Data Security at Rest and in Transit
Do we have a procedure regulating the encryption of data at rest and in transit?
Yes, according to the implemented policy PBI - 04 Annex 02 Procedure for Managing Security and Cryptographic Keys. Data in transit is encrypted using the SSL protocol. Long-term data storage in the form of backups is fully encrypted. Operational data is not encrypted for optimization reasons.
Is the development and testing of IT systems/applications conducted exclusively outside of the production environment?
Yes.
Is there segregation/separation of the production environment from development, testing, and acceptance environments?
Yes.
Are solutions such as automated (static) code review/analysis, dynamic code analysis, vulnerability scanning, penetration testing, and peer code review used for software security testing?
Yes.
Is there control over the source code developed by or for the Provider?
Yes.
The code is developed internally.
Is the source code and related elements not located in the production environment?
Yes.
The source code is stored in an independent environment.
Do we regularly perform penetration tests? How frequently?
Yes. Vercom conducts penetration tests according to the document 'Vercom Vulnerability Management Process.' We perform cyclic penetration tests of our application annually internally by our Pentester, and at least once every two years by an external auditing company (alternating between internal and external tests). The test plan is determined by the test coordinator in consultation with project directors and the CTO. A detailed test plan is established each time based on the suggested schedule.
Last updated