TSIA Information Security Measures

Information security and data privacy are critically important goals for TSIA. Our information security measures meet the highest standards in the industry.

Compliance

Compliance with state, federal and international guidelines and regulations is at the core of our information security measures.

SOC 2

TSIA is SOC 2 compliant for 2023 with the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data. The standard is based on the following Trust Services Criteria: security, availability, processing, integrity, confidentiality, and privacy.

Policy

TSIA’s Information Security Policy is aligned with the NIST Cybersecurity Framework; an outline of the Policy is available upon request. TSIA’s data practices are described in our Privacy Policy and in our Membership Terms and Conditions.

Training

TSIA creates a culture of information security through semi-annual security awareness training and on-demand recordings. TSIA’s Information Security Policy details the components of the training plan. Training resources are posted on the company intranet. All new hires are required to read the information security policy and undergo information security training via the on-demand recordings.

Audit

Annual audits of TSIA’s internal and external network and physical security, including penetration testing, are performed by an independent contractor utilizing the NIST Cybersecurity Framework 800.53. The auditor provides TSIA with a letter of attestation. Should there be a need to remediate, the auditor prioritizes the issues by severity level in an executive summary. Attestation of the most recently completed audit is available upon request.

Incident Response

TSIA has a standardized process for responding to security incidents. When a security incident is suspected, teams are notified and a central communication channel is established. If TSIA believes that confidential or personally identifiable information has been accessed or modified by an unauthorized third party, we take all necessary steps to notify the affected individuals/companies as quickly as possible, and in no case greater than two business days after we learn of the breach. In our communications, we include the following information:

• How the information was accessed (i.e., viewed, modified, etc.)
• The actual information accessed
• What we are doing to mitigate the access
• What corrective actions we will take to prevent future breaches

After an incident, we conduct a post-mortem analysis to identify root causes and track any related follow-up work.

Infrastructure Security

Our infrastructure security efforts focus on providing the underlying tools, systems, processes, and knowledge resources to operate secure and privacy-protecting systems.

Physical Security

Access to TSIA office working spaces, both external and internal, is strictly controlled with location-specific key cards and supporting administrative procedures.

Storage and Transmission

All of TSIA’s infrastructure runs in the cloud; Rackspace is our primary service provider. See Rackspace Security for more information regarding their managed security measures.

Network Isolation

TSIA limits external access to network services by running them inside a Virtual Private Cloud (VPC) and blocking all unnecessary ports from external traffic. Access to our production network is limited to necessary personnel, logged, and secured using VPN connectivity. We use Cisco firewalls to control VPN access and available ports.

Threat Detection

TSIA utilizes AT&T’s Cybersecurity Security Information and Event Management (SIEM) solution for continuous monitoring, alerting and response processes for suspicious activity occurring in our infrastructure.

Vulnerability Scanning

TSIA uses automated security scanning tools to notify us quickly of changes in our infrastructure that may result in a security issue. The results of these scans are regularly triaged by our IT department and the Rackspace dedicated support team.

Third Party Vulnerability Management

TSIA regularly monitors global vulnerability feeds, including the Threat Exchange and various security-related forums, as well as security release information for software in our stack. When a vulnerability that affects us is released, we prioritize the rollout of the patch based on the severity, or impact, of the vulnerability in question.

Patching

TSIA, along with Rackspace Managed Services, regularly updates our operating systems images, container images, language runtimes, and language libraries to the latest known supported versions.

Logging

TSIA maintains a centralized log for product and infrastructure events and metrics. All system-level actions performed in production environments with administrator permissions are logged.

Encryption

TSIA encrypts all confidential and Personally Identifiable Information (PII) in transit outside of our private network and at rest in our private network.

Disaster Recovery

TSIA’s website is hosted in a Rackspace data center on two hypervisors for a high-availability failover. Should the Rackspace data center succumb to natural disaster where failover is not an option, TSIA has a “cold site” solution that would spin up a new infrastructure and restore our backups in 48 hours.

End User Security

The goal of our IT security practices is to make employees more productive while also providing them the tools they need to do their job safely and securely.

Access

TSIA has an internal classification standard that describes the different types of data that our employees work with and how that data should be handled and by whom. TSIA practices the Principle of Least Privilege (PLP) with regard to access to systems and data. Accounts are activated when an employee joins and deactivated when an employee leaves, using automated processes where possible.

Acceptable Use

TSIA employees are authorized to access corporate systems, data, and applications via corporate end user devices only. Corporate end user devices include laptops, notebook computers, and cell phones.Our Mobile Device Policy describes best practices for device configuration and software usage. It mandates network connectivity, website usage, full disk encryption for all devices that have access to sensitive data, the use of screen locks after a period of inactivity, and remote wipe capabilities. It also describes our permitted software and software update practices.

Device Security

TSIA utilizes endpoint encryption on all end user devices from BitLocker (PC) and FileVault (Mac) and protects them from malware and viruses with software from BitDefender. Should there be any issues with a machine, we have the ability to remove any apps or remote wipe via Cisco’s Meraki MDM. All data is backed up and encrypted in the cloud by Carbonite. External hard drives are not authorized for use by TSIA employees.

Password Protection

TSIA requires all employees to store their passwords in a password management system. This system allows IT insight into the strength of passwords and, when it occurs, the reuse of passwords. Strong and unique passwords are required for all corporate end user devices and applications. In addition to password management, TSIA configures SSO with those applications/cloud services that allow such a configuration.

Authentication

Access to corporate applications, including email, is governed by two-factor authentication.

Third Party Software

All requests to install third party software must be made to IT and approved by the requesting party’s supervisor. Once approved by IT, the software is pushed to the user’s machine via Cisco Meraki MDM software.