
Secure Design

Security and Compliance

Secure by Design


The 360 Degrees Platform is a Software-as-a-Service (SaaS) platform that offers a unified solution designed to provide confidential, secure vetting services.

The Client is the client of 360 Degrees. The Customer is the individual being vetted, and the User is any party utilising the 360 Degrees platform.

Benefits of the Platform Approach to Security

Secure-by-design architecture

  • End-to-end encryption with 256-bit AES encryption keys
  • Encryption is applied throughout the system, using randomly generated key material
  • 360 Degrees automatically deletes confidential client data entirely from the platform after 21 days
  • The 360 Degrees platform does not require the Client to download any software; the only download is the Customer's confidential data.

360 Degrees implements unified governance and compliance across the platform.

Security Partner

360 Degrees Vetting Limited has a dedicated Security Partner: a diverse team of security professionals focusing on product security, security operations, incident response, risk management, and compliance of the 360 Degrees platform, who monitor the platform in real time.

360 Degrees Responsibility

Customers share the responsibility not only for keeping their data secure, but also for complying with privacy laws.

  • Customers have full ownership of their user access controls.
  • Customers manage their own data lifecycle.
  • Customers decide what information goes into their system, how long it should be retained, and what data should be deleted.
  • Customers determine who can access their data.

Security Protocols

The protocols include capabilities to assist Clients in their responsibility for managing end-user system access:

  • Enforce strong passwords
  • Configure password expiry
  • Configure session timeout
  • Configure SSO (Single Sign-On) via SAML 2.0
  • Challenge user accounts after multiple failed logins
  • Easily delete or suspend user accounts
  • Specifically identify permissible user IP addresses
  • Use activity tracking to log access and system use

Data Protections

Data Security

Data is encrypted during transmission and at rest (AES-256) within the 360 Degrees data storage facility. All platform customer data, including data in backups, is stored exclusively on the single 360 Degrees hosting server, where applicable.

Data and Service Redundancy

In addition to this real-time redundancy, we back up all customer data, including field data and attached documents stored in your account within the system. A full backup of the entire system database is run daily. Backups are kept for the purpose of restoring data integrity after a systemic or database failure, not for the purpose of restoring the end Customer's deleted data.

Data ownership

Clients own their data completely and are responsible for setting retention spans and for deleting unwanted content as they see fit. Customers have a responsibility to ensure their data is compliant with applicable policies, regulations, and laws. 360 Degrees has the responsibility of ensuring the platform hosting customer data is secure until such data is auto-deleted.

Terminating Services

When you choose to terminate your service, 360 Degrees will extend access to the system for an additional 30 days so that you can copy or extract any data you wish to retain, unless it has already been deleted. Once you have extracted your data, you have the full ability and responsibility to delete any or all of your remaining data in your system.

To protect the Client's data and privacy, 360 Degrees automatically deletes and removes the client data after 21 days.

Service Resiliency

360 Degrees is committed to delivering a world-class customer experience. Engineering teams actively monitor the platform for availability and performance.

360 Degrees maintains a disaster recovery plan. While the customer impact of a physical or environmental threat to its headquarters is considered low, the safety and availability of 360 Degrees personnel is mission critical.

Data Privacy

Customer data (for purposes of clarity, the Customer is the ultimate individual being vetted) is considered confidential information and is handled securely by 360 Degrees personnel. Customer data is never copied to assets outside the 360 Degrees environment, including employee laptops. Any troubleshooting that needs to be performed on customer data is performed in our secure environment.

Any required action by 360 Degrees personnel on a system is limited to resolving the client's needs, and nothing more. Once a customer is satisfied with the result and the ticket is closed, access is removed. 360 Degrees collects only the minimum personally identifiable information necessary from your customers for purposes of account set-up, access to product resources, and system administration. All confidential client data is deleted after 21 days.

Compliance

Platform Compliance

360 Degrees follows ISO/IEC 27001 standards to keep information secure by implementing an Information Security Management System (ISMS). This provides a systematic approach for managing risk across 360 Degrees' staff, processes, and IT systems.

The 360 Degrees platform undergoes annual SSAE 18 SOC 2 Type II audits. The SOC 2 Type II audit is an industry-recognized, independent audit which reports on the suitability of the design and the operating effectiveness of 360 Degrees' controls relating to security, availability, and confidentiality.

Reviewing 360 Degrees Policies, Security Documentation, and Audit Reports

Robust information security policies and processes are the foundation of the 360 Degrees platform's security program. Security is reinforced by a range of operational and security policies, standards, and procedures that address various controls and requirements. These measures ensure that our customers can trust the platform to protect their data and maintain the highest levels of confidentiality, integrity, and availability.

Platform Security Controls

360 Degrees platform security is founded on the controls that are built into the service to protect customer data. Management regularly assesses risk, monitors the controls, evaluates potential threats, and uses this information to update the controls framework, from policies and procedures to encryption protocols, across all aspects of the 360 Degrees platform.

Data Encryption

Strong encryption is used to protect all data in transit and at rest. Encryption in transit is achieved via the industry-standard TLS (Transport Layer Security) protocol, supporting only the strongest encryption algorithms, including AES (Advanced Encryption Standard) with up to 256-bit key lengths. Encryption at rest is achieved by leveraging encryption software to create and store the 256-bit AES encryption keys.

By using TLS version 1.3, an encrypted communication channel between the end-user web browser and the platform is established, ensuring the confidentiality and integrity of all data transmissions end-to-end.

The AES algorithm is widely recognized and approved by organizations worldwide as an industry standard in government, military, and commercial applications.

All emails from our platform are transmitted via TLS-encrypted channels, when available.

Password Management

User passwords are never stored in clear text. A strong cryptographic algorithm is used to generate irreversible strings known as password hashes. The algorithm also uses a unique, long, random value known as a salt, which is different for each user and ensures protection against attacks based on pre-computation of password hashes.

Password Attempts

When signing in to our platform or generating a token to use in another application, users have up to five attempts to enter their password. After five failed attempts, a reCAPTCHA challenge is displayed. reCAPTCHA is a service that protects websites from spam and abuse, and requires you to enter a series of characters or numbers to prove you are human.

Session expiry

A session is the period of activity between a user logging in to and out of an application. Sessions are global to all platform modules. Your session expires if you are inactive for the duration set by an Account Admin.

Anti-malware Protections

Files uploaded to the platform are automatically scanned for malware to protect users.

Event Monitoring

All product systems are monitored for security and availability. In the event of any service interruption, alerts are delivered via e-mail, text message, and phone call to system administrators and management.

Security and performance are monitored using sophisticated third-party monitoring tools. Security and performance requirements are reviewed on a weekly basis and any issues noted that potentially impact customers are documented and resolved.

Privileged Access

360 Degrees follows the principle of least privilege for internal administration. Employees who require administrative access must request it via a ticketing system. The request requires approval from management before access is granted.

360 Degrees' administrative access is protected with a combination of network restrictions, username/password, multi-factor authentication, and private keys. Session limits for inactivity are set to 15 minutes. All access is tracked and monitored for suspicious activity. Administrative access to applications is granted to employees only on the basis of their job responsibilities. Access to all production systems and internal applications is removed upon termination of employment.

Secure Software Development Life Cycle (SSDLC)

At all phases in the application development process, security is a top priority. 360 Degrees builds security into the platform.

Secure coding best practices are strictly followed. Common application layer vulnerabilities, including all OWASP Top 10 vulnerabilities, are explicitly addressed at all stages of the SDLC using industry standard counter-measures, such as explicit sanitization of all user input, use of parameterized queries, and use of secure libraries. All code changes are controlled and approved, and must go through strict peer review and Quality Assurance (QA) testing prior to production deployment.

Segregation of duties

Procedures, controls, and monitoring are in place to ensure that a separation of duties exists between the define, design, build, test, and deploy phases of the software lifecycle. Third-party monitoring tools are used in development, test, and production to detect run-time errors and monitor performance, so that multiple stakeholders are informed of deployments and errors.

Penetration and hard testing

In addition to internal security testing, 360 Degrees uses third-party independent penetration testing to check for security vulnerabilities. These tests are performed by an organization specializing in software security, and are used to probe the environment for vulnerabilities such as cross-site scripting, SQL injection, and weaknesses in session and cookie management. Exploitable vulnerabilities are resolved on a timely basis according to severity and impact.

Web scans and testing

360 Degrees source code is maintained in a repository used exclusively for source code management. The source code repository is a complete copy of the source code. Vulnerability scans are performed to identify security flaws within the source code (statically) and dynamically on all applications prior to a production release. Any findings are resolved in a timely fashion.

Incident Management

360 Degrees has a robust platform Incident Response Plan to promptly and effectively manage incidents and minimize impact to the platform. A Security Incident Response Team (SIRT) is responsible for responding to, managing, and conducting security investigations, including all aspects of communication such as deciding how, when, and to whom the findings shall be reported.

Incident Response Plan


  1. Preparation - activities that enable the SIRT to respond to an incident: policies, tools, procedures, training, effective governance, and communication plans. Preparation also implies that the affected groups have instituted the controls necessary to recover and continue operations after an incident is discovered. Post-mortem analyses from prior incidents form the basis for continuous improvement of this stage.
  2. Detection & Investigation - the discovery of the event with security tools or notification by an inside or outside party about a suspected incident, and the declaration and initial classification of the incident. Investigation includes completing an Incident Log to keep track of all incident activities. 360 Degrees monitors and investigates all events and reports of suspicious or unexpected activity, and tracks them in an internal ticketing system. Investigation is the phase where SIRT personnel identify and determine the priority, scope, and root cause of the incident.
  3. Containment - the triage phase where the affected host or system is identified, isolated or otherwise mitigated, affected parties are notified, and investigative status is established. This phase includes sub-procedures for seizure and evidence handling, escalation, and communication. All evidence will be handled in accordance with local evidence handling procedures and legal requirements.
  4. Remediation & Eradication - the post-incident repair and recovery of affected systems and/or data, communication and instruction to affected parties, and analysis that confirms the threat has been contained. Apart from any formal reports, the post-mortem will be completed at this stage, as it may affect the remediation and interpretation of the incident.
  5. Recovery - the analysis of the incident for its procedural and policy implications, the gathering of metrics, and the incorporation of "lessons learned" into future response activities and training.
  6. Post-incident Activities - activities within the recovery stage include "Lessons Learned." Lessons Learned allows the SIRT to identify any weaknesses in the plan and the supporting policy and/or process, and to put in place remedial actions to mitigate any further such incident. During Lessons Learned, the SIRT will review the incident and examine all associated artefacts to identify the root cause. Lessons learned are documented and used to improve the plan.

360 Degrees Generative AI Usage Principles

AI Safety and Ethics

360 Degrees is committed to responsible AI deployment. 360 Degrees maintains an AI Safety and Ethics group composed of Information Security, Legal, Product, Engineering, and Executive Leadership. This group meets regularly to actively ensure our use of AI technologies meets the highest ethical and safety standards, in order to protect the integrity of the ultimate customer's data.

360 Degrees Generative AI Principles

By default, 360 Degrees does not use AI models trained on data belonging to customers. Any deviation from this principle requires customer authorization and is always the customer's choice. Furthermore, 360 Degrees products label AI-generated content to help users identify AI-generated information.

360 Degrees develops AI functionality following the same secure development process as non-AI functionality. Information security controls that protect customer data (e.g. retention, encryption, and residency) are maintained at the same level.

Note:

As the intrinsic nature of the 360 Degrees platform is customer vetting, a fact-based process that combines ascertaining factual information, validating identification and an individual's background, and confirming and ascertaining qualifications and accreditation when applicable, the utilisation of AI is qualified and limited to enhancing that process only.
