Corporate security
Does Atriis have a formal information security program in place?
The program is designed with consideration for both local and international laws, standards, and regulations applicable to Atriis. It outlines the measures and controls implemented to safeguard the Atriis service and its customers' data. Anchored in ISO 27001 standards, the program encompasses the entire Atriis organization, including its employees, contractors, subcontractors, partners, and any party involved in creating, maintaining, storing, accessing, processing, or transmitting Atriis’s or its users’ information concerning the service provided by Atriis.
Which Security and Privacy regulations, standards, and certifications does Atriis comply with as of the date hereof?
Atriis complies with the following certifications, reports, and compliance programs:
ISO 27001, PCI-DSS, GDPR
Which other standards and certification does Atriis comply with?
Atriis also complies with quality and environmental standards and certifications:
ISO 9001, ISO 14001
Does Atriis have a Privacy Notice/Policy?
Yes, you can find our Privacy Policy here.
Does Atriis have a data processing agreement?
Yes, you can find our DPA here.
How do you manage your suppliers and the risks you share?
As a component of the ISO 27001 framework, a third-party risk management program is established, with quarterly oversight by the Security Steering Committee. The security team is tasked with evaluating risks and conducting security risk assessments for critical vendors.
Describe the process by which third parties are granted access to customer’s Data.
To grant third parties privileged access to customer data, we initiate a comprehensive assessment and justification process to ensure such access is strictly necessary and aligned with business needs. This involves meticulously evaluating the scope of access, considering the specific requirements of each business function, and ensuring that granting access serves a clear and justifiable purpose. Following this initial phase, we conduct thorough due diligence and a comprehensive risk assessment of the third party to evaluate their security measures and compliance with relevant standards, such as ISO 27001 and GDPR. This entails examining their track record, assessing the robustness of their security protocols, and verifying their adherence to regulatory requirements. The process includes drafting and signing detailed contractual agreements that define the terms of access, data protection obligations, and adherence to our security policies. These agreements are meticulously crafted to establish clear guidelines for the handling of customer data, outlining specific protocols for data encryption, storage, and transmission. Additionally, they include provisions for regular audits and reviews to ensure ongoing compliance with established standards and regulations.
Business continuity and Incident management
Do you have a documented Incident Response plan in place?
Yes. An incident response plan exists as required by ISO 27001 to ensure that Atriis is prepared to respond to any security incidents that may occur. The plan outlines the steps to take in the event of a security incident, including containment, investigation, and recovery.
Has a dedicated Information Security Response Team been established?
Yes, there is an internal technical Incident Response (IR) team, complemented by external professional services as required.
Do you have a business continuity plan?
Yes. We have a BCP approved by a senior manager. The plan is reviewed annually as part of the ISO 27001 program.
What RTOs and RPOs would we expect if we were to use your systems?
Recovery time objective: 6 hours.
Recovery point objective: 1 hour.
Do you perform regular DR and BCP tests?
Yes. Annually.
DR diagram:
Does Atriis do restore tests?
Yes, at Atriis, we conduct restore tests, commonly referred to as data restore tests or recovery tests. This process involves systematically verifying the effectiveness of our backup systems by attempting to restore data from backup storage to its original state. The primary objectives of these restore tests are twofold:
1. Verification of Data Recovery:
The central purpose of restore tests is to ensure the successful recovery of data.
By simulating the restoration process, we rigorously validate that data can be retrieved and reinstated to its original state, confirming the robustness of our backup systems.
2. Validation of Backup and Recovery Processes:
Beyond data recovery, restore tests serve to validate the overall functionality of our backup and recovery processes.
These tests ensure that the intricate mechanisms involved in safeguarding and restoring data are performing as intended, fortifying our data management practices.
In essence, restore tests at Atriis are a pivotal component of our holistic approach to data management and business continuity. By regularly conducting these tests, we not only verify the resilience of our backup systems but also bolster our readiness to respond effectively in the event of unforeseen disruptions, contributing to a comprehensive and robust data protection strategy.
Application Security
Have you had a pen test on the API/web application in the past 12 months?
Yes. A third-party red team performs infrastructure and application penetration tests annually.
What measures are in place to prevent man-in-the-middle attacks or tampering with information transmitted between the APIs?
To safeguard against Man-in-the-Middle (MitM) attacks and ensure that data transmitted between clients and our API has not been tampered with, we utilize a combination of Transport Layer Security (TLS) for encryption and API HMAC Authentication for integrity and authenticity. HMAC Authentication involves signing API requests and responses with a secret key, providing a strong mechanism to detect any alteration of data in transit. This approach, coupled with continuous monitoring for unusual activity, ensures the secure and intact delivery of information between the client and our API.
What measures are in place to ensure that the information was sent from the correct counterparty?
To ensure information is sent from the correct counterparty, we employ several key security measures. Mutual TLS (mTLS) is used for strong mutual authentication, ensuring both the sender and receiver are verified. Digital signatures provide an additional layer of assurance, confirming the sender's identity and the integrity of the message. For API interactions, we utilize OAuth 2.0 with access tokens to verify the authenticity of requests, backed by JSON Web Tokens (JWT) for secure, claims-based identity verification. These strategies, supported by ongoing monitoring for anomalous activities, form the foundation of our approach to securing and authenticating data exchanges.
What measures are in place to protect against Broken Object Level Authentication?
In addressing the challenge of Broken User Authentication, our approach is comprehensive, focusing on strengthening authentication mechanisms, enhancing monitoring capabilities, and fostering user awareness. We implement several key measures to ensure that authentication processes are secure, resilient, and capable of thwarting unauthorized access attempts:
- Multi-Factor Authentication (MFA): We require MFA for all internal users, adding a layer of security beyond just passwords. This significantly reduces the risk of unauthorized access, even if user credentials are compromised. We also encourage all platform users to enforce MFA.
- Strong Password Policies: Our system enforces a strong password policy that requires complex passwords, including a mix of uppercase letters, lowercase letters, numbers, and special characters. We also implement password length requirements and prohibit the use of commonly used passwords.
- Password Hashing and Salting: To protect passwords at rest, we hash and salt all passwords before storing them in our databases. This ensures that even if data breaches occur, the actual passwords remain protected against brute force attacks.
- Account Lockout Mechanisms: To prevent brute force attacks, we implement account lockout mechanisms after a certain number of unsuccessful login attempts. Users are then required to go through a secure process to regain access, which may involve multi-step verification.
- Session Management: We ensure secure session management by generating unique session identifiers with high entropy after login. Sessions are also set to expire after a period of inactivity, requiring re-authentication, and are securely terminated upon logout to prevent session hijacking.
- Secure Transmission: All authentication data is transmitted securely using TLS encryption, preventing credentials from being intercepted during transmission.
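The three storage and session controls listed above (salted password hashing, lockout after repeated failures, and high-entropy session identifiers that expire on inactivity) fit together in a small authentication store. The following is an added illustration, not Atriis code: the PBKDF2 iteration count, the lockout threshold of five attempts, and the 15-minute idle timeout are assumed values chosen for the example, and the `AuthStore` class is hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Set, Tuple

# Assumed parameters for illustration (not Atriis's configured values).
PBKDF2_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor
LOCKOUT_THRESHOLD = 5         # consecutive failures before the account locks
SESSION_IDLE_SECONDS = 900    # inactivity window before re-authentication


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt per password means two
    users with the same password get different digests, so a leaked table
    cannot be attacked with one precomputed dictionary."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AuthStore:
    """Hypothetical in-memory credential and session store."""

    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}   # username -> (salt, digest)
        self.failures: Dict[str, int] = {}                # username -> consecutive failures
        self.locked: Set[str] = set()
        self.sessions: Dict[str, Tuple[str, float]] = {}  # session id -> (username, last seen)

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str, now: Optional[float] = None) -> Optional[str]:
        """Return a new session id on success, None on any failure."""
        now = time.time() if now is None else now
        if username in self.locked:
            return None
        record = self.users.get(username)
        if record is None:
            hash_password(password)  # spend the same time so timing does not reveal valid usernames
            return None
        salt, expected = record
        _, actual = hash_password(password, salt)
        if not hmac.compare_digest(actual, expected):   # constant-time comparison
            self.failures[username] = self.failures.get(username, 0) + 1
            if self.failures[username] >= LOCKOUT_THRESHOLD:
                self.locked.add(username)
            return None
        self.failures[username] = 0
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        self.sessions[sid] = (username, now)
        return sid

    def touch(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        """Validate a session and refresh its activity time; expire it after inactivity."""
        now = time.time() if now is None else now
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        username, last_seen = entry
        if now - last_seen > SESSION_IDLE_SECONDS:
            del self.sessions[sid]
            return None
        self.sessions[sid] = (username, now)
        return username

    def logout(self, sid: str) -> None:
        """Terminate the session server-side so a captured id is useless afterwards."""
        self.sessions.pop(sid, None)
```

The dummy hash on an unknown username and the `compare_digest` call are there so that response time does not distinguish "no such user" from "wrong password"; the lockout counter resets only after a successful login.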
Do you utilize rate limiting for protection against DoS attacks?
The ATRIIS platform is protected by the Cloudflare web application firewall against SQL injection, cross-site scripting (XSS), and zero-day attacks, including OWASP-identified vulnerabilities and threats targeting the application layer, and by Cloudflare DDoS protection.
What measures are in place to protect against Injection attacks?
In addition to the security measures provided by Microsoft Azure, ATRIIS is protected by the Cloudflare web application firewall against SQL injection, cross-site scripting (XSS), and zero-day attacks, including OWASP-identified vulnerabilities and threats targeting the application layer, and by Cloudflare DDoS protection.
Furthermore, Cloudflare accelerates and optimizes the delivery of ATRIIS data.
More information can be found at Cloudflare.
Operation management
Describe the process by which a nonemployee (e.g., contractor, vendor, and customer) is granted access to network resources.
All nonemployees are required to sign a Non-Disclosure Agreement (NDA) and receive approval from senior management. Access is granted based on the need-to-know principle and is implemented through Role-Based Access Control (RBAC) and active monitoring.
Physical and Environmental Security
Describe the physical security mechanisms to protect your data centers.
Atriis hosts its digital assets on the Azure platform. No data is hosted locally in Atriis offices.
Azure security measures are available in the following article:
Azure facilities, premises, and physical security
Data Security
What are your procedures concerning the handling and storage of sensitive data?
Data, whether at rest or in transit, is secured through robust encryption methods, safeguarding its confidentiality and integrity against unauthorized access. Atriis enforces the following data encryption controls:
- Employing Azure SQL Database Transparent Data Encryption (TDE) to secure data at rest. TDE encrypts the database files, encompassing both data and log files, through the use of a symmetric key.
- PII data fields are encrypted using AES 128-bit encryption.
- Credit card data is encrypted using RSA 2048-bit encryption.
- All data is transferred through secured channels (HTTPS and TLS 1.2 or higher).
- PII fields are encrypted.
- The decryption key is stored in Azure Key Vault.
Describe your information classification methods and labeling practices
Our classification labeling system is rigorously enforced through policy enforcement mechanisms and the utilization of Azure's advanced data classification feature, which offers robust capabilities for managing and categorizing data according to its sensitivity and importance.
Our classifications encompass three main categories:
Public: This category includes information that has been intentionally made available to the public and does not contain any restricted or classified information. It encompasses data that poses no risk to the company's objectives, business, reputation, or liability.
Restricted: Information falling under this classification is subject to legal restrictions and regulations. It comprises data that is legally protected and requires special handling to ensure compliance with relevant laws and regulations.
Classified: This category encompasses information that, if exposed, could potentially harm the company's objectives, business operations, reputation, or legal liability. It includes sensitive data that is not necessarily legally restricted but requires stringent protection measures to mitigate risks.
How will deletion work when the retention period of data is reached? Are there data protection-compliant methods used?
Atriis diligently adheres to a comprehensive data handling process to ensure the utmost security and compliance. Our practiced approach encompasses the following key steps:
1. Removal from Production Database:
When data is no longer required in the production database, it is promptly removed to minimize exposure.
This proactive measure mitigates any potential risks associated with unnecessary data retention.
2. Encrypted Trip Data Storage:
Trip data, considered sensitive, is encrypted before being transferred to a separate database.
This dedicated storage facility ensures the confidentiality and integrity of trip-related information for a period of three years, aligning with our commitment to secure data retention practices.
3. PII Data Purge (Right to Be Forgotten - GDPR):
Personal Identifiable Information (PII) undergoes a rigorous purging process in strict accordance with the "Right to Be Forgotten" principle mandated by the General Data Protection Regulation (GDPR).
This commitment to data privacy empowers individuals with control over their personal information, reflecting our dedication to compliance with global data protection standards.
4. Encrypted Invoice Information Storage:
Relevant invoice information is subjected to encryption protocols before storage.
This encryption aligns with both legal and fiscal requirements, ensuring that sensitive financial data is safeguarded in compliance with regulatory standards.
How do you protect the confidentiality and integrity of data between Atriis customers?
Data in transit is encrypted using industry-standard protocols TLS 1.2 or higher, ensuring that data cannot be intercepted or tampered with as it moves across the network.
To ensure data integrity within our API/web application, we implement several key technical measures beyond TLS. We utilize Hash-Based Message Authentication Codes (HMAC) to verify that the data sent between the client and server remains unaltered in transit. Additionally, digital signatures are employed to ensure the authenticity and integrity of messages. For sensitive data operations, we also incorporate checksums and hashing algorithms, like SHA-256, to validate the integrity of data before processing. These measures collectively ensure that our data remains accurate and tamper-proof throughout its lifecycle.
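The HMAC request signing described here and in the earlier MitM answer works by binding a SHA-256 hash of the body, the method, the path and a timestamp into one keyed MAC that the receiving side recomputes. The code below is an added example, not Atriis's API code: the header names `X-Timestamp` and `X-Signature`, the canonical string layout, the five-minute freshness window and the booking payload are all constructed for the illustration.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

MAX_CLOCK_SKEW = 300  # seconds; assumed window that rejects stale or replayed requests


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Everything the MAC must cover: verb, path, time and a SHA-256 digest of the body.
    Hashing the body first keeps the signed string small for large payloads."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign_request(secret: bytes, method: str, path: str, body: bytes,
                 timestamp: Optional[int] = None) -> Dict[str, str]:
    """Client side: produce the headers that accompany the request."""
    ts = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Signature": mac}


def verify_request(secret: bytes, method: str, path: str, body: bytes,
                   headers: Dict[str, str], now: Optional[int] = None) -> bool:
    """Server side: recompute the MAC over what was actually received and compare
    in constant time. Any change to method, path, body or timestamp fails."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Timestamp"])
        provided = headers["X-Signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_CLOCK_SKEW:
        return False
    expected = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, provided)


def demo() -> Tuple[bool, bool, bool]:
    """Constructed exchange: a valid request, the same headers on a modified body,
    and the same request replayed an hour later."""
    secret = b"constructed-shared-secret"          # placeholder, not a real key
    body = json.dumps({"booking": "ABC123", "amount": 250}).encode()
    headers = sign_request(secret, "POST", "/v1/bookings", body, timestamp=1_700_000_000)
    ok = verify_request(secret, "POST", "/v1/bookings", body, headers, now=1_700_000_010)
    tampered = json.dumps({"booking": "ABC123", "amount": 2500}).encode()
    bad = verify_request(secret, "POST", "/v1/bookings", tampered, headers, now=1_700_000_010)
    stale = verify_request(secret, "POST", "/v1/bookings", body, headers, now=1_700_000_000 + 3600)
    return ok, bad, stale
```

Note what the timestamp buys: TLS already stops an on-path observer from reading or altering the bytes, but a signature over the body alone could be captured and re-sent by anyone who obtains the message; including the time (and, in a full design, a nonce) lets the server refuse replays.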
Human Resources Security
Do terms and conditions of employment clearly define information security requirements, including non-disclosure provisions for separated employees and contractors?
Yes. Our employment terms include information security requirements and non-disclosure agreements that bind employees and contractors during and after their tenure. These provisions explicitly prohibit unauthorized disclosure of confidential information, ensuring ongoing protection of our sensitive data.
Is the screening process established for all users (employees, contractors, vendors, and other third parties)?
Yes. Our screening process for users involves background checks, employment history, and personal interviews (HR + professional). This thorough evaluation ensures trustworthiness and reliability before granting access to our systems and data, with regular updates to these checks in line with role sensitivity and legal requirements.
Do you conduct formal information security awareness training for all users, including upper management?
Yes. Formal information security awareness training for all Atriis personnel is conducted at least annually.
Is there a formal procedure dictating actions that must be taken when a user has violated any information security policies?
Yes. Atriis has a formal procedure in place for handling violations of information security policies. This procedure includes an initial investigation to understand the scope and impact of the violation, followed by appropriate disciplinary actions tailored to the severity of the breach.
Access Control
What access model do you use to provide your users with access?
Atriis utilizes Azure Role-Based Access Control (RBAC) and Single Sign-On (SSO) to regulate access to all Global Travel Platform (GTP) components, infrastructure, and applications.
The principles of least privilege and need-to-know are implemented across all systems and processes.
Is any type of remote access allowed and if so, how is this secured?
Remote access is granted to Atriis users based on their specific roles, facilitated through VPN and Single Sign-On.
Do you have a password policy and associated standards?
Yes. Passwords must adhere to the following guidelines:
- At least one lowercase letter;
- At least one uppercase letter;
- At least one number;
- One special character (e.g. !@#$);
- Eight characters minimum;
- History: 3 months;
- Max age: 90 days;
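A checker for the rules above, together with the "commonly used passwords" prohibition from the Application Security section, is shown here as an added example; it is not Atriis's implementation. The sample denylist is constructed, "History: 3 months" is interpreted as "no reuse of a password set within the last 90 days" (an assumption), and previous passwords are kept only as salted PBKDF2 digests so the history itself never stores plaintext.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import List, Tuple

MIN_LENGTH = 8
MAX_AGE_DAYS = 90
HISTORY_DAYS = 90                     # assumed reading of "History: 3 months"
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{}|;:,.<>?/")
COMMON_PASSWORDS = {"password", "password1", "12345678", "qwerty123", "letmein!"}  # constructed sample

# One history entry: (salt, digest, date the password was set)
HistoryEntry = Tuple[bytes, bytes, date]


def fingerprint(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest used for history comparison only."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def check_complexity(password: str) -> List[str]:
    """Return the list of policy rules the password breaks (empty means it passes)."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    return problems


def is_reused(password: str, history: List[HistoryEntry], today: date) -> bool:
    """True if the candidate matches any password set within the history window."""
    cutoff = today - timedelta(days=HISTORY_DAYS)
    for salt, digest, set_on in history:
        if set_on >= cutoff and hmac.compare_digest(fingerprint(password, salt), digest):
            return True
    return False


def is_expired(set_on: date, today: date) -> bool:
    """Max age: a password older than 90 days must be rotated."""
    return (today - set_on).days > MAX_AGE_DAYS


def evaluate_new_password(password: str, history: List[HistoryEntry], today: date) -> List[str]:
    """Full check applied when a user chooses a new password."""
    problems = check_complexity(password)
    if is_reused(password, history, today):
        problems.append("reused within the last 3 months")
    return problems


def record(password: str, set_on: date) -> HistoryEntry:
    """Create the history entry stored after a successful change."""
    salt = secrets.token_bytes(16)
    return salt, fingerprint(password, salt), set_on
```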
Does Atriis carry out a periodic review of granted access rights & permissions?
Atriis has established a structured and periodic review process to meticulously assess user access rights, aligning with our commitment to robust information security practices. Our approach includes:
1. Regular Users/Applications:
- A comprehensive review of access rights for regular users and applications is conducted annually.
- This systematic examination ensures that access permissions remain aligned with business needs and individual responsibilities, promoting the principle of least privilege.
2. Privileged Users/Sensitive Applications:
- A heightened frequency characterizes the review process for privileged users and sensitive applications, occurring quarterly.
- This more frequent assessment recognizes the elevated risk associated with privileged access and sensitive applications, allowing for swift identification and mitigation of potential security vulnerabilities.
By implementing this dual-tiered approach to access rights reviews, Atriis ensures a balance between comprehensive scrutiny and targeted vigilance. This proactive strategy not only enhances our ability to adapt to evolving security landscapes but also underscores our dedication to maintaining the highest standards of access control and risk management.
How does Atriis ensure that access to data and systems will be revoked for employees who left the company or switched their position?
ATRIIS prioritizes robust measures to manage personnel changes effectively, safeguarding information security. Our formal termination or employment change process ensures a seamless transition by incorporating comprehensive controls:
1. Access Register Maintenance:
A dynamic access register meticulously documents the access rights and privileges granted to each employee.
Regular updates ensure that the access register remains current, reflecting any modifications to employee permissions.
2. Role-Based Access Control (RBAC):
ATRIIS employs Role-Based Access Control, aligning access permissions with specific job roles. This strategic approach streamlines access management, ensuring employees have the appropriate permissions necessary for their respective responsibilities.
3. Termination and Role Change Procedure:
A structured procedure governs the termination and role change process.
Human resources assumes responsibility for promptly notifying the IT team of employee departures or role adjustments, fostering a proactive response to potential security risks.
4. Immediate Access Revocation:
Access rights are swiftly revoked upon an employee's termination or role change.
This immediate action minimizes the window of vulnerability, reinforcing our commitment to proactive security measures.
At ATRIIS, we recognize the critical importance of securing company assets and sensitive information during personnel transitions. Our integrated controls and processes underscore our dedication to maintaining the highest standards of information security.
Secure Development Life Cycle
What tools and technologies do you utilize to effectively manage the development lifecycle?
Atriis system development methodology is deeply rooted in the principles of security by design and resilience, ensuring that required information security functionalities are embedded from the earliest stages of development. We adhere to a structured and industry-approved system development methodology that incorporates the following key strategies:
Security by Design: From the initial design phase, security is a primary consideration. We adopt a proactive approach to security, identifying and incorporating security functionalities such as authentication, authorization, encryption, and logging into the system architecture.
Risk Assessment and Mitigation: Early in the development process, we conduct thorough risk assessments to identify potential security vulnerabilities and threats. This allows us to build mitigation strategies directly into the system design, ensuring resilience against known and emerging threats.
Secure Development Practices: Our development teams adhere to secure coding practices informed by the latest industry standards, such as OWASP Secure Coding Practices. We utilize both static and dynamic analysis tools throughout the development process to identify and address security vulnerabilities, ensuring that the codebase is robust and secure.
Agile Project Management: Azure DevOps Boards are used for project management, supporting our Agile workflow with features for backlog management, sprint planning, and issue tracking. These tools enhance visibility and coordination among development, QA, and product teams.
Testing: Security testing is an integral part of our quality assurance process. We employ a variety of testing methodologies, including penetration testing, vulnerability scanning, and security audits, to validate the security and functionality of information security controls within our systems. This thorough testing regime ensures that systems are resilient and can withstand both current and future security challenges.
Training: We provide ongoing training for our development teams on secure coding practices and emerging security threats, ensuring that our personnel remain aware of the latest developments in cybersecurity.
Are security professionals involved in the testing phase of an application?
Yes. Security testing is an integral part of our quality assurance process. We employ a variety of testing methodologies, including penetration testing, vulnerability scanning, and security audits, to validate the security and functionality of information security controls within our systems. This thorough testing regime ensures that systems are resilient and can withstand both current and future security challenges.
Does Atriis separate test and development environments?
Yes. Atriis employs a meticulous approach to environment separation by utilizing distinct Azure subscriptions for both production and test environments. It is essential to note that our Test/Dev environments strictly exclude production data, especially personally identifiable information (PII). This segregation ensures that sensitive PII is not present in the testing and development phases, upholding the highest standards of data privacy and security. Our commitment to maintaining this clear demarcation underscores our dedication to rigorous data protection practices and aligns with the industry's best standards for secure software development and testing environments.
How are changes deployed into the production environment?
Changes to the production environment follow a structured and secure deployment process to ensure stability and security. This process begins with thorough testing in a staging environment that closely mirrors production. Changes are subject to code reviews and automated testing to identify any potential issues.
Once approved, changes are scheduled for deployment during low-traffic periods to minimize impact on users. We use automated deployment tools to ensure consistency and to track the deployment process. Rollback procedures are in place to quickly revert changes if any issues are detected post-deployment.
Finally, the deployment is monitored closely, with key performance indicators (KPIs) and logs reviewed to confirm the success of the update and to detect any unforeseen impacts. This careful approach ensures that deployments are conducted safely, with minimal disruption to services.
Do you use data sets containing personal information from actual people when testing an application?
No; we do not use real data in test and staging environments.
How does Atriis protect its application source libraries?
Protecting our application source libraries involves a combination of strict access controls, secure coding practices, and continuous monitoring to ensure the integrity and security of our code.
Throughout a software development project, when do you typically start to discuss the security design requirements?
From the initial design phase, security is a primary consideration. We adopt a proactive approach to security, identifying and incorporating security functionalities such as authentication, authorization, encryption, and logging into the system architecture.
Have Atriis developers been trained in secure coding techniques?
We provide ongoing training for our development teams on secure coding practices and emerging security threats, ensuring that our personnel remain aware of the latest developments in cybersecurity.
Describe your techniques to handle input and output validation when designing a software application.
To prevent indirect data exposure through injection attacks, we employ strict input validation and output encoding practices. By validating all incoming data and encoding output, we reduce the risk of attackers exploiting input validation weaknesses to gain unauthorized access to data.
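To make the two halves of that answer concrete, the following added example (not Atriis code) puts a string-built SQL lookup next to its hardened counterpart, which allow-lists the booking reference format and passes the value as a query parameter, and encodes a value before it is placed in HTML. The booking table, the six-character reference format and the sample rows are constructed for the example; it uses Python's bundled `sqlite3` so it runs offline.

```python
import html
import re
import sqlite3
from typing import List, Tuple

# Assumed format: six uppercase letters or digits. An allow-list regex is preferred over
# trying to block "bad" characters.
BOOKING_REF = re.compile(r"[A-Z0-9]{6}")


def setup_db() -> sqlite3.Connection:
    """Constructed sample data in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bookings (ref TEXT, traveller TEXT)")
    conn.executemany("INSERT INTO bookings VALUES (?, ?)",
                     [("ABC123", "Alice"), ("XYZ789", "Bob")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, ref: str) -> List[Tuple[str]]:
    """Weak form: the input becomes part of the SQL text, so quotes in it
    change the statement's meaning."""
    return conn.execute(f"SELECT traveller FROM bookings WHERE ref = '{ref}'").fetchall()


def lookup_parameterized(conn: sqlite3.Connection, ref: str) -> List[Tuple[str]]:
    """Parameter binding: the driver sends the value separately from the statement,
    so it can only ever be compared as data."""
    return conn.execute("SELECT traveller FROM bookings WHERE ref = ?", (ref,)).fetchall()


def lookup_hardened(conn: sqlite3.Connection, ref: str) -> List[Tuple[str]]:
    """Input validation first, then the parameterized query. Rejecting malformed
    input early also keeps junk out of logs and downstream systems."""
    if not BOOKING_REF.fullmatch(ref):
        raise ValueError("booking reference must be 6 uppercase letters or digits")
    return lookup_parameterized(conn, ref)


def render_traveller(name: str) -> str:
    """Output encoding: escape the value for the HTML context it is inserted into,
    so a stored name cannot become markup or script in the page."""
    return f"<td>{html.escape(name, quote=True)}</td>"
```

The parameterized query alone neutralizes the injection (the constructed `' OR '1'='1` input simply matches no reference), and the validation step on top of it turns the same input into a clean error rather than a silent empty result.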
How does Atriis conduct technical reviews of application designs?
Our R&D team leaders and security team leaders conduct thorough code reviews to scrutinize any changes for potential security vulnerabilities.
In addition to manual reviews, static and dynamic application security testing scans are in place.