We have implemented security measures in accordance with our certifications during every phase of development and operations.
How Signify handles security during development
In accordance with the SDL, Signify takes the following actions during design, development, and testing:
- A security risk analysis is performed for every new development project and for every significant change to an existing system or development project.
- Automated code analysis and manual code reviews are regularly performed during development.
- Third-party code, including open-source code, is analyzed to identify and mitigate vulnerabilities.
- Hardening of the operating system and applications is performed for products, devices, and cloud-based solutions.
- Appropriate network security and firewall rules are implemented and reviewed regularly.
- Encryption of data in transit and at rest is implemented in accordance with generally accepted best practices.
- Penetration tests are performed before each major commercial release of a system.
How Signify handles security during operations
After secure development, our systems are commercially released, and the operations phase starts. During operations we take the following measures.
Global software operations
Our cloud-based systems are managed by a specialized global operations team to ensure proper segregation of duties and adherence to least-access principles.
Access rights to information
Multiple authorization levels are used when granting access to the data in the system. When a Signify employee leaves the company or moves to a different role, their access rights are reviewed and revoked if needed.
Segregation of duties and least privilege access principle
We have defined authorization profiles in accordance with least privilege and segregation of duties principles and restrict and control the allocation and usage of privileged access rights.
Our employees and subcontractors are granted access only to those parts of the system needed to perform the tasks associated with their role in operating the system. Development and operations are managed in separate environments by separate teams.
A password policy and technical controls are in place in our systems and internally within Signify that prohibit the sharing of passwords, govern responses to password disclosures, require default passwords to be changed, and require users to change passwords on a regular basis.
All systems that manage customer data are protected by encryption and by the following measures:
- Cryptographically secure random number generation
- Cryptographic functions designed for the expected product lifetime
- Sensitive data at rest and in transit encrypted with generally accepted industry standards
- Logically separated development, testing, and production environments
- Detection, prevention, and recovery controls to protect against malicious or unauthorized access
- Defined and established roles and responsibilities for technical vulnerability management, including vulnerability monitoring, vulnerability risk assessment, patching, asset tracking, and any required coordination. Depending on how urgently a technical vulnerability needs to be addressed, the action is carried out under either our maintenance procedures or our information security incident response procedures.
- Protection of the infrastructure used to operate the system, by ensuring that all systems, networks, and supporting infrastructure comply with our security requirements and with industry-standard benchmarks. This includes removing or disabling unused networking and other computing services, installing firewalls at multiple levels, changing all default account names and default passwords, and putting the appropriate technical measures in place (for example, anti-malware and logging).
- An identified and continuously updated inventory of assets
- A rigorous process for the distribution of keys and secrets
- Operational redundancy designed into our system on a risk basis
We perform technical security reviews such as penetration testing, vulnerability assessments, configuration reviews, application testing, and code reviews. Such reviews shall not impact our customers’ business processes. We review our procedures on a yearly basis.