Information Security Management System

Security is an important part of our reputation and is critical to earning our customers’ trust, vital to how we do business, and essential in delivering our product. Innovative strives to provide secure products and services for its customers. This is achieved through Innovative’s proprietary Information Security Management System (ISMS). The ISMS consists of the policies listed in its Information Security Management System Program Document, together with standard operating procedures and various logs and tracking spreadsheets. This web page summarizes the program and how it takes reasonable and appropriate administrative, technical and physical measures to protect the confidentiality, integrity and availability of the company’s sensitive information, as required by both internal and external parties.

At its core, Innovative’s ISMS strives to maintain the principles of “need to know” and “least privilege”, as well as accountability and segregation of job duties, so that no one person has too much authority. Current roles and responsibilities are as follows:


Everyone

Everyone is responsible for understanding and following company security requirements, reporting security incidents, protecting the company, and promoting a secure environment.

Executive Management

The Executive Management Team is responsible for providing the ISMS with resources and promoting the ISMS within the company. Executive management is also responsible for contributing to the goals and objectives as well as the continual improvement of the Information Security Management System.

Information Security Management Team (ISMT)

The Information Security Management Team (ISMT) is responsible for directing and supporting persons to contribute to the effectiveness of the information security management system. They review the ISMS goals and objectives, discuss security topics, review key security metrics, and review the Information Security Management System Program Documentation.

Data Protection Officer (DPO)

The DPO is responsible for all issues relating to the protection of personal data. The DPO advises the organization on privacy impact assessments, monitors their performance, and gives due regard to the risk associated with any related processing activities. The DPO is also responsible for ensuring compliance with privacy laws (such as the General Data Protection Regulation) and serves as the primary contact point for any supervisory authority.

Security Compliance Engineer (SCE)

The Security Compliance Engineer is responsible for creating, implementing and maintaining the ISMS Program Document, ensuring the ISMS conforms to the standard, and reporting the performance and effectiveness of the program to the ISMT. The Security Compliance Engineer is also responsible for designing, implementing and enforcing risk assessments, security incident handling, audits, company certifications and change management, as well as any other standard operating procedures related to the Information Security Management System.

Security Administrators

Security Administrators include systems administrators, database administrators, network administrators, and other application administrators. These functional teams are responsible for the management of security controls and configurations within the information systems they support. They implement security mechanisms and maintain the requisite technical expertise to support them. They ensure systems and services comply with all approved corporate information security policies, documents and standard operating procedures (SOPs).

Functional Managers (Data Owners)

Information Owners retain primary responsibility for their data whether it is in their custody or in the custody of others. These individuals provide appropriate security direction to include operations, management, and technical controls. They are responsible for the appropriate user access to their areas.

Customer Advisory Board on Security

A group of existing Innovative customers that meets quarterly to help influence where the ISMS should focus its security posture, based on customer needs and industry standards.

Legal

Innovative’s Legal department is responsible for owning and approving Innovative’s public-facing Services Privacy Policy and Privacy Policy, for contract reviews of third-party agreements, and for responding to any privacy-related inquiries, subpoenas, warrants, government orders, or other lawful requests by public authorities, data protection authorities and the Department of Commerce.

Innovative’s ISMS is designed to be a living, continually improving system based on ISO/IEC 27001:2013. It takes into account various internal and external factors upon its creation and every time it is updated, including internal resources, key stakeholders, industry standards, customer requirements and any legal, regulatory or compliance requirements.

As such, Innovative Interfaces is ISO/IEC 27001:2013 certified. The scope of the certification is the information security management system (ISMS) supporting the hosted and cloud infrastructure managed by Innovative Interfaces’ Cloud Operations Team, in accordance with the statement of applicability dated January 20, 2017, which includes the following locations:

  • Corporate Headquarters: 789 E. Eisenhower Parkway, Ann Arbor, MI 48108, United States
  • New York Office: 103 Commerce Boulevard, Suite A, Liverpool, New York, 13088, United States
  • Dublin Office: George’s Quay Plaza, 9th Floor (Block A), Dublin, Ireland

The current status (as well as a downloadable version) of Innovative Interfaces’ certificate can be found here. 

All policies are reviewed by Innovative’s Security Compliance Engineer, the Information Security Management Team (ISMT) and, where necessary, the functional managers. Final approval of all ISMS policies is given by Innovative’s designated Chief Information Security Officer (CISO).

The Information Security Management Team (which is composed of Vice Presidents, Directors, Managers and Engineers drawn from every facet of the organization, so that all departments are represented) meets on a quarterly basis to approve new policies and perform the other functions outlined above.

Information Security Management System Policy Summary:

Acceptable Use

Innovative communicates the acceptable use of company technology, systems and data to its entire staff: forbidding personal use on corporate systems, outlining proper care of company equipment, addressing social media, and general guidelines and restrictions around corporate systems.

Physical Security

Innovative implements enterprise-level door access control and video surveillance at all of its ISO 27001:2013 certified locations. Special instructions must be followed when visitors, vendors and/or third parties require access to a facility. The policy also outlines requirements for isolated security zones and delivery areas, and ensures that backup generators and HVAC systems are present and maintained to handle potential environmental threats.

Personnel

While Innovative aims to hire the best and brightest talent, it is also important to remain secure when doing so. In conjunction with the Human Resources department, Innovative’s ISMS implements a top-of-the-line on-boarding and off-boarding procedure. These processes cover background and reference checks as well as the removal or readjustment of access rights based on job function.

Network Security

Network security is of the utmost importance, so much so that Innovative implements an industry-standard policy and employs full-time in-house Network/Security Engineers. The policy specifies how physical and virtual firewalls are configured to provide a highly available dual layer of protection for its infrastructure. The Engineers ensure that networks are configured in proper segments using VLANs and DMZs, that infrastructure technology is configured to use secure protocols, and that patches are kept up to date.

Security Awareness and Training

Perhaps one of the most daunting challenges today is increasing awareness around information security. Innovative has a security awareness and training policy that dictates requirements for educating, training, and promoting information security throughout the company. Both during onboarding and at least annually, all Innovative employees undergo specialized security training on topics such as email security, how to protect customer information, physical security, privacy, and development security.

Data Management

Understanding how to classify data and knowing what to do with it is a vital aspect of any Information Security Management System. Innovative employees understand the difference between Public, Private, Protected, and Customer data. They also understand how to properly dispose of that data, which helps to not only protect the security of sensitive Innovative data, but more importantly, our customers’ data. For additional information on Innovative’s privacy practices, please refer to our Privacy Policy and Services Privacy Policy.

Passwords

Innovative follows industry best practices regarding length, complexity, expiration, and reuse for all of its passwords. The policy goes further by requiring that default passwords be changed, that passwords be encrypted in storage, and that no password be stored or sent in clear text.

Security Incidents

Security-related incidents are a top concern at Innovative. Incidents are reported and tracked using an enterprise-level ticketing system, ensuring prompt action and fast resolution. Evidence collection, root cause analysis and lessons learned are key components of Innovative’s incident response plan, along with the ability to escalate issues to top executives if necessary. If you are experiencing a potential security incident related to Innovative products, please follow your normal support procedures and inform support of the situation.

Risk Management

Managing risks is a key component of the ISO 27001 standard. Innovative’s risk management policy and procedure are based on NIST 800-30 Rev 1. The goal of Innovative’s risk assessment procedure is to prevent or reduce undesired effects and to integrate the effectiveness of the risk treatment plan into the ISMS. Risk assessments are performed at least annually and are reported to Innovative’s Information Security Management Team on a quarterly basis. All high risks must undergo proper assessment, treatment and mitigation.

Change Management

Changes to Innovative customer systems, infrastructure and applicable software are managed by Innovative’s Change Advisory Board (CAB). Innovative’s CAB is a group of Innovative employees representing the IT, Security, Support, Services, and Engineering departments, and it is responsible for reviewing and approving any requests for changes.

Backups

As with other aspects of its ISMS, Innovative uses enterprise software as the backup solution for itself and for its customers. Backups are monitored, encrypted in transit, stored in geographically separated secure locations and periodically tested.

Mobile Devices

Remote workstations and mobile devices must be protected from unauthorized access, loss or theft. Innovative leverages Office 365 capabilities to ensure compliance with security policies. Remote workers are required to have Innovative owned and sanctioned equipment to ensure proper security measures are in place to protect sensitive data.

Anti-Malware/Virus

In line with industry best practices, Innovative deploys antivirus software on all Innovative workstations. Virus signatures are updated on a schedule, daily scans are performed, and systems are monitored for any outbreaks or unusual activity.

Patch Management

Ensuring that all systems have the most current security patches also ranks high on Innovative’s ISMS requirement list. Innovative’s patch management policy ensures that all servers and workstations are monitored to confirm they have the latest critical and security patches installed.

Business Continuity and Disaster Recovery

Innovative creates and maintains its own disaster recovery/business continuity plan. A Business Impact Analysis is performed and the plan is updated on an annual basis. Innovative’s BCP/DR plans are also tested and verified annually.

Vendor Management

Innovative understands the potential security implications of selecting vendors. To that effect, Innovative has implemented a vendor management program to ensure that any third-party IT vendors undergo a security review. Any significant changes to IT vendors require security re-evaluation, and all contracts undergo review by Innovative’s Legal department.

If you are interested in reviewing any of Innovative’s ISMS policies in detail, please reach out to your Account Manager.

Updated: September 15, 2021
