Symplicity’s Executive Team, Engineering, Security, and IT Teams collaborate annually on an overall risk assessment for the Company and the System. Risk management at Symplicity is the ongoing process of identifying, assessing, and responding to IT and security risks by taking steps to reduce risk to an acceptable level.
Symplicity’s incident response procedures are detailed in its Incident Response Plan. Our primary goals will be to investigate, contain any exploitations, eradicate any threats, recover Symplicity systems, and remediate any vulnerabilities. Throughout this process, thorough documentation will be required as well as a post-mortem report.
Symplicity uses native backup solutions provided by our Cloud Service Providers (AWS, Azure, OCI) to store and back up client data. Structured data, unstructured data, and user-uploaded files are all backed up and stored using AES-256 encryption. Access to Symplicity networks is heavily restricted using role-based authorization controls, multi-factor authentication, and other access controls.
Symplicity’s change management procedures are detailed in the Change Management and Software Development Policies, as well as within internal procedures. There are five requirements for all changes to the organization, business processes, information processing facilities, and systems that affect information security in Symplicity’s production environment. They are as follows:
Symplicity has a dedicated Information Security Team that maintains a Security Operations Center (SOC) Infrastructure that uses a combination of services to monitor its various infrastructures, networks, and systems. These include but are not limited to Microsoft Defender, AWS Systems Manager, AWS Security Hub and other security services, Oracle Cloud Guard, various logging and inspection tools, IAM policies, SIEM, IDS, Multifactor Authentication (MFA), Vulnerability Management and Endpoint Protection Platform, Mobile Device Management (MDM), and others. The SOC has network peers or communicates via encrypted transmissions over the internet with the various Symplicity infrastructures.
The Security Operations Center capabilities are as follows:
Symplicity constantly strives to improve its security monitoring capabilities and uses its CSPs’ documentation on best practices to inform the alarming and logging measures it takes.
Symplicity has four main offices, but all production infrastructure is provided by our Cloud Service Providers such as AWS, MS Azure, and the Oracle Cloud Infrastructure (OCI). No client data is stored on-site in our offices. Because of this, physical and environmental security controls are mainly inherited from our Cloud Service Providers. There are specific considerations taken, however, regarding remote work and the security risks specific to companies that provide remote working arrangements. These can be found in our Working from Home, Workstation and Mobile Device, Access Control, and Acceptable Use (AUP) Policies.