Security is very important to CAN since we work with our clients' most sensitive information and provide them insights that are essential to the future of their organizations. Our clients trust us with their most valuable information including business plans, intellectual property, financial and customer data. We work daily to respect that trust. The following is an introduction to how CAN maintains the security of all of our systems, sensitive data, and Contemporary Analysis.
1. Sensitive Data
The first step to protecting CAN's sensitive data is to limit any unnecessary data. We require CAN's clients to scrub any sensitive data that is not needed to build models. For example we can often build robust models without having to have access to names or addresses. A CAN Navigator and Data Scientist can help you determine what data is necessary and how to scrub any unnecessary sensitive data.
The second step to protecting CAN's sensitive data is classifying data by type, security level, and access permissions. All sensitive information is labeled by client, project, and security level. CAN employees are provided only the data required to fulfill their job description. CAN classifies our data into three major categories, each with a default type, security level and access permissions.
1. Public data is not sensitive and is accessible to everyone at CAN. Public data is information that is available on the Internet and is widely available to people outside of CAN and CAN's clients.
2. Internal data is sensitive and is accessible to only executives at CAN, and as needed. Internal data is data that is used to operate CAN's business.
3. CAN Client data is sensitive and is only accessible on a project basis to the data scientists, sales executives and navigators that are working. Permission to the data is removed as soon as the project is completed. CAN client data is any information that we receive from a client, and includes temporary data files that CAN uses to generate deliverables and also deliverables for clients.
2. Data Management
CAN stores all data in a central location and also carefully manages devices and people that have access to specific types of information. All of our data is stored in a secure and encrypted hosted environment. Our IT infrastructure is designed so that in case that a device goes missing or is compromised, CAN can identify the location of that device, terminate access to CAN's network and data files, and remove the encryption key to the hard drive.
CAN has also increased the simplicity and security of our data management policy by not permitting the use of USB powered drives and other external hard drives. With the state of CAN's network and technology, USB powered drives and external drives are unnecessary and a major threat to the fidelity of CAN's network and data management. When possible CAN uses SFTP, "SSH File Transfer Protocol", when transferring data within and outside CAN's network.
All data transferred between CAN and Client requires a encrypted USB drive or secure FTP. CAN requires that only new encrypted USB drives are used, and that the drive is either shredded after the transfer or stored in a locked container at CAN HQ.
We use encryption on all disks and devices to add an additional level of security. Even if someone was able to get a hold of a CAN device or break into CAN's network without access to the encryption key it impossible to use the data stored on a device.
CAN uses disk encryption on laptops, desktops, mobile devices, and servers. CAN also encrypts data in motion between laptops, desktops, mobile devices, and servers. In addition to device level encryption, each client's data is stored on encrypted virtual drives. This keeps each client's data separate, and keys are only provided to the data scientists, sales executives and navigators that are responsible for that specific project. Only data scientists are provided the encryption key to the client's raw data.
In the event of a security breach CAN is able to revoke the disk encryption key of all of CAN's laptops, desktops, mobile devices and servers as soon the device is connected to the Internet. In addition, the encryption key is automatically removed and the disk erased after 10 failed attempts to access a device. Once the disk encryption key is removed the data is unreadable.
It is important that the right people are accessing the right information. CAN uses password, software, and physical access control to protect against unauthorized access. We require that every device used by CAN employees or contractors used when performing their job responsibilities require passwords to access, lock out for 10 minutes after 3 unsuccessful log-in attempts, and after 10 unsuccessful log-in attempts remove encryption key and start erasing the disk. User are required to change their password every 90 days, and will be promoted automatically. Passwords on phones and tablets will have 4 numbers, and passwords on other devices will require 12 minimum characters, and use at least 2 different character classes.
We control physical access to CAN's facilities. When our facilities are not occupied by CAN employees and contractors an alarm system is used. We are also investing in more advanced access control. In the future, employees and contractors use RFID badges to enter CAN HQ, individual floors, as well as the server room. Each door will also monitored by a camera. Each time a door is opened the badge id and a brief video clip will be recorded. These records will be reviewed once a month, and as needed.
5. Data and Disk Destruction
Disks and drives are stored securely at CAN HQ until properly shredded or destroyed. All employees and contractors are provided two trashcans, one for paper, disks and drives, and one for other materials. Trash is removed daily, and either stored or properly disposed of.
CAN's employees and contractors are required to help CAN maintain effective security. Employees and contractors receive security training when they start at CAN, and are required to participate in training each year. All employees and contractors are required to report any suspected or real security threat or breach.
7. Visitors and Guests
CAN has a lot of people that visit our offices. All guests sign-in and sign-out at the front desk of Suite 200. They use their drivers license or photo ID to sign-in. All guests are provided with a visitor badge. They are met at the front desk and their host escorts them until they leave the office. CAN also maintains a separate WiFi network outside of CAN's firewall for guests and employees that bring their own devices to work. Occasionally, depending on the nature of a guest's visit they are asked to leave their devices and bags at the front desk in Suite 200.
8. External Devices
CAN's employees and most of CAN's vendors, clients and contractors enjoy technology and are constantly investing in the latest and greatest consumer technology. CAN allows our employees, clients and contractors to bring external devices into our facilities. However, external devices are not allowed behind CAN's firewall, and are required to follow CAN's security policies, including monitoring and management by CAN IT and security staff.
9. Network Security
The fidelity of CAN's network is essential to protecting ourselves, our sensitive information, and our clients and partners' networks. We record and monitor all devices that connect to our network and their activity. Logs are reviewed monthly and as often as necessary. We also require that devices, including mobile, tablet, laptop, desktop and servers, use software to protect and identify malware and spyware attacks.
10. Disaster Recovery
CAN's IT and Security infrastructure allows CAN to respond quickly to national, local, company, and individual disasters. We maintain copies of all key systems in multiple locations, including static backups at CAN's facilities. All key systems, files, and applications are hosted and managed in a professional managed environment. Using hosted solutions allows CAN to leverage state of the art providers with investments in hardware, facilities, fire protection and redundant backups. Also, in the event of a disaster using hosted solutions allow CAN's workforce to quickly relocate to a new physical office or a virtual office environment. All that we would need is power and an Internet connection.
When designing CAN's security policies we wanted to make them as simple as possible so that our security policies were easy to remember, follow and enforce. There are more complex and sophisticated security systems, but simple systems get implemented, and only a security system that get implemented keeps anything safe. CAN and our clients are confident that these security policies will protect CAN, our clients, and CAN's sensitive data. We are continually refining and improving our security policies.
Please feel free to ask any questions that you might have.