Consistent with Kersia’s obligations, a designated security management team is responsible for compliance: operationally, for monitoring the effectiveness of and adherence to the security controls, and also for maintaining the security policies and procedures. Active management involvement in reviewing the security program demonstrates that the organization takes security seriously.
Kersia’s Risk Management Program is responsible for identifying potential business risks arising from IT, such as the company’s use of technology in serving its clients; coordinating client security inquiries in support of their due-diligence requests; performing risk assessments to evaluate potential IT risks; and providing input to risk management plans that reduce IT risks to, and keep them at, an acceptable level.
Vulnerability and Patch Management
Kersia has implemented a vulnerability management program that is focused on mitigating and remediating the risks associated with the software and hardware used in our infrastructure.
Kersia takes these risks seriously because they could have a significant negative impact on our assets and our organization.
The vulnerability management process encompasses monthly external vulnerability scans and annual application and security patching. The objectives of these assessments are to detect vulnerabilities, gaps in processes, areas of non-compliance, missing patches, unnecessary services and open ports, and devices that are end of life or out of support.
Remediation actions are created, prioritized, executed and recorded in line with the agreed timeframes and risk levels. Information Technology is responsible for informing and facilitating the remediation process. Management has oversight responsibilities over the remediation process.
Security Policies and Standards
Our information security policies and standards are reviewed and evaluated annually, and also whenever changes within Kersia affect a particular approved policy or standard. The policies are distributed and communicated to all employees together with supporting guidance and compliance requirements.
Security Awareness Training
The privacy and security awareness and training program is available to Kersia employees and contractors and is mandatory upon employment or engagement and periodically thereafter. To the extent reasonable and appropriate, periodic security updates and reminders are issued and supplemental training is provided. In addition, teams that handle particularly sensitive information may receive additional training and mentoring, as well as active monitoring of performance.
Security Incident Management
Kersia implements policies and procedures for handling security incidents. A security incident is an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations in an information system. Kersia’s procedure is to identify and respond to suspected or known security incidents; to mitigate, to the extent practicable, the harmful effects of security incidents that are known to Kersia; and to document security incidents and their outcomes.
Business Continuity and Disaster Recovery
Recognizing the need to respond to emergencies and to natural or man-made threats that damage systems containing sensitive data, and to assist federal or local authorities, Kersia maintains plans for data backup, business continuity, and disaster recovery. At the core of these plans are procedures to enable the continuation of critical business processes associated with our hosted facilities and the protection of the sensitive data stored at those facilities. To the extent reasonable and appropriate, Kersia periodically tests and revises these contingency plans.
Threats to the security of systems and the information they contain are evolving at an increasing pace, and the regulatory environment is responding to the concerns of its constituents. Kersia understands that it must periodically review not only its policies and procedures in response to these changes, but also adjust its security controls so that they remain consistent with those policies and procedures, publishing and enforcing additional guidelines where needed.
Kersia has designed and implemented a large-scale, mission-critical Software as a Service (SaaS) solution that requires only that participants have internet access and a modern web browser (IE 9+, Firefox, Chrome, Safari). Kersia provides its services using multiple server and supporting network components in world-class data centers.
Kersia has built a platform and service that will scale with the company’s national rollout, with sufficient excess capacity to absorb unplanned utilization spikes and growth. The Kersia platform is hosted on a redundant, horizontally scaled, highly available cloud service provider. Application and database servers run on hardened hosts. Network security and availability are handled primarily through managed firewalls.
The Kersia platform forces secure sessions, restricts access by IP address, and provides customer-specific login policies. The platform is built following OWASP application security development best practice and is designed to mitigate the following vulnerability classes (the categories of the 2014 OWASP Mobile Top 10): weak server-side controls, insecure data storage, insufficient transport layer protection, unintended data leakage, broken cryptography, client-side injection, security decisions via untrusted inputs, improper session handling, and lack of binary protections.
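As an added illustration of what the three controls named above (forced secure sessions, IP restriction, customer-specific login policies) look like when implemented, the following example is written for this page and is not Kersia’s platform code. The tenant names, networks, MFA settings and lifetimes are constructed; the only real dependencies are the Python standard library’s `ipaddress` and `http.cookies` modules. It also shows the check a practitioner would insist on: trusting `X-Forwarded-For` only behind a known proxy, since otherwise a client can forge the header and walk past the allow-list.

```python
"""Per-tenant login policy: CIDR allow-list, MFA requirement and a session
cookie that forces a secure session. Illustrative example for this page;
not Kersia's code. All tenants, networks and values are constructed."""
import ipaddress
from dataclasses import dataclass
from http.cookies import SimpleCookie


@dataclass
class LoginPolicy:
    allowed_networks: list          # CIDR strings; empty list = no IP restriction
    require_mfa: bool = True
    session_ttl_seconds: int = 900  # bounded session lifetime


# Constructed (hypothetical) customer policies keyed by tenant identifier.
POLICIES = {
    "tenant-a": LoginPolicy(["203.0.113.0/24", "2001:db8::/32"], require_mfa=True),
    "tenant-b": LoginPolicy([], require_mfa=False, session_ttl_seconds=3600),
}


def ip_allowed(policy: LoginPolicy, client_ip: str) -> bool:
    """True if client_ip lies inside one of the tenant's allowed networks.
    Handles IPv4 and IPv6; an unparsable address is rejected, not passed."""
    if not policy.allowed_networks:
        return True
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False)
               for net in policy.allowed_networks)


def client_ip_from_headers(remote_addr: str, forwarded_for: str = None,
                           trust_proxy: bool = False) -> str:
    """Resolve the client address. X-Forwarded-For is honoured only when the
    request arrived through a trusted proxy; otherwise the socket peer address
    is used, so a forged header cannot bypass the allow-list."""
    if trust_proxy and forwarded_for:
        return forwarded_for.split(",")[0].strip()
    return remote_addr


def authorize_login(tenant: str, client_ip: str, mfa_passed: bool):
    """Apply the tenant's login policy. Returns (allowed, reason)."""
    policy = POLICIES.get(tenant)
    if policy is None:
        return (False, "unknown_tenant")
    if not ip_allowed(policy, client_ip):
        return (False, "ip_not_allowed")
    if policy.require_mfa and not mfa_passed:
        return (False, "mfa_required")
    return (True, "ok")


def session_cookie(session_id: str, ttl_seconds: int) -> str:
    """Build the Set-Cookie value for a forced secure session: the cookie is
    only sent over HTTPS (Secure), invisible to scripts (HttpOnly), not sent
    cross-site (SameSite=Strict), path-scoped and time-bounded (Max-Age)."""
    jar = SimpleCookie()
    jar["sid"] = session_id
    morsel = jar["sid"]
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    morsel["max-age"] = ttl_seconds
    return morsel.OutputString()


if __name__ == "__main__":
    ip = client_ip_from_headers("10.0.0.5", "203.0.113.7", trust_proxy=True)
    ok, reason = authorize_login("tenant-a", ip, mfa_passed=True)
    print(ok, reason)
    if ok:
        print("Set-Cookie:", session_cookie("s3ss10n", POLICIES["tenant-a"].session_ttl_seconds))
```

The allow-list check is done against the resolved client address, not the raw header, and the session cookie never carries the attributes as optional extras: every attribute is set at issue time, so a session that is not Secure and HttpOnly cannot be created by this path at all.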
To the extent reasonable and appropriate, Kersia uses technologies or methodologies that render PII unusable, unreadable, or indecipherable to unauthorized individuals, including mechanisms to encrypt sensitive data at rest and in transit wherever possible. Kersia also destroys PII in accordance with applicable federal standards. All sensitive data transmitted to or from Kersia is encrypted in transit with a minimum key strength of 256 bits.
Kersia’s SaaS platform is hosted in Microsoft Azure data centers. Physical access to the data center is restricted to authorized personnel. Proximity cards are used at Azure to control access to specific areas. Two-factor authentication is required to enter the data center. Visitors to Azure facilities check in with reception or security before being granted access to the facility. Closed-circuit video surveillance covers the interior and exterior of the building and is monitored by authorized Azure personnel; CCTV footage is retained for at least 90 days.
Management enforces policies and procedures to ensure that only those who require access to sensitive data have it, at the level of access appropriate to their job responsibilities. Access management procedures are enforced through roles and an approval process based on segregation of duties. Kersia has implemented procedures for terminating access and reclaiming corporate Assets when the employment of, or engagement with, a Kersia employee or contractor ends.
Kersia implements technical and administrative policies and procedures that restrict access to corporate Assets to only those persons or software programs that have been granted access rights, in addition to authorization to view critical systems’ information. To enforce both authentication and authorization, Kersia has implemented hardware, software, and procedural mechanisms to record activity on its critical systems.