Syniti's Company-wide Commitment to Customer Security
Take a look at some of the most frequently asked questions about our security approach.
Does Syniti conform to a recognized ISMS (Information Security Management System) standard?
- Yes. Syniti is ISO 27001 certified, highlighting our commitment to security by adhering to an international information security standard that is recognized and conformed to by some of the world’s largest commercial organizations and governments.
Our information security processes for handling customer information has been audited by an objective third-party auditor, BSI, and found to be implemented and operating effectively. Equally important, it means our security measures are regularly reviewed to ensure continued compliance with the standard.
We retain a dedicated team to manage these measures and an information security and risk manager oversees the effective delivery of all aspects of our ISMS.
Is Syniti SOC2, Type 2 certified?
We sure are. SOC 2, Type 2 is an internationally recognized information security standard that demonstrates a company’s ability to protect the confidentiality, integrity, and availability of their clients’ data. This certification also assures clients that Syniti has undergone rigorous third-party audits to ensure compliance with industry standards. Ultimately, Syniti clients can have confidence that their data is being protected by the highest level of security protocols and procedures and they can rest easy knowing that Syniti is doing everything they can to protect their business from potential security breaches or data loss.
Has Syniti achieved NIST 800-53 Security Compliance?
Absolutely. NIST 800-53 is a set of guidelines and best practices for information security management that is used by U.S. federal agencies and other organizations to ensure the confidentiality, integrity, and availability of sensitive information. Achieving compliance is a significant accomplishment for our company and our software, and we are proud to have met these rigorous requirements. By completing the NIST 800-53 compliance requirements, our company has demonstrated our on-going commitment
How do you protect and isolate our customer systems & data at rest and in transit?
- Systems and data are isolated from all other Syniti operational systems, end users, and developers in an isolated cloud operations hosting environment. Access is restricted to cloud operations administrators and indirectly to consultants who are working with the customer to facilitate migrations and other business driven actions only on need-to-know basis.
- Tenants have their own isolated environments with no access to or from any other customer environment.
- Customer data transferred in or out of the cloud operations environment to the customer is encrypted in transit with industry standard encryption protocols.
- Systems have data encrypted at rest at the disk level with industry standard encryption.
- Access to customer environments by cloud operations administrators occurs through a secure web portal mitigating most concerns related to the security posture of Syniti laptops, desktops, mobile devices, wireless, etc.
- All Cloud Operation administrators are enabled with Multi-factor Authentication (MFA) to confirm identities.
- Privilege authorization is managed through the PAM (Privilege Access Management) technology to ensure that access has been provided only on a Need-to-Know basis and the principle of Least privilege is being adhered to.
- All external threats are being controlled at perimeter itself via the functionalities of Next generation firewalls.
Is your infrastructure SOC 2 compliant?
- Syniti partners with well-known global IaaS Hyperscalers who maintain SOC 2 compliance.
- Syniti’s cloud operations hosting environment is both SOC 2 Type 1 compliant and SOC 2, Type 2 certified.
What endpoint security do you implement for customer systems themselves?
- We operate host based firewalls, EDR software and other protections ensuring:
- Validated software is installed and running
- Validated processes are running on customer systems
- Virus & malware assessments of customer systems are current and accurate.
- Host-based firewalls.
- File Integrity Management
- Host Intrusion Detection
- Vulnerability Management
- Syniti maintains auditing in place to collect/store the events from all endpoints to further enable accountability.
How do you track and respond to security incidents?
- Syniti cloud operations maintains a 24×7 NOC built around a SIEM solution for aggregating and correlating security events and identifying actionable security incidents.
- Syniti maintains an Integrated Incident Response Plan and a dedicated SIRP (Security Incident Response Plan) which has IRPs/used cases covered thus helps in driving through the security incidents.
Is customer data backed up?
- All customer data is backed up daily.
How is password storing and rotation managed?
- All the customer related password storing and rotation is being managed by our PAM solution which has a secure wallet feature and enables the remote connectivity to authorized personnel without exposing the credentials in clear text.
- Password rotation is enabled which ensures passwords are automatically changed at every 90 days.
How does Syniti stay updated about the latest threats and vulnerabilities?
- We leverage a vulnerability management solution from a market leading vendor and maintain a regular check on all new and existing vulnerabilities.
- We have a vulnerability management program in place to remediate any discovered vulnerabilities.
- Additionally, our SOC service provider leverages a threat hunting program to ensure the highest level of diligence.
How does Syniti ensure confidentiality, integrity and availability (CIA) for customer data?
- We encrypt all ingress and egress of customer data with the recommended encryption protocols.
- We have FIM (File Integrity monitoring) functionality to observer any unauthorized modification to the production data.
- Syniti maintains a network based data loss prevention platform
- We also do have a Cloud & Container Security monitoring tool in place which also keeps up updated on our existing security posture.
- Our CSP is a market leader and provides us with 2n+1 level of redundancy with their T4 level of data centers.
Does Syniti encrypt my data?
- Yes. Both in transit, enforcing https, and at rest in the database using AES256 encryption. We also support SQL Server Transparent Data Encryption (TDE).
Do you review your applications for security vulnerabilities?
- Throughout our Software Development Lifecycle (SDLC), we scan the code looking for security vulnerabilities using independent 3rd-party static and dynamic scanning tools and any significant issues are resolved prior to release.
Does your application support Multi-Factor Authentication?
- We support Single Sign On (SSO), where the application delegates user authentication to the customers corporate Identity Provider. In this way, the customer directly controls who has access to the Syniti application using their established user authentication policies and procedures.
Do you use industry standards (i.e. OWASP Software Assurance Maturity Model, ISO 27034) to build in security for your Systems/Software Development Lifecycle (SDLC)?
- Syniti information privacy and security governance and the SDLC process is aligned with the International Organization for Standardization (ISO) 27001 and 27002 security standards and the National Institute of Standards and Technology (NIST) Special Publications 800 Series. The Syniti secure SDLC program follows the guidelines set by the OWASP Framework.
What is the uptime SLA for your SaaS products?
- We ensure an uptime of 99.5%.
How often do you release updates to the software?
- Our SaaS products follow a CI/CD model where changes are deployed to production as soon as they have passed all of our SDLC checkpoints.
- Our on-premise software is released on the following frequency:
- Service Packs – every 4-6 weeks
- Minor versions – every calendar quarter
- Major versions every 1-2 years