Security
Compliance with NIST SP 800-53 (Moderate Baseline)
Our Software as a Service (SaaS) product is designed with a strong commitment to security and compliance, specifically to meet the NIST SP 800-53 control baseline for moderate-impact systems. This page provides an overview of how we address the key control families defined in NIST SP 800-53.
Access Control: Our SaaS product implements role-based access control (RBAC) to ensure that only authorized individuals can access sensitive information. We enforce the principle of least privilege, meaning users are granted the minimum levels of access necessary to perform their functions.
Awareness and Training: We provide regular security awareness training to all employees. This includes training on the policies and procedures related to the secure use of our SaaS product.
Audit and Accountability: Our system maintains detailed logs of all user activity. These logs can be audited at any time to ensure accountability.
Security Assessment & Authorization: Our product undergoes regular security assessments. This includes vulnerability scanning and penetration testing to identify and remediate any potential security weaknesses.
Configuration Management: We have a robust configuration management process in place. This includes maintaining a baseline configuration and managing and controlling changes to that configuration.
Contingency Planning: We have a comprehensive contingency plan in place, which includes procedures for data backup, disaster recovery, and business continuity.
Identification and Authentication: Our SaaS product requires strong user authentication. This includes the use of multi-factor authentication (MFA) for all users.
Incident Response: We have a formal incident response plan in place. This includes procedures for detecting, reporting, and responding to security incidents.
Maintenance: We perform regular system maintenance to ensure the ongoing security and performance of our SaaS product. This includes the timely application of patches and updates.
Media Protection: We have measures in place to protect the media that stores customer data. This includes encryption at rest and in transit.
Physical and Environmental Protection: While our SaaS product is hosted in the cloud, we ensure that our cloud service providers have robust physical and environmental controls in place.
System and Information Integrity: We have measures in place to protect the integrity of customer data. This includes the use of checksums and digital signatures.
Risk Assessment: We perform regular risk assessments to identify and mitigate potential security risks.
System and Services Acquisition: We have a formal process for the acquisition of systems and services. This includes conducting due diligence on all third-party vendors.
System and Communications Protection: Our SaaS product uses strong encryption for all data in transit. We also use secure coding practices to protect against common web vulnerabilities.