1. INTRODUCTION

1.1 SaaS Solutions’ Brief

Kinetic’s SaaS solution is hosted on the Amazon Web Services (AWS) cloud. All servers and data storage are secured behind a VPC (Virtual Private Cloud) and can only be accessed by authorized Kinetic staff. In addition to this summary document, please refer to AWS’ cloud security and data privacy policies.

Kinetic’s SaaS solutions’ infrastructure is managed by a team of senior software engineers and employs industry best practices such as default-deny firewall rules, intrusion detection systems and automated patch management.

Kinetic maintains documented procedures that include at a minimum:

• security control measures for all systems in the environment;
• hardening – disabling of all non-essential processes and ports, and removing all default users;
• patches deployed promptly on all applicable systems per manufacturer recommendation, and within no more than 30 days for critical security patches;
• change management procedures; and
• incident detection and management.

1.2 Change Management Process

Kinetic maintains, communicates and follows formal change management processes. All changes to the production environment (network, systems, platform, application, configuration, including physical changes such as equipment moves) are tracked and implemented by a dedicated team. All deployments into production or changes to the production environment (network, systems, platform, application, configuration, etc.) must be submitted to, reviewed and approved by management prior to implementation.

Kinetic relies on well-defined processes, disciplined execution and continual training of staff. Evaluating the probability and impact of all changes drives the risk management process to protect against activities such as spoofing, tampering, disclosure or denial of service which could expose the SaaS environment to attacks, compromise the privacy and confidentiality of client data, or disrupt the availability of Kinetic’s SaaS solutions.

Both scheduled and emergency changes are tested in separate environments, then reviewed and approved by SaaS Operations, Engineering and Technical Support before deployment to the production environment.

2019-05-01

1.3 Separation of development, testing and production

All systems used for the Solutions are managed by the Kinetic SaaS Operations team. All access is limited to the least privilege needed and requires authentication. Access logs are reviewed at least quarterly.

Administrative access to SaaS Operations resources is limited to SaaS Operations personnel, and authentication requires a separate set of credentials.

Promotion of code from engineering into production is controlled by the change management process, and the SaaS Operations team manages all deployments into the production environment. Testing, other than deployment validation, is prohibited in the production environment.

2. MANAGEMENT

2.1 Anti-malware

Systems are scanned continuously by AWS Cloud management. In addition, Kinetic’s SaaS Operations team stays up to date with published changes to AWS Cloud. Updates are managed and pushed out via workstation/server policy management. Definitions are updated automatically. Employees cannot disable the solution. Where optimal performance precludes active scanning, anti-virus scans are scheduled weekly.

Kinetic uses a leading commercial solution for email security, including incoming and outgoing filtering for spam, phishing attacks and malware.

2.2 Data Backup

Kinetic stores all client data in the SaaS production environment on fully redundant storage systems, and utilizes either a multi-tiered backup approach or replication to a separate data center.

2.3 Logging and monitoring

Kinetic maintains audit information and logs for all information technology resources, applications and network accesses, monitors these logs for abnormal patterns and unauthorized access attempts, and maintains defined processes for security alerting, escalation and remediation. Logs are centralized in a limited-access system that prevents deletion and changes.


24×7 monitoring of critical network events with an intrusion detection system (IDS) and log aggregation with an industry-standard enterprise application management solution gives Kinetic SaaS Operations the ability to identify and address any unauthorized access to assets (including access to client data) within the SaaS production network, and to perform trend analysis and risk assessment. This covers outside threats as well as internal users, as the SaaS infrastructure is behind firewalls in both cases. Alerting is in place to notify the Kinetic SaaS Operations team of any issue.

Escalation procedures exist to ensure the timely communication of significant security incidents through the management chain and ultimately to any affected client.

2.4 Technical Vulnerability Management

Kinetic subscribes to manufacturers’ and independent security notification services to monitor potential external threats.

Manual and automated vulnerability testing is performed during the development process. Kinetic engages an independent third-party security firm annually to conduct a vulnerability scan of all external-facing (public) infrastructure devices and an application penetration test of its Solutions.

Vulnerabilities are logged as defects, resolved or mitigated, and verified fixed.

2.5 Hardening Controls

To ensure that applications remain configured to build standards, Kinetic SaaS Operations uses automated tools and documented procedures to build and configure all network equipment, systems and servers from predefined build configuration procedures in accordance with good industry practice. All systems, platforms and applications are configured to minimize security risks. Specifically:

• Kinetic follows manufacturers’ hardening recommendations and documented standard operating procedures;
• Kinetic disables unnecessary ports, protocols, services and features;
• Only necessary components, scripts, drivers and web services are included and enabled;
• Hardware ports are enabled only as needed;
• All new systems are deployed with the most recent patches;
• Password parameters are configured to comply with Kinetic standards; and
• All systems are monitored and protected with anti-malware software.

2.6 Patch Management

Kinetic operates a commercial patch management solution to maintain network device, system, OS and application level security patches. Reviews performed on a regular basis ensure patching is consistent and current based on industry standards. Kinetic deploys security patches released by the vendors as necessary to development, testing and production systems after validation in a pre-production environment.

Patches are applied on a monthly schedule, unless criticality demands a quicker response. Critical patches are evaluated and deployed as promptly as possible, based on Kinetic’s review of server/workstation vulnerabilities and the risks to any operating applications. Patch applicability and urgency are evaluated based on the zone of deployment (perimeter, DMZ, applications, storage), its relevance (i.e. whether the service being patched is enabled in the environment) and threat severity (likelihood × impact).

3. NETWORK SECURITY

Network-based intrusion detection systems (IDS) monitor network traffic and activity for intrusions, and Kinetic SaaS Operations personnel leverage multiple network and application monitoring tools to continuously scan for errors or suspicious activity. Kinetic’s hosted environment is completely separate from Kinetic’s corporate environment. Access is restricted to SaaS Operations personnel, and authentication requires a separate set of credentials.

Comprehensive and centralized system and application logging and monitoring facilitate alerting, trend analysis and risk assessment. A network configuration management tool tracks and catalogs changes, which are reviewed. Escalation procedures exist to ensure the timely communication of security incidents through the management chain and ultimately to any affected client.

With fault tolerance and redundancy as guiding principles, Kinetic deploys appropriate, modern and warranty-backed servers to host the application and database environment for SaaS Operations. In addition, Kinetic SaaS Solutions infrastructure includes a mix of redundant data storage arrays, near-line backups and off-site backups for client data.

4. DISCLAIMER

Kinetic reserves the right to modify this document based on security and privacy requirements, changes to AWS Cloud, expansion of Kinetic’s SaaS Solutions to other Cloud service providers, and general advancement in technology. This document should only be used as a guideline to assess the measures taken by Kinetic to keep customer data secure in its SaaS Solution.

Please contact your Kinetic representative for any specific questions or concerns. You can also email support@wearkinetic.com.