Information security risks have greatly increased for organizations in recent years. From hackers becoming more skilled to customer expectations and new regulations that can significantly impact organizations’ bottom lines, information security can no longer be an afterthought.
At RainFocus, we understand these risks and proactively work to keep our organization one step ahead of the risks. We do this by:
- Making security a top priority
- Having a good culture that values security
- Implementing policies, processes, and technical measures
In this article, we discuss each of these items and include an FAQ at the end to answer some common questions about our organization’s security program.
RainFocus Makes Security a Top Priority
With a finite amount of resources and personnel, priorities have to be set. Our executive team has chosen to make information security a top priority since the founding of RainFocus. When Mike Bushman, Travis Cushing and Doug Baird were initially designing and building the RainFocus Platform in 2016, they intentionally built the software with security in mind. For example, since day one our platform has had identity and access management controls and has encrypted data both in transit and at rest.
To continue ensuring our organization stays one step ahead of the risk landscape, we:
- Base our security program on industry best practices.
- Partner with our clients, receiving feedback from them on how we can continuously improve our security program. The more people reviewing our security program, the better we will be.
- Conduct the following audits on an annual basis to maintain our ISO 27001 status:
  - Risk assessment
  - Internal audit
  - External audit
RainFocus’ mission statement is: “Be the most trusted and innovative event software company.” Key to this statement is the word trusted. Our clients and event attendees entrust us to securely safeguard their data, and we take this responsibility seriously. We recognize that an organization’s culture is just as important to keeping data safe as the technical measures it implements.
For example, organizations with poor cultures fall for phishing emails far more often than organizations with good cultures. When a good culture exists, employees feel safe to raise questions, be cautious, and do the right thing, rather than fearing they’ll be reprimanded for not getting work done fast enough even when something seems off.
For RainFocus’ executive team, having an excellent culture has and always will be a top priority. Several of our Core Values that facilitate a good security culture include:
- We care about and invest in the success of our clients
- We are a high performing organization
- We constantly innovate
- We face challenges with optimism
- We trust each other to be excellent stewards
Policies, Processes and Technical Mechanisms
We have a number of policies, processes, and technical mechanisms in place to ensure data on our platform stays secure, including:
- Encryption of data at rest (AES-256) and in transit (TLS 1.2)
- Identity and access management controls on the Platform
- Secure software development process
- Robust authentication & password policies, adhering to industry best practices
At RainFocus, we have a responsibility to keep data secure, and we are deeply committed to being excellent stewards. We have a robust security program in place and are constantly improving through:
- Partnering with our clients
- Instituting a culture of excellence
- Becoming ISO 27001 certified
Has RainFocus ever had a Data Breach?
No. RainFocus has never suffered a data breach. These are just a few of the things we’ve implemented to prevent data breaches from happening:
- Encrypt all devices (laptops, cell phones, tablets, etc.) that contain any of our clients’ data
- Monitor for suspicious activity 24/7
- Investigate any suspicious activity immediately through our full-time Security Team
- Remove employees’ access immediately when they leave the company
- Employ a defense-in-depth model, in compliance with ISO 27001
What Happens if There is a Data Breach?
- We have a thoroughly documented and tested contingency plan in place
- We believe in being accountable for our actions. If a data breach were to ever occur, our formal policy is that:
  - Clients are to be immediately notified
  - We will work with each of our affected clients to remediate the breach
When will RainFocus be ISO 27001 certified?
Becoming officially ISO 27001 certified is a rigorous and demanding process, and it’s a process RainFocus has enthusiastically undertaken.
To become ISO 27001 certified, an organization must:
- Have formal policies in place
- Put those policies into practice through formalized processes
- Conduct a risk assessment
- Conduct an internal audit to ensure all of ISO 27001’s requirements are being met
- Remediate risk assessment and internal audit findings
- Be annually assessed by an outside, independent auditor
As of today, RainFocus is in the final stages of completing step five of our ISO 27001 certification. We have engaged BSI as our auditor, and we anticipate being ISO 27001 certified in Q1 of 2020.