Information Security

In the world of information security, there are 3 essential elements that ensure the right direction for a company: Confidentiality, Integrity, and Availability. They are often referred to as a CIA triad. SoftServe focuses foremost on security and protection of Client data and our associates’ Personal Data to ensure the CIA triad. Since we are working with Clients from all over the world, we are continuously improving our security information measures to be able to meet the contractual security requirements. The best testament to our efforts is the fact that there has been no Client's personal data breach to date.

Our modern world calls for swift and dynamic changes in every sphere, and cybersecurity is not an exception. Hence nowadays, every organization should take appropriate measures to react to threats properly and securely like never before. Digital attacks are becoming more sophisticated, and it is not enough to simply deploy static, reactive security measures. Staying ahead of threats requires developing proactive monitoring systems, business customization, dynamic processes, and ensuring a constant vigilance.

All our data security measures are described in the Information Security Management System, which is updated annually by the InfoSec department and reviewed by our internal as well as independent external auditors. The internal audit team reviews the SoftServe’s compliance with security best practices and provides assessment according to the designed audit program, checks controls, processes, and systems, and defines areas for further improvement. SoftServe achieved certification of its Information Security Management System (ISMS) to the ISO/IEC 27001:2013 standard and the ISMS is a subject of continuous improvement. The ISO/IEC 27001 is the most widely accepted international standard for information security best practices and a tangible measure by which existing and potential Clients can be reassured that SoftServe has established and implements the best practices in the information security process.

It is not a secret that attention to privacy is one of the crucial parts of doing business nowadays, and our company follows this world trend. To guarantee privacy to our associates, contractors, and customers, we achieved the ISO/IEC 27701 certification. This international certification is intended to specify requirements and provide guidance on building, usage, and improvement of information privacy management. Additionally, we launched a Corporate Data Security Program, which drives a privacy project within the company and covers the main aspects of data protection, ensures privacy awareness, and provides the appropriate security level for the customer, corporate, and personal data.

Other certifications that we achieved (related to the Information Technology Service Management System) are ISO/IEC 20000-1:2011 and ISO 13485. They promote adoption of an integrated approach to delivering managed IT services. This standard is aligned and is fully compatible with the Information Technology Infrastructure Library (ITIL) framework. SoftServe follows the best practices of ITIL for organizing the IT service management. A set of practices like Change Management, Incident management, Vulnerability management, and Patch Management help our company to maximize business value by means of using information technology, increasing customer satisfaction, avoiding major incidents, and keeping risks in check.

In SoftServe, we believe that security is not something you can buy, but it is something that you do. That is why we conduct annual Independent Penetration Testing to identify and mitigate possible vulnerabilities. A comprehensive penetration test assures that the organization is operating within the acceptable limit of information security risks.

One of our security slogans encourages our associates to make this world a secure place together, because our associates are our first and main line of defense.

The company’s personnel (from background checks to security education)

SoftServe’s values define who we are. Soft stands for the main people-oriented values that we share. Serve stands for the core client-oriented values that we foster. SoftServe creates an inclusive and highly professional security culture within the entire organization. We care about security from day one of the hiring process and until retirement. Before a person joins our company, SoftServe will carefully examine their CV by verifying information about education, references, etc. Associates, who handle our Clients’ data, at the Client’s request, shall also undergo additional background checks that include a criminal record check and drug and health screening (if local legislation permits to do so). We greatly value the amount of confidence that our clients entrust us with, and that is why all our associates in their first working day must sign a Non-Disclosure Agreement (NDA) and get familiar with the core information security practices before being granted access to any confidential information.

We collect the best practices about conducting a security awareness training and create our own Information Security Awareness Training and Privacy information and Data Protection Training for SoftServe associates. These trainings are mandatory for every associate following the initial employment and then annually. The content of trainings is continuously updated and improved with use-cases that result from yearly risk assessments. These trainings include major dos and don'ts based on additional security activities to make sure that we know how to react to information security risks (for example, fishing, social engineering, etc.). To make sure that our trainings are effective, and our personnel can recognize and respond promptly to phishing attacks, we perform a phishing simulation campaign on a regular basis. Depending on a project, some specific, deeper internal security training may be assigned, for instance, any of the GDPR, HIPAA, PCI DSS, OWASP Top 10 trainings.

As security is a continuously changeable area, we must keep our finger on the pulse to stay familiar with the most recent changes and improvements. We care about the growing number of professionals in a particular field and aspire to continuously raise awareness in the areas of security and data privacy for our teams that are responsible for the corporate information security. To always stay on top of new trends and developments, our Security and IT Teams regularly attend international conferences and obtain certificates in professional security.

Operational security

At SoftServe, we strongly believe that Security is not something you can buy, but it is something you can do. This is why we base our security policy on the best world standards, guidelines, frameworks, and best practices.

One of our lines of defense is a СSOC (Cyber Security Operation Center), whose mission and purpose is to monitor security events and prevent any cybersecurity incidents by means of proactive actions. The CSOC provides continuous 24/7 monitoring, detailed threat hunting and analysis, and suspicious activity alerts monitoring. Additionally, there is a capability to perform corrective actions on network segments, user accounts, registry entries, folders, files, processes, and services. Events from all security controls, for example NG FW, IPS, DNS protection, CASB, and next generation anti-malware ecosystem are forwarded to the SIEM/SOAR for future correlation and security monitoring.

Vulnerability management

Vulnerability management is a key component that SoftServe uses to preemptively defend itself against the exploitation of vulnerabilities in the company applications, software, and networks. At the heart of a typical vulnerability management is a vulnerability scanner. We use the Vulnerability management services to actively implement corrective and preventive measures against cybersecurity threats. The Identification process is performed by means of vulnerability scanning for inside and outside corporate perimeter. For the vulnerability differentiation we use a Vulnerability Priority Rating (VPR) and a corporate classification of the Service Criticality levels. Accurate and prompt evaluation and analysis of the organization’s exposure to such vulnerabilities are specifically designed to ensure the timely reaction and appropriate security measures. At early stages, it is easy to mitigate or even avoid any associated risks. Our Security Team is responsible for identifying and following up on our vulnerabilities and reacting to them in time by applying patches.

Patching is an important part of the vulnerability management. The Patch management process is established to ensure that the most recent operating systems, security, and critical patches are installed. Our Security Operations Team monitors security mailing lists, vendor notifications, specific public websites and any related professional blogs and articles to be able to respond to patch updates instantly. By applying a formal patch management process, we are ensuring that all systems have proper security and critical patches installed. Patches are tested and evaluated before they are installed to ensure their effectiveness and absence of any potential side effects.

To withstand 21st-century attacks, SoftServe puts maximum efforts to follow the best world-recognized security practices and controls to guarantee endpoint protection.

Endpoint protection

We strategically adopted the “defense-in-depth” approach within SoftServe. This means that we are implementing control measures on each endpoint, such as DNS level protection, NG EDR, sandboxing, host firewall management, and full drive encryption. DNS protection provides the first line of defense against threats on the internet. By leveraging insights from one of the world’s largest commercial threat intelligence teams, DNS protection uncovers and blocks a broad spectrum of malicious domains, IPs, URLs, and files that are being used in attacks. It blocks requests to malicious and unwanted destinations before the connection is even established.

To prevent more advanced security threats, we are using the world class Next Generation EDR system, which includes threat hunting and sandboxing capabilities. By means of host-based firewalls, we manage a firewall protection on all endpoint devices and control the full drive encryption.

Our corporate anti-malware solution is a cloud-based next-generation threat protection that leverages execution profiling and predictive security analytics instead of focusing on malware signatures, indicators of compromise, exploits, and vulnerabilities.

Another security feature of the anti-malware ecosystem is sandboxing. It is used for an in-depth static code analysis, behavior investigation, and detection of hidden, evasive threats.

We don’t always live in an ideal world, so to adequately respond to threats, we need to establish the Incident Management process within the company to deal with incidents by implementing the best strategies.

Incident Management

The Incident management process is established to resolve information security incidents that may affect confidentiality, integrity, or availability of the SoftServe Associates’ data or Client data. SoftServe associates are aware of the information security incident reporting procedure, which they learn during their participation in the Information Security Awareness Training. If a security incident occurs, the CSOC Team prioritizes it according to its impact on the data, service, or business. Incidents that directly impact Client data are assigned the highest priority.

SoftServe’s security incident management process is structured around the NIST guidance on handling incidents. When investigating information security events, we’re performing analysis of precursors and indicators, looking for correlating information. To ensure that the knowledge gained from analyzing and resolving information security incidents is used to reduce the likelihood of future incidents, the organization conducts lessons learned sessions and assigns long-term corrective and preventive tasks to the appropriate Project in the Project Management Tool. To prevent similar incidents in the future, the CSOC is performing a root cause analysis and regular risk assessments based on security incident reports and analytics.

Logging and monitoring

Security Logging and Monitoring is a method used to detect possible threats, inconsistences, and to check if effective security practices and controls are in place. Security Information and Event Management System (based on Splunk) is implemented to provide real time event processing of corporate systems as well as notifications of any detected suspicious activity and vulnerability exploitation attempts. The system gathers information from internal network traffic and associates`s actions in systems. In case of any suspicious activity and security alert, the SIEM generates alerts and is able to make appropriate registration and response. Event logs are stored separately from the source systems in order to protect them from accidental or intentional modification or destruction.

The company never stands still and always moves forward to keep up with the world security tendencies. This leads to changes that may have risky security impact on our everyday processes. We therefore control the security of all changes through the practice of Change Management.

Change Management

An effective change management is a central and essential part of a successful delivery of IT services, and it also helps to keep a sense of traceability. The change management process ensures that the service availability is maximized and that SoftServe business processes are not adversely disrupted by any undesirable changes to technology systems and components. The Change management process provides a framework for achieving a better performance, enhances business continuity, optimizes business risks, increases accountability, and improves reliability of technology services. The whole change management process is built considering any possible risks, change categorization and their approval workflow, ALM lifecycle, implementation, communication of changes, and metrics.

Identification, Authentication and Authorization Approach

As part of the NIST Cybersecurity Framework (CSF), SoftServe implements Identity Management, Authentication and Authorization Control. We adopt a Zero Trust Model for information processing and exchange. The Zero Trust Model is a security concept centered on verifying anything and everything that is trying to connect to its system before granting access. For the implemented Identification, Authentication and Authorization, SoftServe changes the accustomed approach to securing a device and managing access. Each Associate with an access to SoftServe’s application, services, or programs, is uniquely identified, and, depending on the information sensitivity classification, authenticated with various level of assurance. User accounts are covered by Multi-Factor Authentication. Our Authorization process is built on the RBAC approach, where access is granted depending on the role in the company.

Microsoft Cloud App Security is a Cloud Access Security Broker (CASB) that ensures deep visibility, strong data controls and enhanced threat protection to SoftServe cloud apps. CASB acts as a supervisor for the enterprise users and the cloud resources they use, regardless of their location and device they are using. CASBs provides the possibility to monitor user activity for any abnormal behavior, controls access to the cloud resources based on a risk score, provides the ability to classify and prevent sensitive information leak, and protects against malicious agents.

Alongside operational security, SoftServe also cares about the information we store in our hardware, software, and workplace facilities.

Sensitive Data Protection Methods

Data encryption prevents data from unauthorized access or theft. SoftServe provides encryption of data in rest and data in transit. Corporate portable devices and personal communication devices (with connected corporate mailboxes) are encrypted. However, it is not enough, because there is always a risk of human error. That is why we devote a great deal of attention to educating our associates and creating new opportunities to keep information transfer inside and outside SoftServe absolutely safe. One of such services is Sensitive Data Protection Methods, which include 4 methods of digital information transferring (Azure RMS, AIP, Sensitivity labels and Office 365 Message Encryption). It consists of a solution that is built in the Outlook as well as a custom developed feature for the needs of a specific project. The main idea of these methods is to guarantee a secure transfer by encryption and manage a recipients list. Associates must select data for protection and then choose appropriate methods to secure it.

Network and IT infrastructure

Security is a primary driver of the SoftServe’s IT infrastructure design. All services and systems are being developed and maintained according to a well-defined lifecycle, which integrates the ITSM (IT Service Management) and ISMS (Information Security Management System) standards and procedures. This approach helps us to make sure that we never overlook security at any stage, from strategy to daily operations. In the core of the SoftServe’s IT Infrastructure lies the idea of being a service provider to our internal and external customers. This means that all our IT resources are always assigned granularly to project and administrative teams and that records are maintained to ensure accountability and traceability of assets and information.

Within such a mode of operation, a project team is allocated a discrete logically isolated environment. This segregation extends over the entire SoftServe IT infrastructure: Local Area Networks and Wi-Fi in all Development Centers, Remote Access using VPN clients, computing resources in our Private Cloud, and accounts in IaaS public clouds. Network traffic of different partitions is always encrypted and routed separately, any interconnection between them or external networks undergoes a thorough inspection by the Next Generation Firewalls with IPS (Intrusion Prevention Systems). All access methods to a dedicated project partition require a strong authentication, and sessions via Internet-published gateways additionally require Multi-Factor Authentication.

Consistent expansion of the network security means over all kinds of locations and resources creates a reliable security perimeter with a proper visibility and actionable threat protection. This perimeter also encompasses mobile assets that are using SASE (Secure Access Services Edge) toolset by the DNS-level protection (Cisco Umbrella) and Cloud Access Security Broker (Microsoft CASB). Discrete and secure project partitions may be integrated with partners’ networks by means of VPN technologies and federations on the application level to create seamless and efficient work environments for engineering teams.

Maintaining high availability and performance is a very important aspect of the IT infrastructure and network security. SoftServe has invested a lot into establishing geographically disperse data centers at top-tier facilities in Europe and USA. Our architecture guidance calls for compulsory redundancy for all network connectivity and mission-critical applications.

Chiefly, most projects use cloud solutions for storing and exchanging information between a Client and SoftServe. In order to be able to protect our cloud instances according to the best practices, we have chosen the NIST 800-53 control framework as a standard approach for cloud compliances using Palo Alto Prisma Cloud and Splunk as our SIEM/SOAR service. Each cloud service passes 4 stages of validation before being implemented: vendor assessment, cloud application assessment via cloud application security checklist, corporate service assessment via internal service security checklist, and finally, validation of information security controls via SOAR.

Physical Security

SoftServe protects all areas—telecommunications area, cabling area, off-site area that contains Information Processing Systems or media that contain Client information—by using a list of appropriate security controls. Access to the premises is controlled by a defined security perimeter, appropriate security barriers, 24/7 security guards who must undergo background checks, training, and authentication control. All external doors and accessible windows are enhanced with intruder detection system. Access control to offices is carried out by using card-passes that each Associate receives during the first day of employment. Any visitors should be accompanied by an associate. A face ID access control is implemented in several offices. Video surveillance equipment provides a non-stop and immediate control of vulnerable points in rooms and on premises. Access logs and camera footage are preserved and in case of any incident are available as a proof of event. Server rooms are highly controlled areas with restricted access only to the predefined list of authorized associates. We guarantee that in the event of a utility failure we are able to maintain enough power to run offices at full capacity with the help of diesel generators.

A business can achieve a superhero status in security, but there is always a threat of natural or a man-made disaster present. Our stability is constantly challenged by hurricanes, tornadoes, ice storms, earthquakes, fires, flooding, pandemic software and hardware failures, and cyber-attacks. While there is no sure way to avoid certain risks, there are things that a company can do to protect business from any potential fallout.

BCP and IT DRP

Business Continuity management is becoming more apparent and helps organizations stay resilient. To ensure that SoftServe is ready and able to run business continuously, protect its associates and standard business processes, a set of plans were developed and are continuously being tested. The BCP provides a vision of potential threats that may directly affect our business and saves us critical time to react by taking appropriate measures in case these potential threats become reality. The best example of this is a WFH strategy that has been successfully implemented during the COVID-19 pandemic. As part of the BCP, we have developed and are still testing the IT Disaster Recovery Plan, the Pandemic Plan, and the Crisis Communication Plan in order to stay afloat despite possible hazards.

Privacy

Protection of Associates’ Personal Data, Client Data, and compliance with applicable data privacy and protection laws is important to SoftServe. SoftServe`s Privacy Policy explains the main principles of processing, collecting, correcting, and deleting personal data of customers and subscribers, and instructs on how to get in touch with us. Our privacy practices are designed to provide the highest level of data protection for your personal data.

SoftServe is committed to the GDPR compliance. From the very beginning, we have respect for privacy and security ingrained in our business DNA, and as we have grown, our focus on handling and protecting the data that our Associates and Clients entrust us with has remained a priority.

During the engagement stage, the SoftServe’s goal is to be in compliance with the GDPR, and in particular its regulations that relate to a Client specifically. In order to work with a Client who is addressing the GDPR requirements, SoftServe additionally has signed the Data Processing Addendum, which includes details regarding subject-matter, the rules of processing, the type of Personal data, and the categories of data Subject. In the data processing contractual obligation, SoftServe usually acts as a Data Processor and a Client is a Data Controller, if not stated otherwise in the contact. As a Data Processor, SoftServe ensures appropriate technical and organizational measures to maintain data security. In case of transferring data, SoftServe complies with the GDPR requirements by providing adequate protection when transferring personal data from Europe to third parties, and in particular, enters into standard contractual clauses approved by the European Commission.

SoftServe is fully compliant with the GDRP rules regarding the realization of rights such as:

• Right to information
• Right of access
• Rights to rectification
• Right to erasure
• Right to restriction of processing
• Right to data portability
• Right to object
• Automated individual decision-making, including profiling.

HIPAA and PCI DSS Compliance

SoftServe also adheres to and fully complies with all HIPAA privacy requirements. In case of processing PHI on behalf of a Client, it is mandatory to execute the Business Associate Agreements (BAA) as part of a full compliance with the HIPAA requirements. BAAconsist of information regarding the allowed and forbidden uses of PHI between a Client and SoftServe.

On a corporate level, we developed the awareness training for HIPAA and GDPR. Usually, a SoftServe Associate, who is working on a project related to HIPAA or GDPR, has to pass that training.

Contractual security requirements related to HIPAA or GDPR are stored in the CRM system, marked accordingly, monitored, and additionally communicated to each Project Manager.

Summary

We take security seriously at SoftServe. We start building our security environment using fundamental elements of security on a corporate level. We are continuously improving our security posture in order to meet Client requirements. Our company takes comprehensive measures to protect its infrastructure, networks, services, and applications, and to train associates in security and privacy areas. SoftServe continues to grow and develop having its primary emphasis on security and privacy.