Growers Edge Information Security
Management System (ISMS) Overview

Growers Edge takes the responsibility of protecting the confidentiality, integrity, and availability of the data entrusted to us very seriously. We understand that the protection of your confidential data is your most important concern when partnering with us. To fulfill our responsibility and commitment to protect that data, we have implemented and maintain a comprehensive Information Security Management System that uses NIST SP 800-171 as its framework.

OUR COMMITMENT TO OUR CLIENTS, PARTNERS, AND EMPLOYEES:

  • Growers Edge will treat your data like it is our own.
  • We will comply with all laws and regulations that apply to the protection of your data and privacy.
  • We will never share your confidential data with any external parties without your permission.

SECURITY GOVERNANCE

  • Maintain an enterprise-wide Risk Management framework that protects the confidentiality, integrity, and availability of data and resources.
  • Set security strategy consistent with the regulatory and compliance requirements that apply to the protection of data and privacy.
  • Provide oversight to ensure identified risks are mitigated.

RISK MANAGEMENT

  • An Information Security Risk Management Program has been put in place to manage risk from internal and external threats. Identified risks are tracked on a risk register. An annual third-party risk assessment is also performed to identify opportunities for improvement.
  • Growers Edge maintains a robust set of security policies, standards, and procedures based on NIST Special Publication 800-171. These documents are reviewed, and acknowledged by staff, annually.
  • Growers Edge has partnered with a third-party information security consulting firm, Pratum, to serve as the company’s virtual Chief Security Officer (vCSO). We believe that leveraging an external information security firm provides our program with added expertise and experience from across the information security industry.

VENDOR MANAGEMENT

  • Vendor Management best practices are used to ensure that privacy and security are maintained by all vendors and partners, and that they handle data with the same care and importance as Growers Edge does.
  • Critical vendors are assessed by the company before engagement, and annually thereafter, to confirm that proper controls exist and are maintained.

ACCESS CONTROLS

  • Role-based access controls are utilized to restrict access to data on a need-to-know basis and only by authorized personnel whose job responsibilities require it.
  • Technical controls are in place, including but not limited to strong password requirements (complexity, rotation, etc.) and multi-factor authentication (MFA).
  • Administrative controls are in place, including user access reviews, segregation of duties, policies, procedures, and standards.
  • Account provisioning and removal follow comprehensive checklists; the removal checklist ensures that all physical, electronic, and third-party account access is terminated when a user leaves or changes role.

LOGGING & MONITORING

  • A Security Information & Event Management (SIEM) solution will be put in place to provide a holistic view of the Growers Edge network. The SIEM will provide continuous (24x7x365) monitoring, data analysis, threat intelligence, and security incident reporting.

SECURITY TRAINING

  • All employees receive information security training upon hiring and annually.
  • Regular awareness campaigns covering current information security threats and trends are provided to employees to keep information security top of mind.
  • Background checks are required for all employees prior to employment, and the appropriate non-disclosure and confidentiality agreements are signed.
  • Developers are trained in OWASP secure coding best practices.

VULNERABILITY SCANNING & PENETRATION TESTING

  • Network and device vulnerability scanning is performed.
  • Web application penetration testing is performed annually by an external third party.
  • Application vulnerability and penetration testing is performed for each release.
  • Any identified vulnerabilities are reviewed, and remediation plans are developed.

SECURE SYSTEM CONFIGURATION & MAINTENANCE

  • Baseline configurations are used to deploy new systems with the appropriate application and security settings. Growers Edge maintains a System Maintenance Standard that identifies systems and devices and keeps them patched and up to date.

BUSINESS CONTINUITY (BC) & DISASTER RECOVERY

  • Should a disaster affecting the organization occur, Growers Edge intends to respond quickly and appropriately. A BC/DR Plan is being developed, and will be vetted and tested, to guide the business back to full operation.

INCIDENT RESPONSE & MANAGEMENT

  • Growers Edge is developing an Incident Response Plan for responding to security incidents. The Security Team, and the individual responsibilities of its members, are documented within the plan. The plan is tested annually, or more frequently, to ensure the organization is prepared for an incident.

PHYSICAL SECURITY

  • Physical security controls include video surveillance, electronically controlled doors (badge access), visitor sign-in and escort procedures, 24/7 staffed security, and an alarm system.
  • Co-located servers are hosted at facilities that hold a SOC 2 Type II attestation.

ENCRYPTION

  • All Personally Identifiable Information (PII), Protected Health Information (PHI), or similar confidential or restricted data as described in the company’s Data Classification Standard is protected with encryption during transmission over public networks.
  • All desktop and laptop workstations utilize volume or disk encryption to ensure data at rest cannot be accessed without authorization.

ANTI-MALWARE & THREAT DETECTION/PREVENTION

  • Anti-virus solutions are used to recognize and block malware and to reduce the impact of phishing attacks.
  • An Intrusion Detection System (IDS) is in place to alert on suspicious activity or policy violations.
  • An Intrusion Prevention System (IPS) is in place to examine network traffic and block exploitation of known vulnerabilities.

DATA RETENTION & DISPOSAL

  • Data is retained and disposed of according to the Growers Edge Data Retention & Destruction Standards.

PRIVACY & COMPLIANCE

  • The company Privacy Policy is supported by the practices in our Information Security and Risk Management policies and has been developed to meet current data privacy and regulatory compliance requirements. Please visit our web site for our privacy notice.

NETWORK SECURITY

  • Growers Edge uses a defense-in-depth strategy, employing firewalls, routers, architected security zones, and continuous monitoring to detect and/or block malicious traffic.
  • System availability is achieved through redundant technologies, regularly scheduled maintenance, and mature change control processes.
  • Network devices and applications are monitored continuously for performance and security, and are supported by redundant power, UPS, and backup generators.

BACKUP & RETENTION

  • Backup solutions have been implemented to ensure data is available and consistent with company Business Continuity (BC) and Disaster Recovery (DR) requirements.
  • Backups are verified daily.
  • Regular test restorations are performed to demonstrate functionality and compliance.
  • The Record Retention Policy complies with state and federal retention laws.

DATA LOSS PREVENTION

  • Device full disk encryption.
  • USB device restrictions.
  • Restricted access to external email and file storage services.
  • Network monitoring and alerts for data exfiltration.
  • Secure email and file transfer.
  • Mobile Device Management (MDM) software, with an authentication PIN required on mobile devices.
  • Data destruction procedures for physical and logical devices to ensure proper disposal of information.
  • Data classification policies and procedures.

Have a question about the Growers Edge Information Security Management System (ISMS)? Don’t hesitate to email us, and we’ll be in touch!

UPDATED: 02.15.21