The InfoBridge information security compliance framework is based on the ISO 27001 standard. ISO 27001 is an information security standard published by the International Organization for Standardization and is currently the most widely used standard of its kind in the world. It is a specification for an information security management system (ISMS), including comprehensive coverage of recommended security controls. These controls help to address the risks that are identified and measured within InfoBridge.
The InfoBridge 3 Lines of Defense strategy is based on the risk management principles adapted from the ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41. InfoBridge has focused its responsibilities on 3 key segments for effectively managing information security risks: 1 – operation, 2 – compliance, and 3 – assurance.
Security Governance Board
The InfoBridge Security Governance Board consists of the InfoBridge executive management team reporting to the CEO. It is responsible for the assurance function and for all assets within the organization.
Information Security Steering Committee
The InfoBridge Information Security Steering Committee is an appointed group of leaders from the respective business divisions within the organization. This team is responsible for the overall risk management programs as well as for carrying out the protection of assets through the Information Security Management System.
Operation (1st Line of Defense)
The 1st line of defense is the actual operation of our program. Those responsible are the professionals who directly interface with customers and partners. Working with their respective leaders, our teams use the InfoBridge security framework and controls to protect the associated assets against risk.
Compliance (2nd Line of Defense)
The 2nd line of defense assumes the risk management function within our organization and is responsible for identifying, measuring, and managing risks. The team responsible is comprised of business unit leaders from the Security Steering Committee, where common policy, frameworks, and controls are created, implemented, and maintained.
Assurance (3rd Line of Defense)
The 3rd line of defense is led by our Security Governance Board and is the level that manages oversight and assurance for our information security compliance programs. This board is ultimately responsible for ownership of the assets, resources, and risk at InfoBridge. Leadership at this level also ensures that adequate resources are available to properly address the requirements of the information security standards used to measure and address risks.
InfoBridge security controls are based on a Risk Management Methodology that accounts for the assets used and handled by InfoBridge. This framework assigns ownership and responsibilities for all assets as well as for any associated risks. As risks can be addressed in several effective ways, a measurement system helps us understand the impact, likelihood, and overall score of each risk. This score is carefully assessed against the tolerance set by the asset and risk owners. The outcome is a decision on how to handle the risk in the form of a risk treatment plan. Risk treatment plans are intended to reduce the likelihood or impact of threats by better handling specific aspects that can be measured, monitored, and controlled.
InfoBridge incident management policies and procedures are based on the goals of dealing quickly and efficiently with information security incidents while maintaining the integrity of services. Based on ITIL Incident Management as well as key concepts from NIST Special Publication 800-61, the workflow and logic of the InfoBridge Incident Management Framework are focused on identifying and managing information security incidents. While the goals of our incident management framework are focused on identification and on maintaining the integrity of services, our program also accounts for corrective and preventive actions to continuously make improvements.
Detection and reporting
Identification and classification
Investigation and Assessment
Resolution
Recording / tracking
InfoBridge cloud services leverage the Microsoft Azure platform; therefore the underlying infrastructure follows Microsoft Azure compliance standards, certifications, and supporting processes.
Microsoft Azure is compliant with more than fifty (50) of the top global compliance programs.
The primary landing pages for Microsoft Azure compliance information are the Trust Center (https://azure.microsoft.com/en-us/support/trust-center/) and the compliance landing page (https://www.microsoft.com/en-us/TrustCenter/Compliance/default.aspx).
A recent white paper on Azure Security, Privacy and compliance is also available here: http://download.microsoft.com/download/1/6/0/160216AA-8445-480B-B60F-5C8EC8067FCA/WindowsAzure-SecurityPrivacyCompliance.pdf
Azure certifications include:
ISO/IEC 27001/27002 - https://www.microsoft.com/en-us/TrustCenter/Compliance/ISO-IEC-27001
PCI-DSS - https://www.microsoft.com/en-us/TrustCenter/Compliance/PCI
FISC - https://www.microsoft.com/en-us/TrustCenter/Compliance/FISC
BITS Shared Assessments Program - https://blogs.microsoft.com/cybertrust/2013/09/17/financial-services-a-survey-of-the-state-of-secure-application-development-processes/
ENISA - https://www.enisa.europa.eu/
FIPS 140-2 - https://www.microsoft.com/en-us/TrustCenter/Compliance/FIPS
SSAE 16 – SOC1, SOC2, SOC3 - https://www.microsoft.com/en-us/trustcenter/Compliance/SOC
ISO/IEC 27018 - https://www.microsoft.com/en-us/TrustCenter/Compliance/ISO-IEC-27018