Our security mission
Lynxcare ensures security via its ISO27001/NEN7510 certified Information Security Management System. With this management system we achieve our business and security goals and priorities, as defined by the management team. These goals are:
- Adequate security technologies. We select the best preventive and reactive security technologies for every context.
- Secure Software Development Lifecycle. The core of Lynxcare, our SaaS application is developed according to the best security practices.
- Access controls based on the principle of least privilege. If you don’t need access for your job, you don’t get it. If you change jobs, you lose it.
- Efficient incident management. An incident can always happen, so we need to be prepared, right?
- Effective business continuity and disaster recovery management. In case of an incident affecting our availability, we ensure we are quickly back on track, serving our customers.
- Security aware team. Every team member is trained to have the right security skills and attitude, in line with his or her job responsibilities.
- Compliance with all applicable laws and regulations. With our efforts we meet the expectations of industry and governments.
In the next paragraphs, we explain how we achieve these goals.
The security technologies we have implemented are always selected based on a risk assessment. As such we can spend the time and resources on the most critical elements. Some of the technologies we use are:
Data Encryption at rest
Data, Operating Systems and disks are encrypted.
Data Encryption in transit
All connections to our websites or services are protected via the use of encrypted connections, such as the SSL/TLS protocol. LynxCare uses TLS-encrypted connections by default, the same level of encryption used by financial institutions to secure online banking transactions. Encryption is used on both external and internal connections. This way, sensitive information is never sent or received as readable text.
We use Distributed Denial of Service (DDoS) mitigation services.
90% of attacks start with a phishing e-mail. Also, e-mail is still used by attackers to send malicious content, or to direct the user to malicious content. Therefore, we have implemented strict technical security controls, as well as warnings for our users and a continuous phishing training program.
The devices used by our team members are controlled by our central software. As these are an entry point to our cloud environment, proper security controls are required.
Every (virtual) machine is equipped with endpoint protection. It prevents malware, detects suspicious behavior, scans for local vulnerabilities, etc.
Our cloud-based firewall technology protects our virtual networks and their resources. Through it we create, enforce, and log application and network connectivity policies.
Based on the information classification label of data or a resource, we enforce the relevant security policy. As such, we can effectively prevent data loss.
Separation of Environments
LynxCare ensures a clear separation between different customer environments and there is a clear separation between relevant components within that customer environment.
There is also a clear separation between the test, staging and production environment.
Vulnerability and Patching Management
We continuously scan for vulnerabilities in our environment. Once a vulnerability is found, this is treated as an incident.
We continuously follow up on available patches and deploy them according to our patching schedule, unless a patch is an urgent security patch.
Secure Software Development Lifecycle
- At Lynxcare, software is developed using an Agile approach, with sprints of 3 weeks.
- We follow security best practices and frameworks such as OWASP Top 10.
- We work with a security by design principle, including risk assessments, data protection impact assessments and design reviews from a security perspective.
- Code is only deployed in production after review of a colleague of the developer. There is a strict change management process. This is not only the case for code, but also for infrastructure changes.
- We use Static Application Security Testing (SAST) to detect basic security vulnerabilities in our codebase.
- We use Dynamic Application Security Testing (DAST) to scan our applications.
- We organize regular penetration tests, executed by external specialists. These happen at least twice a year and at every major release.
- We work with multi-factor authentication. A user can only log in by presenting something they know (their password) and something they have (an authenticator application).
- Access is based on the principle of least privilege and separation of duties. This means any team member can only see or change as much as is strictly necessary for their role. For important tasks, multiple people are also required, so no single team member can undertake a significant action without any control.
- Passwords must meet a minimum level of complexity. This is enforced by the system.
- We work with privileged access management, meaning a team member who is authorized to use privileged roles (the roles with access to our most important resources) can activate those roles only for a justified reason. This access is always time-bound.
- For highly privileged roles, we require a second, extra secure, separate account.
- We have activated conditional access policies, meaning that access is denied whenever something suspicious is detected (e.g. the device is non-compliant, the login is from an unusual location, etc.).
- At onboarding and at an internal change of roles a team member gets the access package that fits with the role’s responsibilities.
- At off-boarding, access rights are taken away on the last day, or immediately (in case of a forced resignation).
- We work with single sign-on, so a team member can use one account to access all resources. Just one account is not only easier for our team members, but also easier to secure and manage. Furthermore, with this way of working passwords are not stored in an application.
- Every year an extra manual review of all access rights is performed.
- The same principles are implemented for customer accounts. The control of who is authorized to see what is then, of course, in the hands of the customer.
Access control is also related to physical security.
- You can only enter our office with a badge.
- Our IT environment is completely cloud-based. For the most recent description of the physical security of our cloud environment, please see the physical security description of Azure.
Detection is one of the most important parts of incident management. We analyse the logs of various technology components to find suspicious events. We train our people to notify us of anything strange. Once an incident has been detected, we follow a trained process with designated people to resolve it. The steps to take depend on the type of incident (a security incident, a data breach, an availability issue…). Major incidents must be resolved within 4 hours. Afterwards, the CISO is responsible for organizing a lessons-learned session with the management team and other relevant staff members.
Business continuity and disaster recovery
Dedicated team and recurrent tests
Business continuity and disaster recovery are vital in case of a severe major incident. For this process we have designated people to follow up, including the management team. Twice a year we perform a business continuity and disaster recovery test to ensure our skills remain sharp, in case we ever need them.
Backups are an essential part of any business continuity and disaster recovery plan. We regularly execute restore tests, so we are sure we can restore a backup when needed.
We have more than one backend. If a backend goes down, our “traffic manager” redirects traffic to another backend immediately.
Infrastructure as code
We work with infrastructure as code. This is a method of provisioning and managing IT infrastructure through source code, rather than through manual processes and standard operating procedures. It allows us to spin up an entire infrastructure architecture quickly: not only running virtual servers, but also launching storage systems, network infrastructure, databases, and other cloud services. This is useful in case of an incident.
Furthermore, this increases security, because if all compute, storage, and networking services are provisioned with code, then they are deployed the same way every time. As such, security standards can be easily and consistently deployed without having to have a security gatekeeper review and approve every change.
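As an added illustration of the point above (this is example code, not Lynxcare's own templates), the Bicep file below declares an Azure storage account whose security settings are fixed in source: a TLS 1.2 minimum, HTTPS only, no anonymous blob access, no account-key access, no public network access, and encryption at rest. Because the settings live in the template, every test, staging or production deployment applies the same standard. The parameter names, the naming scheme and the tag values are assumptions made for the example.

```bicep
// Added example, not Lynxcare's own code. Parameter names, the account naming
// scheme and the tag values are assumptions; adjust to the real conventions.
@description('Environment name; assumed to be one of test, staging or production.')
@allowed(['test', 'staging', 'production'])
param environment string

param location string = resourceGroup().location

// Storage account names must be 3-24 lowercase alphanumerics:
// 'lc' + up to 4 chars of the environment + 13-char unique suffix = at most 19.
var accountName = toLower('lc${take(environment, 4)}${uniqueString(resourceGroup().id)}')

resource dataAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: accountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_ZRS' }
  properties: {
    minimumTlsVersion: 'TLS1_2'        // encryption in transit: reject older TLS versions
    supportsHttpsTrafficOnly: true      // no plaintext HTTP endpoint
    allowBlobPublicAccess: false        // no anonymous access to containers or blobs
    allowSharedKeyAccess: false         // identity-based (RBAC) access only, no account keys
    publicNetworkAccess: 'Disabled'     // reachable only through private endpoints
    encryption: {                       // encryption at rest for blob and file services
      keySource: 'Microsoft.Storage'
      services: {
        blob: { enabled: true }
        file: { enabled: true }
      }
    }
  }
  tags: {
    environment: environment            // supports the test/staging/production separation
    dataClassification: 'confidential'  // label that classification-based policies can key on
  }
}

output storageAccountId string = dataAccount.id
```

Deploying this same file for each environment (for example `az deployment group create --template-file storage.bicep --parameters environment=staging`) is what makes the settings reproducible: a change to the security baseline is a reviewed change to the template, not a manual edit in a portal, which is the review-and-approve step the paragraph above describes.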
Service Level Agreements (SLAs)
Our entire environment is cloud-based. With our providers we negotiate strict SLAs so we can guarantee availability to our customers.
We use partners for some business processes that are not core to our expertise but are critical to our customers having a quality experience. The confidentiality, availability and integrity of these third parties are crucial to guarantee business continuity. Therefore, we impose strict security requirements on our suppliers, depending on the products and/or services they offer. We closely monitor compliance with these requirements. If required, we stop the partnership and select another supplier.
Security aware team
- Our team members sign a non-disclosure agreement when starting at Lynxcare.
- At least once a year we hold a general security awareness event.
- New team members are onboarded and immediately receive a security training based on their role at Lynxcare.
- We invest in competence development, including for security, and create a personal development plan for every team member.
- Together with our legal experts we follow up on the legislative and regulatory requirements for our business (a.o. GDPR). Then, we create action plans on how to comply with them.
- We also comply with various international security and privacy standards, such as ISO27001, NEN7510 and HIPAA.
- Our environment is completely cloud-based, but data is only stored in the region of the customer.
- Our cloud partner also publishes extensive documentation on its security, privacy and compliance efforts; please see the Microsoft Trust Center.