This article provides the details and audit artifacts that explain our approach to security at the highest level. We are proud that TeleTracking’s Information Security & Assurance Strategy represents a commitment to incorporating numerous industry best practices into a single plan, so that the strategy is thorough and adequately supports a defense-in-depth security posture.
Industry best practices adopted in our plan include:
An information technology governance structure designed in accordance with the ISO/IEC 27001:2013 Information Security Management System framework;
Information technology risk management based on NIST 800-37 Guide for Applying the Risk Management Framework;
A physical security strategy patterned from the ISC2 CISSP Security Practitioner Common Book of Knowledge;
Traditional technical controls selected from the Centre of Internet Security’s 20 Critical Security Controls as well as NIST 800-53r4 Security and Privacy Controls for Information Systems publications;
Data privacy strategies aligned with NIST 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information and the Caldicott Principles in the United Kingdom; and
Application security conforming to the Building Security in Maturity Model (BSIMM), the Open Web Application Security Project (OWASP), as well as the ISO/IEC 27034 Application Security framework.
Data Encryption
Beyond the mature governance structure and comprehensive security controls, TeleTracking has processes in place to ensure all data is encrypted end to end. This includes encrypting data at rest using symmetric key cryptographic algorithms that are compliant with the Federal Information Processing Standard (FIPS) 140-3 Security Requirements for Cryptographic Modules, as well as encrypting data in transit, wherever it travels, using a combination of symmetric and asymmetric encryption algorithms for a ‘best-of-breed’ approach.
Detective Security Controls
In addition, TeleTracking employs numerous detective security controls as assurance that protected data stays protected throughout its lifecycle. For example, TeleTracking utilizes advanced intrusion detection and prevention systems, as well as an enterprise security information and event management (SIEM) system that correlates industry threat intelligence with live event data.
TeleTracking’s best-practice defense-in-depth approach is not reserved for medical or personal information, but is instead used to secure all customer data. TeleTracking treats all customer data as highly sensitive and puts protections in place to ensure customer data is used only for its intended purpose and always stays safe.
In the event of a security incident
In the event of a security incident, TeleTracking mobilizes its incident response team in accordance with the company’s published incident handling guide. The guide was created to be fully compliant with practices found in NIST 800-61r2 Computer Security Incident Handling Guide, as well as ISO/IEC 27035 Information Security Incident Management.
Incident handling serves as a cornerstone of the cyber security design strategy by ensuring that our response to threats follows an iterative approach:
Identifying a threat through threat intelligence and event correlation;
Protecting the assets and data with security controls;
Detecting security incidents and events as they happen;
Responding to those threats in accordance with incident handling best practices contained within NIST 800-61r2 Computer Security Incident Handling Guide;
Recovering systems and services once the incident has been resolved; and
Incorporating lessons learned from the incident to improve the process, as outlined in the ISO/IEC 27001:2013 ISMS plan-do-check-act (PDCA) iterative approach to process improvement.
Day-to-Day Security Operations
Alongside handling incidents as they arise, day-to-day security operations are also paramount to maintaining a highly defensible system. At TeleTracking, this includes activities such as enterprise deployment of malware defenses (e.g., next-generation antivirus systems), comprehensive vulnerability and patch management programs that scan all systems weekly for vulnerabilities, and software update deployment.
TeleTracking verifies its commitment to security by having penetration tests conducted on the systems and software that interact with sensitive data. The tests are conducted yearly and are performed by independent third parties to provide assurance to both TeleTracking and the customers it supports.
Data Privacy Legislation Compliance
Complying with ever-changing data privacy legislation becomes much easier to manage when the cyber security strategy is designed around worldwide industry best practices. For example, by adopting and implementing a single framework such as ISO/IEC 27001, an organization would be compliant with many industry regulations and data privacy laws throughout the world.
Moreover, adopting a best-of-breed information security governance structure ensures the program evolves as the industry and privacy legislation evolve. Thus, TeleTracking continually updates its security practices as the frameworks change in response to new data privacy regulations, such as the EU General Data Protection Regulation or the California Consumer Privacy Act.
Our approach is to build compliance in our software applications wherever possible, and to use a combination of policies and processes to comply when it cannot be built into the application.
Supporting Documents
Copy of TeleTracking’s current ISO/IEC 27001:2013 Certification, noting there were no exclusions to the standard as written.
This document details exactly what was in-scope for the ISO 27001 certification.
This document shows which ISO controls were selected and why.
This policy outlines the overall information security strategy for TeleTracking at a high level. Please note that every underlying standard and policy referenced within the document exists and was audited during the ISO certification.
This document is an example of one of the downstream policies/standards.
Because we follow many best practices, this document defines the standard security terms referenced in the policies.