At One Point One Solutions, we’re committed to providing secure and reliable products and services to our partners. Security is a top priority for us, and we take a comprehensive approach to ensure that our corporate and product environments are protected. Our goal is to focus not only on the security of our products but also on the overall security architecture and practices within our organization.
To ensure the highest level of security, we follow a documented Information Security policy based on ISO27000 standards. This policy covers information classification and handling, access provisioning and review, personnel security and security awareness, application and system security, network security, vulnerability and threat management, security monitoring and incident management, and business continuity management. We also have a clear definition of employee responsibilities and acceptable use of information system resources.
Our policy is reviewed and updated periodically to stay up to date with the latest security standards and to address any potential vulnerabilities. We require all employees to review and acknowledge the policy annually to ensure that everyone is aware of their responsibilities and committed to following our security procedures.
Ensuring the security of our partners’ information is a top priority at One Point One Solutions. To achieve this goal, we have established a strong organizational structure for information security. Our Chief Technology & Information Security Officer (CTIO) reports directly to the Chief Executive Officer (CEO) and leads an Executive Information Security Council made up of senior leaders from all areas of our business. This ensures that our security program is overseen, and risks are managed appropriately. Within the organization, we have clearly defined roles and responsibilities, with a segregation of duties, to further enhance our information security efforts. Our Information Security organization is made up of key operating areas including:
We take the security and protection of our data and information system assets seriously, whether they belong to our partners or to us. We classify all assets according to their sensitivity and criticality, and we drive protection by implementing security policies and procedures that are relevant to each classification level.
We apply the same level of care and attention to our customers’ data, which we host in our private cloud. We do not inspect or monitor our customers’ data, and we have no ability to determine how they have classified their data. As such, we rely on our customers to be the data controller (i.e., data owner) for all data they store in their One Point One Solutions instance and to apply access controls according to their data classification policies. This ensures that our customers remain in control of their data, and that it is treated and handled in accordance with our policies for all customer data.
To ensure the protection of confidential information, One Point One Solutions has established policies regarding personnel conduct and security. All employees are required to conduct themselves according to the company’s guidelines, which include confidentiality, business ethics, and professional standards. Confidentiality agreements are also signed by all employees to ensure the protection of sensitive information. Additionally, One Point One Solutions provides security training to employees at the time of hire and annually thereafter, covering a range of topics such as security awareness, compliance, and privacy. The company’s code of conduct is also required reading, with employees expected to understand and complete a training course on the subject.
To ensure the safety and security of our facilities and the data within them, we have implemented robust physical and environmental security measures. Our corporate offices and support locations across the globe are equipped with policies, procedures, and infrastructure that comply with industry standards. We utilize cameras and badge access controls at all entrances, and our locations have backup power supplies that can draw power from diesel generators and backup batteries. Our information systems and infrastructure are geographically dispersed to provide high availability and redundancy to both One Point One Solutions and our valued customers.
To ensure the integrity of our systems, One Point One Solutions employs a formal change control process for any modifications made to our information systems, network devices, physical environment, and other system components. This process involves a comprehensive review, approval, testing, and post-implementation monitoring to ensure that the changes function properly and meet our expectations. By monitoring and controlling all changes made, we can mitigate the risk of unintended disruptions or errors in our systems.
To ensure the protection of our systems and data, all of our systems generate and maintain audit and event logs that capture security-relevant events and personnel access. These logs are sent to a central event management server for correlation and analysis and are protected from unauthorized access and tampering. Only authorized individuals have access to our auditing and logging tool, and the security operations team continuously monitors for suspicious activity. If potential security issues are identified, they are escalated to the Incident Response team accordingly. We also have retention schedules for the various logs defined in our security control guidelines, and administrators are alerted to critical system configuration changes in real time.
To ensure the security of our endpoints, One Point One Solutions has implemented a cloud-based, next-generation threat protection platform. This platform utilizes a combination of execution profiling and predictive security analytics, along with malware signatures, indicators of compromise, exploits, and vulnerabilities, to provide comprehensive endpoint protection. Our security team continuously monitors for potential threats and takes appropriate measures to protect our endpoints and data from any malicious activity.
To ensure the security of our systems and networks, One Point One Solutions conducts regular vulnerability scans and assessments. Any identified vulnerabilities are reviewed, prioritized, and assigned to the appropriate team for remediation based on severity. We also commission regular assessments, including vulnerability assessments, phishing assessments, and penetration tests through third-party providers that have been empanelled by CERT-In.
Additionally, One Point One Solutions has established a process to address zero-day vulnerabilities that includes utilizing threat intelligence for visibility, scanning to assess the threat, and emergency escalation provisions for remediation. This approach allows us to proactively identify and address vulnerabilities before they can be exploited by potential attackers.
One Point One Solutions employs automated tools to assist with the identification and deployment of patches across the organization. The tools are used to monitor for new patch releases, scan systems for missing patches, and automate the deployment of patches to endpoints. This ensures a timely and effective response to new vulnerabilities and reduces the risk of exploitation. One Point One Solutions also conducts regular reviews of patch management processes and procedures to ensure they remain effective and efficient.
One Point One Solutions uses a role-based access approach in all its information systems, meaning that access to system resources is granted based on an individual’s job function and responsibility. The system access entitlements are defined based on the principle of least privilege, which means that each user is granted only the minimum level of access necessary to perform their job responsibilities. This approach minimizes the risk of unauthorized access to sensitive data or systems.
To further enhance security, processes and procedures are in place to govern access provisioning, access termination, and periodic entitlement reviews. Access requests for additional resources are subject to a formal approval process that involves a data or system owner, manager, or other executives, as defined by One Point One Solutions’ security guidelines. These approvals are managed using workflow tools that maintain audit records of changes.
One Point One Solutions ensures that all users have unique account IDs, and password requirements enforce the use of complex passwords and password rotation to protect against unauthorized use of passwords. Passwords are individually salted and hashed for added security. Additionally, multifactor authentication (MFA) is enabled and enforced on employees’ accounts to access required applications. Privileged access is further controlled by segregation of account IDs, security notifications of privileged account usage, and time-bound access.
Application security is a process that ensures the security of software and applications throughout their development and operation. At One Point One Solutions, we have a defined methodology for software development that is designed to prioritize security and privacy. We implement security and security testing throughout the entire software development process and involve quality assurance at each phase of the lifecycle. Security best practices are also a mandatory aspect of all development activities.
Our secure development lifecycle includes standard security practices such as vulnerability testing, regression testing, penetration testing, and product security assessments. We also have an architecture review board that is responsible for reviewing all major changes to our products as well as changes to our engineering approach and methodology. This ensures that any vulnerabilities or security issues are identified and addressed before they can be exploited by attackers.
One Point One Solutions has established an incident response plan and procedures to handle any Information Security incident. This plan defines the roles and responsibilities of key personnel, outlines the processes and procedures for incident notification, and details the steps to be taken to respond to and contain the incident. The incident response team is well-trained and regularly tests the plan to ensure its effectiveness in a real-world scenario. The team is responsible for all aspects of incident response, including preparation, detection and analysis, containment, eradication, and recovery.
One Point One Solutions has implemented data backup and disaster recovery programs across all business-critical environments to minimize service interruption due to technology failures, natural disasters, or other catastrophic events. These programs have multiple components to reduce the risk of any single point of failure. Access and encryption controls are established to safeguard data backups and ensure data privacy and security.
To maintain the effectiveness of these programs, all recovery and data restoration plans are regularly tested and updated. This ensures that the recovery process is optimized and that our teams are prepared to respond to any potential disaster scenario. In the event of a disaster, One Point One Solutions has the capability to rapidly restore critical services, minimi