Confidentiality & Security

Resiliency Program partners with Digital Ocean to provide our data hosting infrastructure at its SOC 2 Type II and ISO 27001 compliant facilities. Data center facilities are powered by redundant power, each with UPS and backup generators.

The Digital Ocean center facilities feature a secured perimeter with multilevel security zones, 24/7 manned security, video surveillance, multifactor identification with biometric access control, physical locks, and security breach alarms.

Resiliency Program currently leverages Digital Ocean Data centers in the United States and India.

Control over our software development process is key to producing quality software. Security is a critical subset of that quality. That is why all development is done using the Resiliency Program Secure Software Development Lifecycle (S-SDLC) that has been designed and adopted to ensure the software Resiliency Program produces meets compliance requirements and is free of software security defects (to the greatest extent possible) that may expose sensitive data.

At appropriate stages in the life cycle, vulnerability scans are performed for identification of noncompliance or potential vulnerabilities. At higher-level milestones (the lesser of annually or with any major release), penetration tests are performed at the application level both internally and with a qualified third-party information security expert using both automated and manual testing techniques.

Resiliency Program S-SDLC uses an Agile/Scrum process for managing system development activity and has implemented change management and version control software to ensure that all system development changes are sourced from authorized requesters, validated, and prioritized based on business, technical, and security impact. In addition, all changes deployed are tracked for revision control.

QA engineers review and test our application both manually and using automated scripts to identify any application and security vulnerabilities

Dev, QA, UAT and Production environments are separated physically and logically from each other. No client data is ever used in the development, test and UAT environments.

Our principle engineers participate in secure code training covering OWASP Top 10 security flaws, common attack vectors, and Resiliency Program security controls.

Our network is protected by redundant firewalls, best-in-class router technology, secure HTTPS transport over public networks, regular audits, and 24/7/365 Security Operations Center that monitor and/or block malicious traffic and network attacks.

Our network security architecture consists of multiple security zones. DMZs are used between the internet, and internally between the different zones of trust.

Access to the Resiliency Program databases is restricted by an explicit need-to-know basis, utilizes POLP, and is frequently audited. In addition, employees with such access privileges are required to use multiple factors authentication.

Communications between users and the Resiliency Program is encrypted via industry best-practices HTTPS and Transport Layer Security (TLS 1.2 and above) over public networks.

All user and client data stored with Resiliency Program is encrypted at rest using AES-256 bit algorithm with a block/chunk size of 128 bits.

Users can sign into the Resiliency Program application using authenticated credentials. Users are also required to use Multi Factor Authentication for secured sign-in to the application. User provisioning and permissioning is managed by our clients.

Resiliency Program provides clients the option to define their password change frequency and repeat policy. Password length and password strength are defined based upon industry best practices. BCrypt algorithm is used to hash and salt passwords securely.

Authorized Resiliency Program Users are provided with multi-level permissions based upon user and role credentials. The flexible role-based authorization process is governed by each client to ensure data is secure and only made available to those who require access to it.