Security Standards
Last Updated: August 2024
The below is a general description of Aura’s security standards and practices as of the date hereof. Aura is continuously reviewing its practices and the following may change without notice as Aura deems reasonably necessary to improve its security standards and practices.
Secure Architecture
- All personal data of customers of Aura’s products or services (“Customer Data”) is accessible only by authorized Aura team members and only on a need-to-know basis.
- Customer Data never leaves the production environment except as needed to provide Aura products and services to the customer or otherwise in accordance with Aura’s privacy policy.
- Web access, where end-users access their Customer Data, is entirely segregated from the rest of Aura’s technical architecture.
- No administrative access to Aura’s architecture is available directly from the public Internet.
Information Security Policy and Program Management
Aura's Security Program is overseen by Aura's Executive Management. The execution of the Security Program is delegated to the Chief Information Security Officer (CISO). Management delegates the maintenance of issue-specific policies to the CISO. Specific policies are reviewed annually and include the following:
- Acceptable Use Policy
- Account Management Policy
- Application Development Policy
- Approved Software Policy
- Change Management Policy
- Cloud Computing Policy
- Configuration Management Policy
- Data Classification & Handling Policy
- Data Protection Policy
- Electronic Mail Policy
- Employee Onboarding & Offboarding Policy
- Firewall Management Policy
- Hardening Standards Policy
- Incident Response Plan
- Information Backup Policy
- Information Security Policy
- IT Asset Management Policy
- Logging & Monitoring Policy
- Network Controls Policy
- Password Management Policy
- Patch Management Policy
- PCI Scoping Document
- Personal Device Use Policy
- Physical Security Policy
- Policy on Information Security Policies
- Remote Access Policy
- Risk Management Policy
- Security Awareness Policy
- Third Party (Vendor) Management Policy
- Vulnerability Management Policy
Vulnerability Management
The following steps are taken to identify vulnerabilities in software and services hosted by Aura as determined necessary by Aura.
- Regularly occurring internal vulnerability scans
- Quarterly external vulnerability scans
- Ongoing static code scans of all Aura production source code
- Third-party library code scans of all Aura production source code
- At least annual penetration tests of Aura products and services
- All critical and high findings are remediated as soon as reasonably possible. Systems are retested until findings are resolved.
Asset Management
- Aura identifies all assets (hardware and software) and maintains an active list.
- Asset lifecycles are controlled and managed. The IT department is responsible for managing the lifecycle and secure destruction of decommissioned physical assets.
Data Classification
Protecting data starts with an understanding of the types and locations of data within an organization. Aura classifies all data into three categories:
- Public data: Any data elements that have been approved by Legal for public consumption. These include public web pages, press releases, job postings, public financial reporting etc. This information may be freely shared.
- Internal-Use-Only: Any data that does not fall into the Public or Sensitive category. Access to this data is limited by business need.
- Sensitive data: This includes Customer Data. This data is stored in secured locations and encrypted in accordance with industry-leading standards. Access is limited by roles and business need.
Data Handling
- Electronic Sensitive Data is stored in the Production Environment only, and in authorized, secure storage locations.
- Sensitive Data does not move out of the Production environment unless required to provide Aura products or services, or as otherwise set forth in Aura’s privacy policy.
- Any movement of Customer Data outside the production environment is in encrypted format.
- Destruction of electronic data is carried out using approved methods for secure destruction.
Encryption
All sensitive data is transmitted encrypted when traveling beyond Aura networks.
- TLS version 1.2 or higher for web sites and data exchange with vendors and partners.
- SFTP is supported for file transfers where specifically requested, using a SHA-256 key algorithm.
Storage Encryption
- Structured Storage: Database encryption using AES-256
- Unstructured Storage: Filesystem encryption using AES-256
Device Encryption
- All laptops are encrypted using BitLocker or FileVault.
Key Management
- Aura uses secure key management vaults provided by AWS to store and maintain authentication keys.
Internal Aura Account Management
- The assignment of account privileges throughout the organization is guided by the "Least Privilege Principle", "Need to Know" and the use of Role Based Access. The least privilege principle holds that each user is assigned the minimum account privileges necessary to do their job and no more.
- Ad hoc data access requests are individually approved by the data owner based on a business need.
- All access to Customer Data is reviewed by the Data Owner and Information Security.
- Roles are established at the time of hire by People Operations and are auto-provisioned by the HRIS system and identity provider (IdP) system.
- Account privileges for separated employees or contractors must be revoked as soon as possible, but no more than 1 hour past the time of separation.
- Accounts are always traceable back to an individual.
- The use of shared, or generic, accounts is strongly discouraged. In the rare situation in which a shared account is needed, each use of the account must be tied to the person using it via audit record.
- Password requirements are: minimum of 12 characters, contains both numbers and letters, may not be the same as the previous 8 passwords. These rules are enforced by an identity provider.
- In accordance with modern industry standards, we do not automatically expire passwords based on time. This is in line with the NIST SP 800-63B recommendations.
Security Awareness
- All employees undergo Information Security and Privacy training at time of hire. Additionally, regular re-training occurs.
- All employees and contractors are provided an internal website that encapsulates the security policies for the organization.
Malware Detection
- All endpoints are protected by industry standard malware prevention and detection software. The configuration prevents the user from being able to disable the software.
- In addition, malware detection is being done by web and email gateways.
Physical Security
- Aura makes use of a very small number of collaboration spaces, where employees can meet and interact with others. There are no on-premises data centers and no data is stored in these collaborative areas.
- There are no trusted networks in these collaboration areas. All network access to company data must be authenticated and authorized through a SASE gateway.
- Secure areas are protected by appropriate entry controls to ensure that only authorized personnel are allowed access. Visitors are permitted with registration.
- Our cloud systems are housed in AWS data centers that are protected with appropriate controls and audited regularly. We review those audit results as we conduct our internal audits.
Application Security
- Aura uses an Agile development methodology and deployments are handled in a continuous delivery model.
- Aura maintains a Software Development Life Cycle (SDLC) with consideration and training on security principles in software development.
- All production products and services are tested against the OWASP Top 10 vulnerabilities.
- Development and testing are carried out in a separate environment using a test data set. No production data is ever used in development or testing.
- Static Code analysis is carried out as part of the development pipeline.
Change Management
- The company uses an agile methodology for engineering and a continuous delivery model of changes to production.
- All changes follow a defined change management process.
- All changes are approved before they are released, with clear separation of duties.
Network Controls
- The Aura network is designed with a defense-in-depth philosophy. Products use a serverless architecture, and various components do not have direct connectivity at lower levels of the network stack.
- Network segments are separated by network firewalls or application firewalls.
- The edges are protected by web application firewalls. There are no options for direct connectivity at a network layer to our edge boundaries.
- Data Loss Prevention systems are employed at the endpoint and network layers.
- Changes to firewall rules (often in the form of security groups or web application firewalls) are logged and reviewed.
- All endpoint connections to the Internet go through a web gateway which provides blocklists, data loss prevention, and security hygiene services.
- Wireless access is provided in collaboration areas, but is not considered a trusted network and has no connectivity to the production environment.
Remote Access
- All access to company resources goes through a SASE gateway, which requires multi-factor authentication and is logged and monitored.
Security Monitoring
- Information Security is responsible for all security event monitoring.
- All logs are centralized and managed exclusively by Information Security, with appropriate monitoring and response happening on a continuous basis.
Security Incident Handling
- Security incidents are managed by the Information Security and Engineering teams as appropriate.
- Incidents are classified according to the Incident Response Plan.
- The Incident Response Plan is defined and reviewed annually. The plan includes considerations for notification, response, and the use of third-party resources.
- Tabletop exercises are conducted at least annually.
Compliance
Aura Suite certifies to the following security standards:
- PCI DSS
- SSAE 18 SOC2 Type II