Growers Edge takes the responsibility of protecting the confidentiality, integrity, and availability of the data entrusted to us very seriously. To fulfill our responsibility and commitment to protect your confidential data, we have implemented and maintain a comprehensive Information Security Management System utilizing NIST SP 800-171 as the framework.
OUR COMMITMENT TO OUR CLIENTS, PARTNERS, AND EMPLOYEES:
- Growers Edge will treat your data as if it were our own.
- We will comply with all laws and regulations that apply to the protection of your data and privacy.
- We will never share your confidential data with any external party without your permission.
- We maintain an enterprise-wide risk management framework to protect the confidentiality, integrity, and availability of data and resources.
- We implement security strategies consistent with the regulatory and compliance requirements that govern data protection and privacy.
- We provide oversight to ensure that identified risks are mitigated.
DATA INFRASTRUCTURE SECURITY:
- All Personally Identifiable Information (PII), Protected Health Information (PHI), or similar confidential or restricted data as described in the company’s Data Classification Standard is protected with encryption during transmission over public networks.
- All desktop and laptop workstations utilize volume or disk encryption to ensure data at rest cannot be accessed without authorization.
- Growers Edge uses a defense-in-depth strategy, employing firewalls, routers, architected security zones, and continuous monitoring to detect and/or block malicious traffic.
- System availability is achieved through redundant technologies, regularly scheduled maintenance, and mature change control processes.
- Network devices and applications are monitored continuously for performance and security, and the supporting infrastructure uses redundant power, UPS, and backup generators.
Data Loss Prevention
- Device full disk encryption.
- USB device usage monitoring.
- Network monitoring and alerts for data exfiltration.
- Secure email and file transfer.
- Two-factor authentication (2FA) is required to access critical applications and systems.
- Data destruction procedures for physical and logical devices to ensure proper disposal of information.
- Data classification policies and procedures.
Backup & Retention
- Backup solutions have been implemented to ensure data is available and consistent with company Business Continuity (BC) and Disaster Recovery (DR) requirements.
- Backups are verified daily.
- Regular test restorations are performed to demonstrate functionality and compliance.
- The Record Retention Policy complies with state and federal retention laws.
Anti-Malware & Threat Detection/Prevention
- Anti-virus solutions are utilized to recognize and block malware and reduce phishing attacks.
- An Intrusion Detection System (IDS) is in place to alert on suspicious activity and policy violations.
- An Intrusion Prevention System (IPS) is in place to examine network traffic and block attempts to exploit vulnerabilities.
Data Retention & Disposal
- Data is retained and disposed of according to the Growers Edge Data Retention & Destruction Standards.
Secure System Configuration & Maintenance
- Baseline configurations are used to deploy new systems with appropriate application and security settings.
- Growers Edge maintains a System Maintenance Standard to identify systems and devices and keep them patched and up to date.
Vulnerability Scanning & Penetration Testing
- Network and device vulnerability scanning is performed.
- Web application penetration testing is performed annually by an external third party.
- Application vulnerability and penetration testing is performed for each release.
- Any identified vulnerabilities are reviewed, and remediation plans are developed.
Logging & Monitoring
- A Security Information & Event Management (SIEM) solution is in place to provide a holistic view of the Growers Edge network. The SIEM provides continuous 24×7×365 monitoring, data analysis, threat intelligence, and security incident reporting.
Risk Management & Governance
- An Information Security Risk Management Program has been put in place to manage risk from internal and external threats. Identified items are tracked on a risk register.
- An annual third-party risk assessment is also performed to identify opportunities for improvement.
- Growers Edge has and maintains a robust set of security policies, standards, and procedures based on NIST Special Publication 800-171. These documents are reviewed and acknowledged annually by staff.
- Growers Edge has partnered with a third-party information security consulting firm, Pratum, to serve as the company’s virtual Chief Information Security Officer (vCISO). We believe leveraging an external information security firm for our information security program provides added expertise and experience in the information security industry.
Vendor Management
- Vendor management best practices are used to ensure that privacy and security are maintained by all vendors and partners and that they handle data with the same care as Growers Edge.
- Critical vendors are assessed before engagement and annually thereafter to confirm that proper controls exist and are maintained.
Physical Security
- Physical security controls include video surveillance, electronically controlled doors (badge access), visitor escort procedures, sign-in at secured locations, 24/7 staffed security, and an alarm system.
- Co-located servers are hosted at facilities that hold a SOC 2 Type II attestation.
Personnel Security & Training
- All employees receive information security training upon hiring and annually thereafter.
- Regular awareness campaigns on current information security threats and trends are provided to employees to keep information security top of mind.
- Background checks are required for all employees prior to employment, and the appropriate non-disclosure and confidentiality agreements are signed.
- Developers are trained in OWASP security best practices.
Access Control
- Role-based access controls restrict access to data on a need-to-know basis, limited to authorized personnel whose job responsibilities require it.
- Technical controls are in place, including but not limited to strong password requirements (complexity, rotation, etc.) and multi-factor authentication (MFA).
- Administrative controls are in place, including user access reviews, segregation of duties, policies, procedures, and standards.
- Account provisioning and removal follow comprehensive checklists so that, when access is revoked, all physical, electronic, and third-party account access is terminated.
Incident Response & Management
- Growers Edge has an Incident Response Plan in place for responding to security incidents. The plan documents the Security Team and each member's individual responsibilities. It is tested at least annually, and more frequently when warranted, to ensure the organization is prepared for an incident.
Business Continuity (BC) & Disaster Recovery (DR)
- Should a disaster affecting the organization occur, Growers Edge is prepared to respond quickly and appropriately. A thoroughly vetted and tested BC/DR Plan has been developed to guide the business back to full operation.
Have a question about the Growers Edge Information Security Management System (ISMS)? Don’t hesitate to contact us, and we’ll be in touch!