Security Practices
Updated September 22, 2023
At Big Village, we pride ourselves on protecting our business, clients, partners, and our people by handling information and data with the utmost care. We take the security of all data very seriously and consider this one of our primary responsibilities. We aim to be as open and transparent as possible about our security practices. You can find and download a copy of our externally published Technical and Organizational Measures here. These measures are further outlined below.
Please feel free to contact us at infosec@big-village.com, and one of our friendly security professionals will reach out to you ASAP.
OUR MISSION
Big Village has established and maintains a formal Information Security Program. This program is resourced and empowered through an executive charter that outlines its purpose aligned to our business. The charter is reviewed and accepted annually by Big Village’s leadership to reaffirm our commitment. A copy of the charter can be provided upon request.
It is our policy that:
- Big Village will always seek to protect our company and our ability to service clients from information security threats to our business and operations
- A formal information security program and underlying Information Security Management System will be operated to meet the security needs of Big Village, our clients, and other interested parties
- The program will be maintained by an Information Security Officer with authority for its ongoing direction and purpose
- The program and its objectives will be derived from business objectives prioritized and approved by executive leadership – these include Big Village’s overall business strategy, contractual and regulatory requirements, and use of technology
- The program will enable the standards, principles, governance structures, strategy, and technical and organizational measures necessary to secure the organization
- Big Village will proactively invest in the program; it will be sufficiently resourced to collectively manage needs across compliance, risk, and security
- The program objectives will be approved and regularly reviewed by executive leadership via Big Village’s Information Security Oversight Board
ORGANIZATIONAL SECURITY
Big Village’s Information Security Program addresses the administrative, organizational, and human aspects of security as a critical first step to ensure data protection is a well-established cultural element to our business.
CONFIDENTIALITY
Big Village establishes confidentiality by ensuring only those employees who require access to client data are provided access, and that the level of access provided is consistent with their job function. Access to client data is assigned based on level of data classification and minimum level of access required.
The operation of Big Village services requires that some employees have access to the systems which store and process client data. For example, IT staff such as systems administrators may be able to access client data to effectively support a system or diagnose a problem. These employees have separate user accounts for administrative and non-administrative duties, and they are not authorized to view or access systems with client data unless it is required for their privileged job function. Technical controls are in place to ensure such access is logged where feasible.
The controls that support confidentiality are extended by Big Village to our vendors and suppliers and validated through our Third-Party Assessment Program.
Big Village has invested in industry-leading security technologies providing a high level of assurance and trust for our clients. Security controls are regularly reviewed and updated internally, and they are validated by external partners on an annual basis through audits and penetration testing.
PERSONNEL PRACTICES
All Big Village employees, contractors, and suppliers must adhere to our information security policies regarding protection of client data.
Candidates for employment undergo background checks and are required to sign confidentiality agreements before joining Big Village. All candidates are screened for competency for their role. Job responsibilities related to security within the organization are defined and communicated prior to employment.
Upon hire, all employees are provided security orientation training and are required to read and acknowledge their understanding of Big Village’s information security policies for data protection and acceptable use.
Employee and third-party onboarding and offboarding processes have been developed to ensure accurate and effective controls are followed for provisioning and deprovisioning access. These processes are systematically employed wherever possible to minimize human error and provide timely execution and reporting.
SECURITY AWARENESS TRAINING
All employees are provided security awareness training on a regular basis (quarterly) that reminds and reinforces Big Village’s policies. The training measures all employees’ sentiment, engagement, and knowledge of security best practices and concepts. The Big Village Infosec team uses this training to create additional focused training sessions for major regulatory requirements, for example GDPR, CCPA, and HIPAA.
OUR TEAM
Big Village employs experienced security professionals ensuring its Information Security Management System (ISMS) is effectively owned and managed. These individuals comprise Big Village’s Information Security Team and Incident Response Team. Dedicated roles include our Chief Information Security Officer (CISO), regional Compliance Officers, Risk and Compliance Analysts, and technical security staff. Together these teams oversee the following aspects of Big Village’s ISMS and information security program:
- Security strategy, governance, and policy
- Security architecture
- Operational risk management
- Security engineering and operations
- Incident detection and response
- Vulnerability management
- User education and awareness
At an executive level, an Information Security Oversight Board governs and authorizes security strategy to ensure alignment with overall company goals and provides necessary resourcing and budget for execution of the strategy by the CISO and security teams.
COMPLIANCE
To ensure the effectiveness of Big Village’s ISMS and related security controls, we have aligned our security practices to common industry standards and control frameworks including ISO 27001, HITRUST, and Cyber Essentials Plus.
Big Village is audited by independent external assessors for each of these frameworks on an annual basis.
- SOC2, Type II: Big Village’s Information Technology organization and business operations are assessed annually for a SOC2, Type II Security certification.
- SOC: The environments and service providers that host Big Village services maintain multiple security and data protection accreditations for their operations and data centers, including SOC. For information regarding their compliance, please visit AWS Security website, AWS Compliance website, Google Security website, Google Compliance website, and Microsoft Service Trust website.
MANAGEMENT POLICIES AND STANDARDS
Big Village’s policies, standards, procedures, and guidelines provide overall governance for security within the organization, thus providing context-based application of security frameworks aligned to our internal systems and processes. These documents and related processes comprise Big Village’s Information Security Management System (ISMS) at a top-level, and they provide the guidelines for employees to observe and practice security in their day-to-day job roles.
These documents include, but are not limited to:
- Code of ethics and conduct
- Information technology acceptable use policy
- Big Village’s house rules for security
- Information security policy
- Information security exceptions policy
- Risk management policy and process
- Access control policy
- Asset management policy
- Information classification policy
- Data retention policy
- Change management policy
- Secure workplace (clear desk and screen) policy
- Network and communications security policy
- Compliance policy
- Encryption policy
- IT assets and services acquisition policy
- Cloud services policy
- Security roles and responsibilities policy
- Incident response policy and process
- Mobile device and remote working policy
- System development policy
- Open source software policy
- Operations security policy
- Third-party and supplier relationships policy
- Ransomware response policy
- Vulnerability management policy
These policies are living documents and are reviewed and updated on an annual basis. They are available to all employees via our company intranet. Redacted copies can be requested by clients as needed by contacting infosec@Big-Village.com.
AUDITS AND ASSESSMENTS
Big Village evaluates the design and operation of its ISMS through annual external audits. This ensures compliance with internal and external standards. On an annual basis, Big Village engages qualified and credentialed third-party assessors to review our controls. The reports from these audits are shared with the Information Security Oversight Board and executive leadership. All findings are tracked to resolution.
LEGAL AND PRIVACY COMPLIANCE
Big Village employs dedicated legal and compliance professionals with extensive expertise in data privacy and security. Along with the security team, these individuals are embedded in the development lifecycle for new services and technologies, and they review products and features for compliance with applicable legal and regulatory requirements. They work closely with development teams, IT, and security teams to ensure client, third-party, and regulatory requirements are met on an ongoing basis.
PENETRATION TESTING
On an annual basis, Big Village engages a qualified and credentialed external security services provider to perform penetration testing of the network and systems that support Big Village’s corporate technology services. Testing includes Big Village-managed infrastructure and systems underlying customer services. The requirement for annual testing is extended into our supply chain through Big Village’s third-party supplier & risk assessment program. Findings from Big Village and third-party test reports are tracked to resolution.
DATA PROTECTION
ENCRYPTION IN TRANSIT AND AT REST
Any information transmitted to or from Big Village over public networks uses strong encryption. This includes communications via e-mail where strong encryption protocols are supported by both parties. Big Village’s standard for encryption is TLS 1.2 or later protocol with AES-256 and SHA2.
Big Village classifies all client data as Confidential. Such data is always encrypted while at rest or in transit where technically and commercially feasible to do so.
User devices including laptops, smartphones, tablets, and other media are prohibited from transferring, storing, or processing Confidential data. These devices are encrypted at rest using IT-managed encryption technologies with AES-256. This includes removable media such as USB drives.
Data backups are encrypted both on-site and off-site.
Key management ensures keys are stored separately from the systems they protect.
Big Village hosts its services with industry-leading data center providers in facilities that are ISO 27001, HIPAA / HITRUST, PCI, and SOC 2 Type 2 compliant. This ensures best-in-class protection for physical and virtual assets located within these centers. All providers encrypt all assets, including data in transit and at rest, for services used by Big Village.
LOGICAL ACCESS CONTROLS
All electronic data stored by Big Village has strict access controls enforced through multiple layers of security. Big Village’s access control methodology adheres to the following core tenets of access management:
- Role-based access: access is provided only to those who require it
- Separation of duties: employees with privileged access must have this access granted independently, with a separate set of credentials, from non-privileged access
- Least privilege: the minimum amount of access required to perform one’s job function is granted
- Conditional access: access is dependent on certain conditions, for example time of day, location, or means of authentication
To this end, Big Village employs the following measures:
- All systems used at Big Village require users to authenticate using a unique set of credentials assigned to each user
- Multifactor authentication (MFA) is used for all systems and services that support it – this includes all Big Village corporate employee accounts
- System administrators have unique credentials for privileged and non-privileged accounts
- Access is logged, and suspicious logon attempts are systematically reviewed and alerted to the security team
- Access levels are regularly reviewed as part of Big Village’s internal audit function, specifically our Compliance Assurance Plan (CAP); included in the CAP is a review of third-party supplier access, privileged access, and inactive accounts
- IT administrator access is reviewed regularly to ensure the level of access granted is still appropriate for the employee’s current job function.
Big Village has implemented safeguards to protect secrets including the creation, storage, retrieval and destruction of service account credentials, access codes, and encryption keys. Secure password vaults are used within IT to store credentials and delegate access to staff as needed.
PHYSICAL ACCESS CONTROLS
Big Village offices have access control mechanisms in place such as key cards and numeric keypads which are fitted to all ingress/egress points and secure internal locations.
Areas housing sensitive information or systems for the storage, transfer, or processing of data are restricted to ensure only authorized employees are permitted access. CCTV systems exist in Big Village offices including at all ingress and egress points; these retain video recordings for at least 30 days.
Visitors to Big Village facilities must show valid identification, have an employee sponsor their visit, sign a visitor log, and wear a visitor identification badge.
NETWORK SECURITY
Big Village has adopted a “zero-trust” model for network security. This model requires that any worker, in any location, using any device must have access control and application sessions authorized by a network policy. Details of this model can be shared with clients as requested. Connections to the internal Big Village network are strictly controlled and require authentication regardless of ingress point. Wireless network connections require two factors of authentication and are restricted to Big Village devices only.
All devices connected to the Big Village network must meet an initial security baseline; once connected, they receive regular patches and updates for vulnerabilities even if they are later disconnected from the network.
Networks are segregated physically and logically based on security classification of systems and data made available on each segment. Network access controls on devices such as firewalls, routers, and servers ensure only traffic that is required for a given service is accessible within or between network segments.
Network monitoring is performed at the data center edge to detect anomalies and inbound network-based attacks. In keeping with the zero-trust model, monitoring is also performed on end-user devices.
AUTHENTICATION
Big Village has strong policies and controls for user authentication and password management. These policies reduce the overall number of accounts required across applications and services thus reducing risk of multiple accounts and password re-use.
To further reduce the risk of unauthorized access, Big Village employs multi-factor authentication for all employee user accounts including third-party and administrative accounts. Where technically feasible and appropriate, Big Village uses encryption keys for authentication. For example, access may require an SSH key in addition to a Big Village username and password.
All user and administrative passwords are required to incorporate several factors of complexity and be created without references to common dictionary words or patterns.
Big Village conducts sophisticated real-time analysis of every user logon attempt, and it alerts the security team when suspicious logon attempts or anomalies are detected.
DATA CLASSIFICATION AND LABELING
Big Village classifies all data we control or process, including client data, to ensure appropriate levels of protection and control. Client data is classified as Confidential and requires the following measures:
- Role-based access
- Sharing authorization by owner only (no transitory sharing)
- Strict access controls / least privilege
- Encryption at rest and in transit
- Logging of all access
- Additional controls for Data Loss Prevention (DLP) and Information Rights Management (IRM)
- Defensible destruction
DEVICE AND WORKSTATION SECURITY
Big Village workstations run monitoring and configuration tools to enforce security baselines and to prevent suspicious activity or unsafe configurations. End-users are limited in the administrative actions that can be taken on a workstation.
Malware detection occurs in real time through inspection of code in storage and in memory as code is executed.
All workstations use full disk encryption to prevent data loss or theft.
MOBILE DEVICE MANAGEMENT
All mobile devices used within Big Village are encrypted. Big Village utilizes a Mobile Device Management platform to control configuration and policy for remote devices used to transact company business including laptops, smartphones, tablets, and removable media.
It is Big Village’s policy that mobile devices and removable media are not permitted for use for storage, transfer, or processing of any sensitive data.
DATA AND ASSET DISPOSAL
Client data is removed and deleted when no longer required. Many of Big Village’s processes for data removal are automated. Big Village defines policies and standards requiring all physical assets and media to be properly destroyed (if no longer required for use) or sanitized (if being repurposed for use).
OPERATIONAL SECURITY
Big Village’s operational security practices include mature processes for service and change management aligned to the ITIL framework, centralized logging and monitoring, on-site and off-site data backups, technical vulnerability management, operational and security risk management, incident management, and asset management. Together these ensure a reliable and effective base from which to protect Big Village and client assets.
Our security team performs frequent scans of our network, systems, and application assets on a continual basis. Findings are documented, reported, and tracked to remediation.
Big Village’s security team collects and stores network, system, and application logs for analysis. These logs are stored in a dedicated platform that is protected from modification by IT staff. Analysis of logs is automated to the extent feasible technically and commercially.
RISK MANAGEMENT
Big Village employs an internal risk assessment process to review its business units for technical, operational, and administrative threats and weaknesses. This process includes an audit of systems, data, and processes used within the business to ensure alignment with Big Village policy and control measures. Where gaps and risks are discovered, these are documented, reported to accountable stakeholders, and tracked to resolution.
SECURE DEVELOPMENT LIFECYCLE
For systems and applications developed by Big Village, we take a variety of measures to prevent the introduction of malicious or erroneous code to our environments and to protect against unauthorized access. This includes:
- Separation of production and non-production environments
- Change management
- Developer training
- Secure code repositories and version control systems
- Secure code analysis
- Application vulnerability management, e.g. OWASP 10
- Strict policies regarding open source software
- Security hardening of host systems and infrastructure
COMPLIANCE ASSURANCE PROGRAM
Big Village abides by a “Plan, Do, Check, Act” cycle for security management. In support of this, an internal Compliance Assurance Program (CAP) has been enacted to help us address the most common threats and vulnerabilities attackers use today. The CAP is an internally developed program that ensures we continuously check the effectiveness of our processes related to security controls so improvements can be made and so any erosion of these processes is readily identified.
At Big Village, we are keenly aware of our role as a service provider to our customers. Through the CAP, we also self-check our processes and controls to ensure these are met in accordance with our contractual obligations.
THIRD PARTY SUPPLIERS
Big Village has a formally established third-party vendor and supplier risk assessment program. New vendors in scope with any form of technology-based service, including the storage, processing, transfer, or analysis of data, are reviewed by Big Village’s security team.
All third parties are assessed and tracked within a Governance, Compliance, and Risk (GRC) platform that captures key elements of each assessment and provides for effective risk processes and reporting.
Third-party assessments are conducted during vendor or supplier onboarding to Big Village through manual interrogation by Big Village’s information security team. This occurs prior to vendors participating in any live projects and thereafter on an annual basis.
A third-party assessment is a detailed process that requires vendors and suppliers to provide evidence of security controls no less effective than Big Village’s own controls and demonstrating due care of sensitive assets and data. Any gaps are reported to management and required to be remediated before the vendor or supplier is authorized for use by Big Village.
DISASTER RECOVERY AND BUSINESS CONTINUITY
AVAILABILITY
Big Village’s internal systems and those which house or support customer systems and data follow a robust technology standard aimed to ensure maximum uptime. This technology standard includes:
- Redundancy and high availability by design eliminating single points of failure
- Geographically segregated facilities / computing locations including backups stored in different regions from primary data
- Service provider, network, and supplier diversity
- Strict use of technology platforms that are recognized as best-of-breed within their service areas, providing a high degree of availability and support
- Virtualization providing for rapid portability and provisioning of systems and data
- Remote working technologies
DISASTER RECOVERY
Big Village’s formal disaster recovery program is based on the ISO 27031 standard and defines a purposeful and relevant approach to ensure survivability of internal and customer systems during a disaster event. The program includes the technical, administrative, and procedural measures required for effective preparation and response, including:
- Required policies and standards
- The program leadership and teams
- Objectives for availability and recovery including RTO and RPO
- Classification of systems and assets for recoverability
- Planned processes and standards for operations and execution including communications, critical decision-making, change management, and security incident response
- Risk impact assessment aligned with Big Village’s security risk assessment processes
Together these measures constitute Big Village’s disaster recovery planning. Plans are updated annually to ensure effectiveness.
Big Village maintains backup copies of production data in remote locations from primary data. Recovery tests for data are performed on a regular basis.
PANDEMIC AND REMOTE WORKING
In addition to our technology availability and continuity plans, Big Village maintains a pandemic and remote working plan. Through this plan, Big Village is capable of efficiently transitioning our core business operations to a 100% remote workforce while sustaining customer services.
This plan is tested annually and was successfully executed during the 2020 Covid-19 outbreak.