Back to the main menu
Behind the Scenes: Security Management at ScienceSoft
With 21 years of practical cybersecurity experience and an ISO 27001-certified security management system, ScienceSoft ensures full safety of the digital assets it handles.
|
No security incidents overshadowing our 35-year history. |
Trusted by 1300+ customers, including global brands such as Deloitte, Walmart, eBay, Nestle, NASA JPL, Viber, Leo Burnett, M&T Bank, T-Mobile. |
Dedicated to Keeping Our Customers Safe: Security Within a Project
When we embark on development, support, testing, and other projects, our customers' cybersecurity becomes our highest-priority concern. For each project, we have a charter describing security management procedures tailored to the client's business specifics, security and compliance requirements. Our certified internal auditors are ready to check how well our security management processes work during the project. As for specific measures we apply to secure customers’ IT resources we access, they may include:
Protecting our customers' intellectual property
- Signing a non-disclosure agreement to confirm we ensure full confidentiality of our customer's trade secrets or other intellectual property.
- Acknowledging that our customers own all the information they entrust to us: ideas, designs, code, etc.
- Deleting the customer's data from our ecosystem as soon as it is no longer needed for the project's purposes.
Securing project environment
- Enterprise-level VPN tunnels to protect permanent interconnection between our and our clients' infrastructures.
- Secure corporate devices, including the ones with encrypted disks.
- Secure virtual machines.
- A separate secure code repository for each project.
- The physical presence of our employees in a secure, controlled environment.
- A custom project environment: e.g., an isolated network infrastructure, dedicated physical servers, dedicated rooms for the project team.
Preventing unauthorized access to our customers’ data and IT systems
- Access to project data only for authorized employees strictly according to their roles.
- All the passwords granted by the client to access its systems are stored in the client's password storage; passwords to access the client's password storage are in ScienceSoft's secure password storage.
- Multi-factor authentication.
Evaluating the security of customers' IT assets within the project scope
- Security-focused code review/audit.
- Vulnerability assessment.
- Black/gray/white box penetration testing.
- Social engineering testing.
- Security audit.
- Compliance assessment.
What Sets ScienceSoft Apart as a Secure Vendor
We are experienced in handling all types of cyber threats
- 21 years in IT security services.
- A solid portfolio of completed cybersecurity projects.
We have built a security system that runs like clockwork
- Comprehensive security program based on NIST CSF.
- Clearly defined roles and responsibilities for the employees involved in managing security.
We keep our cyber defense up to date
- Security policies and processes frequently reviewed and improved by our ISO 27001-certified internal auditors.
- Regular security testing of our IT infrastructure and software.
We are compliant and help achieve compliance
- ISO 9001, ISO 27001, ISO 13485, and other certifications proving the quality and security of our processes.
- Developing software and providing IT services in line with the applicable compliance requirements, including HIPAA, PCI DSS/SSF, FISMA, SOC 2, NYDFS, GDPR, and others.
Four Pillars of ScienceSoft's Invincible Security
Secure IT asset management
- Full visibility: keeping a regularly updated inventory of all IT assets we handle, including our clients' data and IT infrastructure components we access during a project.
- Prioritization: classifying IT assets according to their confidentiality and business criticality.
- Risk-based approach: evaluating security risks for the IT assets to define and implement the optimal protection measures.
Secure environment
- Combination of protective and detective security tools, both on-premises and cloud ones, from trusted vendors like Cisco, F5, and IBM. They include firewalls with IDS/IPS, endpoint protection for local and remote workers, email protection, WAF, DLP, and SIEM systems.
- Device management: properly secured corporate devices and strict BYOD and MDM policies.
- Physical security measures: video surveillance, access control systems, alarms, and on-site security personnel.
Secure operations
- Strict controls for internal and remote access: our employees get access to corporate systems and project assets strictly according to their roles. Also, we use multi-factor authentication, advanced endpoint protection solution, secure VPN, etc.
- Strong encryption algorithms and secure communication channels to guarantee the security of data at rest and in transit.
- A dedicated team for continuous IT infrastructure monitoring and incident response.
Security awareness
- "Security is everyone's responsibility" mindset: our employees understand their roles in security management, while the executives empower them with the necessary knowledge, policies, and tools.
- Comprehensive and consistent security awareness training: from onboarding, our employees are continuously educated on the corporate security policies, potential cyber threats, as well as on how to act in case of potential incidents, according to their nature and severity.
- Promoting the reduction of digital footprint among our employees.
- Regular check-ups of employees' cyber resilience through interviews and social engineering testing.
Best Practices Behind ScienceSoft's Security Management
ISO 27001
Having implemented 114 security controls prescribed by the standard, we systematically protect our clients’ information.
NIST Cybersecurity Framework
The framework serves as the foundation for our well-rounded security program ensuring efficient cybersecurity risk management and reliable protection of IT assets.
CIS Controls
The critical security controls recommended by the Center of Internet Security and properly implemented by our experts make us resilient to pervasive cyber threats.
CIS Benchmarks
Guided by expert-vetted best practices, we ensure secure configurations of our applications, networks, and cloud infrastructure.
NIST Secure Software Development Framework
We integrate security at all stages of SDLC and deliver software with built-in security.
NIST SP 800-115
Following the guidelines on planning and conducting security assessments, we get accurate results and efficient vulnerability remediation strategies.
OWASP Web Security Testing Guide
Thanks to this comprehensive guide, we are equipped with the optimal techniques, methods, and tools for checking the security of web applications and services.
The Team Behind ScienceSoft's Cybersecurity Success
Director of Information Security
- Establishes, maintains, and improves ScienceSoft's information security vision, strategy, and program to ensure our IT assets are protected against all types of threats, including APTs.
Process unit
- Monitors the changes in security standards and compliance requirements.
- Designs security policies and processes and supervises their implementation.
- Reviews and updates security policies and procedures to keep them efficient in the fast-paced IT landscape.
Cyber defense unit
- Keeps abreast of the latest cybersecurity technologies.
- Implements technical security controls, sets ups and configures security tools.
- Monitors and improves technical security measures to offer the best possible protection of the changing IT environment.
Security testing unit
- Keeps up with the latest known vulnerabilities and state-of-the-art hackers' techniques.
- Conducts regular security check-ups of ScienceSoft's software and IT infrastructure.
- Analyzes the detected vulnerabilities and advises the cyber defense unit on the optimal remediation measures.
Internal audit group
- Defines ISO 27001 requirements applicable to a particular ScienceSoft's office or department.
- Identifies and describes compliance gaps.
- Creates a remediation plan and establishes deadlines for remediation.
- Performs re-auditing to make sure all the gaps are fixed.
