1 INTRODUCTION
1.1 SaaS Solutions Overview
Kinetic’s SaaS solution is hosted on the Amazon Web Services (AWS) cloud. All servers and data
storage reside within a VPC and can be accessed only by authorized Kinetic staff. In
addition to this summary document, please refer to AWS’ cloud security and data privacy
policies.
Kinetic’s SaaS infrastructure is managed by a team of senior software engineers and
employs industry best practices such as default-deny firewall rules, intrusion detection
systems and automated patch management.
Kinetic maintains documented procedures that include at a minimum:
• security control measures for all systems in the environment;
• hardening – disabling of all non-essential processes and ports, removing all default
users;
• patches deployed promptly on all applicable systems per manufacturer recommendation,
and within no more than 30 days for critical security patches;
• change management procedures; and
• incident detection and management.
1.2 Change Management Process
Kinetic maintains, communicates and follows formal change management processes. All
changes to the production environment (network, systems, platform, application, configuration,
including physical changes such as equipment moves) are tracked and implemented by a
dedicated team. All deployments into production or change to the production environment
(network, systems, platform, application, configuration, etc.) must be submitted to, reviewed and
approved by management prior to implementation.
Kinetic relies on well-defined processes, disciplined execution and continual training of staff.
Evaluating the probability and impact of every change drives the risk management process,
protecting against spoofing, tampering, disclosure or denial of service that could expose the
SaaS environment to attack, compromise the privacy and confidentiality of client data, or
disrupt the availability of Kinetic’s SaaS solutions.
Both scheduled and emergency changes are tested in separate environments, reviewed and
approved by SaaS Operations, Engineering and Technical Support before deployment to the
production environment.
2019-05-01
1.3 Separation of development, testing and production
All systems used for the Solutions are managed by the Kinetic SaaS Operations team. All
access is limited to the least privilege needed and requires authentication. Access logs are
reviewed at least quarterly.
Administrative access to SaaS Operations resources is limited to SaaS Operations personnel
and authentication requires a separate set of credentials.
Promotion of code from engineering into production is controlled by the change management
process, and the SaaS Operations team manages all deployments into the production
environment. Testing, other than deployment validation, is prohibited in the production
environment.
2 MANAGEMENT
2.1 Anti-malware
Systems are scanned continuously by AWS Cloud management. In addition, Kinetic’s SaaS
Operations team stays up to date with published changes to AWS Cloud. Anti-malware updates
are managed and pushed out via workstation/server policy management, and definitions are
updated automatically. Employees cannot disable the solution. Where optimal performance
precludes active (real-time) scanning, anti-virus scans are scheduled weekly.
Kinetic uses a leading commercial solution for email security, including incoming and outgoing
filtering for spam, phishing attacks and malware.
2.2 Data Backup
Kinetic stores all client data in the SaaS production environment on fully redundant storage
systems, and utilizes either a multi-tiered backup approach or replication to a separate data
center.
2.3 Logging and monitoring
Kinetic maintains audit information and logs for all information technology resources,
applications and network accesses, monitors these logs for abnormal patterns and unauthorized
access attempts, and maintains defined processes for security alerting, escalation and
remediation. Logs are centralized in a limited-access system that prevents deletion and
modification.
24×7 monitoring of critical network events with an intrusion detection system (IDS) and log
aggregation in an industry-standard enterprise application management solution gives Kinetic
SaaS Operations the ability to identify and address any unauthorized access to assets (including
client data) within the SaaS production network, and to perform trend analysis and risk
assessment. This covers outside threats as well as internal users, since the SaaS infrastructure
sits behind firewalls in both cases. Alerting is in place to notify the Kinetic SaaS Operations
team of any issue.
Escalation procedures exist to ensure the timely communication of significant security incidents
through the management chain and ultimately to any affected client.
2.4 Technical Vulnerability Management
Kinetic subscribes to manufacturer and independent security notification services to monitor
potential external threats.
Manual and automated vulnerability testing is performed during the development process.
Kinetic engages an independent third-party security firm annually to conduct a vulnerability scan
of all external-facing (public) infrastructure devices and an application penetration test of its
Solutions.
Vulnerabilities are logged as defects, resolved or mitigated, and verified fixed.
2.5 Hardening Controls
To ensure that systems remain configured to build standards, Kinetic SaaS Operations uses
automated tools and documented procedures to build and configure all network equipment,
systems and servers from predefined build configurations in accordance with good industry
practice. All systems, platforms and applications are configured to minimize security risk.
Specifically:
• Kinetic follows manufacturers’ hardening recommendations and documented standard
operating procedures;
• Kinetic disables unnecessary ports, protocols, services and features;
• Only necessary components, scripts, drivers and web services are included and enabled;
• Hardware ports are enabled only as needed;
• All new systems are deployed with the most recent patches;
• Password parameters are configured to comply with Kinetic standards; and
• All systems are monitored and protected with anti-malware software.
2.6 Patch Management
Kinetic operates a commercial patch management solution to maintain network device, system,
OS and application-level security patches. Reviews performed on a regular basis ensure that
patching is consistent and current based on industry standards. Kinetic deploys security patches
released by vendors as necessary to development, testing and production systems after
validation in a pre-production environment.
Patches are applied on a monthly schedule, unless criticality demands a quicker response.
Critical patches are evaluated and deployed as promptly as possible, based on Kinetic’s review of
server/workstation vulnerabilities and the risks to any running applications. Patch applicability
and urgency are evaluated based on the deployment zone (perimeter, DMZ, application,
storage), relevance (i.e. whether the service being patched is enabled in the environment) and
threat severity (likelihood × impact).
3 NETWORK SECURITY
Network-based intrusion detection systems (IDS) monitor network traffic and activity for
intrusions, and Kinetic SaaS Operations personnel use multiple network and application
monitoring tools to scan continuously for errors or suspicious activity. The Kinetic hosted
environment is completely separate from the Kinetic corporate environment. Access is restricted
to SaaS Operations personnel, and authentication requires a separate set of credentials.
Comprehensive, centralized system and application logging and monitoring facilitate
alerting, trend analysis and risk assessment. A network configuration management tool tracks
and catalogs changes, which are reviewed. Escalation procedures exist to ensure the timely
communication of security incidents through the management chain and ultimately to any
affected client.
With fault tolerance and redundancy as guiding principles, Kinetic deploys appropriate, modern,
warranty-backed servers to host the application and database environment for SaaS
Operations. In addition, the Kinetic SaaS Solutions infrastructure includes a mix of redundant
data storage arrays, near-line backups and off-site backups for client data.
4 DISCLAIMER
Kinetic reserves the right to modify this document based on security and privacy requirements,
changes to AWS Cloud, expansion of Kinetic’s SaaS Solutions to other Cloud service providers,
and general advancement in technology. This document should only be used as a guideline to
assess the measures taken by Kinetic to keep customer data secure in its SaaS Solution.
Please contact your Kinetic representative for any specific questions or concerns. You can also
email support@wearkinetic.com.