Security at asBuilt
asBuilt maintains a comprehensive, written information security program that contains administrative, technical and physical safeguards that are appropriate to (a) the size, scope and type of asBuilt's business; (b) the amount of resources available to asBuilt; (c) the type of information that asBuilt will store; and (d) the need for security and confidentiality of such information.
asBuilt’s security program is designed to:
- Protect the confidentiality, integrity, and availability of Customer Data in asBuilt’s possession or control or to which asBuilt has access;
- Protect against any anticipated threats or hazards to the confidentiality, integrity, and availability of Customer Data;
- Protect against unauthorised or unlawful access, use, disclosure, alteration, or destruction of Customer Data;
- Protect against accidental loss or destruction of, or damage to, Customer Data; and
- Safeguard information as set forth in any local, state or federal regulations by which asBuilt may be regulated.
Without limiting the generality of the foregoing, asBuilt’s security program includes:
1 Security Awareness and Training
A mandatory security awareness and training program for all members of asBuilt’s workforce (including management), which includes:
- Training on how to implement and comply with its Information Security Program;
- Promoting a culture of security awareness through periodic communications from senior management to employees.
2 Access Controls
Policies, procedures, and logical controls:
- To limit access to its information systems and the facility or facilities in which they are housed to properly authorised persons;
- To prevent those workforce members and others who should not have access from obtaining access; and
- To remove access on a timely basis in the event of a change in job responsibilities or job status.
3 Physical and Environmental Security
Controls that provide reasonable assurance that access to physical servers at the production data centre is limited to properly authorised individuals. This is under the control of third-party hosting services.
4 Security Incident Procedures
A security incident response plan that includes procedures to be followed in the event of any security breach of Customer Data or any security breach of any application or system directly associated with the accessing, processing, storage, communication or transmission of Customer Data.
Such procedures include:
- Roles and responsibilities: formation of an internal incident response team with a response leader;
- Investigation: assessing the risk the incident poses and determining who may be affected;
- Communication: internal reporting as well as a notification process in the event of unauthorised disclosure of Customer Data in accordance with the Master Subscription and Services Agreement (MSSA);
- Recordkeeping: keeping a permanent record of what was done and by whom to help in later analysis and possible legal action; and
- Audit: conducting and documenting a root cause analysis and remediation plan.
5 Contingency Planning/Disaster Recovery
Policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, pandemic flu, and natural disaster) that could damage Customer Data or production systems that contain Customer Data. Such procedures include:
- Data Backups: A policy for performing periodic backups of production file systems and databases according to a defined schedule;
- Disaster Recovery: A formal disaster recovery plan for the loss / disruption of third-party hosting solutions, including:
  - A documented executive summary of the Disaster Recovery testing, at least annually, which is available upon request to customers.
- Business Continuity Plan: A formal process to address the framework by which an unplanned event might be managed in order to minimise the loss of vital resources.
6 Audit Controls
Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements.
7 Data Integrity
Policies and procedures to ensure the confidentiality, integrity, and availability of Customer Data and protect it from disclosure, improper alteration, or destruction.
8 Storage and Transmission Security
Technical security measures to guard against unauthorised access to Customer Data that is being transmitted over a public electronic communications network or stored electronically. Such measures include requiring encryption of any Customer Data stored on desktops, laptops or other removable storage devices which are housed outside of a secured data centre.
9 Secure Disposal
Policies and procedures regarding the disposal of tangible property containing Customer Data, taking into account available technology so that Customer Data cannot be practicably read or reconstructed.
10 Assigned Security Responsibility
Assigning responsibility for the development, implementation, and maintenance of its Information Security Program, including:
- Designating a security official with overall responsibility;
- Defining security roles and responsibilities for individuals with security responsibilities; and
- Designating a Security Leadership Team consisting of cross-functional management representatives to meet on a regular basis.
11 Testing
Regular testing of the key controls, systems and procedures of its information security program to validate that they are properly implemented and effective in addressing the threats and risks identified.
Such testing includes:
- Internal risk assessments;
- ISO 27001 certification (in process of application); and
- SAS 70 Type II (or successor standard) audits annually.
12 Monitoring
Monitoring the network and production systems, including error logs on servers, disks and security events for any potential problems.
Such monitoring includes:
- Reviewing changes affecting systems handling authentication, authorisation, and auditing;
- Reviewing privileged access to asBuilt production systems; and
- Engaging third parties to perform network vulnerability assessments and penetration testing on a regular basis.
13 Change and Configuration
Maintaining policies and procedures for managing changes to production systems, applications, and databases.
Such policies and procedures include:
- A process for documenting, testing and approving the promotion of changes into production;
- A security patching process that requires patching systems in a timely manner based on a risk analysis; and
- A process for asBuilt to utilise a third party to conduct web application-level security assessments.
These assessments generally include testing for:
- Cross-site request forgery;
- Improper input handling;
- Denial of service attacks;
- Weak session management;
- Data validation flaws and data model inconsistencies;
- Insufficient authentication; and
- Insufficient authorisation.
14 Program Adjustments
asBuilt monitors, evaluates, and adjusts, as appropriate, the security program in light of:
- Any relevant changes in technology and any internal or external threats to asBuilt or the Customer Data;
- Security and data privacy regulations applicable to asBuilt; and
- asBuilt’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.
