Security Controls

Every person, team, and organization using Diligent applications and services expects their data to be secure, available, and handled according to strict confidentiality and privacy principles at all times, and we understand how important this is. We have built our global business on the trust our customers place in our ability to safeguard their data, and continue to maintain that trust through our security and compliance initiatives and culture of continuous improvement.

Security Controls Mission Statement

Confidentiality and integrity of customer data is our most important mission. We make all commercially and professionally reasonable efforts to maintain the highest levels of each, as customers would expect from us and themselves. We regularly assess risk, monitor our controls, evaluate potential threats, and use this information to update our controls framework from policies and procedures to encryption protocols.

Our Commitment

We are committed to providing a robust and secure service that protects our customers’ data. We provide our service to customers and we also use it ourselves, storing our corporate data in our products. We do so knowing that our platform is built upon industry-standard security technology, refined principles and practices, and ongoing investments in security training, testing, independent audits, expert consulting, and advanced tooling.

Security Environment and Principles

We have a dedicated Security department consisting of over a dozen security professionals focusing on product security, security operations, incident response, risk management, and compliance. The Security Team is overseen by a Chief Information Security Officer (CISO). Our multi-layered security environment follows the principles of least privilege, separation of duties, defense in depth, and usability. Customers have ownership of user access controls and manage the entire customer data life cycle in deciding:

  • What data goes into their system
  • How long it should be retained
  • What data should be deleted
  • Who can access the data

Incident Management

We have a robust Incident Response Plan to promptly and effectively manage incidents that impact the system environment. This plan is in place to both minimize potential damages that could result from a data breach and to ensure that parties affected by the data breach are properly informed and educated on how to protect themselves.

The Security Incident Response Team (SIRT) is responsible for responding, managing, and conducting security investigations, including all aspects of communication such as deciding how, when, and to whom the findings shall be reported.

The lifecycle of a security incident at Diligent

The Diligent incident management lifecycle encompasses six phases: preparation, detection and investigation, containment, remediation and eradication, recovery, and post-incident activities.


Preparation

Preparation includes those activities that enable the SIRT to respond to an incident: policies, tools, procedures, training, effective governance, and communication plans. Preparation also implies that the affected groups have instituted the controls necessary to recover and continue operations after an incident is discovered. Post-mortem analyses from prior incidents should form the basis for continuous improvement of this stage.

Detection and Investigation

Detection is the discovery of the event with security tools or notification by an inside or outside party about a suspected incident. This phase includes the declaration and initial classification of the incident. We monitor and investigate all events and reports of suspicious or unexpected activity, and track them in an internal ticketing system. Investigation is the phase where SIRT personnel identify and determine the priority, scope, and root cause of the incident. The investigation phase should include the completion of an “Incident Log”. The incident log can be used during the following phases of the incident to keep track of all incident activities. It serves as a reference aid during incident closedown and can also provide information for the lessons learned phase.

Containment

Containment is the triage phase where the affected host or system is identified, isolated or otherwise mitigated, and when affected parties are notified and investigative status established. This phase includes sub-procedures for seizure and evidence handling, escalation, and communication. All evidence will be handled in accordance with local evidence handling procedures and legal requirements.

Remediation and Eradication

Remediation is the post-incident repair and recovery of affected systems and/or data, communication and instruction to affected parties, and analysis that confirms the threat has been contained. Apart from any formal reports, the post-mortem will be completed at this stage, as it may affect the remediation and interpretation of the incident.

Recovery

Recovery is the analysis of the incident for its procedural and policy implications, the gathering of metrics, and the incorporation of “lessons learned” into future response activities and training.

Post-Incident Activities

Post-incident activities within the recovery stage include “Lessons Learned.” Lessons Learned allows the SIRT to identify any weaknesses in the plan and the supporting policy and/or process, and to put in place remedial actions to mitigate any further such incident. During lessons learned, the SIRT will review the incident and examine all associated artefacts to identify the root cause. Lessons learned are documented and used to improve the plan.