How do I protect my content and data?
The Training Arcade® is used by some of the most highly regulated industries and corporations. As a result, we take security very seriously. Below is an overview of our protocols.
Passwords expire at least every 90 days and are encrypted at rest and in transit using industry-standard encryption algorithms. For customer data on The Training Arcade®, a protocol is in place to prevent connectivity between two sets of data. Specifically, every customer has a unique subdomain, and we have a software protocol in place to prevent connectivity to data stored under a subdomain to which a customer is not authorized access.
We have a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP). The plans are part of a broader context that includes Security, IT, Personnel and company operations. Specifically, the BCP and DRP cover handling both disruptions (environmental, electrical, civic disruption, etc.) and destruction (fire, flood, explosion, earth movement, etc.) at our physical locations and the AWS data centers we use to deliver services. The plans include information on backup infrastructure and procedures, a chain of command and communications to employees and clients, and overall system recovery. The annual test of our BCP and DRP was completed in March 2019. All clients using The Training Arcade® are notified when there are scheduled or unexpected interruptions to the service.
All non-public data is encrypted in transit using TLS and our databases are encrypted at rest. Client Data is encrypted in transit over public networks. Remote access connections into our network occur over an encrypted tunnel (e.g. VPN). Logins and data transfers are secured with encryption for cloud connections (e.g. HTTPS, SFTP, etc.). Wireless networks are required to be encrypted in accordance with industry standards.
We conduct background checks on employees in accordance with local, state and federal laws. We expand this to third parties and contract workers on a case-by-case basis depending on the specific engagement. We expand the scope of the background check when the situation requires it (e.g. our work in
INFORMATION SECURITY INCIDENT MANAGEMENT
We have an Incident Management Policy and an Incident Management team assigned to respond to security incidents. TGA has support agents who operate on business days during business hours (Monday through Friday, 9:00 AM to 6:00 PM EST). TGA also employs team members who are on call 24/7 and are notified of system outages, security events, and other major alerts. If required for the scope of work with Enterprise Learning, we can employ dedicated support staff to meet customer requirements.
When an issue is identified, TGA personnel log it in our task management system and assign it to the appropriate technical personnel with a priority level, description, and requested due date. Technical staff accept the ticket by marking it as in progress. Once resolved, the ticket is sent back to the reporter, who provides a quality assurance function and closes the ticket when satisfied. All updates and changes are deployed in commits and merged into the staging or production instances for deployment when appropriate. Production deployments do not occur on Fridays or holidays except in the case of emergencies and critical updates. Backups of systems and data are performed daily.
ORGANIZATION OF INFORMATION SECURITY
We have an Information Security Policy and an Information Security team with defined Privacy and Security roles and responsibilities. Our Information Security group maintains contacts with Information Security special interest groups, specialist security forums, and professional associations (i.e. ISACA, CSIRT,
PHYSICAL & ENVIRONMENTAL SECURITY
TGA is a US-based company that does not store any client data on its premises. Client Data resides in a secure data center and AWS facilities maintain environmental controls.
SYSTEM ACQUISITION, DEVELOPMENT
Change Control: TGA employs a formal change control process. Changes are monitored throughout the implementation process to ensure success. The process is owned by the product owner and managed via stand-ups, sprint cycles, and the backlog. Appropriate segregation of duties is maintained between change approvals and change implementation. Approvals are obtained for emergency changes. There are separate development, test, and production environments. We ensure that client production data is not used in development, staging, or testing/QA environments. We have a vulnerability management program that includes remediation of vulnerabilities identified in network and application security tests.