Implementing a cloud-based service can raise questions about the security of your system — that’s only natural.
So we’d like to reinforce that when you entrust Halogen with your data and processes, we take it seriously. In fact, we’re committed to providing you with the information and security services you need to be confident that your data is secure.
The security protections people have come to expect of a leading cloud provider
An organizational commitment to sound practices around security and IT service delivery
Our security organization, which practices separation of duties from our IT teams, reports separately to senior management. As a top priority, the organization works with operational IT and product development teams to ensure that our products and services are designed with security from a customer’s perspective. The organization is also responsible for monitoring Halogen’s TalentSpace™ operational activities as they relate to Halogen’s service offerings.
A commitment to independent assurance
Not surprisingly, customers often want validation from independent third parties that the security measures we take at Halogen, not only make sense but are also appropriate and working effectively.
To assist our customers in meeting their compliance and security requirements, we’re continually investing in resources to provide our customers with access to independent assessments and evaluations on Halogen’s security control effectiveness.
Halogen SaaS architecture diagram
Halogen’s security services at a glance
We base our access control approach on four main concepts:
- Separation of duties
- Least privilege
- Information classification
We’ve implemented an authorization and review process so that access rights are aligned with these four concepts. Access control is defined through compliance with Halogen’s Information Security Policy and Access Control Policy, which is documented through the use of formal access control lists and a RACI matrix.
Management of access control includes management approval for access to the TalentSpace™ environment and regularly scheduled access reviews, to ensure they are accurate and up to date.
Our Access Control Policy defines the requirements for unique usernames and complex passwords. Access Control Standards are implemented and monitored through the use of a central authentication server that enforces the documented standards.
Halogen’s TalentSpace™ environment has a layered security architecture which includes:
- Multilayered firewall design (perimeter, data tier, and host)
- Multilayered intrusion detection systems (perimeter and host)
- Traffic segregation enforced through the implementation of a specialized network topology
Logical access to the TalentSpace environment is monitored by a dedicated security team and complemented by ongoing point-in-time audits performed by the TalentSpace operations group. Security monitoring includes a daily review of security logs, privileged account usage and review and remediation of weekly security vulnerability scans, both internally and externally.
Compliance with secure configuration standards is monitored, and compliance reports are reviewed and audited. Non-standard configurations are immediately reported, investigated and then remediated using the formal incident management process.
Operational controls in the TalentSpace™ environment include:
- Checklists to support the completion of daily, weekly and other time based tasks
- Automated and scheduled tasks
- Continuous system, application, and task monitoring
Halogen owns and manages all assets required to deliver our SaaS TalentSpace™ offering, and all operational activities are carried out by Halogen full-time employees. We’ve also implemented a control framework to help ensure consistency and integrity of the ongoing operations in the TalentSpace™ environment.
Operational controls address requirements for the timely execution of activities and the ability to review operational effectiveness. These controls also help maintain proper segregation of duties and access.
We’ve included consideration for web application security into our software development practices:
- Education and awareness training for developers, testers, and other team members responsible for the quality of our application code. Training materials are aligned with the OWASP Top 10 web application risks and are presented within the specific context of our application.
- We engage with an industry recognized third-party web application vulnerability testing company to continually assess each application end point.
- Third-party results are reviewed by Halogen’s Security, Risk and Compliance department.
- Confirmed defects are prioritized and entered into Halogen’s defect management system for remediation.
We’re committed to continually investing resources to provide our customers with access to independent assessments and evaluations on the effectiveness of Halogen’s security controls. These third-party evaluations are available upon request and include the following:
- AICPA SOC 2 Type II
- Web Application Vulnerability Reports
- Vulnerability Scanning Results
Halogen’s TalentSpace™ environment implements encryption at rest for all customer production data. This includes all data submitted by the customer or generated by Halogen TalentSpace™, such as customer entered data, system generated forms, reports, backups and logs.
Data center and environmental security
We’ve contracted with best-in-class data center providers to co-locate the TalentSpace™ environment in two physical sites, both of which have strict physical and logical access controls:
- Primary data center (Rogers) – Toronto, Ontario, Canada
- Backup and recovery data center (Q9 Networks) – Calgary, Alberta, Canada
- Both sites are more than 2,600 km apart (1,600 miles)
Access to hardware located in secure and dedicated cages requires pre-authorization from Halogen’s TalentSpace™ operations management team.
The multi-layer physical security system includes the requirement for management pre-authorization, and authorized individuals must provide government issued Photo ID to a manned security desk. Additionally, controlled man-traps and two-factor authentication (including biometrics) are required to gain access to the data centre server room floor and Halogen’s dedicated and secured cage.
We perform on-site visits to each facility to validate the proper functioning of physical and logical access controls. We review the most recent assurance reports from our data center provider(s) on a continual basis.
Service levels have been contractually defined with data center providers for availability and quality of service. Service levels are continually monitored by a range of applications which report on availability, performance and quality of service.
Both data center facilities include redundant environmental protections, including considerations for cooling, power, physical security, network connectivity and natural disasters.
Backups, redundancy, and recovery
At Halogen, we’ve implemented backup and recovery processes and procedures that enable us to respond effectively to customer requests and recover quickly in the event of an incident. Key information, including customer data and infrastructure information, is backed up on a regular basis.
There are formal processes in place for the replication of all customer data to a backup and recovery data center. To support full recovery, the backup and recovery data center is equipped with the same computing capacity as our production data center.
Halogen also has a documented disaster recovery plan, which leverages Halogen’s proprietary technology and replicated customer data to restore service in the event of a disaster
Finally, Halogen’s enterprise platform implements data retention to support investigation activities. We can also support customers’ investigation should it be required.
Security and service delivery
Change management is a key operational control and Halogen has aligned with the ITIL v.3 change management process. Changes must be appropriately documented, tested and validated before being presented to Halogen’s Change Advisory Board for risk evaluation and approval prior to implementation.
We’ve also implemented a service incident management process, also based on the ITIL v.3 framework, to ensure that any failure in the production environment is addressed in a timely manner, based on the existing service level agreements. All changes related to customer impacting incidents are treated as emergency changes in our change management process.
Security and privacy incident response
At Halogen, we have a security and privacy incident response process designed to address possible security events or incidents.
The process includes the procedures for the response to potential incidents and includes a dedicated Security Incident Response Team (SIRT). The SIRT is responsible for managing the response and remediation of any confirmed security incident or privacy breach. This includes coordinating all investigative processes, communication to customers and third parties as well as documenting impact assessments and post incident improvements.