XGRC CYBER SECURITY
XGRC Software®’s cloud-based platform is designed with security and privacy as top priorities. We follow industry best practices and adhere to strict security standards, such as those set forth by ISO27001, GDPR and POPIA, to ensure the protection of our users’ data.
XGRC Software SECURITY OVERVIEW
- Data Security and Privacy Controls
- Data Storage Location
- Access Management & Endpoint Security
- Encryption Standards
- Network Security & System Monitoring
- Penetration Testing & Vulnerability Management
- Research & Disclosure
- Application Security
- Security Awareness
- Reliability
- Disaster Recovery & Business Continuity
- Incident Response
- Data Privacy
- Vendor Management
- Supporting Documentation
Data Centres
XGRC Software®’s physical infrastructure is hosted and managed within the Microsoft Azure global infrastructure.
USD 1B+ investment in security R&D and 3,500 cyber security experts
Security is foundational for Azure. Take advantage of multi-layered security provided across physical data centres, infrastructure, and operations with cyber security experts actively monitoring to protect your business assets and data.
Data Storage Location
XGRC Software® is a multi-tenant cloud-based platform hosted in Microsoft Azure’s Europe-West (Amsterdam) region. The solution is designed to comply with the data protection laws and regulations of both the European Union (EU) and South Africa, so that customers subject to either regime are equally well served by the platform’s privacy and security controls. Specifically, the platform adheres to the EU’s General Data Protection Regulation (GDPR) and South Africa’s Protection of Personal Information Act (POPIA).
Access Management
XGRC Software® places the highest priority on data security and access management. Our platform follows the principles of least privilege and role-based permissions when provisioning access, so that employees are authorised to access only the data necessary to perform their job duties. This approach minimises the risk of unauthorised access and protects the confidentiality, integrity, and availability of our customers’ data.
To provide an additional layer of security, XGRC Software® supports multi-factor authentication for organisations that use Azure Active Directory. This helps ensure that only authorised personnel can access XGRC Software®’s platform and its sensitive data.
Endpoint Security
At XGRC Software®, we prioritise the security of our clients’ data. We have established strict security standards for employee endpoints to keep that data secure. These standards require all endpoints to be correctly configured, kept up to date, and protected by current Endpoint Protection software. We also require that all endpoints use encryption at rest, enforce strong, complex passwords, and lock when idle. This helps ensure that our clients’ data remains safe from modern cyber threats.
Encryption Standards
We at XGRC Software® understand the importance of data security and are committed to implementing the best possible security measures to protect our clients’ data. We have adopted the Rijndael encryption standard, which offers strong protection against modern cyber threats. Developed by the Belgian cryptologists Joan Daemen and Vincent Rijmen, this cipher is a significant improvement over the outdated Data Encryption Standard (DES) developed by the US National Bureau of Standards.
Rijndael is a symmetric-key block cipher. From a 128-bit key it derives a 128-bit subkey for each of its 10 rounds, each subkey laid out as a 4 x 4 table of bytes. The plaintext is likewise divided into 128-bit blocks arranged as 4 x 4 byte tables and processed in 10 rounds (for a 128-bit key; 192- and 256-bit keys are also supported). Each round is built from byte-by-byte substitution, shifting, mixing, and XOR. Every byte is first replaced through an S-box, which maps the byte to its multiplicative inverse over GF(2^8), applies a fixed bit matrix modulo 2, and XORs in the constant 0x63 (SubBytes). The rows of the table are then cyclically shifted (ShiftRows), and the columns are transformed by matrix multiplication over GF(2^8) (MixColumns). Finally, the round’s subkey is XORed into the state (AddRoundKey).
The Rijndael encryption method provides increased security against brute-force attacks and is three times faster than DES in software. It is a reliable option for secure key exchange and data transmission. It is worth noting that the Advanced Encryption Standard (AES), approved in the United States for high-level government documents, is based on the Rijndael encryption method. At XGRC Software®, we are proud of our commitment to data security and will continue to use the best security measures to protect our clients’ data.
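To make the SubBytes and MixColumns steps described above concrete, the following added example (written for this page, not code from XGRC Software®’s platform) derives the AES S-box from the GF(2^8) inverse and the 0x63 affine step, and applies MixColumns to a single column; the check values used are the public test vectors published in FIPS-197.

```python
# Added example, not XGRC Software code: Rijndael/AES byte-level primitives.

AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, Rijndael's reduction polynomial
SBOX_CONST = 0x63  # constant XORed in after the affine bit-matrix step

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as GF(2^8) elements modulo AES_POLY."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return product

def gf_inverse(a: int) -> int:
    """Multiplicative inverse as a^254 (since a^255 = 1 for a != 0); 0 maps to 0."""
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result if a else 0

def affine(b: int) -> int:
    """Apply the fixed 8x8 GF(2) matrix bitwise (mod 2), then XOR with 0x63."""
    out = 0
    for i in range(8):
        row = ((0xF1 << i) | (0xF1 >> (8 - i))) & 0xFF  # row i has bits i, i+4..i+7
        out |= (bin(b & row).count("1") & 1) << i        # dot product modulo 2
    return out ^ SBOX_CONST

def sbox(b: int) -> int:
    """SubBytes for one byte: field inverse followed by the affine map."""
    return affine(gf_inverse(b))

def mix_column(col: list[int]) -> list[int]:
    """MixColumns on one 4-byte column: multiply by the circulant (2,3,1,1) matrix."""
    coeffs = [2, 3, 1, 1]
    out = []
    for r in range(4):
        acc = 0
        for c in range(4):
            acc ^= gf_mul(coeffs[(c - r) % 4], col[c])
        out.append(acc)
    return out
```

Building the full table with `[sbox(b) for b in range(256)]` yields the standard AES S-box (S[0x00] = 0x63, S[0x53] = 0xED), which is how a practitioner can confirm that the substitution is not a lookup table of arbitrary constants but a fixed algebraic map.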
Network Security and Server Hardening
XGRC Software® employs several measures to ensure the highest level of security for its platform and customer data. Firstly, the platform layers are segregated into separate networks with restricted access between them. Additionally, different hosting environments are utilised for Staging, Development, and Production. Endpoints and services are hardened following industry-standard CIS benchmarks, and network access to XGRC Software®’s hosting environment is restricted, with only load balancers accessible from the Public Internet. To maintain constant vigilance, XGRC Software® logs, monitors, and audits all system events and alerts using HakWare Archangel, which detects and reports any potential intrusion or exfiltration attempts.
System Monitoring, Logging and Alerting
XGRC Software® takes a proactive approach to security by utilising HakWare’s Security Information and Event Management (SIEM) solution. This tool collects, aggregates, and correlates millions of system events daily across XGRC Software®’s hosting environments, providing real-time insight to our Security and DevOps teams regarding potential security events. Administrative access, use of privileged commands, and system events on all endpoints in XGRC Software®’s hosting environments are logged and monitored, allowing for automated analysis to detect potential issues and alert our Security and DevOps teams. We believe in being proactive and vigilant to keep our customers’ data safe and secure.
Penetration Testing & Vulnerability Management
XGRC Software® takes proactive measures to ensure the security of its platform and customer data. Before release, all code undergoes thorough testing to detect and address potential security vulnerabilities. In addition, XGRC Software® regularly scans its network and systems for vulnerabilities using HakWare Archangel, an Artificial Intelligence-based vulnerability scanner and penetration-testing tool. Quarterly application and infrastructure penetration tests are conducted with Archangel, and any identified vulnerabilities are prioritised and remediated in a timely manner. The results of these tests are shared with senior management to ensure transparency and accountability. Archangel’s Artificial Intelligence capabilities allow XGRC Software® to monitor its networks, systems, and applications continuously for security vulnerabilities.
Research & Disclosure
At XGRC Software®, we take the security of our platform and user data very seriously. We recognise the value of the security community in identifying and addressing potential vulnerabilities, and we encourage the responsible disclosure of any security issues found. If you believe you’ve discovered a security issue in one of our products, please email [email protected] with a detailed description of the problem and the steps required to reproduce it. Our team will review and prioritise all vulnerabilities received based on their severity.
However, we want to be clear that we do not encourage or condone any activities that violate applicable laws or negatively impact our platform, systems, or data. This includes hacking, penetrating, or attempting to gain unauthorised access to XGRC Software® applications or systems, downloading, copying, disclosing or using proprietary or confidential XGRC data, or engaging in any activities that could adversely affect XGRC Software® or our operations. XGRC Software® does not waive any rights or claims concerning such activities.
We appreciate your help in keeping our platform and user data safe. For all other security inquiries, please get in touch with us at [email protected].
Application Security
XGRC Software®’s software development lifecycle is designed with security as a top priority, and we follow industry best practices, such as those set forth by the Open Web Application Security Project (OWASP), to ensure the quality and security of our code. All code changes must undergo rigorous peer review and manual and automated testing. No single individual is authorized to request or implement changes without several other individuals’ review and approval; all changes are logged and tracked to ensure transparency and accountability.
Our developers must complete training on secure development practices, and we conduct regular testing and auditing to identify and address potential vulnerabilities or weaknesses. Additionally, we utilize penetration testing, code analysis, and vulnerability scanning tools to ensure that our code is thoroughly tested and secured.
By implementing these measures, we can ensure that our software is of the highest quality and security and that our users can rely on us to provide a reliable and trustworthy platform.
Security Awareness
At XGRC Software®, we recognize that security is everyone’s responsibility. We have implemented a comprehensive security awareness program to ensure that all employees understand the importance of security and its intersection with their daily work. As part of this program, all new employees and contractors are required to complete security training. Training completion is audited throughout the year to ensure compliance and identify any areas for improvement.
XGRC Software® employees must also read and adhere to our IT and Security policies, which outline our expectations for security best practices, such as password requirements, acceptable use policies, and incident response procedures. We conduct regular security awareness campaigns to help ensure that employees know the latest and emerging security threats and know what to do if they encounter them.
In addition, our Information Security team leverages several security threat intelligence sources to stay up-to-date on the latest threats and vulnerabilities. This information is used to enhance our security controls. It is disseminated through regular training and awareness campaigns to ensure that all employees know the risks and how to protect themselves and the company.
By implementing these measures, we can ensure that XGRC Software® remains a secure and reliable platform and that all employees are equipped with the knowledge and tools they need to maintain the highest level of security.
Reliability
XGRC Software® understands the importance of high availability and minimal downtime for our users, and we have implemented a comprehensive strategy to ensure that our platform is accessible and responsive at all times.
Our platform is designed to be highly available, and we use both automated and manual monitoring tools to ensure that our services run smoothly. We have redundancy and failover mechanisms in place to minimize the impact of any service disruptions, and our support team is available to address any issues as they arise quickly.
In addition, we regularly conduct capacity planning and load testing to ensure that our platform can handle increased traffic and usage without experiencing slowdowns or disruptions. Our platform is hosted in Microsoft Azure’s Europe-West (Amsterdam) region, which provides high availability and resiliency through its globally distributed data centres and network infrastructure.
By implementing these measures, we can ensure that our users can rely on our platform to be accessible and responsive whenever they need it and that any potential downtime or disruptions are minimized and quickly addressed.
Disaster Recovery & Business Continuity
XGRC Software® recognises the value of data and understands that the protection and availability of our users’ data are paramount. To ensure our platform remains accessible and responsive even during a site disaster, we perform daily backups and data replication across multiple locations.
This helps to protect data from loss or corruption and facilitates quick restoration of our platform in the event of any disruption.
Our backup strategy includes full backups, which are saved at least once per day, and daily rolling backups that are kept for 30 days. This ensures that we maintain a comprehensive backup history and that data can be restored anytime. We also periodically test our backup and restore capabilities to ensure successful disaster recovery and minimise potential downtime or data loss.
By implementing these measures, we can assure our users that our platform will be available and responsive when needed and that any potential disruptions or data loss are minimised and addressed promptly.
Incident Response
XGRC Software® is committed to maintaining the security and privacy of our users’ data, and we have established comprehensive policies and procedures for responding to security incidents. All security incidents are managed by XGRC Software®’s Security Incident Response Team, which is trained to respond quickly and effectively to any incident.
Our policies define the types of events that must be managed via the incident response process and classify them based on severity. In the event of an incident, affected customers will be informed via email, and we will establish a communication plan to ensure timely and transparent updates to affected customers.
To determine the root cause of an incident, we use forensic analysis tools to investigate the incident and identify any vulnerabilities or areas of concern that may need to be addressed. We also review and update our incident response procedures annually to ensure they remain effective and up to date in the face of evolving security threats.
By implementing these measures, we can assure our users that their data is safe and that potential incidents are managed quickly and effectively with transparency and communication with the affected parties.
Data Privacy
At XGRC Software®, we take data privacy seriously and have designed our data privacy controls to meet our obligations around collecting, processing, using, and sharing personal data. Our processes also ensure compliance with applicable privacy laws, including those related to data retention and disclosure. We collect and use personal data in accordance with our Privacy Policy, which outlines our commitment to protecting the privacy and confidentiality of our clients’ information. Rest assured that your data is in safe hands with XGRC Software®.
Data Sharing and Processing
XGRC Software® is deeply committed to safeguarding the privacy of our customers’ data and ensuring that our platform fully complies with international data protection obligations, including GDPR and POPIA. We diligently adhere to these regulations by collecting, processing, and storing customer data in accordance with the provisions outlined in these legislative frameworks.
We have implemented policies and controls to ensure that we delete customer data when it is no longer necessary for a legitimate business purpose. These measures are in place to ensure that our users’ data is always protected, and we are fully committed to complying with all applicable data privacy laws and regulations. With our strict data privacy controls in place, our users can be confident that their data is always safe and secure.
Vendor Management
At XGRC Software®, we understand the importance of safeguarding customer data and take this responsibility very seriously. As a result, we only share personal information with trusted third parties who have agreed to protect its confidentiality and privacy.
To ensure compliance with data protection regulations such as GDPR & POPIA, we have established agreements with all sub-processors that require them to adhere to strict confidentiality commitments and maintain appropriate security measures. When exporting personal data outside the EEA, we ensure that all subcontractors comply with the updated Standard Contractual Clauses.
Our commitment to data privacy and protection is unwavering, and we strive to maintain the highest possible standards.
By implementing these measures, we can give our users peace of mind, knowing that their data is managed with the utmost care and attention.
Supporting Documentation
Additional supporting documentation, policies, and procedures related to our information security practices can be requested. To ensure the confidentiality and protection of sensitive information, interested parties must sign a mutually executed Non-Disclosure Agreement (NDA).