4.2.1 IT Governance framework.
We conform to, adhere to, and implement the general requirements of ISO 27002-2013 and SOC 2 Type 1 and 2.
4.2.2 IT Equipment.
All employees are issued Innovisor-owned equipment, and all Innovisor-owned equipment is managed by the office IT Information Security Manager. Per company policy, employees cannot store your information and Personal Data on removable media. If Innovisor-owned equipment is being disposed of, the IT Information Security Manager removes data by considering the following steps:
- overwrite data on the device (e.g., overwrite a device with binary zeroes or random data under Unix); and
- re-install an operating system on the drive.
We use antivirus software on endpoints and servers that store, transmit or process your information and Personal Data. The antivirus signature files are kept up to date, and system and security patches are applied in a timely manner to the endpoints and servers that store, transmit and process the personal information and data.
4.2.4 Timeout period on applications.
We institute an inactivity period on applications and systems that are used to store, transmit, process or access your personal information and data.
4.2.5 Third-Party Service Providers
We use third-party service providers, all of which are cloud-hosted. Their data centers are located in the European Union and all communications are sent over SSL/TLS connections. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) technology protect communications by using both server authentication and data encryption. We have adopted storage and transmission practices of the most secure institutions in the world by using 256-bit AES encryption to encode data during storage and transmission. This ensures that information and personal data in transit are safe, secure, and available to intended recipients.
We impose a minimum password length and complexity on any of the SaaS vendors and IT equipment. Passwords must:
- be at least 8 characters in length;
- not be equal to current and previous passwords;
- not be a single word that appears in the dictionary; and
- be composed only of characters in the Roman alphabet, numbers, or symbols on the US keyboard.
The Innovisor password policy also mandates a new password after three months.
After ten failed login attempts, the user account will be locked out and the user will be requested to contact the IT Information Security Manager to re-activate the account.