Security

Introduction

Protecting customer information is critical to interviewstream. We understand the importance of customer information privacy and go to great lengths to ensure it is not exposed to unauthorized parties, inappropriately altered, or unavailable at the time it is needed. A well-defined structure is needed to provide the governance needed to maintain customer information privacy. interviewstream continually works to maintain alignment with the International Standards Organization (ISO) 27002 cybersecurity framework to protect digital assets.

Roles and Responsibilities

interviewstream has implemented an effective Cybersecurity Program to engage employees and maintain security of information as its processed, transmitted, and stored. The Information Security Oversight Board (Board) establishes security objectives and ensures the organization adjusts to the changing threat and technology landscape. The Board is comprised of business and IT leadership dedicated to the protection of customer data.

Technology Risk Controls Implementation

interviewstream deploys several information security controls to protect customer data. These controls are designed, implemented and maintained by using industry leading practices and are reviewed periodically to ensure they are effective.

• People Operations Security

  Employees recognize their obligation to the privacy of customer data within interviewstream’s custody and management. Employees acknowledge this responsibility by signing the Employee Handbook as a condition of employment. All interviewstream candidates must pass a stringent background check conducted by a qualified third party before being offered a position. The background check includes criminal history.

• Information Security Awareness Education and Training

  Employees are the first line of defense in security. A comprehensive security and privacy employee awareness and training program has been developed. The goal of this program is to enhance employee awareness in order to ensure that data is handled in accordance with policies and standards.

• Information Systems, Acquisition, Development and Maintenance

  interviewstream strives to incorporate security requirements prior to developing or acquiring new systems. Our goal is to consider interviewstream security principles and guidelines, and build privacy and security in during the design of systems. interviewstream applies leading software security practices as prescribed in OWASP Application Security Verification Standard (ASVS) to identify and resolve well-known web application vulnerabilities. Additionally, interviewstream performs security testing during each stage of the development and deployment process to verify major weaknesses are eliminated.

• Cloud and Infrastructure

  interviewstream isolates all services in a Virtual Private Cloud (VPC). Production systems are isolated and network traffic to hosts is controlled. Direct administrative access to cloud resources is highly restricted. Multi-factor authentication is enforced for cloud services administration and administrative access to provisioned resources.

• Customer Isolation

  In addition to access control, interviewstream has implemented techniques to segregate customer environments and prevent data leakage. Isolation is addressed at each layer in the technology stack such as the network, storage, server, virtual infrastructure, database, and application.

• Access Control

  The goal of access control is to restrict access to data by limiting user and administrative network access to system resources. A periodic review of access is conducted to verify user and administrative access is appropriate. interviewstream requires two-factor authentication for privileged administrative access. interviewstream protects secrets by using leading practices to salt and hash credentials before they are stored.

• Encryption

  Encryption is deployed to maintain the privacy of customer information. Data is encrypted at rest and in transit using secure ciphers and 256 bit key length. Leading key management practices are followed including periodic key rotation. Encryption of communications includes API calls, client communication, and replication of data to support disaster recovery.

• Change Management

  The appropriate controls are in place to ensure the integrity of all changes within the interviewstream Software-as-a-Service (SaaS) environment. All changes made to production systems are controlled by documented and approved change management processes.

• Vulnerability Management

  Monitoring of system components is performed to identify well-known hardware and software vulnerabilities and the patches needed to address them. The interviewstream DevOps schedules patch implementation in accordance with risk. Additionally, interviewstream continually monitors to identify operational threats and implements the appropriate countermeasures in a timely manner. Adapting to the changing threat landscape is a critical component of the interviewstream Cybersecurity Program.

• Information Security Incident Management

  Incidents can pose an immediate threat to the privacy of interviewstream customer data. Our Information Security Incident Management process provides for monitoring, detecting, and responding to these incidents in the most effective and efficient manner. Incident remediation is the primary objective of security response. This includes containing the incident, determining root cause, and implementing corrective controls needed to prevent re-occurrence. We are committed to timely resolution to ensure customer data is protected.

• Disaster Recovery

  interviewstream replicates data across multiple Availability Zones (AZs) and has implemented processes to recover systems and data from regularly-completed backups in the event of catastrophic events. A disaster recovery exercise is performed quarterly to validate the effectiveness and efficiency of the recovery process.

Security Assessment

interviewstream engages external parties to conduct security vulnerability assessments and penetration tests to validate the effectiveness of security controls. Assessment results are used to prioritize security activities to ensure the confidentiality and integrity of data is maintained.

Summary

interviewstream leadership is focused on providing the right governance to defend against customer data loss (accidental data leakage or targeted attacks), monitor and identify intrusions, and respond to security incidents in an effective and efficient manner. We are committed to maintaining effective controls in a constantly changing climate.

Contact Information

For additional information regarding this Security Statement, please contact privacy@interviewstream.com.