Information Security Management System
Security is an important part of our reputation, critical to earning our customers' trust, vital to how we do business, and essential to delivering our product. Innovative strives to provide secure products and services for its customers. This is achieved through Innovative's Information Security Management System (ISMS). The ISMS consists of the policies listed in its Information Security Management System Program Document, together with standard operating procedures and the logs and tracking spreadsheets that support them. This web page summarizes the program and how it takes reasonable and appropriate administrative, technical and physical measures to protect the confidentiality, integrity and availability of the company's sensitive information, as required by both internal and external parties.
At its core, Innovative's ISMS maintains the principles of "need to know" and "least privilege", together with accountability and segregation of duties so that no one person has too much authority. Current roles and responsibilities are as follows:
| Role | Responsibilities |
|---|---|
| Everyone | Everyone is responsible for understanding and following company security requirements, reporting security incidents, protecting the company, and promoting a secure environment. |
| Executive Management | The Executive Management Team is responsible for providing the ISMS with resources, promoting the ISMS within the company, and driving improvement of the system. |
| Information Security Management Team (ISMT) | The ISMT is responsible for directing and supporting the people who contribute to the effectiveness of the ISMS. It reviews the ISMS goals and objectives, discusses security topics, reviews key security metrics, and reviews the Information Security Management System Program Documentation. |
| Data Protection Officer (DPO) | The DPO is responsible for all issues relating to the protection of personal data. The DPO advises the organization on privacy impact assessments, monitors its performance, and has due regard to the risk associated with processing activities. The DPO is also responsible for ensuring compliance with privacy frameworks and laws (such as the EU-US Privacy Shield and the General Data Protection Regulation) and serves as the primary point of contact for any supervisory authority. |
| Security Compliance Engineer (SCE) | The SCE is responsible for creating, implementing and maintaining the ISMS Program Documents, ensuring the ISMS conforms to the ISO/IEC 27001:2013 standard, and reporting the performance and effectiveness of the program to top management. The SCE is also responsible for designing, implementing and enforcing the procedures for risk assessment, security incident handling, audits, company certifications and change management, as well as all other standard operating procedures related to the ISMS. |
| Security Administrators | Security Administrators include systems administrators, database administrators, network administrators, and other application administrators. These functional teams are responsible for managing the security controls and configurations within the information systems they support. They implement security mechanisms and maintain the technical expertise needed to support them, and they ensure systems and services comply with all approved corporate information security policies, documents and standard operating procedures (SOPs). |
| Functional Managers (Data Owners) | Data Owners retain primary responsibility for their data whether it is in their custody or in the custody of others. They provide appropriate security direction covering operational, management and technical controls, and they are responsible for approving user access to their areas. |
| Customer Advisory Board on Security | A group of existing Innovative customers that meets quarterly to help influence where the ISMS should focus its security posture, based on customer needs and industry standards. |
Innovative's ISMS is designed as a living, continually improving system based on ISO/IEC 27001:2013. At its creation and every time it is updated, it takes into account internal and external factors such as internal resources, key stakeholders, industry standards, customer requirements, and any legal, regulatory or compliance requirements.
Innovative Interfaces is ISO/IEC 27001:2013 certified. The scope of the certification is the information security management system (ISMS) supporting the hosted and cloud infrastructure managed by Innovative Interfaces' Cloud Operations Team, in accordance with the statement of applicability dated January 20, 2017, which includes the following locations:
- Corporate Headquarters: 5850 Shellmound Way, Emeryville, California, 94608, United States
- New York Office: 103 Commerce Boulevard, Suite A, Liverpool, New York, 13088, United States
The current status (as well as a downloadable version) of Innovative Interfaces’ certificate can be found here.
All policies are reviewed by Innovative's Security Compliance Engineer, the Information Security Management Team (ISMT) and, where necessary, the functional managers. Final approval of all ISMS policies is given by Innovative's designated Chief Information Security Officer (CISO).
The ISMT, which is made up of Vice Presidents, Directors, Managers and Engineers drawn from every part of the organization so that all departments are represented, meets quarterly to approve new policies and perform the other functions outlined above.
Information Security Management System Policy Summary:
Innovative communicates the acceptable use of company technology, systems and data to its entire staff: forbidding personal use of corporate systems, outlining proper care of company equipment, addressing social media, and setting general guidelines and restrictions for corporate systems.
Innovative implements enterprise-level door access control and video surveillance at all of its ISO/IEC 27001:2013 certified locations. Special procedures must be followed when visitors, vendors or other third parties require access to a facility. The policy sets requirements for isolated security zones and delivery areas, and requires that backup generators and HVAC systems are present and maintained to handle environmental threats.
While Innovative aims to hire the best and brightest talent, it is also important to remain secure when doing so. In conjunction with the Human Resources department, Innovative's ISMS implements an on-boarding and off-boarding procedure covering background and reference checks as well as the removal or adjustment of access rights based on job function.
Network security is of the utmost importance, so Innovative maintains an industry-standard network security policy and employs full-time in-house Network/Security Engineers. The policy specifies how physical and virtual firewalls are configured to provide a highly available, dual-layer protection of its infrastructure. The engineers ensure that networks are segmented using VLANs and DMZs, that infrastructure is configured to use secure protocols, and that patches are kept up to date.
Security Awareness and Training
Perhaps one of the most daunting challenges today is raising awareness of information security. Innovative has a security awareness and training policy that sets requirements for educating, training and promoting information security throughout the company. Both during onboarding and at least annually, all Innovative employees undergo security training on topics such as email security, protecting customer information, physical security, privacy, and secure development.
Innovative follows industry best practices for password length and complexity, expiration and reuse. The policy goes further by requiring that default passwords be changed, that stored passwords be protected, and that no password be stored or transmitted in clear text.
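The storage and reuse requirements above are the part of the password policy that maps most directly onto code. The following Python example is added here and is not Innovative's code; the policy parameters (a 12-character minimum, a five-password history, the scrypt cost settings and the list of default passwords) are assumptions chosen for illustration, not Innovative's actual values. It shows a salted, slow one-way hash in place of clear-text storage (a one-way hash, rather than reversible encryption, is what a "no clear-text storage" requirement is normally met with), constant-time verification, and a reuse check performed against the stored hash history, so old passwords never have to be retained in clear text either.

```python
"""Password policy checks, salted hashing and reuse prevention.

Added example, not Innovative's code. Policy values below are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import re

# Assumed policy parameters, chosen for illustration only.
MIN_LENGTH = 12
HISTORY_DEPTH = 5          # a new password may not match any of the last N hashes
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # ~16 MiB work factor
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "123456"}   # constructed list


def check_policy(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("is a known default/common password")
    return problems


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Salted scrypt hash. The stored string carries its own parameters and salt.

    Storage format (assumed for this example): scrypt$N$r$p$salt_hex$hash_hex
    """
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters; compare in constant time."""
    algo, n, r, p, salt_hex, hash_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(hash_hex) // 2)
    return hmac.compare_digest(digest.hex(), hash_hex)


def rotate_password(new_password: str, history: list[str]) -> list[str]:
    """Apply the policy and reuse rules, then return the updated hash history.

    `history` holds previously stored hashes, newest first. Raises ValueError
    with the reasons when the change is rejected. Reuse is detected by
    verifying the candidate against the old hashes, so no old plaintext is kept.
    """
    problems = check_policy(new_password)
    if any(verify_password(new_password, old) for old in history[:HISTORY_DEPTH]):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if problems:
        raise ValueError("; ".join(problems))
    return [hash_password(new_password)] + history[:HISTORY_DEPTH - 1]


if __name__ == "__main__":
    hist = rotate_password("Correct-Horse-Battery-99", [])
    print("stored record:", hist[0])
    try:
        rotate_password("Correct-Horse-Battery-99", hist)
    except ValueError as exc:
        print("rejected:", exc)
```

Because every record embeds its own cost parameters, the work factor can be raised later and old records re-hashed on the user's next successful login without a migration flag day.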
Security-related incidents are a top concern at Innovative. Incidents are reported and tracked in an enterprise-level ticketing system to ensure prompt action and fast resolution. Evidence collection, root cause analysis and lessons learned are key components of Innovative's incident response plan, along with the ability to escalate issues to top executives if necessary. If you are experiencing a potential security incident related to Innovative products, please follow your normal support procedures and inform support of the situation.
Managing risk is a key component of the ISO/IEC 27001 standard. Innovative's risk management policy and procedure are based on NIST SP 800-30 Rev. 1. The goal of the risk assessment procedure is to prevent or reduce undesired effects and to feed the effectiveness of the risk treatment plan back into the ISMS. Risk assessments are performed at least annually and are reported to the Information Security Management Team quarterly. All high risks must undergo assessment, treatment and mitigation.
Changes to Innovative's hosting and cloud infrastructure must be reviewed, and every request for change must be documented and approved by the Change Advisory Board (CAB). The CAB is a group of Innovative employees drawn from senior management, security and infrastructure who are responsible for reviewing and approving requests for change.
As with other aspects of its ISMS, Innovative uses enterprise backup software for itself and for its customers. Backups are monitored, encrypted in transit, stored in geographically separated secure locations, and periodically tested.
Remote workstations and mobile devices must be protected from unauthorized access, loss or theft. Innovative's mobile device management software is required on all corporate devices and on any device connecting to corporate email or infrastructure. Remote workers are required to use Innovative-owned and sanctioned equipment so that the measures protecting sensitive data are in place.
In line with industry best practice, Innovative deploys antivirus software on all Innovative workstations. Signature updates and scans are scheduled daily, and the systems are monitored for outbreaks or unusual activity.
Ensuring that all systems have current security patches also ranks high on Innovative's ISMS requirements. The patch management policy requires that all servers and workstations be monitored to ensure the latest critical and security patches are installed.
Innovative creates and maintains its own disaster recovery and business continuity plan. A Business Impact Analysis is performed and the plan is updated annually, and the BCP/DR plans are tested and verified annually.
Innovative understands the security implications of selecting vendors. To that end, Innovative has implemented a vendor management program to ensure that all third-party IT vendors undergo a security review. Any significant change to an IT vendor requires a security re-evaluation, and all contracts are reviewed by Innovative's Legal department.
If you are interested in reviewing any of Innovative's ISMS policies in detail, please contact your Account Manager.
Updated: May 2018