Security Policy

Effective date:
February 14, 2020
Last edited:
December 21, 2022

Credentially approach to security

Credentially is on a mission to make doctors working lives better. To help us achieve this, we need to make sure, that your data is secure, and protecting it is one of our most important responsibilities. We’re committed to being transparent about our security practices and helping you understand our approach.

Organizational security

At Credentially we are creating and maintaining a platform that is based on world’s best data protection and security standards at all levels. We are registered with ICO and comply with IG SoC. Credentially is actively preparing to comply with the new european directive - GDPR (General Data Protection Regulation) from the 25th of May 2018. Credentially has established an industry-leading security program, dedicated to ensuring customers have the highest confidence in our custodianship of their data. Our security program is aligned to the ISO 27000 standards and is regularly audited and assessed by third parties and customers.

Personnel security

Credentially personnel practices apply to all members of the Credentially workforce (“workers”)—regular employees and independent contractors—who have direct access to Credentially internal information systems (“systems”) and / or unescorted access to Credentially office space. All workers are required to understand and follow internal policies and standards.

Before gaining initial access to systems, all workers must agree to confidentiality terms, pass a background screening, and attend security training. This training covers privacy and security topics, including device security, acceptable use, preventing malware, physical security, data privacy, account management, and incident reporting.

Upon termination of working at Credentially, all access to Credentially systems is removed immediately.

Security and privacy training

During their tenure, all workers are required to complete a refresh of privacy and security training at least annually. They are also required to acknowledge that they’ve read and will follow Credentially information security policies at least annually. Some workers, such as engineers, operators and support personnel who may have elevated access to systems or data, will receive additional job-specific training on privacy and security. Workers are required to report security and privacy issues to appropriate internal teams. Workers are informed that failure to comply with acknowledged policies may result in consequences, up to and including termination.

Dedicated security professionals

Credentially has defined roles and responsibilities to delineate which roles in the organization are responsible for operating the various aspects of our Information Security Management System (ISMS). The responsibilities of each role are detailed in Credentially security documents.

At the center of administering our ISMS is Credentially Security Team. Credentially has appointed a Chief Security Officer (CSO) with overall responsibility for the implementation and management of our ISMS. The CSO is supported by the other members of Credentially Security Team, which currently consists of over a dozen security professionals with more than 100 years of combined experience, focusing on Product Security, Security Operations, Computer Security Incident Response, and Risk and Compliance.

Together, these teams divide responsibilities for key aspects of Credentially security program, as follows:

Product Security

  • Establish secure development practices and standards
  • Ensure project-level security risk assessments
  • Provide design review and code review security services for detection and removal of
  • common security flaws
  • Train developers on secure coding practices Security Operations
  • Build and operate security-critical infrastructure including Credentially public key
  • Infrastructure, event monitoring, and authentication services
  • Maintain a secure archive of security-relevant logs
  • Consult with operations personnel to ensure the secure configuration and maintenance of Credentially production environment

CSIRT (Computer System Incident Reporting Team)

  • Respond to alerts related to security events on Credentially systems
  • Manage security incidents
  • Acquire and analyze threat intelligence

Risk and Compliance

  • Coordinate penetration testing
  • Manage vulnerability scanning and remediation
  • Coordinate regular risk assessments, and de ne and track risk treatment
  • Manage the security awareness program
  • Coordinate audit and maintain security certifications
  • Respond to customer inquiries
  • Review and qualify vendor security posture

These policies are living documents: they are regularly reviewed and updated as needed, and made available to all workers to whom they apply.

Audits, compliance, and 3rd party assessments

Credentially operates a comprehensive information security program designed to address the vast majority of the requirements of common security standards. Please contact your Account Executive, or Support, for more information about the security standards with which Credentially companies and to request copies of available reports and certifications.

Audits

Credentially evaluates the design and operation of its overall ISMS for compliance with internal and external standards. Credentially engages credentialed assessors to perform external audits at least once per year. Audit results are shared with senior management and all findings are tracked to resolution.

Penetration testing

Credentially engages independent entities to conduct regular application-level and infrastructure-level penetration tests. Results of these tests are shared with Credentially management. Credentially Security Team reviews and prioritizes the reported findings and tracks them to resolution. Customers wishing to conduct their own penetration test of Credentially application may request to do so and should contact their account representative to obtain permission from both Credentially and Credentially hosting provider.

Legal compliance

Credentially employs dedicated legal and compliance professionals with extensive expertise in data privacy and security. These professionals are embedded in the development lifecycle and review products and features for compliance with applicable legal and regulatory requirements. Credentially also has a business code of conduct that makes legal, ethical and socially responsible choices and actions fundamental to our values and defines standards for meeting those goals.

Secure by design. Secure Development Lifecycle

Credentially assesses the security risk of each software development project according to our Secure Development Lifecycle. Before completion of the design phase, Credentially undertakes an assessment to qualify the security risk of the software changes introduced.

This risk analysis leverages both the OWASP Top 10 and the experience of Credentially Product Security team to categorize every project as High, Medium, or Low risk. Based on this analysis, Credentially creates a set of requirements that must be met before the resulting change may be released to production.

All code is checked into a version-controlled repository. Code changes are subject to peer review and continuous integration testing. For the Credentially web application, Credentially Security Team operates continuous automated static analysis using advanced tools and techniques.

Signi cant defects identified by this process are reviewed and followed to resolution by the Security Team.

Protecting customer data

The focus of Credentially security program is to prevent unauthorized access to customer data. To this end, our team of dedicated security practitioners, working in partnership with peers across all our teams, take exhaustive steps to identify and mitigate risks, implement best practices, and constantly evaluate ways to improve.

Data encryption in transit and at rest

Credentially transmits data over public networks using strong encryption. This includes data transmitted between Credentially clients and the Credentially service. Credentially supports the latest recommended secure cipher suites to encrypt all traffic in transit, including use of TLS 1.2 protocols, AES 256 encryption, and SHA 2 signatures, as supported by the clients.

Credentially monitors the changing cryptographic landscape and upgrades the cipher suite choices as the landscape changes, while also balancing the need for compatibility with older clients.

Data at rest in Credentially production network is encrypted using FIPS 140-2 compliant encryption standards. This applies to all types of data at rest within Credentially systems-relational databases, i.e. stores, database backups, etc. Credentially stores encryption keys in a secure server on a segregated network with very limited access. Keys are never stored on the local filesystem, but are delivered at process start time and retained only in memory while in use.

The Credentially service is hosted in data centers maintained by industry-leading service providers. Data center providers offer state-of-the-art physical protection for the servers and related infrastructure that comprise the operating environment for the Credentially service.

These service providers are responsible for restricting physical access to Credentially systems to authorized personnel.

Each Credentially customer’s data is hosted in Credentially shared infrastructure and segregated logically by the Credentially application. Credentially uses a combination of storage technologies to ensure customer data is protected from hardware failures and returns quickly when requested.

Network security

Credentially divides its systems into separate networks to better protect more sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting Credentially production website. Customer data submitted into the Credentially services is only permitted to exist in Credentially production network, its most tightly controlled network. Administrative access to systems within the production network is limited to those engineers with a specific business need.

Network access to Credentially production environment from open, public networks (the internet) is restricted. Only a small number of production servers are accessible from the internet. Only those network protocols essential for delivery of Credentially service to its users are open at Credentially perimeter. Credentially deploys mitigations against distributed denial of service (DDoS) attacks at its network perimeter. Changes to Credentially production network configuration are restricted to authorized personnel.

In Credentially hosted production environment, control of network devices is retained by the hosting provider. For that reason, Intrusion Detection / Intrusion Prevention (IDS/IPS) are performed using host-based controls. For example, Credentially logs, monitors, and audits system calls and has developed alerts for system calls that indicate a potential intrusion.

Classifying and inventorying data

To better protect the data in our care, Credentially classifies data into different levels and specifies the labeling and handling requirements for each of those classes. Credentially ISMS considers data classifications in its encryption standards, its access control and authorization procedures, and incident response standards, among other security documents. Customer data is classified at the highest level.

Data classifications are maintained as part of the asset management process. Credentially inventories hardware, software and data assets at least annually to maintain correct data classification levels. Credentially restricts the flow of data to ensure that only appropriately

classified systems may contain Customer data.

Authorizing access

To minimize the risk of data exposure, Credentially adheres to the principle of least privilege-workers are only authorized to access data that they reasonably must handle in order to

fulfill their current job responsibilities. To ensure that users are so restricted, Credentially employs the following measures:

  • All systems used at Credentially require users to authenticate, and users are granted unique identifiers for that purpose.
  • Each user’s access is reviewed at least quarterly to ensure the access granted is still appropriate for the user’s current job responsibilities.

Workers may be granted access to a small number of internal systems, such as the corporate Credentially instance, by default upon hire. Requests for additional access follow a documented process and are approved by the responsible owner or manager.

Authentication

To further reduce the risk of unauthorized access to data, Credentially employs multi-factor authentication for administrative access to systems with more highly classified data. Where possible and appropriate, Credentially uses private keys for authentication. For example, at this time, administrative access to production servers requires operators to connect using both an SSH key and a one-time password associated with a device-specific token. Where passwords are used, multi-factor authentication is enabled for access to higher data classifications. The passwords themselves are required to be complex (auto-generated to ensure uniqueness, longer than 12 characters, and not consisting of a single dictionary word, among other requirements).

Credentially requires personnel to use an approved password manager. Password managers generate, store and enter unique and complex passwords. Use of a password manager helps avoid password reuse, phishing, and other behaviors that can reduce security.

System monitoring, logging, and alerting

Credentially monitors servers, workstations and mobile devices to retain and analyze a comprehensive view of the security state of its corporate and production infrastructure. Administrative access, use of privileged commands, and system calls on all servers in Credentially production network are logged.

Credentially Security Team collects and stores production logs for analysis. Logs are stored in a separate network. Access to this network is restricted to members of the Security Team. Logs are protected from modification and retained for at least two years. Analysis of logs is automated to the extent practical to detect potential issues and alert responsible personnel. Alerts are examined and resolved based on documented priorities.

Endpoint monitoring

Credentially workstations run a variety of monitoring tools that may detect suspicious code or unsafe configurations or user behavior. Credentially Security Team monitors workstation alerts and ensures significant issues are resolved in a timely fashion.

Mobile device management

Mobile devices that are used to transact company business are centrally managed and required to be enrolled in the appropriate mobile device management systems, to ensure they meet Credentially security standards.

Responding to security incidents

Credentially has established policies and procedures (also known as runbooks) for responding to potential security incidents. All incidents are managed by Credentially dedicated Computer Security Incident Response Team. Credentially defines the types of events that must be managed via the incident response process. Incidents are classified by severity. Incident response procedures are tested and updated at least annually.

Data and media disposal

Customer data is removed immediately upon deletion or message retention expiration. Credentially hard deletes all information from currently running production systems (excluding team and channel names, and search terms embedded in URLs in web server access logs). Backups are destroyed within 14 days. Credentially follows industry standards and advanced techniques for data destruction.

Credentially defines policies and standards requiring media be properly sanitized once it is no longer in use. Credentially hosting provider is responsible for ensuring removal of data from disks allocated to Credentially use before they are repurposed.

Protecting secrets

Credentially has implemented appropriate safeguards to protect the creation, storage, retrieval, and destruction of secrets such as encryption keys and service account credentials.

Workstation security

All workstations issued to workers are configured by Credentially to comply with our standards for security. These standards require all workstations to be properly configured, kept updated, run monitoring software, and be tracked by Credentially endpoint management solution. Credentially default configuration sets up workstations to encrypt data, have strong passwords, and lock when idle. Workstations run up-to-date monitoring software to report potential malware and unauthorized software and mobile storage devices.

Controlling system operations and continuous deployment

We take a variety of steps to combat the introduction of malicious or erroneous code to our operating environment and protect against unauthorized access.

Controlling change

To minimize the risk of data exposure, Credentially controls changes, especially changes to production systems, very carefully. Credentially applies change control requirements to systems that store data at higher levels of sensitivity. These requirements are designed to ensure that changes potentially impacting Customer Data are documented, tested, and approved before deployment.

Prevention and detection of malicious code

In addition to general change control procedures that apply to our systems, Credentially production network is subject to additional safeguards against malware.

Server hardening

New servers deployed to production are hardened by disabling unneeded and potentially insecure services, removing default passwords, and applying Credentially custom configuration settings to each server before use.

File change management

Credentially maintains the configuration of its production servers by using a configuration management system (CMS) that runs frequently to check that only the authorized version of key files are deployed. This CMS will overwrite files found on servers that don’t match the correct version stored in a change controlled repository.

Disaster recovery and business continuity

Credentially utilizes services provided by its hosting provider to distribute its production operation across four separate physical locations. These four locations are within one geographic region, but protect Credentially service from loss of connectivity, power infrastructure and other common location-specific failures. Production transactions are replicated among these discrete operating environments, to protect the availability of Credentially service in the event of a location-specific catastrophic event. Credentially also retains a full backup copy of production data in a remote location more than 2500 miles from the location of the primary operating environment. Full backups are saved to this remote location once per day and transactions are saved continuously. Credentially tests backups at least quarterly to ensure they can be correctly restored.

3rd party suppliers

To run its business efficiently, Credentially relies on sub-service organizations. Where those sub-service organizations may impact the security of Credentially production environment, Credentially takes appropriate steps to ensure its security posture is maintained. Credentially establishes agreements that require service organizations adhere to confidentiality commitments Credentially has made to its users. Credentially monitors the effective operation of the organization’s safeguards by conducting reviews of its service organization controls before use and at least annually.

Data security, international transfers and breaches

Security policy

Credentially has an information security policy supported by appropriate security measures.

International transfers

Credentially ensures an adequate level of protection for any personal data processed by others on your behalf that is transferred outside the European Union.

Breach notification

Credentially has effective processes to identify, report, manage and resolve any personal data breaches.



Request a Demo

A ten minute custom walkthrough
could save you millions

10 minutes
Live walkthrough
No obligation
Free consultation