commercially feasible to do so.

User devices including laptops, smartphones, tablets, and other media are prohibited from transferring, storing, or processing Confidential data unless fully encrypted. These devices are encrypted at rest using IT-managed encryption technologies with AES-256. This includes removable media such as USB drives.

Data backups are encrypted both on-site and off-site.

Key management ensures keys for backups are stored separately from the systems they protect. Agital hosts its services including backups with industry-leading data center providers in facilities that are ISO 27001, HIPAA / HITRUST, PCI, and SOC 2 Type 2 compliant. This ensures best-in-class protection for physical and virtual assets located within these centers. All providers encrypt all technology and data assets, including data in transit and at rest, for services used by Agital.

LOGICAL ACCESS CONTROL

All electronic data stored by Agital has strict access controls enforced through multiple layers of security. Agital’s access control methodology adheres to the following core tenets of access management:

  • Role-based access: access is provided only to those who require it.
  • Separation of duties: employees with privileged access must have this access granted independently through a separate set of credentials from their non-privileged access.
  • Least privilege: the minimum amount of access required to perform one’s job function is granted.
  • Conditional access: access is dependent on certain conditions, for example time of day, location, or means of authentication.

To this end, Agital employs the following measures:

  • All systems used at Agital require users to authenticate using a unique set of credentials assigned to each user.
  • Multifactor authentication (MFA) is used for all systems and services that support it – this includes all Agital corporate employee accounts.
  • System administrators have unique credentials for privileged and non-privileged accounts.
  • Access is logged, and suspicious logon attempts are systematically reviewed and alerted to the security team.
  • Access levels are regularly reviewed as part of Agital’s internal risk assessment processes; this includes supplier access, privileged access, and inactive accounts.
  • IT administrator access is reviewed regularly to ensure the level of access granted is still appropriate for the employee’s current job function.

Agital has implemented safeguards to protect secrets including the creation, storage, retrieval and destruction of service account credentials, access codes, and encryption keys. Secure password vaults are used within IT to store credentials and delegate access to staff as needed.

PHYSICAL ACCESS CONTROL

Agital offices have access control mechanisms in place such as key cards and numeric keypads which are fitted to all ingress/egress points and secure internal locations.

Areas housing sensitive information or systems for the storage, transfer, or processing of data are restricted to ensure only authorized employees are permitted access.

Visitors to Agital facilities must have an employee sponsor their visit and provide supervision while in any area that contains sensitive information.

NETWORK SECURITY

Agital has adopted a “zero-trust” model for network security. This model requires that any worker, in any location, using any device must have access control and application sessions authorized by a network policy. Details of this model can be shared with clients as requested.

Connections to the internal Agital network are strictly controlled and require authentication regardless of ingress point. Wireless network connections require two factors of authentication and are restricted to Agital devices only.

All devices connected to the Agital network must meet an initial security baseline; once connected, they receive regular patches and updates for vulnerabilities even if they are later disconnected from the network.

Networks are segregated physically and logically based on the security classification of the systems and data made available on each segment. Network access controls on devices such as firewalls, routers, and servers ensure only traffic that is required for a given service is permitted within or between network segments.

Network monitoring is performed at the data center edge to detect anomalies and inbound network-based attacks. In keeping with the zero-trust model, monitoring is also performed on end-user devices.

AUTHENTICATION

Agital has strong policies and controls for user authentication and password management. These policies reduce the overall number of accounts required across applications and services, thus reducing the risk of account sprawl and password re-use.

Multi-factor authentication is mandated for all employees’ corporate IT user accounts, including third-party and administrative accounts. A company-wide password management tool is deployed to all employees and contractors for efficient and secure storage and sharing of credentials.

Where technically feasible and appropriate, Agital uses encryption keys for authentication. For example, access may require an SSH key in addition to an Agital username and password.

All user and administrative passwords are required to incorporate four factors of complexity and be created without references to common dictionary words or patterns.

Agital conducts sophisticated real-time analysis of every corporate user logon attempt, and it alerts the security team when suspicious logon attempts or anomalies are detected.

DATA CLASSIFICATION AND LABELING

Agital classifies all data we control or process, including client data, to ensure appropriate levels of protection and control. Client data is classified as Confidential and requires the following measures:

  • Role-based access
  • Sharing authorization by owner only (no transitory sharing)
  • Strict access controls (least privilege)
  • Encryption at rest and in transit
  • Logging of all access
  • Data Loss Prevention (DLP) and Information Rights Management (IRM), where appropriate and technically and commercially feasible
  • Daily backups
  • Defensible destruction

DEVICE AND WORKSTATION SECURITY

Agital workstations run monitoring and configuration tools to enforce security baselines and to prevent suspicious activity or unsafe configurations. End-users are limited in the administrative actions that can be taken on a workstation.

Malware detection occurs in real time through inspection of code in storage and in memory as code is executed.

All workstations use full disk encryption to prevent data loss resulting from loss or theft of the device.

MOBILE DEVICE MANAGEMENT

All mobile devices used within Agital are encrypted. Agital uses a Mobile Device Management (MDM) platform to control configuration and policy for devices including laptops, smartphones, tablets, and removable media. MDM provides ability to lock or wipe data from devices remotely.

It is Agital’s policy that mobile devices and removable media are not permitted for use for storage, transfer, or processing of any sensitive data.

DATA AND ASSET DISPOSAL

Client data is removed and deleted when no longer required. Agital’s policies and standards require all physical assets and media to be properly destroyed (if no longer required for use) or sanitized (if being repurposed for use).

OPERATIONAL SECURITY

Agital’s operational security practices include processes for service and change management which are aligned to the ITIL framework, centralized logging and monitoring, on-site and off-site data backups, technical vulnerability management, operational and security risk management, incident management, and asset management. Together these ensure a reliable and effective baseline from which to protect Agital and client assets.

Agital’s security team performs continual scans of our network, systems, and application assets. Findings are documented, reported, and tracked to remediation. The team collects and stores network, system, and application logs for analysis. These logs are stored in a dedicated platform that is protected from modification by IT staff. Analysis of logs is automated to the extent technically and commercially feasible.

RISK MANAGEMENT

Agital employs an internal risk assessment process to review its business units for technical, operational, and administrative threats and weaknesses. This process includes an audit of systems, data, and processes used within the business to ensure alignment with Agital policy and control requirements. Where gaps or risks are discovered, these are documented, reported to accountable stakeholders, and tracked to resolution.

SECURITY DEVELOPMENT LIFECYCLE

For systems and applications developed by Agital, we take a variety of measures to prevent the introduction of malicious or erroneous code to our environments and to protect against unauthorized access to, modification, destruction, or disclosure of data, as well as against denial of access to it. This includes:

  • Separation of production and non-production environments
  • Change management
  • Developer training
  • Secure code repositories and version control systems
  • Secure code analysis
  • Application vulnerability management, e.g., OWASP Top 10
  • Policies regarding open-source software
  • Security hardening of host systems and infrastructure

COMPLIANCE ASSURANCE PROGRAM

Agital follows a “Plan, Do, Check, Act” cycle for security and risk management. In support of this, an internal Compliance Assurance Program (CAP) has been enacted to help us address the most common threats and vulnerabilities cybercriminals use today. The CAP is an internally developed program that ensures we continuously check the effectiveness of our processes related to security controls so improvements can be made and so any erosion of these processes is readily identified.

At Agital, we maintain steadfast awareness of our role as a service provider to our customers. Through the CAP, we also self-check and validate our processes and controls to ensure these are met in accordance with o

THIRD PARTY SUPPLIERS

Agital has established and maintains a third-party vendor and supplier risk assessment program (TPRM). New vendors in scope for our technology-based services, including the storage, processing, transfer, or analysis of data, are reviewed by Agital’s security team. All third parties are assessed and tracked within a risk platform that captures key elements of each assessment and provides for effective risk processes and reporting. 

Third-party assessments are conducted during vendor or supplier onboarding through manual interrogation by Agital’s information security team. This occurs prior to vendors participating in any live projects and periodically thereafter. 

A third-party assessment is a detailed process that requires vendors and suppliers to provide evidence of security controls no less effective than Agital’s own controls and to demonstrate due care and diligence for sensitive assets and data. Any gaps are reported to management and must be remediated before the vendor or supplier is authorized for use by Agital. 

DISASTER RECOVERY AND BUSINESS CONTINUITY

AVAILABILITY 

Agital’s internal systems and those that house or support client-facing technology and data follow robust technical standards for resiliency to ensure maximum uptime. This technology includes: 

  • Redundancy and high availability by design, eliminating single points of failure
  • Geographically segregated facilities/computing locations, including backups stored in different regions from primary data
  • Service provider, network, and supplier diversity
  • Strict use of technology platforms that are recognized as best-of-breed within their service areas, providing a high degree of availability, software updates and patches, and support
  • Virtualization providing for rapid portability and provisioning of systems and data
  • Remote working technologies

DISASTER RECOVERY 

Agital’s formal disaster recovery program is based on the ISO 27031 standard and defines a purposeful and relevant approach to ensure survivability of internal and client-facing systems during a disaster event. The program includes the technical, administrative, and procedural measures required for effective preparation and response, including: 

  • Required policies and standards
  • The program leadership and teams
  • Objectives for availability and recovery, including RTO and RPO
  • Classification of systems and assets for recoverability
  • Planned processes and standards for operations and execution, including communications, critical decision-making, change management, and security incident response
  • Risk impact assessment aligned with Agital’s security risk assessment processes

Together these measures constitute Agital’s disaster recovery planning. Plans are updated annually to ensure effectiveness. Agital maintains backup copies of production data in remote locations from primary data. Recovery tests for data are performed on a periodic basis. 

PANDEMIC AND REMOTE WORKING 

In addition to our technology availability and continuity plans, Agital maintains a pandemic and remote working plan. Through this plan, Agital is capable of efficiently transitioning our core business operations to a 100% remote workforce while sustaining customer services.