Security

IConduct is highly dedicated to customer security and treats it as a priority for further development. We use some of the most advanced security tools and follow some of the strictest security policies to ensure safe and reliable integrations for our users. Our top security priorities are preventing and eliminating risks, mitigating vulnerabilities, protecting user privacy, and keeping all high-end security services available at all times.

Cybersecurity is a critical concern for organizations of all sizes and types. To ensure that IConduct adequately protects its assets and data, we carry out annual compliance processes such as ISO 27001, SOC, and penetration tests. These standards provide guidelines and best practices for managing information security risks, including conducting regular risk assessments, establishing security policies and procedures, and implementing appropriate controls.

Our annual penetration testing process simulates a cyber-attack on our products and looks for vulnerabilities that malicious attackers could exploit. Penetration testing is an essential tool for ensuring the security of computer systems and networks. We are committed to addressing all findings and verifying with a third-party company that we are adequately covered for the future.

IConduct compliance

SOC

IConduct has been certified in accordance with the SOC1 standards by PwC. The internal audit was performed by Deloitte.

ISO 27001

IConduct has been certified in accordance with ISO 27001 by the Israeli institute of standards.

Dedication to security

IConduct highly values the safety of user data, and the board of directors stays in constant contact with a person dedicated to system security who is responsible for every security measure taken regarding the system. No sensitive information about IConduct users can be stolen or otherwise misused, because IConduct holds no user database: all information handled by IConduct is processed in RAM and disappears as soon as each process completes. The company also conducts an annual full-scale review with a third-party organization to ensure that IConduct management is fully involved in security matters.
All information about the system and its processes is protected both physically and digitally from leakage and damage on a number of levels, including the global AWS infrastructure, dedicated third-party systems designed to prevent leakage, and best-of-breed authorization systems.
IConduct is one of the most secure integration platforms: it carries out every available measure to protect the sensitive data of the system's users, keeps the system running efficiently at all times, and ensures that every person involved in controlling the system is fully aware of all of these security measures.

Security assessment FAQs

Corporate governance

Is sensitive customer information stored encrypted?

IConduct does not have a customer database and, therefore, does not store any customer information. Instead, the information is processed through the RAM memory and is automatically erased at the end of each process.

Does the organization have a risk assessment process that includes checking the organization's level of protection?

Once a year, a third-party organization conducts a survey with the full involvement of the organization's management.

Are there working procedures and a policy document in terms of information protection and cyber protection?

There is a detailed document that undergoes at least annual updates and requires approval from the organization's management.

Is there a list of assets in your organization?

There is a detailed list of assets that is updated at least once a year.

Awareness & Human resource

Are reliability processes/background checks carried out in the process of hiring the employees, and during their performance?

All employees are required to sign a Non-Disclosure Agreement (NDA), and strict reliability checks are conducted based on their positions.

Does your organization have a training and awareness program for cyber risks (including third parties: suppliers, consultants, etc.)?

To maintain a high level of awareness of security risks, IConduct implements various processes and procedures. To ensure that all our employees and suppliers understand these risks, we conduct multiple training sessions throughout the year, including a final test.

Is an orderly process carried out as part of the employment termination process for an employee or supplier, including revoking their privileges, returning the company's equipment and media, and requiring them to sign a confidentiality agreement?

Yes, there is an orderly process including closing permissions for all systems.

Physical security

Does your organization implement access prevention and physical security processes to prevent unauthorized access to areas such as: communications room, server room, operational area?

Yes, the facilities are highly physically secure.
All our infrastructure is hosted on AWS, which applies strict standards.

Does your organization maintain protection inputs against environmental damage (flooding, fire, power outages, etc.) for computers and computing equipment in accordance with accepted standards?

Yes, the facilities are highly physically secure.
All our infrastructure is hosted on AWS, which applies strict standards.

Does your organization have a mechanism for monitoring the physical access of the company's employees and its suppliers, including the use of security cameras in sensitive areas (server rooms, sensitive complexes, etc.)?

Yes, the facilities are highly physically secure.
All our infrastructure is hosted on AWS, which applies strict standards.

Access control

Does your organization implement a system to prevent information leakage?

Yes, a system was implemented to prevent information leakage, including control and investigation capabilities.

Does your organization have a 2FA user authentication solution implemented?

Yes.

Is the number of users with strong/high privileges limited to the minimum required?

Yes, a small infrastructure team has access to the production environments. All other users only have privileges to access low-level environments.

Is there a periodic authorization review process?

Yes, critical systems undergo a quarterly process, while the other systems have a median or annual process.

Does the access control policy in the organization apply the principle of compartmentalization, under which an employee is exposed only to the information required to fulfill his role, and the principle of granting minimal privileges?

Permissions are granted to individual employees based on their role and are approved by their direct manager.
Permissions are audited periodically according to the risk level.

Workstation and perimeter defense

Has your organization implemented any procedures to protect endpoints and servers?

We have a comprehensive procedure that is updated annually and is based on accepted best-practice recommendations. This procedure is applied to all servers and workstations, including Microsoft 365 Active Directory.
All our infrastructure is hosted on AWS, which applies strict standards.

Is protective software installed on workstations?

Yes, a managed and updated system is used in full deployment.

Does your organization have a security patch update management (patch management) process?

Yes, every quarter, we evaluate the necessity of updates based on their level of importance. After testing and receiving approval in low-level environments, updates are implemented as needed.

Control & Monitoring, Backup & Recovery

Does your organization monitor and review an event log of alerts received from security systems (AV, FW, etc.)?

Regular monitoring is in place, and we receive push notifications via email or cell phone about any suspected unusual event. As part of our work methodology, all technical teams conduct a weekly review of all alerts in a forum to learn from them and improve our processes.

Does your organization monitor and review an event log for actions performed by users with strong privileges (administrative privileges)?

The company has a few users with high permissions; reviews of their actions are carried out on a quarterly basis.

Is there a process of performing a proactive restoration in order to examine the quality and effectiveness of the backups?

As part of the company's information security policy, an asset mapping defines the indicators for business continuity, and once a year we practice DR, including backup and restoration.

Secure development & Event management

Does your organization have a cyber incident handling procedure?

Yes, there is a work procedure for dealing with a cyber incident.

Is developer access to the production environment controlled and monitored?

In accordance with our company's policy, developers do not have access to the production environment, and occasional reviews are conducted to ensure that access permissions are aligned with requirements.

Is the vendor's business information present in lower environments?

In the low-level environments, only dummy data is used (or a tokenization process is applied to sensitive data).

Is the software written in a Secure by Design approach?

Yes. The cybersecurity manager is involved in the development process starting from the requirements initiation phase, and the VP of R&D is guided by the company's cybersecurity policy.

In your organization, is the customer's information environment physically or logically separated from the environments of other customers?

Yes, there is physical separation between clusters of customers; each cluster is installed in a different AWS DC.
Apart from that, there is logical separation at the DB level.
The company's authorization mechanism is built so that users can do their work without seeing information they do not need; IConduct provides a flexible design that allows a data set to be revealed to different user groups. All users and application-level security are defined and maintained by the administrator (admin) of the organization (client side), not by IConduct.
Access to the system is role dependent and is controlled and documented by Cognito in AWS.
The product admin of the organization is determined by the client.
For control and documentation, IConduct maintains adequate administrative, physical, and technical safeguards.

Is a test conducted during software development to evaluate its resilience against common threats and adherence to accepted practices?

Yes, the tests are conducted within the code review and code scan process during development, and by the QA team during the testing process.
The company meets the requirements accepted in the industry (OWASP). As part of meeting these requirements, an orderly configuration management process is administered and security updates are required. All the company's infrastructure is managed in AWS and Microsoft Office 365, and relevant security updates are carried out as needed: hardening, software and security updates, ongoing examination of the architecture and its adaptation to changing information security risks, code scans by a third party, etc.
On top of that, a regular penetration test (PT) is done by a third party.

Is there an orderly version management process?

The company maintains an organized version management process that documents all changes made between each version, including content, database changes, release notes, and security improvements. Customers are notified about all changes included in the latest version compared to previous versions. The process is automated using Azure TFS, including continuous integration and delivery. A "Go/No-go" process is in place, and indicators are established to encourage continuous change and improvement, which are evaluated as part of a lessons-learned approach.

Are cyber protection and information security requirements included in the test scripts used by your organization's QA personnel?

Yes, a set of tests is conducted from a cybersecurity perspective for each version of the product. These tests are updated periodically in line with new developments and changes to the risk landscape. Additionally, as an R&D organization working in an agile manner, the QA team participates in the entire development process starting from the business analysis phase. During the design period, special tests are also defined that must be conducted according to the nature of the implemented development.

Has the cloud environment been robustly tested by an independent third party?

Once per year, a third party conducts a penetration test (PT) on the company's systems.

Does your organization maintain separation between operational information environments (including client environments) and low-level environments (such as development and test environments)?

The company's production environments are hosted on AWS infrastructure (4 different DCs), while low-level environments are hosted on TRIPLE-C infrastructure.

Cloud

Does the process of customer identification for accessing your environment require strong authentication measures?

When a user logs in, IConduct authenticates against AWS Cognito; the system asks the user to verify their identity using the AWS authentication method or, according to their choice, an identity provider such as Okta, SAML, or another SSO. In addition, Cloudflare protection hides IConduct's IP and provides a WAF.

More Common questions

Is there monitoring of abnormal user behavior?

Yes.

Does the company have a solution for email filtering?

Yes.

What protection technology is embedded?

Several different technologies have been implemented: WAF, Cloudflare, Bitdefender, and IP hiding.

Is TLS 1.2 enforced as the minimum encryption for web API traffic?

Yes.
