Security Policy


 

Confidentiality

 

Access controls are strictly enforced for all employees within the application: each user is granted access according to their role and the business requirement for that role. Only approved employees can access customer systems, and only after they have been onboarded to the customer project and the customer has approved the access. All user accounts are tracked and reviewed periodically.

All our employees and contract personnel are bound by our InfoSec policies with regard to protecting sensitive, confidential and organizational data.

 

Personnel Practices

 

RevGurus carries out background verification of all employees as part of the hiring process. All employees receive ISMS security awareness, privacy and confidentiality, ethics, and compliance training during onboarding and on a periodic basis thereafter. All employees are required to read and sign a non-disclosure agreement covering the security, availability, and confidentiality of RevGurus information.

 

Network Protection

 

The network firewall is configured as per industry best practices. It follows a stateful default-deny policy: inbound traffic is denied unless it is a response to a request that originated from the internal network.

The firewall is also configured to protect against network- and application-level attacks, and to defend against intrusion attempts, malware, trojans, and other threats.
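As an illustration of what a stateful default-deny policy looks like in practice, the following nftables ruleset is an added example and is not RevGurus's own firewall configuration. It drops all inbound and forwarded traffic by default, admits only packets belonging to connections initiated from inside (established/related state), and logs what it drops. The management source range 10.0.0.0/24 and the allowance for SSH from that range are assumptions made for the example.

```nftables
# Added example: stateful default-deny ruleset for a Linux host or gateway.
# Not RevGurus's configuration; the 10.0.0.0/24 management range is assumed.
flush ruleset

table inet filter {
    chain input {
        # Default policy: anything not explicitly accepted below is dropped.
        type filter hook input priority 0; policy drop;

        # Loopback traffic is always local.
        iif "lo" accept

        # Replies to connections initiated from inside are the only traffic
        # admitted by default; packets with no valid connection state are dropped.
        ct state established,related accept
        ct state invalid drop

        # Explicit exception (assumed): administrative SSH from the management LAN only.
        tcp dport 22 ip saddr 10.0.0.0/24 ct state new accept

        # Minimal ICMP needed for path MTU discovery and reachability checks, rate-limited.
        icmp type { echo-request, destination-unreachable, time-exceeded } limit rate 10/second accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept

        # Record dropped inbound attempts for review, without flooding the log.
        limit rate 5/minute log prefix "nft-drop-input: " counter
    }

    chain forward {
        # Nothing is forwarded unless a rule is added deliberately.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound requests from inside are allowed; their replies match
        # the established,related rule in the input chain.
        type filter hook output priority 0; policy accept;
    }
}
```

Before loading it, validate the file without applying it with `nft -c -f ruleset.nft`; after `nft -f ruleset.nft`, confirm the default policy with `nft list chain inet filter input` (the chain header should read `policy drop`). The practical check is that an unsolicited inbound connection from outside the management range times out, while an outbound connection from the host and its replies succeed.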

 

Compliance

 

At RevGurus, we have established internal processes as per the guidelines of ISO/IEC 27001:2013.

 

ISO 27001:2013

 

ISO/IEC 27001:2013 (which superseded ISO/IEC 27001:2005, and has itself since been superseded by ISO/IEC 27001:2022) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all the legal, physical and technical controls involved in an organization’s information risk management processes.

 

Incident Management & Response

 

RevGurus has a defined incident response and escalation procedure that describes how security incidents are raised. The escalation matrix is accessible to all employees so that incidents can be raised immediately. In the event of a security incident, RevGurus will notify the customer within the SLA defined in the procedure. Our IT team can swiftly identify privacy breaches and contain security risks.

 

Internal Audits

 

The RevGurus IT team conducts spot checks to ensure that the security controls are in force and effective; corrective action is taken to improve their effectiveness if any deviations are observed. An internal audit is carried out once every six months to ensure that the procedures are in effect.

 

Authentication & Access Control

 

We operate on the principle of least privilege: access is enabled only to the level needed to perform the business function.

Roles and areas of responsibility are segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s information.

Employees can only access project-specific data for the projects to which they are assigned. Access is well defined to prevent any unintentional modification or misuse of customer data.

Every employee has a unique user ID that provides individual accountability on all systems; no ID is shared by multiple employees.

 

Vulnerability Assessment & Penetration Testing

 

Vulnerability assessment and penetration testing (VAPT) of all systems and the internal network is carried out once a year by an external security vendor. The assessment has three phases:

 

  • Internal VA
  • External VAPT
  • Remediation and Compliance

 

Data Loss Prevention (DLP)

 

All systems have endpoint protection installed. Periodic monitoring detects devices that are not in compliance, and the IT Admin team is authorized to take action on such systems and devices.

 

Information Security Audit

 

The ISMS audit is performed by qualified third-party assessors. In addition, an internal audit team (IA team) is entrusted with ensuring compliance with the ISMS framework in all aspects. The IA team meets every six months and has the following responsibilities:

 

  • Conduct internal audits to assess conformance to the standard and the organization’s policies, and the effectiveness of their implementation and maintenance.
  • Ensure that information security controls are effective.
  • Define and document procedures, including responsibilities and requirements for planning and conducting audits, reporting results and maintaining records.
  • Review the audit process and checklist to ensure continuous improvement of the internal audit and of information security controls.
  • Evaluate the organization’s compliance with the ISMS framework in all aspects.
  • Detect any shortcomings in the implementation of the ISMS framework within the organization.
  • Recommend the necessary corrective and preventive actions.