Security at Vantage Circle
The objective of information security is to provide management direction and support for information security in accordance with Vantage Circle’s business requirements and the laws and regulations that govern it. Information security policies are approved by management, published, and communicated to all employees and relevant external parties. These policies set out Vantage Circle’s approach to managing information security and align with relevant state-wide policies.
Information security will be coordinated across the different parts of Vantage Circle through relevant roles and job functions. Information security responsibilities will be clearly defined and communicated. The security of Vantage Circle’s information assets and information technology that are accessed, processed, communicated to, or managed by external parties will be maintained.
Information security policies will be reviewed at planned intervals (annually) or whenever significant changes occur, to ensure their continuing suitability, adequacy, and effectiveness. Each policy will have an owner who holds approved management responsibility for the development, review, and evaluation of the policy. Reviews will include assessing opportunities to improve Vantage Circle’s information security policies and its approach to managing information security in response to changes in Vantage Circle’s environment, new threats and risks, business circumstances, legal and policy implications, and the technical environment.
Vantage Circle is ISO 27001:2013 certified and we are continuously committed to identifying threats, assessing all kinds of risks, and implementing controls that help us to comply with the best industry standards.
The goal of ISO 27001 is to protect the three aspects of information:
- Confidentiality: Only authorized personnel can access the information.
- Integrity: Only authorized personnel can change the information.
- Availability: Information is accessible to authorized persons whenever it is needed.
Vantage Circle is proud to announce that it has been awarded an ISO 27701 certification for its privacy information management system (PIMS). This certification demonstrates our commitment to protecting the privacy of individuals and managing personal data in accordance with international best practices.
Our PIMS is based on a robust framework that includes policies, procedures, and controls to ensure the confidentiality, integrity, and availability of personal data. Our system is designed to comply with relevant privacy laws and regulations, and is regularly audited to ensure that it continues to meet the latest standards.
As an ISO 27701 certified organization, we are committed to continuously improving our PIMS to better protect the privacy of individuals. We are proud to be among a select group of organizations that have achieved this important recognition and look forward to continuing to serve our customers with the highest level of privacy protection.
The objective of physical and environmental security is to prevent unauthorized physical access to, and damage, theft, compromise, or interference with, Vantage Circle’s information and facilities. Locations housing critical or sensitive information or information assets will be secured with appropriate security barriers and entry controls, and physically protected from unauthorized access, damage, and interference. Secure areas will be protected by appropriate entry controls so that only authorized personnel are allowed access. Security will also be applied to off-site equipment. All equipment containing storage media will be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal, in compliance with statewide policies.
Vantage Circle’s infrastructure is hosted on Digital Ocean (cloud service provider). Employees at Vantage Circle do not have any physical access to the production servers. Digital Ocean provides its customers with physical security controls built to meet the requirements of the most security-sensitive organizations, as per its declarations in Annex B – Security Measures.
Password-based authentication is vulnerable to brute-force attacks, so it is disabled on our production servers. Instead, a public-private key pair is generated on each accessing machine and the public key is placed in the appropriate location on the servers. As a result, the servers are accessible only from those particular machines. In addition, database servers can be accessed only from application servers.
Access to information, information systems, information processing facilities, and business processes will be controlled on the basis of business and security requirements. Formal procedures will be developed and implemented to control access rights to information, information systems, and services to prevent unauthorized access. Users will be made aware of their responsibilities for maintaining effective access controls, particularly regarding the use of passwords. Users will be made aware of their responsibilities to ensure unattended equipment has appropriate protection. A clear desk policy for papers and removable storage devices and a clear screen policy will be implemented, especially in work areas accessible by the public. Steps will be taken to restrict access to operating systems to authorized users. Protection will be required commensurate with the risks when using mobile computing and teleworking facilities.
- All cloud servers will be locked against password access; access will be allowed only through digital certificates.
- Digital certificates for production access will be rotated from time to time.
- The password for the Vantage Circle admin interface will be changed every 3 months.
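The "no passwords, keys only" posture described for the production servers above and in the bullets can be verified on each host rather than assumed. The following POSIX shell check is an added example, not Vantage Circle's own tooling; it assumes OpenSSH sshd_config semantics (the first occurrence of a keyword wins, keywords are case-insensitive), no Match blocks, and two constructed sample configs written to temporary files.

```shell
#!/bin/sh
# Added example, not Vantage Circle's tooling: audit an sshd_config for the
# "keys only, no passwords" posture. Assumes OpenSSH semantics (the FIRST
# occurrence of a keyword wins, keywords are case-insensitive) and no Match
# blocks or "Keyword=value" syntax.

# Effective value of a keyword (lowercased); falls back to the OpenSSH
# default given as $3 when the keyword never appears in the file.
sshd_effective() {  # $1 = config file, $2 = keyword, $3 = default
  val=$(awk -v key="$2" '
    /^[[:space:]]*#/ { next }                               # comment line
    tolower($1) == tolower(key) { print tolower($2); exit }  # first wins
  ' "$1")
  [ -n "$val" ] && printf '%s\n' "$val" || printf '%s\n' "$3"
}

# Returns 0 when password logins are off and key logins are on, 1 otherwise.
audit_sshd_config() {
  f="$1"; rc=0
  [ "$(sshd_effective "$f" PasswordAuthentication yes)" = no ] \
    || { echo "FAIL: PasswordAuthentication is not 'no'"; rc=1; }
  [ "$(sshd_effective "$f" PubkeyAuthentication yes)" = yes ] \
    || { echo "FAIL: PubkeyAuthentication is not 'yes'"; rc=1; }
  # Keyboard-interactive (PAM) auth can still prompt for a password.
  [ "$(sshd_effective "$f" KbdInteractiveAuthentication yes)" = no ] \
    || { echo "FAIL: KbdInteractiveAuthentication is not 'no'"; rc=1; }
  [ "$(sshd_effective "$f" PermitRootLogin prohibit-password)" != yes ] \
    || { echo "FAIL: PermitRootLogin is 'yes'"; rc=1; }
  return $rc
}

# Two constructed sample configs (not taken from any real server).
WEAK=$(mktemp); HARD=$(mktemp)
cat > "$WEAK" <<'EOF'
# PasswordAuthentication no        <- commented out, has no effect
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no          # ignored: an earlier line already set it
EOF
cat > "$HARD" <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PermitRootLogin prohibit-password
EOF

audit_sshd_config "$WEAK" && echo "weak config passed?!" || echo "weak config: rejected"
audit_sshd_config "$HARD" && echo "hardened config: accepted"
```

The weak sample shows the two ways a "disabled" setting silently fails to apply: a commented-out line, and a correct line placed after an earlier one that sshd has already honoured.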
Data Storage & Redundancy
Vantage Circle uses a managed MySQL database hosted in Digital Ocean data centers. Because the data is critical, Digital Ocean backs it up automatically every day, and the data can be restored to any point within the previous seven days.
Vantage Circle uses several monitoring services to make sure the servers and the environment are secure. These services alert us via email about any abnormalities on our servers.
The design, operation, use, and management of information and information assets are subject to statutory, regulatory, and contractual security requirements. Compliance with legal requirements is necessary to avoid breaches of any law, of statutory, regulatory, or contractual obligations, and of any security requirements. Legal requirements include, but are not limited to: state statute, statewide and Vantage Circle policy, regulations, contractual agreements, intellectual property rights, copyrights, and the protection and privacy of personal information.
Controls will be established to maximize the effectiveness of the information systems audit process. During the audit process, controls will safeguard operational systems and tools to protect the integrity of the information and prevent misuse.
For our Vulnerability Disclosure Program, refer here.