SibylSoft Security Policy

Introduction

Cloud computing, and the Software as a Service (SaaS) it has enabled, has changed the way that companies today do business. Organizations look to their SaaS providers to oversee or manage their infrastructure, operations, and delivery of services, realizing that these product providers can split the costs to deliver secure and compliant infrastructure across multiple customers and alleviate the organization of the need to fund dedicated resources.


As a cloud-based SaaS provider, SibylSoft fully understands the security implications of the cloud model. That’s why we designed our solutions to deliver better security than many traditional on-premises approaches. We make our security-first approach a priority to protect our own operations and to protect our customers.


Zero-trust principles drive our system architectures, our operations, and our organizational structures.  In this policy document, we outline our most significant security and compliance practices. 


Disclaimer

The content contained herein is correct as of June 2021, and represents the status quo as of the time it was written. SibylSoft's security policies and systems may change going forward, as we continually improve protection for our customers.


SibylSoft’s Security-Focused Culture

SibylSoft has created an inclusive, security-focused culture for all employees.  Beyond our own use of our product line, we implement several other practices designed to support and encourage this culture and to ensure that every employee is an engaged and contributing member of our security team.


Employee Background Checks

Before someone joins our staff, SibylSoft verifies their education and previous employment, and performs internal and external reference checks. Where local labor law or statutory regulations permit, SibylSoft may also conduct identity and criminal checks and confirm work status, depending on the position.


Mandatory Security Awareness Training

In addition to the awareness activities included in their use of Sibylity, SibylSoft employees undergo security training as part of the orientation process and throughout their SibylSoft careers.  Depending on their role, employees participate in additional training on specific aspects of security and attend presentations on security-related topics relevant to their roles.


Secure Environments

SibylSoft’s zero-trust approach enforces context-aware critical access controls. This approach considers both internal and external networks to be inherently untrusted.  Within internal networks, we make use of additional isolation capabilities to ensure minimum necessary access and to optimize the value of defense-in-depth principles.


Additionally, our teams are trained on the practices of desktop security and participate in information flow assessments designed to identify vulnerabilities in workplace practices and environments.


Our Dedicated Security Personnel

SibylSoft maintains a team of full-time security and compliance professionals who are responsible for coordinating the engagement of our workforce in cybersecurity practices. They are additionally tasked with maintaining our defense systems, developing security review processes, building security infrastructure and implementing the company’s security policies.  The team actively scans for security threats using commercial and custom tools, penetration tests, quality assurance (QA) measures and software security reviews.


Federated Cyber-Risk Management

Federated cyber-risk management is the next evolution of cyber-risk management.  The aim is to use the benefits achieved through the cyber-risk management process as a way to mitigate the risk of human-enabled breaches.  It is designed to be an efficient method for implementing a cybersecurity-aware culture.  Through it, the educational aspects of cybersecurity aren’t limited to a unidirectional annual training, but are integrated into the cybersecurity processes themselves, allowing for insights to flow bidirectionally.  SibylSoft is dedicated to this concept and to achieving its full value through our full use of the Sibylity product line.


Operational Security

Security at SibylSoft is an integral part of our operations.


Cyber-Risk Management

The cyber-risk management process, when implemented fully and correctly, provides organizations with the following benefits:


  1. It aids in the identification of vulnerabilities.
  2. It helps organizations to better understand their current risk so they can make more informed decisions about how to prioritize mitigation actions.
  3. It ensures that risk-handling decisions are represented in a documented security plan that can be disseminated to the stakeholders who need to know the actions that must be taken.


SibylSoft implements a form of risk management known as Federated Cyber-Risk Management.


Vulnerability Management

SibylSoft’s vulnerability management program actively scans for security threats using a combination of commercially available and purpose-built in-house tools, intensive automated and manual penetration efforts, quality assurance processes, software security reviews, and audits.


Configuration Change Management

SibylSoft maintains a baseline configuration for our systems using automation technologies that allow us to implement security-as-code and compliance-as-code approaches in a repeatable manner, regardless of which isolation strategy each customer chooses.


Changes to our baseline configurations undergo a rigorous review, validation, and approval process as a part of our release management activities. 


Malware Prevention

An effective malware attack can lead to account compromise, data theft, and possibly additional access to a network.  SibylSoft takes these threats to its networks and its customers very seriously and uses a variety of methods to prevent, detect and eradicate malware.


We use detection methods to identify and isolate suspicious emails and sites accessed through our email systems or from SibylSoft-managed devices.  Then, we use automated malware scanning on all SibylSoft-managed devices to detect and eradicate known malware.  Finally, we monitor these systems to detect signs of anomalous behavior and investigate those findings.


Security Monitoring

SibylSoft’s security monitoring program is focused on gathering information from internal network traffic, correlating it with employee actions, and matching it against the same threat intelligence we curate and use for the benefit of our customers in our Sibylity product line.  These automated network analyses help identify potentially unknown threats and ensure they are escalated for investigation.


Incident Response

SibylSoft implements a rigorous process for managing security events and incidents.  This process specifies actions, escalations, mitigations, resolutions, and notification requirements for management of any internally or externally reported incidents.  Further, retrospectives are performed following the resolution of major or unique incidents so that lessons learned can be used for the ongoing benefit of our customers.


Data Center Security

As a cloud-based SaaS product provider, SibylSoft uses principles of zero-trust and defense-in-depth to create an IT infrastructure that is more secure than traditional technologies.  As a customer of Amazon Web Services (AWS), SibylSoft can confidently offload some of the infrastructure management responsibilities to AWS; however, we recognize and understand the limitations of what they can do for us.  So we proactively manage our relationship with AWS and the controls implemented at the technical boundaries between their responsibilities and ours.


Cloud Services Provider

AWS maintains a document describing their Shared Responsibility Model that clarifies the separation of responsibilities for security controls between AWS and their customers, like us.  It can be found here:  https://aws.amazon.com/compliance/shared-responsibility-model/.


This document forms the foundation upon which we build our technical security practices and we strive to remain consistent and current with the AWS recommendations for applying the AWS Shared Responsibility Model in Practice documented on that same page.


Security, Identity, and Compliance Tools

Within the areas of responsibility that fall to us, we predominantly choose AWS technologies and apply them in ways that are consistent with recommendations for secure systems.  Information about these technologies can be found here:  https://aws.amazon.com/products/security/


Additionally, we make use of third-party audit, assessment, and scanning technologies as a way to facilitate independent verification.


Supporting Compliance Requirements

SibylSoft is committed to providing secure products and services that meet your compliance and reporting requirements.  We publish our Security and Privacy policies as well as our Terms of Use.  Our products undergo regular internal verification of their security and compliance controls and our Enterprise customers can request privileged access to these and other reports. 


Regulatory Compliance

Our customers may operate across regulated industries, including finance, government, healthcare and education. SibylSoft provides products and services in a way that enables our customers to be compliant with numerous industry-specific requirements through well-known and documented control standard mappings.


Independent Third-Party Certifications

SibylSoft aims to achieve and maintain various third-party certifications and attestations.  Enterprise customers may contact their SibylSoft representative for the latest updates on this for their current product version.


Data Access and Restrictions

Our data access practices start with a clean separation between our operational data and our customers’ data.  This allows us to minimize the number of employees that have access to customer data.


Administrative Access

We’ve designed our systems to actively monitor the activities of those employees that administer the system and, in particular, those who require access to customer data as a part of their work assignments. 


Non-administrator SibylSoft employees are only granted a limited set of default permissions to access company resources. SibylSoft follows a formal process to grant or revoke employee access to SibylSoft resources, and access is automatically removed for departing employees. 


Access authorization is enforced at all relevant layers of the system. Access is monitored by our dedicated security personnel as a check on the effectiveness of our controls. The security personnel actively monitor access patterns and investigate unusual events.


For Customer Administrators

Customers can control access to data and services on Sibylity to help ensure that data is protected in accordance with the organization’s desired configuration. In Sibylity Enterprise, role and group-based access controls enable customers to appoint users as administrators, granting the user the ability to access and perform certain tasks in the Sibylity Administrator application. 


Law Enforcement Data Requests

The customer, as the owner of their customer data, is primarily responsible for responding to law enforcement data requests and it is SibylSoft’s policy to direct the government to request such data directly from the customer.


Empowering Customers 

Our robust security infrastructure and systems provide the default security and compliance support for our customers.  Beyond this, customers are actively empowered to enhance and customize individual security options through their selection of security features and through choices they make when administering the application.


Access and Authentication

2-Step Verification

Enterprise customers can strengthen account security by enabling 2-step verification. This can help mitigate risks such as the misconfiguration of employee access controls or attackers taking advantage of compromised accounts.  Options include our in-house verification solution or bringing your own.


Single Sign-On (SAML 2.0)

SibylSoft offers Enterprise customers the option to use their own single sign-on (SSO) service, which lets users access multiple services through the same sign-in page and authentication credentials. This is based on SAML 2.0, an XML standard that allows secure web domains to exchange user authentication and authorization data.


OAuth 2.0 and OpenID Connect

SibylSoft offers Enterprise customers the option to use their own identity providers implementing OAuth 2.0 and OpenID Connect, open protocols for authorization and authentication that allow customers to configure a single sign-on (SSO) service for multiple cloud solutions.


Isolation and Location Strategies

SibylSoft offers Enterprise customers some security options that impact how and where their instances of the Sibylity product are deployed.


Partial Isolation

Partial isolation is the default deployment.  It uses common multi-tenant approaches to ensuring customer data remains isolated.  Under this model, the technology stack is shared with the following exceptions:


  • Enterprise customers always receive their own dedicated user pool in our identity and access management environment.  Access controls restricting access to customer-specific data use this pool to ensure no cross-contamination.
  • Enterprise customer data is kept in customer-specific database shards, and access to those shards is constrained to users within the corresponding customer user pool.


Full Isolation

Full isolation is an option available to Enterprise customers.  Under this model, the application is deployed in a customer-specific virtual private cloud environment.  There is no sharing of any resources with other customers beyond the inherent sharing common to all cloud deployments.


Data Location 

Enterprise customers may request that their deployment keeps their customer data within a specific region or country.  We will do our best to accommodate this within the constraints of the available AWS data center locations.  Static assets provided by SibylSoft or used for customer branding are not included.  We serve those using a global CDN, so copies may be present near your users when they access the application.


Controlling Access

Groups and Roles are the primary mechanism for controlling the flow of information to your organization.  These access control features are supplemented by discretionary access capabilities that permit users to make individual access control decisions that are limited by design and constrained according to settings you control. 


Groups for Compartmentalization

It is through Groups that you can achieve compartmentalization.  When your organization is instantiated within Sibylity, you will be given a top-level Group representing your organization.  This allows you to grant organization-wide access to the persons you determine should have that level of visibility.  You may add any hierarchy of subgroups you like from there.


Roles for Controlling Actions

Sibylity has a set of predefined Roles that, when coupled with Groups and applied to a user, represent the level of access to a specific set of data that will be granted to that user.  Roles are cumulative, so users with multiple Roles will have access to a broader set of features than persons with only one Role.
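The following is an added illustration of the Group-plus-Role model described above (hierarchical Groups rooted at an organization-level Group, Roles granted at a Group applying to that Group's subtree, and Roles accumulating across assignments). It is example code written for this page, not Sibylity's implementation; the role names, permissions and group hierarchy are constructed assumptions.

```python
from typing import Iterable

# Assumed role-to-permission mapping; Sibylity's real predefined Roles differ.
ROLE_PERMISSIONS = {
    "viewer": {"read"},
    "editor": {"read", "update"},
    "approver": {"read", "approve"},
}

# Constructed group hierarchy: each group maps to its parent, the org root to None.
GROUP_PARENT = {
    "acme": None,
    "acme/finance": "acme",
    "acme/finance/payroll": "acme/finance",
    "acme/engineering": "acme",
}

# Constructed assignments as (user, group, role) triples.
ASSIGNMENTS = [
    ("alice", "acme", "viewer"),                     # org-wide read visibility
    ("bob", "acme/finance", "editor"),               # finance subtree only
    ("bob", "acme/finance/payroll", "approver"),     # extra role on one subgroup
]


def group_chain(group: str) -> list[str]:
    """Return the group and all of its ancestors up to the org root."""
    if group not in GROUP_PARENT:
        raise ValueError(f"unknown group: {group}")
    chain = []
    while group is not None:
        chain.append(group)
        group = GROUP_PARENT[group]
    return chain


def effective_permissions(user: str, group: str,
                          assignments: Iterable[tuple[str, str, str]] = ASSIGNMENTS) -> set[str]:
    """Union the permissions of every role the user holds on the group or an ancestor.

    Roles are cumulative: a second role never removes a permission granted by another.
    """
    chain = set(group_chain(group))
    perms: set[str] = set()
    for u, g, role in assignments:
        if u == user and g in chain:
            perms |= ROLE_PERMISSIONS[role]
    return perms


def can(user: str, action: str, group: str) -> bool:
    """Authorization check: deny by default unless some held role grants the action."""
    return action in effective_permissions(user, group)
```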


Administrator Settings

While Groups and Roles give you a way to implement mandatory access control, Sibylity also has some discretionary access control features and gives you a way to constrain their use.  Discretionary access control is access granted at the discretion of a user.  Sibylity permits this under very specific circumstances and only in very controlled ways.  See the Administrator Guide for your version of Sibylity for a listing of the available settings.


Conclusion

The protection of your data is a primary design consideration for all of SibylSoft’s products and personnel operations. Our products are designed to meet stringent security standards based on industry best practices. In addition, we give you options and tools you need to help meet your compliance and reporting requirements.

