Our Need for Compliance
We embedded secure practices in the way we develop our products from day one, and we recognized early that we needed to communicate this to our customers and users proactively. For us, compliance certification is a token of the trust we owe our customers, and the foundation we build that trust on. From the industry perspective, we were required to follow the standardized rules and procedures of the Insurance Self-Network Platform (ISNP) guidelines to ensure that we adhere to all Insurance Regulatory and Development Authority of India (IRDAI) regulations. We wanted to go above and beyond the ISNP construct, which is why we decided to pursue ISO 27001 certification as well as SOC 2. This way, we can truly claim to be a platform with world-class security, and that is where our compliance journey started.
When it comes to personal and sensitive information, protecting its privacy is critical. With the rise in ransomware and other cyber attacks across industries, we needed to find and close any vulnerabilities that could be a threat to the valuable data of our users.
This is where we decided to go beyond what is expected. While getting ISO 27001 certified was a no-brainer, we wanted to secure our user data under the highest standards of scrutiny available, which is why we made our processing GDPR compliant as well.
Certifications and Compliance
ISO 27001: ISO/IEC 27001 is the international information security standard. It requires the organization to operate an Information Security Management System (ISMS), a governance arrangement designed to identify and manage information security risks. ISO certifications are the global benchmark for quality and security in organizations, and we always knew we would build to be ISO 27001 compliant.
ISO 27017 & 27018: These standards add controls on top of ISO 27001. ISO/IEC 27017 is a code of practice for information security controls, based on ISO/IEC 27002, for cloud services. ISO/IEC 27018 is a code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors. Given what we do and how we develop our product, these two standards were no-brainers.
SOC 2: SOC 2 is an attestation framework developed by the American Institute of CPAs (AICPA) that specifies how organizations should manage security and customer data, with an independent auditor reporting on the controls in place. SOC 2 is one of the most widely recognized security standards worldwide, so we decided to become SOC 2 compliant to serve our customers better, regardless of where they are in the world.
GDPR: The General Data Protection Regulation (GDPR) is the EU framework that protects the privacy of individuals through rules that any organization processing the personal data of people in the EU must adhere to, wherever that organization is based. Given the sensitive nature of the information we process, we hold ourselves to the GDPR requirements, which are currently among the most stringent privacy laws in the world.
ISNP ready: The Insurance Self-Network Platform (ISNP) is the IRDAI requirement that any entity wanting to sell insurance products online in India must satisfy. Assurekit products are ISNP-ready, as they adhere to a standard stricter than the one instituted by the regulator.
Organizational Security
We operate an Information Security Management System (ISMS) that sets our security objectives and tracks the risks, and the mitigations for them, that concern all interested parties. We implement strict policies and procedures, including but not limited to:
Employee background checks: Every employee undergoes background verification, which we have reputed external agencies perform on our behalf. The check covers criminal records, previous employment (if any), and educational background. Until it is complete, the employee is not assigned tasks that may pose risks to users.
Security Awareness: Every new joiner signs a confidentiality agreement and an acceptable use policy, and then undergoes training in information security, privacy, and compliance. We evaluate their understanding through tests and quizzes to determine which topics need further training, and we provide role-specific training on the aspects of security each employee requires. Education continues after onboarding: our internal community, where employees check in regularly, keeps them updated on the organization's security practices, and we host internal events to educate, raise awareness, and drive innovation in security and privacy.
Internal audit and compliance: A dedicated compliance team reviews Assurekit's procedures and policies to align them with the standards we hold, and determines what controls, processes, and systems are needed to meet them. The team also performs periodic internal scrutiny and facilitates independent audits and assessments by third parties.
Server hardening: All servers used for development and testing activities are hardened (unused ports and accounts are disabled, default passwords are removed, and so on). The hardening is built into the base Operating System (OS) image, and every server is provisioned from that image, which keeps the configuration consistent across servers.
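As an added illustration (not Assurekit's tooling, and not code from this page) of the kind of baseline check that keeps a hardened image honest after it has been deployed, the Python below parses a constructed `ss -lntp` listing and a constructed `/etc/shadow` excerpt, then flags listeners outside an assumed allow-list of ports and accounts whose password field is empty. The allow-list, the process names and the shadow entries are assumptions made for this example.

```python
"""Baseline drift check for a hardened server image.

Added example, not Assurekit's tooling. The allow-list of ports and the
`ss -lntp` / `/etc/shadow` samples below are constructed for illustration.
"""
import re

# Constructed `ss -lntp` output from a host that should expose only SSH and HTTPS.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=801,fd=3))
LISTEN  0       511     *:443                *:*                users:(("nginx",pid=902,fd=6))
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1203,fd=20))
LISTEN  0       128     [::]:5900            [::]:*             users:(("x11vnc",pid=1330,fd=4))
"""

# Constructed /etc/shadow excerpt (hashes shortened). "deploy" has an empty password field.
SHADOW = """\
root:$6$rounds=656000$abc$hashhashhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
ubuntu:!:19700:0:99999:7:::
deploy::19700:0:99999:7:::
app:$6$rounds=656000$xyz$hashhashhash:19700:0:99999:7:::
"""

ALLOWED_LISTENERS = {22, 443}  # assumed baseline for this image


def listening_ports(ss_text):
    """Return {port: process_name} for each LISTEN line of `ss -lntp` output."""
    ports = {}
    for line in ss_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Local address looks like 0.0.0.0:22, *:443 or [::]:5900; the port follows the last colon.
        port = int(fields[3].rsplit(":", 1)[1])
        match = re.search(r'\("([^"]+)"', line)  # first process name inside users:((...))
        ports[port] = match.group(1) if match else "?"
    return ports


def unexpected_listeners(ss_text, allowed=ALLOWED_LISTENERS):
    """Listeners outside the baseline. Loopback-only services are reported too:
    they become reachable after an SSRF or a foothold on the box."""
    return {p: n for p, n in listening_ports(ss_text).items() if p not in allowed}


def passwordless_accounts(shadow_text):
    """Accounts whose shadow password field is empty, so login needs no password at all."""
    weak = []
    for line in shadow_text.splitlines():
        name, _, rest = line.partition(":")
        if rest.split(":", 1)[0] == "":
            weak.append(name)
    return weak


def active_accounts(shadow_text):
    """Accounts that carry a real hash (not locked with '!' or '*'); compare against the expected set."""
    active = []
    for line in shadow_text.splitlines():
        name, password = line.split(":")[:2]
        if password and not password.startswith(("!", "*")):
            active.append(name)
    return active


def audit(ss_text=SS_OUTPUT, shadow_text=SHADOW):
    """Human-readable findings; an empty list means the host matches the baseline."""
    findings = []
    for port, proc in sorted(unexpected_listeners(ss_text).items()):
        findings.append(f"unexpected listener: port {port} ({proc})")
    for user in passwordless_accounts(shadow_text):
        findings.append(f"account without password: {user}")
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Run against a live host by feeding it the real output of `ss -lntp` and the contents of `/etc/shadow` (root required); any finding is drift from the image and should be treated as a change to investigate, not a warning to silence.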
Secure by design: We follow secure coding guidelines, a code review process, and a change management process that ensures every change is authorized before it is deployed to production. Our security framework, based on OWASP standards and implemented within the application layer, is designed to mitigate threats such as SQL injection, cross-site scripting (XSS), and application-layer denial-of-service (DoS) attacks. Our products are also regularly tested for vulnerabilities by certified third-party auditors (vulnerability assessment and penetration testing, VAPT).
Data isolation: Assurekit provisions and maintains separate cloud spaces for its customers. Each customer's service data is logically separated from every other customer's and stored under controls in our framework that prevent one customer's information from being accessible to another. Service data is stored on our servers whenever you use our services. Your data is owned by you, not by us, and we do not share it with any third party without your consent.
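The Python below is an added example, not Assurekit's code, that demonstrates the Secure by design and Data isolation points together: the string-built query that SQL injection exploits beside its parameterized replacement, output encoding against cross-site scripting, and a repository that binds the tenant at session creation so callers cannot reach another customer's rows. The `policies` table, the tenant names and the sample rows are constructed for the example.

```python
"""Parameterized queries, output encoding and tenant-scoped data access.

Added illustration, not Assurekit's code. The schema, tenant names and rows
are assumptions constructed for this example.
"""
import html
import sqlite3


def setup_db():
    """In-memory database holding two tenants' records (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE policies (id INTEGER PRIMARY KEY, tenant_id TEXT, holder TEXT, premium INTEGER)"
    )
    conn.executemany(
        "INSERT INTO policies (tenant_id, holder, premium) VALUES (?, ?, ?)",
        [("acme", "Alice", 120), ("acme", "Bob", 95), ("globex", "Carol", 300)],
    )
    return conn


# Constructed payload: with string-built SQL it turns the WHERE clause into
# (tenant_id = 'acme' AND holder = 'x') OR '1'='1', matching every tenant's rows.
INJECTION = "x' OR '1'='1"


def find_policies_vulnerable(conn, tenant_id, holder):
    """What NOT to do: untrusted `holder` is spliced into the SQL text."""
    sql = (
        "SELECT tenant_id, holder FROM policies "
        f"WHERE tenant_id = '{tenant_id}' AND holder = '{holder}'"
    )
    return conn.execute(sql).fetchall()


def find_policies(conn, tenant_id, holder):
    """Hardened: values travel as bound parameters, so the payload is just a holder name."""
    sql = "SELECT tenant_id, holder FROM policies WHERE tenant_id = ? AND holder = ?"
    return conn.execute(sql, (tenant_id, holder)).fetchall()


def render_holder_cell(holder):
    """Output encoding at the HTML layer: the same untrusted value cannot inject markup."""
    return f"<td>{html.escape(holder, quote=True)}</td>"


class TenantRepository:
    """Binds the tenant once, from the authenticated session, so no caller
    can pass a different tenant_id and read across the logical separation."""

    def __init__(self, conn, tenant_id):
        self._conn = conn
        self._tenant_id = tenant_id

    def policies_for(self, holder):
        return find_policies(self._conn, self._tenant_id, holder)

    def premium_total(self):
        row = self._conn.execute(
            "SELECT COALESCE(SUM(premium), 0) FROM policies WHERE tenant_id = ?",
            (self._tenant_id,),
        ).fetchone()
        return row[0]


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", find_policies_vulnerable(db, "acme", INJECTION))  # leaks all tenants
    print("hardened:  ", find_policies(db, "acme", INJECTION))             # no such holder
    print(render_holder_cell("<script>alert(1)</script>"))
    print("acme total:", TenantRepository(db, "acme").premium_total())
```

The injection payload is the same in both calls; only the query construction differs. Note that the leak in the vulnerable version is also a tenant-isolation failure, which is why the repository never takes the tenant from request input.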
Incident Management: We have a dedicated incident management team. We notify you of any malicious activity affecting your data and advise you on how to deal with it. We record every incident so that we can make sure it is resolved properly, and where needed we identify, collect, and acquire the necessary evidence, in the form of application and audit logs, and provide it to the customer the incident relates to.
Furthermore, we implement controls to stop the recurrence of similar incidents.
As a data controller, we report breaches of personal data to the supervisory authority within 72 hours of becoming aware of them, as the General Data Protection Regulation (GDPR) requires, and notify the affected customers where necessary. As a data processor, we inform the data controller concerned without undue delay.