Security Overview
Casepoint has established comprehensive security measures at all levels — organizational, architectural, and operational — to ensure that all data, applications, and infrastructure remain protected and secure.
Casepoint has designed, developed, documented, approved, and implemented an Information Security Management Program (ISMP) that addresses industry-best practices around security and privacy. Our ISMP includes administrative, technical, and physical safeguards to protect data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. Our ISMP is also comprehensively documented with corresponding manuals for our security procedures and other policies.
Organizational Security
At Casepoint, security is the responsibility of each and every employee. All new Casepoint employees undergo a security awareness training within the first three days of employment.
Casepoint's security team comprises a group of executives from across our enterprise. This team designs and drives our security programs and ensures that security awareness and policies are maintained across the organization.
Architectural Security
Data Encryption
Casepoint has defined policies for granular access controls. Casepoint uses FIPS 140-2 compliant algorithms such as AES256. The storage system encrypts data at rest with AES256, and data in transit is encrypted using TLS 1.2 with AES256. All media drives are encrypted with military-grade encryption.
Logical Security
Casepoint security access is role-based, supporting LDAP delegated authentication, SAML for single sign-on, and multi-factor authentication. Casepoint can also restrict access to customer-managed devices for your users in two ways: by restricting IP addresses, and through multi-factor authentication (MFA), including integration with certain identity management systems.
Single Sign-on Support
Casepoint supports single sign-on for organizations that use Microsoft Active Directory Federation Services.
Multi-Factor Authentication
Casepoint’s authentication uses multi-factor authentication. Users need a username, a password, and a six-digit token received via an approved software token generator mobile application, or a six-digit code received via email. If required by a client, Casepoint can work to set up hardware authentication with their internal systems.
Operational Security
Physical Security
There are several levels of physical security controls in place to protect information assets in our offices and facilities where information assets are stored and/or processed.
All physical access to the data centers is highly restricted and stringently regulated. Casepoint physical security includes:
- Physical security personnel
- Key card entry
- Biometric scanners
- Double mantrap entries
- Controlled site access
- Cameras with perimeter and interior IP-DVR
Network Security
Next-generation firewalls are implemented for the protection of all networks. All the information passing through the network is encrypted using AES with TLS 1.2.
Casepoint has implemented a web application firewall (WAF) along with IDS and IPS solutions for the entire environment.
A SIEM solution is implemented for correlation and analysis of all events occurring in the environment, with automatically triggered alerts.
Application Security
Casepoint follows NIST guidance regarding security considerations in software development: information security must be integrated into the software development lifecycle (a PRINCE2 Agile-based SDLC) from system inception.
Casepoint has established software development and release management processes to control implementation of major changes including:
- The identification and documentation of the planned change
- Identification of business goals, priorities, and scenarios during product planning
- Specification of feature/component design
- Operational readiness review based on predefined criteria/checklist to assess overall risk/impact
- Testing, authorization, and change management based on entry/exit criteria for DEV (development), Testing (QA/QC), UAT (pre-production) and PROD (production) environments as appropriate.
Vulnerability Assessments
On a quarterly basis, Casepoint’s internal security team performs internal penetration tests to identify and mitigate new vulnerabilities and keep the environment secure.
On an annual basis, Casepoint has a third party conduct a vulnerability assessment and penetration test (VAPT) to make the environment more robust.
In addition, on a monthly basis, Casepoint performs vulnerability scanning of all servers using the Nessus tool as part of its continuous monitoring process.