Security Measures
Last Updated: June 1, 2024
ORGANIZATIONAL MEASURES
Organization and Management
Symphony has a formal organizational structure with defined reporting lines that delineate authority and accountability. An Information Security Policy based on ISO 27001 is in place and sets out security requirements for all users of Symphony systems. The policy is reviewed and updated annually, and as needed, by the Chief Information Security Officer (“CISO”).
Hiring practices have been designed to ascertain whether new employees are qualified for their position. Written job descriptions are established describing the roles and responsibilities of users for all posted jobs. Potential candidates are interviewed to confirm their qualifications and determine their ability to meet entity requirements prior to hiring. Additionally, background checks are performed on new hires as permitted by local laws.
Symphony personnel are required to sign an Employee Handbook upon hire acknowledging such policies, including the Information Security Policy, Acceptable Use of Technology, and General Standards of Conduct. Progressive disciplinary procedures up to termination of employment have been established and are included in the Employee Handbook. On an annual basis, active employees reacknowledge the policies and standards outlined in the Employee Handbook.
Employees are provided with security and confidentiality related training upon hire and on a continuing basis. Further, ongoing online communications are provided via the Symphony Security Lounge to promote security awareness and provide the latest security news.
Risk Management and Design and Implementation of Controls
A Business Risk and Information Control Committee (“BRICC”) is in place, co-led by the Chief Information Security Officer. The committee meets monthly together with members of Engineering leadership to discuss security initiatives at the executive level, internal and external security threats, and business continuity program initiatives, and to adopt company-wide security policies and standards. The Board of Directors meets quarterly to discuss corporate strategy and governance, set company goals, and review company performance and material events. Meeting minutes are recorded and approved at the subsequent Board meeting. The Board of Directors consists of a majority of independent members, as required by the Limited Liability Company Agreement (“LLCA”), to maintain independence from management.
On an annual basis the CISO reviews the SOC 2 reports of the subservice organizations Amazon Web Services (“AWS”) and Google Cloud Platform (“Google”) to ascertain whether the complementary subservice organization controls on which Symphony relies are operating effectively.
TECHNICAL MEASURES
Access
Symphony has implemented technical controls so that each Authorized User will be able to gain access only to those categories of personal data to which access is necessary to perform assigned job responsibilities.
Privileged access is authorized by company management prior to access being provisioned. New employees are only granted privileged production access after a period of time where they have demonstrated sufficient proficiency and competency.
Symphony uses a single sign-on (“SSO”) solution for identity management of applications used in Symphony’s environment. The SSO solution is configured to read identities from Active Directory and is used to grant access to further applications as needed.
Authorized Symphony employees are granted privileged access to the production environment of the Symphony application hosted at AWS and Google to install application updates and perform system maintenance.
Upon termination, Human Resources notifies IT personnel to revoke system access. Access is revoked within one business day of notification from the manager. Additionally, company management performs a quarterly review of production access for appropriateness.
Access to the production environment is authenticated through unique user IDs and multi-factor authentication. Password parameters conform to Symphony’s information security policies and standards (e.g., minimum length, complexity, and expiration). Production environments can only be accessed when a user is connected to the Symphony network directly or through a Virtual Private Network (“VPN”).
Anti-Virus
Anti-virus software is installed on Symphony corporate workstations. The anti-virus software is configured to detect and quarantine threats, and is monitored by the Security Team on an ongoing basis. Customers are responsible for implementing anti-virus software to prevent or detect and act upon the introduction of unauthorized or malicious software.
Network Security
Symphony has deployed firewalls and rule configurations to protect Symphony servers against outsiders and threats to the system’s security, availability, and confidentiality. Firewall consoles are monitored by the Security Team and unusual activity noted is researched and resolved.
Encryption
Symphony encrypts personal data in transit, using Transport Layer Security (“TLS”) and encrypts personal data at rest using 256-bit AES encryption or stronger.
Remote Access
Symphony permits remote access to its networks only via a VPN or a similar secure means.
Contingency Planning
Symphony backs up personal data on a regular schedule. Back-ups are encrypted and stored in a location apart from the primary storage. Back-ups permit prompt restoration of personal data in the event of a disaster.
Symphony has developed and maintains a business continuity/disaster recovery plan to ensure that it can promptly resume service and restore access to personal data in the event of a physical or technical incident occurrence (for example, fire, ransomware attack, vandalism, system failure, pandemic flu, and natural disaster).
PHYSICAL SAFEGUARDS
Visitors to Symphony offices are required to sign in at reception, and security cameras are located at entry points of Symphony offices. Physical access to IDF closets and computer and data rooms is restricted to authorized personnel.
Symphony has outsourced hosting of Symphony servers, including the physical and environmental security of facilities housing such servers, to AWS and Google. Symphony’s controls were designed with the expectation that AWS and Google provide physical and environmental security of facilities housing Symphony servers.
SYSTEM OPERATIONS
A Customer Support Team is in place to provide support to customer authorized contacts as needed. Customers may reach the Customer Support Team via telephone, email, or the Customer Support portal, and response times have been established reflecting the severity of the customer inquiry.
All customer inquiries and reported incidents are acted upon in a timely manner and tracked to completion by Customer Support personnel. Incidents are identified and monitored using Splunk. Should a customer inquiry warrant a change to the application (e.g., a feature request), Customer Support opens a ticket for further evaluation by a Product Manager. In cases where an incident is identified by Symphony, customers are notified in a timely manner. The Global Head of Customer Support and team members participate in various daily meetings, both internal and together with members of Production Operations, SRE/DevOps, and other groups, to review open customer inquiries and confirm that they are being resolved in a timely manner.
CHANGE MANAGEMENT
Symphony’s applications are developed in-house. Change requests may be received from internal or external sources, including employees and customers; external requests are received by the Support Team. Each change request is tracked in a ticket, and Product Managers evaluate and prioritize the requests to determine whether they will be included in the next release.
The engineering teams prioritize development requirements of the next release into Sprints, Epics, and Stories, for distribution of development amongst the team. Source code is maintained in the source code control system to record changes and Confluence serves as a document repository throughout the software development lifecycle. A separate development environment is in place and the Development Teams are restricted from accessing the production environment.
Members of the Security Team work with the developers and perform testing during the development stage to ascertain whether Security and Confidentiality requirements are being adhered to. Once a change is completed it is moved to the QA environment, where functional testing is performed by the QA Team. Testing is considered complete once the release is approved by QA.
Key stakeholders take part in a Release Readiness meeting followed by a go/no-go meeting where final approval is obtained for release to production. Access to implement changes in the production environment is restricted and segregated from developer access. New releases occur on a periodic basis, and release notes are communicated to employees and customers prior to implementation of the release.
[The foregoing applies to Symphony, Cloud9, and StreetLinx Services only. There are some variances with respect to Services offered by Amenity Analytics. Please consult with your Symphony representative regarding any questions pertaining to Amenity Services.]