SECURITY

Superior Security. Trusted Protection.

Learn why the world’s leading corporations, law firms, and government agencies trust Casepoint to keep their data protected and secure.

Casepoint’s number one priority is to keep your data safe and secure. Casepoint and all of its data centers have obtained and maintained the highest levels of industry security certifications and attestations, undergoing all applicable reviews. 

Below are Casepoint’s certifications and third-party audits, to help your compliance and legal teams understand and validate the compliance requirements for your organization.

Certifications and Third-Party Audits

FedRAMP Moderate

The FedRAMP Moderate impact level is the standard for cloud computing security for controlled unclassified information across federal government agencies.

SOC 1

Service Organization Controls (SOC 1) reports provide information about a service organization’s control environment that may be relevant to the customer’s internal controls over financial reporting.

Our SOC 1 Type II report is issued in accordance with Statements on Standards of Attestation Engagements (SSAE) No. 18 (Reporting on Controls at a Service Organization).

The SOC 1 report covers the Account Opening, Customer Service, Data Processing, Data Retention and Destruction, and Account Closure services throughout the period April 01, 2019 to March 31, 2020, and the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in the description.

SOC 2

The Casepoint SOC 2 Type II report is an independent assessment of our control environment performed by a third party.

Our SOC 1 Type II report is issued in accordance with Statements on Controls placed in Operation.

The SOC 2 report is based on the AICPA’s Trust Services Criteria and is issued annually in accordance with the AICPA’s AT Section 101 (Attest Engagements). The report covers a 12-month period and addresses the description of a Service Organization’s System Relevant to Security, Confidentiality, Availability, Processing Integrity, and Privacy, and the suitability of the design and operating effectiveness of controls.

SOC 3

The American Institute of Certified Public Accountants (AICPA) has developed the Service Organization Control (SOC 3) framework for safeguarding the confidentiality and privacy of information that is stored and processed in the cloud.

ISO 9001:2015

ISO 9001:2015 specifies the requirements for a quality management system where an organization needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.

ISO 27001:2013

ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.

Privacy Shield

Casepoint complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States.

NIST 800-53

The NIST SP 800-53 controls database represents the security controls and associated assessment procedures defined in NIST SP 800-53 Revision 4, Recommended Security Controls for Federal Information Systems and Organizations.

NIST 800-171

NIST 800-171 refers to the National Institute of Standards and Technology Special Publication 800-171, which governs Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations. It is essentially a set of standards that define how to safeguard and distribute material deemed sensitive but not classified.

SIG Questionnaire

The Standardized Information Gathering (SIG) Questionnaire is a compilation of information technology and data security questions across a broad spectrum of control areas into one industry standard questionnaire.

The SIG is issued by Shared Assessments, a global organization dedicated to third party risk assurance. Casepoint self-assesses against the SIG annually, providing our customers with an in-depth view of our control environment against a standardized set of inquiries.

Other Certifications

Looking for a certification that isn’t listed here? It’s possible we’ve received it recently, and haven’t yet updated our website. Please reach out to us at sales@casepoint.com or use our in-page chat support, and we’ll let you know if we have (or soon expect to have) the additional certifications needed for your organization’s needs.

Security Datasheet

A list of the above certifications is also available and summarized on this one-page Security Datasheet.

Security Overview

Casepoint has established comprehensive security measures at all levels—organizational, architectural, and operational—to ensure that all data, applications, and infrastructure remain protected and secure.

Casepoint has designed, developed, documented, approved, and implemented an Information Security Management Program (ISMP) that addresses industry best practices around security and privacy. Our ISMP includes administrative, technical, and physical safeguards to protect data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. Our ISMP is also comprehensively documented, with corresponding manuals for our security procedures and other policies.

Organizational Security

At Casepoint, security is the responsibility of each and every employee. All new Casepoint employees undergo security awareness training within the first three days of employment.

We also send out monthly security newsletters to maintain security awareness and update employees with training and best practices regarding phishing, malware, industry data breaches, and more. We ensure that all Casepoint employees are apprised of security best practices and learn from the unfortunate experiences of other firms.

Casepoint’s Security Team comprises a group of executives from across our enterprise. This team designs and drives our security programs and ensures that our security awareness and policies are maintained across the organization.

Architectural Security

Data Encryption

Casepoint has defined policies for granular access controls, such as network access control, OS access control, application access control, a VPN access policy, and an end-user encryption key protection policy. Casepoint uses FIPS 140-2 compliant algorithms such as AES-256. The storage system uses AES-256 encryption, and data in transit is encrypted using TLS 1.2 with AES-256. All media drives are encrypted with military-grade encryption.

Logical Security

Casepoint security access is role-based, supporting LDAP delegated authentication, SAML for single sign-on, and multi-factor authentication. Casepoint can also restrict access to customer-managed devices for your users in two ways: restricting IP addresses to a particular location (for example, customer offices) and through multi-factor authentication (MFA), including integration with certain identity management systems (e.g. SAML, ADFS SSO, etc.).

Single-Sign-On Support

Casepoint supports single sign-on for organizations that use Microsoft Active Directory Federation Services.

Multifactor Authentication

Casepoint’s authentication method uses multi-factor authentication. Users need a username, a password, and a 6-digit token generated by an approved software token generator running as a mobile application on a registered iPhone or Android device (Google Authenticator, Microsoft Authenticator, Yubikey, etc.), or a six-digit code received via email. If required by a client, Casepoint can work to set up hardware authentication with their internal systems (e.g. RSA, Yubikey, etc.).
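As an added illustration of the two access gates described under Logical Security and Multifactor Authentication above (an IP allow-list for customer locations and a 6-digit authenticator-app token), the following Python is example code written for this page, not Casepoint’s implementation, about which nothing beyond the text is known. The office network range and the authenticator seed it is tested with are constructed placeholders.

```python
import hashlib
import hmac
import struct
from ipaddress import ip_address, ip_network

STEP_SECONDS = 30  # time step used by Google/Microsoft Authenticator by default
DIGITS = 6         # the 6-digit token length named on the page


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the default scheme of the authenticator apps above."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used_step: int = -1, window: int = 1):
    """Return the accepted time step, or None.

    Accepts the current step +/- `window` steps to absorb clock skew, compares in
    constant time, and refuses any step at or before the last one this user already
    consumed, so a captured code cannot be replayed inside the skew window.
    """
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return None
    current = unix_time // STEP_SECONDS
    for step in range(current - window, current + window + 1):
        if step <= last_used_step:
            continue
        if hmac.compare_digest(totp(secret, step * STEP_SECONDS), submitted):
            return step
    return None


# Constructed office range standing in for "a particular location (customer offices)".
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24")]


def ip_allowed(client_ip: str) -> bool:
    addr = ip_address(client_ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def login_allowed(client_ip: str, password_ok: bool, secret: bytes,
                  code: str, unix_time: int, last_used_step: int = -1) -> bool:
    """Every gate must pass: password, source IP allow-list, then the TOTP second factor."""
    if not (password_ok and ip_allowed(client_ip)):
        return False
    return verify_totp(secret, code, unix_time, last_used_step) is not None
```

The test seed below is the RFC 4226/6238 reference secret, so the expected codes are the published test vectors.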

Operational Security

Physical Security

There are several levels of physical security controls in place to protect information assets in our offices and in the facilities where information assets are stored and/or processed (i.e. our secure data center).

Our headquarters facility, located in a large professional office building, is staffed by multiple security guards at the lobby entrance on a 24 x 7 basis. Access to certain offices and rooms (such as the IT room) requires special key card access and/or a special key, which is restricted on a role and need-only basis.

All physical access to the data centers is highly restricted and stringently regulated. Data center physical security includes:

  • Physical security personnel
  • Key card entry
  • Biometric scanners
  • Double mantrap entries
  • Controlled site access
  • Cameras with perimeter and interior IP-DVR

Network Security

Casepoint has implemented Windows Firewall and System Center Endpoint Protection (SCEP) on all Windows servers and iptables on Linux hosts within the production environment. All alerts are forwarded to the SIEM for correlation and analysis. Azure Network Watcher captures Azure Network Security Group (NSG) flow logs and sends them to the SIEM. Casepoint SOC personnel use these alerts, dashboards, and reports to monitor Casepoint cloud environments for suspicious and/or malicious activity in real time.

Casepoint has established detailed operating policies, procedures, and processes designed to help manage the overall quality and integrity of the organization’s environment. We have also implemented proactive security controls such as network intrusion prevention systems (IPS). The network IPS monitors the critical network segments for atypical network patterns in the customer environment as well as the traffic between tiers and services.

Application Security

Casepoint’s management-approved ISMS Manual provides policies and procedures for the development or acquisition of new applications, systems, databases, infrastructure, services, operations, and facilities.

Casepoint follows NIST guidance regarding security considerations in software development, in that information security must be integrated into the software development lifecycle (SDLC) from system inception.

Continual integration of security practices into Casepoint’s agile-based SDLC enables quick, early identification and mitigation of security vulnerabilities and misconfigurations; awareness of potential software coding challenges caused by required security controls; identification of shared security services and reuse of security best-practice tools, which improves security posture through proven methods and techniques; and enforces Casepoint’s already comprehensive risk management program.

Casepoint has established software development and release management processes to control implementation of major changes including:

  • The identification and documentation of the planned change
  • Identification of business goals, priorities and scenarios during product planning
  • Specification of feature/component design
  • Operational readiness review based on pre-defined criteria/checklist to assess overall risk/impact
  • Testing, authorization and change management based on entry/exit criteria for DEV (development), Testing (QA/QC), UAT (Pre-production) and PROD (production) environments as appropriate.

Vulnerability Assessments

On a quarterly basis, Casepoint’s internal security team performs internal penetration tests to identify and mitigate new vulnerabilities and keep the environment safe.

On an annual basis, Casepoint conducts a third-party vulnerability assessment and penetration test (VAPT) to make the environment more robust.

In addition, on a monthly basis, Casepoint performs vulnerability scanning of all servers using the Nessus tool as part of its Continuous Monitoring process.

Ready to See Casepoint in Action?

Learn how to deliver more value and maximize your competitive advantage with our powerful technology and secure end-to-end platform.
