SECURITY POLICY
Introduction
RevGurus is an ISO 27001:2022 certified organization. This Security Policy defines our commitments and controls to protect the confidentiality, integrity, and availability of information.
Confidentiality
Access controls are strictly enforced for all employees. User access is granted based on role and business need. Only approved employees may access customer systems after onboarding to customer projects and receiving customer approval. All user accounts are tracked and reviewed periodically.
All employees and contract personnel are bound by our information security policies regarding the protection of sensitive, confidential, and organizational data.
Personnel Practices
RevGurus performs background verification for all employees as part of hiring. All employees receive ISMS security awareness, privacy and confidentiality, ethics, and compliance training during onboarding and periodically thereafter. All employees must read and sign a non-disclosure agreement covering security, availability, and confidentiality.
Network Protection
The network firewall has been configured as per industry best practices. It is configured to “deny” inbound traffic that is not in response to internal requests.
The firewall is configured to protect against network- and application-level attacks, and to secure against intrusion attempts, malware, trojans, and other threats.
Compliance
At RevGurus, we have established internal processes as per the guidelines in ISO 27001:2022.
ISO 27001:2022
ISO/IEC 27001:2022 is the specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes the legal, physical, and technical controls involved in an organization’s information risk management processes.
Incident Management & Response
RevGurus has a defined incident response and escalation procedure for reporting security incidents. The escalation matrix is accessible to all employees to enable immediate reporting. In the event of a security incident, RevGurus will notify the customer as defined in the applicable SLA. Our IT team can promptly identify privacy breaches and contain security risks.
Internal Audits
The RevGurus IT team conducts spot checks to ensure security controls are effective. Corrective actions are taken to address any deviations. Internal audits are conducted annually to ensure procedures remain in effect.
Authentication
We operate on the principle of least privilege; access is granted only to the level required to perform job functions. Roles and responsibilities are segregated to reduce opportunities for unauthorized or unintentional modification or misuse of information.
Employees may access project-specific data only for projects to which they are assigned. Access is defined to prevent unintentional modification or misuse of customer data. All employees have unique user IDs for individual accountability; shared IDs are not used.
Vulnerability Assessment & Penetration Testing
Vulnerability assessment and penetration testing of all systems and the internal network are performed annually by an external security vendor. The VAPT process includes:
- Internal vulnerability assessment
- External VAPT
- Remediation and compliance verification
Data Loss Prevention (DLP)
All endpoints have endpoint protection installed. Periodic monitoring identifies noncompliant devices, and the IT administration team is authorized to remediate or take action on such systems and devices.
Information Security Audit
The information security audit is performed by qualified third-party assessors. The Internal Audit (IA) team is responsible for ensuring compliance with the ISMS framework across the organization. The IA team meets annually and has the following responsibilities: