- Passed audit with short notice of just a few months
- Host private customer data for a top U.S. lending institution
- Hundreds of non-billable hours towards rigorous security measures
- Policies included information security, physical security, and personnel security
- Network Intrusion Detection
- Host-Based Intrusion Detection
- Dual Factor Authentication
- Onsite Technical Lead
- IT Manager
- IT Specialists
- Consultant
When we first begin working with clients, many are legitimately concerned about the security of their intellectual property and data. At the start of our relationship, the client does not know whether we are a trusted and reliable vendor and partner. It’s smart to ask tough questions and make sure you understand the company you are working with.
To protect intellectual property, we ask all of our employees to undergo full background checks and drug tests and to sign non-disclosure/noncompete agreements. Access to project materials (documentation, source code, etc.) is limited to resources assigned to the project. Further, while we have offshore offices, we are a U.S.-based company abiding by the same laws and regulations as any other U.S.-based company. Offshore offices are wholly owned and operated by Integrant.
Over the years, we’ve passed various security audits, SOX reviews and the like, in order to assuage fears. Perhaps the most challenging security-related project we faced was an audit for a top American lending institution. This particular client had the tightest, toughest and most restrictive requirements we had ever faced.
We are happy to report that we passed. Though we had rigorous security measures in place, we still had to make adjustments to meet the bank’s requirements. The client’s internal IT team knew how difficult their requests were for any company to meet. Our ability to pass the audit on just a few months’ notice even came as a surprise to the bank’s internal IT team. It was no small feat, but we prevailed. Here’s a snapshot of some of the requirements:
- Designated individual responsible for information security
- Comprehensive business continuity management plan with proof of regular testing
- Information security policy reviewed and approved on an annual basis
- Comprehensive physical security policy
- Comprehensive privacy policy protecting customer information
- Documented human resources policy that covers personnel security
- Documented process to ensure background checks for all individuals with access to data and applications, including state and federal background checks and drug screening
- Code review process for in-house developed applications/software conducted prior to production deployment
- Complete employee training program for security policies
- Documented change control process
- Policy for the secure disposal of hardware and media
- Automated monitoring of system logs and application logs
- Automated monitoring of security patch management
It was a huge challenge, but it was important for us to gain the client’s trust. We invested in infrastructure, a security consultant and hundreds of non-billable hours. Today, we are trusted with hosting the institution’s private customer data. This information is used in business intelligence and customer relationship management systems to enable the company to better understand its client base.
