Risk Management  

Symplicity’s Executive Team, Engineering, Security, and IT Teams collaborate annually on an overall risk assessment for the Company and the System. Risk management at Symplicity is the ongoing process of identifying, assessing, and responding to IT and security risks, and of taking steps to reduce each risk to an acceptable level.


Incident Management 


Symplicity’s incident response procedures are detailed in its Incident Response Plan. Our primary goals are to investigate, contain any exploitation, eradicate any threats, recover Symplicity systems, and remediate any vulnerabilities. Thorough documentation is required throughout this process, followed by a post-mortem report.


Data Backup and Recovery

Symplicity uses the native backup solutions provided by our Cloud Service Providers (AWS, Azure, OCI) to store and back up client data. Structured data, unstructured data, and user-uploaded files are all backed up and stored using AES-256 encryption. Access to Symplicity networks is heavily restricted using role-based authorization controls, multi-factor authentication, and other access controls.


Change management and SDLC 

Symplicity’s change management procedures are detailed in the Change Management and Software Development Policies, as well as in internal procedures. There are five requirements for all changes to the organization, business processes, information processing facilities, and systems that affect information security in Symplicity’s production environment. They are as follows:

  • The change must include processes for planning and testing the change, including remediation measures.
  • Managerial approval and authorization must be documented before proceeding with changes that may have a significant impact on information security, operations, or the production platform.
  • Advance communication of the change, including schedules and a description of reasonably anticipated effects, must be provided to all relevant internal and external stakeholders.
  • All emergency changes must be documented and subsequently reviewed.
  • A rollback process for unsuccessful deployments must be in place.

System Monitoring

Symplicity has a dedicated Information Security Team that maintains a Security Operations Center (SOC) infrastructure, which uses a combination of services to monitor our various infrastructures, networks, and systems. These include, but are not limited to, Microsoft Defender; AWS Systems Manager, AWS Security Hub, and other AWS security services; Oracle Cloud Guard; various logging and inspection tools; IAM policies; SIEM; IDS; Multifactor Authentication (MFA); a Vulnerability Management and Endpoint Protection Platform; Mobile Device Management (MDM); and others. The SOC is either network-peered with the various Symplicity infrastructures or communicates with them over encrypted connections across the internet.

The Security Operations Center capabilities are as follows:

  • Security Information and Event Management System (SIEM)
  • Security Analytics
  • Intrusion Detection/Prevention (IDS/IPS)
  • Log Data Analysis
  • File Integrity Monitoring (FIM)
  • Vulnerability Detection
  • Configuration Assessment
  • Incident Response
  • Regulatory Compliance
  • Cloud Security
  • Container Security

Symplicity constantly strives to improve our security monitoring capabilities and uses our Cloud Service Providers’ best-practice documentation to inform the alerting and logging measures we take.


Physical Security

Symplicity has four main offices, but all production infrastructure is provided by our Cloud Service Providers, namely AWS, Microsoft Azure, and Oracle Cloud Infrastructure (OCI). No client data is stored on-site in our offices. Because of this, physical and environmental security controls are mainly inherited from our Cloud Service Providers. Specific considerations are taken, however, regarding remote work and the security risks specific to companies that provide remote working arrangements. These can be found in our Working from Home, Workstation and Mobile Device, Access Control, and Acceptable Use (AUP) Policies.