Security at Thought Industries
Last updated February 7, 2023
The following summarizes the organizational, physical, and technical controls utilized by Thought Industries to safeguard the confidentiality, integrity, and availability of the information Thought Industries processes, creates, receives, maintains, or transmits. These safeguards include people, processes, and technology to implement a secure and private environment.
Thought Industries Accreditations and Certifications
- SOC 2 type 2 report covering Security, Availability, and Confidentiality
- PCI DSS Attestation of Compliance
- GDPR Compliance Brief, Shrems Position Paper, and DPA w SCCs
- CCPA contractual commitments and no sale of PI
- ISO 27001 Certification
- Customer Assurance Package contains documentation necessary to perform due diligence for data security and privacy
Information Security Management Program
To ensure the protection of company and customer data, Thought Industries maintains an Information Security Management Program that employs guidance and standards from multiple frameworks such as the AICPA’s Trust Services Criteria, ISO 2700x series information security practices, and the National Institute of Standards and Technology (NIST) guidance related to protecting the confidentiality, integrity, and availability of data. Our management is committed to implementing an effective Information Security Management Program by ensuring the necessary resources are available and our organizational structure is conducive to a culture of security and compliance. An Information Security Officer has been designated and is responsible for establishing, managing, and improving the Information Security Management Program. The responsibilities of this role include developing and implementing security policies, standards, and procedures as well as ensuring organizational, physical, and technical controls comply with these policies.
Thought Industries’ SOC 2 type II audit report and ISO 27001 certificate are available upon request from your account representative.
Security Program Composition
Thought Industries has implemented controls based on guidance from multiple standard frameworks. Our controls include, but are not limited to, the following policies:
- Access Control
- Awareness and Training
- Audit and Accountability
- Assessment and Authorization
- Background Screening
- Configuration Management
- Contingency Planning
- Incident Response
- Risk Assessment & Management
- System and Services Acquisition
- System and Communications Protection
- System and Information Integrity and
- Program Management.
Information system access is limited to approved users only. Technical controls such as strong passwords, brute-force protection, and two-factor authentication are implemented to restrict access. Administrator and privileged operation activities are logged. Log access is restricted and protected from modification.
User Access Management
Thought Industries maintains policies, procedures, and technical controls to identify account types, establish group memberships, and identify authorized users’ privileges. Policies and procedures require approval to establish or activate accounts. Account access is also modified, disabled, and removed in a timely manner based on authorized change requests as appropriate. System access is based on valid authorization, intended use, and related role-based functions.
Awareness and Training
All personnel are trained when they join the organization and annually thereafter on data security and associated risks as well as applicable regulations, policies, standards, and procedures. Software developers are annually required to complete secure coding practices and techniques training. A sanctions policy is enforced for employees who fail to comply with established information security policies and standards.
Audit and Accountability
Thought Industries creates, protects, and retains audit records as required to monitor, analyze, investigate, and report any unauthorized or suspicious activities. Logged activities are traceable to individual users. Security controls are reviewed on an ongoing basis to ensure their effectiveness and compliance with policies. Any deficiencies discovered are corrected to reduce risks to a reasonable and acceptable level as defined by Thought Industries leadership. Employees receive expectations of securing and preventing unauthorized access to information through written information security policies. Thought Industries has a formal sanction policy in place for personnel that fail to comply with the organization’s policies and procedures with penalties up to and including termination and criminal charges where applicable.
Thought Industries ensures that individuals occupying positions of responsibility within the organization are trustworthy and meet established criteria. Background checks are conducted prior to employment, and employees must acknowledge their understanding of security policies and sign conduct and confidentiality commitments.
Business Continuity & Disaster Recovery
Emergency response, backup operations, and post-disaster recovery plans are maintained to ensure critical systems’ availability. Backups are performed nightly and retained for three (3) months.
Data Protection and Privacy
Thought Industries acts as a Data Processor on behalf of our customers, the Data Controller. As a processor, Thought Industries executes and abides by contractual Data Protection Agreements (DPAs), which include the Standard Contractual Clauses approved by the European Commission. These DPAs contain contractual commitments such as providing assistance complying with data subject rights requests (when applicable), supervisory authority breach notice obligations, support for data protection impact assessments and audits, and the return or destruction of data unless otherwise required by law. Upon request, we will review and consult with our Customers’ business-specific needs around the DPA. Contact your Thought Industries account representative to request a copy of Thought Industries’ DPA or with any other DPA-related questions.
Data Retention and Destruction
Thought Industries retains customer data for the duration of the contract and up to 45 days post termination. Backups are securely retained until they age off after 3 months.
Access to Customer Data
Thought Industries contractually commits that its personnel may access Customer Data only in accordance with providing the Services, to prevent or address technical or service problems, or if compelled by law. Thought Industries support personnel are located in the U.S., Malaysia, and Ireland and support may be provided from any location for all Thought Industries services.
Thought Industries maintains separate staging, development, and test/QA environments. All non-production environments use test data only (non-production data).
Thought Industries uses Transport Layer Security (TLS) v1.2 or higher encryption to protect the communication and transmission of data over public networks and between systems. Customer data at rest is encrypted using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant.
Host and Network Security
The Thought Industries platform is powered by operating systems that are hardened to industry best practice guidelines and standards, including a minimal configuration that removes unnecessary and default processes, accounts, and protocols to reduce the equipment’s attack surface. Customers access the Thought Industries platform using the public internet and use Transport Layer Security (TLS) for connection security. The allowed network traffic passes through virtual firewalls and is monitored for anomalies. The platform is hosted on cloud infrastructure through Amazon Web Services (AWS).
Thought Industries classifies information into three categories: public, proprietary, and confidential. All customer data is given the highest protection classification of Confidential. There are appropriate policies for access, handling, distribution within/outside the organization, storage, disposal/destruction, and penalties for not abiding by policies or procedures in place.
A formal Incident Response Plan is in place to adequately prepare, detect, analyze, contain, recover, and respond to a security-related incident. Incidents are tracked, documented, and reported as appropriate. Thought Industries maintains a Security Incident Response Team (SIRT) that executes the Incident Response Plan made up of subject matter experts from across the entire organization. Contractual agreements are in place with all sub-processors to ensure that incident response and notification procedures are implemented.
Infrastructure Monitoring and Logging
We monitor the information generated by and configuration settings of all the systems in our environment 24×7. All infrastructure systems are configured to produce audit logs and off-load logs to protected locations. Audit records are maintained to provide sufficient information such as type of events, date/time of occurrence, source/destination addresses, outcome of events, user identity, and file name or flow control rule invoked. Alerts are generated in real-time and configured to notify the Information Security and Infrastructure teams as applicable. Audit records are restricted to authorized users and backed up daily.
Penetration Testing & Vulnerability Management
Annual penetration testing is performed by experienced penetration testers, holding multiple industry-recognized certifications, including CREST, CPT, and OSCP. Web application security tests are conducted quarterly and include coverage for the following:
- SANS Top 25 Full Coverage
- OWASP Top 10 Full Coverage
- PCI DSS 6.5.1-6.5.11 Full Coverage
Any noted vulnerabilities are categorized for risk. High and Critical risks are resolved immediately, and the platform is re-tested to ensure these are remediated. Medium and Low findings are assessed for risk and prioritized for remediation in scheduled releases as appropriate.
The Thought Industries platform is hosted on cloud infrastructure through Amazon Web Services AWS. More information on the physical security controls of Amazon data centers is available here: https://aws.amazon.com/compliance/data-center/controls/
All users must be identified and authenticated as a prerequisite to connecting to information systems and network resources. User account passwords must be unique so that they are not the same as other accounts held by the user. Strong passwords, cryptography, and two-factor authentication protect elevated privilege accounts.
Protection Against Malicious Software
Malicious code protection mechanisms are employed on all workstations, servers as feasible. These solutions are installed by authorized employees, updated, configured to run scans, and are prevented from being disabled by users.
Web browsing is secured through category blocking, malicious traffic detection, safe browsing, and download repudiation. Insecure plugins are reported and remediated with anti-malware removal.
Security Risk Assessment and Management
The Information Security Officer is responsible for executing, developing, and implementing a remediation program for issues identified through risk assessment. Remediation plans are developed and implemented to lower risks to an acceptable level. Root cause analysis is conducted to determine preventative actions that may improve Thought Industries’ security posture. Thought Industries Information Security Management Program is based on risks, and decisions are made to address high-risk areas as a priority. Thought Industries assess the risks to operations, assets, and individuals in the processing, storage, and transmission of information on an ongoing basis. Risks are tracked in a risk register and assessed annually. The risk assessment and management program is reviewed and audited as a part of the SOC 2 engagement.
Software Development Lifecycle
Our software developers follow a design, build, and verify methodology employing secure coding practices throughout. No outsourced application development contractors are employed. Application code is securely managed using policies and controls, including granular roles, authentication, access management, audit logging, and reporting. Controls are applied upon actions within the code repository, such as repository access, password resets, code change, and push. We perform code reviews that check for security, style, and functionality. We have a full suite of automated tests to prevent regressions and supplement that with a complete manual quality assurance process. We use staging servers prior to going live in production.
Third-Party Vendor Due Diligence
The Information Security Officer is responsible for analyzing third-party vendor security and privacy controls and assessing risk. Contractual requirements are recorded in service agreements with third parties to include any required privacy and security provisions. Thought Industries’ information security office routinely re-assesses vendors to ensure security and privacy requirements are met. Upon any termination of a service agreement, vendor access is revoked, and any information maintained must be returned or certified destroyed.
All workstations are managed using mobile device management (MDM) solutions. Systems maintain a secure base configuration, disk encryption, patch application management, next-generation anti-malware, and malicious software protection. Users are prohibited from utilizing non-TI resources to conduct official business. Any non-standard hardware configuration must be evaluated and approved before use. All systems must have up-to-date anti-virus software installed and meet minimum security requirements.
Customers and their Learners access the Thought Industries platform using a password which is known only to them and only over secure (HTTPS) connections. Customer and learner password strength requirements are configurable on a per-instance basis.
Passwords of users logging on Thought Industries are not stored. Only a secure hash (bcrypt) of the password is stored in our databases. Because the hash is expensive to compute, and because a “salt” is used, password reverse-engineering is difficult even if the hash value were to be obtained by a malicious party. Brute-force guessing attempts are automatically detected and blocked.
When Thought Industries instances opt to connect to an external system using user-supplied credentials (SSO), where possible this is done using JWT, SAML 2.0, or CAS, and in those cases, no credentials need to be stored in Thought Industries servers.