ZYROUS COMMITMENT TO SECURITY
ZYROUS COMMITMENT TO SECURITY
The purpose of the Commitment to Security Statement is to provide Zyrous clients and prospective clients with an objective description of the security commitments of Zyrous and our approach to safe and secure data protection.
Commitment to Security:
Zyrous is a digital native organisation, this means that we are a cloud first company and do not manage company hosted networks or servers.
Client information is an important asset to our company and Zyrous, along with its employees, is committed to protecting the integrity, privacy and security of confidential information as required by law, professional ethics, and accreditation requirements under ISO 9001 quality management systems.
Zyrous acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Information generally, and protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded flow of information for lawful and appropriate purposes.
Zyrous has implemented appropriate privacy and security policies and procedures to meet, and in many instances, exceed, the privacy and security standards for five (5) key areas outlined below:
I. Administrative Safeguards
Zyrous has implemented policies, practices and procedures to safeguard protected information for its clients.
Security Management Process
Zyrous has implemented policies and procedures including an annual Risk Analysis to identify potential risk and vulnerabilities to the confidentiality, integrity and availability of client information and remediate those risks as needed.
Zyrous has a comprehensive Risk Management Policy including routine internal security audits, use of third-party security experts for client systems where appropriate and annual review of security policies and procedures.
Zyrous maintains a Sanction Policy as part of our corporate Privacy and Security Policy Manual regarding workforce member conduct relative to a number of areas that impact client information. The Sanction Policy highlights the potential range of penalties when a workforce member violates any of the policies. Workforce members are trained annually including the Sanction Policy.
Information System Activity Review
Zyrous has implemented automated and continuous system monitoring that provides alerts and notification to services staff. This includes procedures to follow when a system alert occurs.
Assigned Security Responsibility
Zyrous, through its management routines with the Directors of the company, has a Privacy and Security Committee responsible for the overall privacy and security at Zyrous.
Zyrous workforce members have access to client information based on their job function in order to minimize access to client information. Employment at Zyrous is subject to storing of sufficient identification within the employee local jurisdiction. Zyrous has a termination policy and procedure in place to ensure that access to client information is terminated upon a workforce member’s employment ends with the company.
Information and Access Management
Access to all resources is controlled by an inclusion policy only, meaning that access to areas by default is locked down. The level of access is based on the workforce member’s job description within the organisation and the client they are working on.
All Zyrous applications and data storage within their SaaS solutions, including its elements such as the network, servers, storage and databases are equipped and operated at high-availability.
II. Physical Safeguards
Zyrous hosts all its company data and applications using SaaS solutions, including client information data in dedicated spaces in data centers using google or AWS services. These are co-location facilities or dedicated spaces in these Tier IV data centers.
All security policies are set by the hosting facility. Zyrous has reviewed these policies and verified acceptability where deemed appropriate. They maintain 24/7 manned security. All doors have alarm contacts, the building has ballistic entrances/bulletproof glass and no signage. Only authorized employees have badges that will get them in any door. The physical security requires both a proximity badge and a palm print biometric authentication be performed before anyone can gain access to the facility via man traps. The data centers have recording cameras spread throughout and outside the facility and several motion sensor lights.
Aside from the aforementioned facility security implementations, Zyrous also has procedures and practices related to the following:
Two Factor Authentication
Zyrous has implemented policies and procedures that govern the access to the core authentication system for Zyrous using two factor authentication.
III. Technical Safeguards
Zyrous has implemented policies and procedures in order to ensure secure and controlled access to client data. These policies and procedures include:
Unique user IDs and secure passwords for access to systems Automatic Logoff procedures Data that is moving is encrypted using Secure Socket Layer and Transport Layer Security (SSL/TLS). Data at rest is either encrypted or de-identified using our SaaS solutions.
All interactively and remote database access and activities are also logged locally and centrally within their respective SaaS solution. All web access to the applications from users are logged in a platform and/or application specific database down to the activity level.
Person or Entity Authentication
User authentication is handled within the application. It is equipped with configurable options to comply with commonly enforced password policies in the market.
Zyrous’ applications are equipped with transmission security and data integrity mechanisms to protect the exchanges of Protected Information according to the Encryption Policy including SSL/TLS or SSH Encryption.
IV. Documentation Requirements
Zyrous has a comprehensive Compliance Audit Plan which includes a review of the following policies:
Annual Risk Assessment
Annual review of all Privacy and Security Policies
Annual review of Client Systems Management Program
Annual employee training