Security Measures

Our Security Measures

LAST UPDATE: July 26, 2022

Price for Profit LLC d/b/a INSIGHT2PROFIT (“INSIGHT”), when providing services to a client (“Client”), will utilize the following security measures to protect the information, materials, and data of Client provided to INSIGHT in furtherance of INSIGHT’s provision of such services (“Client Data”):

Software Development

  1. All software engineers receive software security training that covers security best practices including OWASP Top Ten and Mobile Security best practices.
  2. Use of static and dynamic code analysis tools to analyze code for security vulnerabilities.
  3. All source code is developed in accordance with a standard Software Development Life Cycle (SDLC) process that includes:
     a. Software and security code review before being promoted to production use;
     b. Running through a continuous integration test suite; and
     c. Manual quality assurance testing.

Hosting Environment

INSIGHT’s infrastructure employs the use of several carrier class data centers all of which offer high availability and are compliant with the following security standards:

a. SSAE-16
b. SSAE-18
c. HITRUST
d. HIPAA
e. PCI-DSS
f. SOX

Secure Configuration

INSIGHT has implemented and maintains secure configuration standards for hardware and software, including networking devices, operating systems, databases, applications, and administrative systems.

Confidentiality

  1. Client Data is not made available or disclosed contrary to the terms and conditions of the agreements entered into between Client and INSIGHT.
  2. Client Data is processed only in accordance with the terms and conditions of the agreements entered into between Client and INSIGHT and only as required for the performance of the services.
  3. INSIGHT ensures that all employees, agents, sub-processors, and representatives likely to handle Client Data are under a duty of confidentiality, receive appropriate security awareness training, and have undergone a background check.

Client Data

To protect Client Data, INSIGHT takes the following handling precautions:

  1. Client Data may only be stored on INSIGHT-managed equipment, which is subject to system hardening and security compliance requirements.
  2. Client Data is never stored on transportable media such as USB drives, portable hard drives, or writable discs.
  3. When the relevant work/project ends, any files temporarily stored on a laptop are deleted within a commercially reasonable timeframe.

Passwords and Encryption

All Client Data is encrypted to prevent unauthorized access and access to such Client Data is password protected. The encryption key and passwords are kept secure at all times.

All web traffic is encrypted using TLS 1.2 or greater. INSIGHT follows NIST recommendations for hashing, symmetric encryption, and asymmetric encryption.

Security Incidents

If INSIGHT becomes aware of unauthorized access or disclosure of Client Data under its control, INSIGHT will adhere to the procedures described in its incident response plan.

The incident response plan includes regularly scheduled exercises to train, test, and revise our plans, playbooks, and staff.

Security Audit

  1. INSIGHT executes internal security audits in accordance with its internal audit policies and procedures.
  2. INSIGHT contracts with an external security provider for annual penetration testing, application testing, and general security assessments.
  3. Any remedial measures identified in an audit will be fully and promptly implemented.
  4. Remediation is verified and attested by INSIGHT’s external security provider.

Access Control

Access to Client Data is restricted pursuant to INSIGHT’s internal access control policies and procedures. Authorized personnel will be permitted to access Client Data only to the extent necessary for the performance of their duties.

Password requirements are based on NIST guidelines.

All accounts used to access Client Data utilize Multi-Factor Authentication (MFA).

The Principle of Least Privilege (PoLP) is a foundational element of INSIGHT’s information security program; it has been adopted for company-wide use and drives decisions whenever access is assigned.

Access audit logs are in place for all employees and are reviewed for anomalies via automated and manual methods.

Privileged account separation requirements define and delineate employee, application, and system roles and tasks so that access is granted only to the specific, discrete parts of systems or data that are necessary.

Vulnerability Management

INSIGHT has vulnerability and patch management processes for all software and hardware. All servers and workstations are scanned by INSIGHT for vulnerabilities on a continuous rotation, and defined remediation timelines apply to any vulnerabilities found.

Inventory of Information Assets

INSIGHT maintains a complete and accurate inventory of information assets, including classification and criticality, through a combination of manual and automated systems. These systems also quickly identify unauthorized devices.

Malware Defenses

INSIGHT monitors workstations, servers, email, and mobile devices to ensure active, up-to-date anti-malware and antivirus protection, with procedures to ensure antivirus checking of all incoming files. These systems report to a central set of monitoring, logging, alerting, and defense systems.

Data Loss Prevention

INSIGHT monitors our networks, user activities, and system processes to prevent and detect unauthorized data movement.

Perimeter Defense

INSIGHT deploys a multilayered perimeter defense using firewalls, proxies, network segmentation, IPS/IDS, and DMZs.