Every day, hundreds of companies entrust TowerData with their confidential information. Serving as a world-class steward for this information while it’s in our possession is critical to our success. TowerData’s ISO 27001-certified information systems contain multiple layers of security to ensure the confidentiality and integrity of all data that is submitted to us, and the availability of our services.
- TowerData’s corporate leadership is committed to protecting our clients’ information assets.
- Our Information Systems Management Committee, chaired by our VP of Compliance, is responsible for maintaining our security policies and systems.
- Annual risk assessment serves as a foundation for our information security efforts.
- TowerData’s systems are hosted in the cloud by Amazon Web Services. We take advantage of AWS’s extensive physical security controls and multi-availability-zone redundancy.
- All files submitted to TowerData are encrypted at rest using AES-256 with keys managed by Amazon KMS.
- All data transfers to and from TowerData are encrypted using TLS or SFTP.
- Most of our systems have automated patching in place, which keeps them on the latest patches wherever those patches are delivered through package managers.
- We have personnel responsible for subscribing to CVE announcements for all relevant software used by a given system, triaging the announcements, and applying patches quickly where necessary. This ensures we run the latest patches, even where those patches need to be applied manually, such as for custom-built software.
- We set each system’s firewall to reject all traffic by default and allow only the intended traffic types from accepted sources. All non-Internet-facing systems are confined to private subnets.
- SSH access is restricted to modern protocol versions and key-based authentication only, and is reachable only through an IP whitelist, VPN, and bastion hosts.
- We maintain strong IT policies that are clearly explained and enforced.
- All employees and IT contractors undergo extensive background checks including criminal history, the terrorism watch list, financial crimes list, and drug screening.
- All employees and IT contractors complete regular security awareness training.
- In addition to understanding and complying with our privacy and acceptable use policies, employees are responsible for alerting management if they ever see signs of practices that might be inconsistent with the policy.
- Even when hiring for non-technical positions, we look for candidates with an appreciation for, and interest in, security.
- All employee accounts undergo regular access reviews to ensure that everyone has the minimum amount of access to do their jobs.
- We use MFA for all administrative accounts and other accounts wherever possible.
- Code reviews are required for all changes, with a focus on OWASP top ten vulnerabilities.
- For software that we write ourselves, we design it to resist attack and use extensive testing to verify that it does.
Intrusion detection systems
- Intrusion detection begins with Amazon GuardDuty. Findings are reviewed by custom software and may be escalated for human review.
- IPS triggers are implemented when necessary.
- Internal vulnerability scans are completed quarterly and when major software releases are rolled out.
- Annual penetration testing is performed by an outside agency to ensure that our internal testing is not missing anything.
- Internal audits: We perform annual audits to confirm that we are complying with our own policies.
- External audits: Annual audits are completed by an external agency to maintain ISO 27001 certification.
Business continuity and disaster recovery
- TowerData uses high-availability architecture across multiple geographic zones to keep our systems running and to recover quickly in case of an outage.