Viz.ai received the International Organization for Standardization Certification for Cybersecurity (ISO 27032:2012).
ISO/IEC 27032:2012 provides guidance for improving the state of Cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains, in particular
It covers the baseline security practices for stakeholders in cyberspace.
This International Standard provides:
- an overview of Cybersecurity,
- an explanation of the relationship between Cybersecurity and other types of security,
- a definition of stakeholders and a description of their roles in Cybersecurity,
- guidance for addressing common Cybersecurity issues, and
- a framework to enable stakeholders to collaborate on resolving Cybersecurity issues.
Viz.ai is annually audited for compliance with ISO 27032:2012 by an accredited third-party certification body that provides independent validation that applicable security controls are in place and operating effectively to protect our customers’ data.
Viz.ai is fully based on Amazon Web Services (AWS). AWS data centers are built in clusters in various global regions. Viz.ai provides customers with the flexibility to connect to one of the geographic regions in which AWS operates. Viz.ai deploys its services using multiple Availability Zones within each region in which it operates.
Security controls at Amazon data centers are based on current technologies and follow the industry's best security practices. The physical security controls are designed to eliminate single points of failure and maintain the resilience of the computing center. A variety of environmental controls are implemented at the data center facilities.
Two forms of authentication, one of which is biometric, must be presented together to enter the data center. The facilities are protected by a fire suppression system with built-in fire, water, and smoke detectors that protects the computing equipment.
There is 24-hour video surveillance of all entrances and exits, lobbies, and ancillary rooms. The video is recorded, monitored and archived.
The data centers that host your data are guarded by private security staff 24 hours a day, seven days a week, every day of the year. Servers are kept in locked, designated areas within the facility.
The server area is cooled by a separate air conditioning system, which keeps the climate at the desired temperature to prevent a service outage. The facilities have on-site generators, which serve as an alternative power source.
Viz.ai customers designate in which physical region their content will be located. Viz.ai will not move customers’ content from the selected region without notifying the customer, unless required to comply with the law or requests of governmental entities.
Read more about AWS Data Centers HERE
Viz.ai’s policy is to maintain complete and accurate records for the period of their immediate use and to discard them thereafter unless longer retention is required for historical reference, contractual or legal requirements, or for other purposes as stated in our “CYB-POL-0026 Data Retention, Archiving, Destruction and Restitution Policy” policy.
This policy details the recommended minimum retention periods applicable to Viz.ai documents based on legal requirements and practical considerations.
Viz.ai staff may, however, decide that longer retention periods are desirable for programmatic or historical purposes. This policy will be applied in the same manner to documents in printed form and to the equivalent documents in electronic form unless otherwise specified.
All data stored by Viz.ai on behalf of customers is protected by tenant isolation controls. Viz.ai uses Amazon Web Services (AWS) encryption mechanisms for nearly all of its services, including Amazon Simple Storage Service (S3), Amazon Elastic Block Store (EBS) and Amazon Elastic Compute Cloud (EC2). In addition, Viz.ai uses AWS Key Management Service (KMS) to create and control encryption keys.
Internally, Viz.ai establishes and manages cryptographic keys for required cryptography employed within the Viz.ai infrastructure.
Viz.ai cryptographic processes are reviewed for continued compliance with SOC and ISO/IEC 27001:2013 by independent third-party auditors.
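One way to verify the S3 side of the control described above (objects written only under SSE-KMS) is to inspect the bucket policy rather than trust the default-encryption setting alone, because a caller can still override bucket default encryption with a per-request header. The following checker is an added example, not Viz.ai's own tooling or policy; the bucket name, account ID, role name and both policies are constructed for illustration. It relies only on the documented IAM behaviour that negated operators such as StringNotEquals evaluate to true when the condition key is absent, so the Deny catches both SSE-S3 and unencrypted uploads.

```python
"""Check that an S3 bucket policy forces SSE-KMS on every object write."""
import json

# Constructed sample policies for illustration (not Viz.ai's actual policies).
# The weak policy only grants writes; nothing stops a caller from uploading
# with SSE-S3 or no server-side encryption header at all.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAppWrites",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-writer"},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-tenant-data/*",
    }],
})

# The hardened policy adds an explicit Deny for any PutObject whose
# x-amz-server-side-encryption header is not "aws:kms".
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAppWrites",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-writer"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-tenant-data/*",
        },
        {
            "Sid": "DenyNonKmsWrites",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-tenant-data/*",
            "Condition": {
                "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
            },
        },
    ],
})


def _as_list(value):
    """IAM accepts a scalar or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_put_object(actions):
    return any(a in ("s3:PutObject", "s3:*", "*") or a.lower() == "s3:put*"
               for a in actions)


def _covers_all_objects(resources, bucket):
    wanted = f"arn:aws:s3:::{bucket}/*"
    return any(r in ("*", "arn:aws:s3:::*", wanted) for r in resources)


def _applies_to_everyone(principal):
    # A Deny must apply to all principals, otherwise a role outside the list
    # could still write unencrypted objects.
    return principal == "*" or principal == {"AWS": "*"}


def kms_encryption_enforced(policy_json, bucket):
    """Return True if the policy denies every PutObject to `bucket` that is
    not tagged aws:kms.

    StringNotEquals is a negated operator: IAM evaluates it as true when the
    header is missing, so the Deny also blocks unencrypted uploads.
    NotAction / NotPrincipal / NotResource forms are not handled here and
    are treated as non-enforcing.
    """
    policy = json.loads(policy_json)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        if not _applies_to_everyone(stmt.get("Principal")):
            continue
        if not _covers_put_object(_as_list(stmt.get("Action"))):
            continue
        if not _covers_all_objects(_as_list(stmt.get("Resource")), bucket):
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        if cond.get("s3:x-amz-server-side-encryption") == "aws:kms":
            return True
    return False


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, kms_encryption_enforced(pol, "example-tenant-data"))
```

The Deny statement is the piece that matters for a reviewer: bucket default encryption (PutBucketEncryption with SSE-KMS) sets what happens when a caller sends no header, but only an explicit Deny prevents a caller from choosing SSE-S3 instead. Restricting the acceptable KMS key with the s3:x-amz-server-side-encryption-aws-kms-key-id condition key is a natural extension this example does not implement.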
Security incidents can arise from multiple threat vectors and may result from accidental, intentional, or malicious actions. Therefore, when incidents occur, our dedicated Incident Response Team (IRT) provides the necessary assessment, coordination, management, feedback
As part of the Viz.ai security incident response policy, this dedicated IR Team is also responsible for assessing, containing, mitigating and learning from information security incidents in order to minimize the risk of their recurring.
Logging of service, user and security events is enabled and retained centrally. Viz.ai restricts access to audit logs to authorized personnel based on job responsibilities.
The Viz.ai incident response program (detection, investigation and response to incidents) has been developed in alignment with the ISO/IEC 27001:2013 standard. System utilities are appropriately restricted and monitored. The Viz.ai SOC report provides additional details on the controls in place to restrict system access.
Viz.ai has developed processes to facilitate a coordinated response to incidents, should one occur. A security event may include, among other things, unauthorized access resulting in loss, disclosure or alteration of data.
The Viz.ai Incident Response process follows these phases:
• Detection and Analysis
System and security alerts are harvested, correlated, and analyzed. Events are investigated by Viz.ai operational and security organizations. If an event indicates a security issue, the incident is assigned a severity classification and escalated appropriately within Viz.ai. This escalation includes product, security, and engineering specialists.
• Containment
The escalation team evaluates the scope and impact of an incident. The immediate priority of the escalation team is to contain the incident and secure the data. The escalation team forms the response, performs appropriate testing, and implements changes. Where in-depth investigation is required, content is collected from the affected systems using forensic software and industry best practices.
• Eradication
After the situation is contained, the escalation team eradicates any damage caused by the security breach and identifies the root cause of the security issue. If a vulnerability is identified, the escalation team reports it to product engineering.
• Recovery
During recovery, software or configuration updates are applied to the system and services are returned to
• Lessons Learned
Each security incident is analyzed to ensure appropriate mitigation is applied to protect against future re-occurrence.
In the event that a tenant is affected by an incident, Viz.ai has clearly defined incident response plans and notification requirements.
Security and incident response plans are continually updated and tested at least annually.
Viz.ai's incident response program, plans and procedures have been developed in alignment with the ISO/IEC 27001:2013 standard. Viz.ai has been validated and certified by an independent auditor to confirm alignment with the ISO/IEC 27001:2013 certification standard.
The Viz.ai SOC report provides details about the specific control activities executed by Viz.ai. All data stored by Viz.ai on behalf of customers is protected by tenant isolation security and control capabilities.
If Viz.ai becomes aware of any unlawful access to any Customer Data stored by Viz.ai resulting in loss, disclosure, or alteration of Customer Data (each a “Security Incident”), Viz.ai will promptly (1) notify the Customer of the Security Incident; (2) investigate the Security Incident and provide the Customer with detailed information about the Security Incident; and (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
Notification(s) of Security Incidents will be delivered to one or more of the Customer’s administrators by any means Viz.ai selects, including via email. It is the Customer’s sole responsibility to ensure that Customer’s administrators maintain accurate contact information. Viz.ai’s obligation to report or respond to a Security Incident under this section is not an acknowledgement by Viz.ai of any fault or liability with respect to the Security Incident.
The Customer must notify Viz.ai promptly about any possible misuse of its accounts or authentication credentials, or any security incident related to Viz.ai Service.
If you want to report a vulnerability or have a security concern regarding Viz.ai cloud services, please e-mail firstname.lastname@example.org.
Information technology — Security techniques — Information Security Management Systems (ISMS)
Viz.ai received the International Organization for Standardization Certification for Information Security (ISO 27001:2013).
The audit evaluated our information security management system from product, infrastructure and organizational aspects, and verified that we have the necessary information security controls in place to ensure the confidentiality, integrity and availability of sensitive information assets.
Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for C
Viz.ai received the International Organization for Standardization Certification for Information Security (ISO 27017:2015).
This standard provides guidance on the information security aspects of cloud computing, recommending cloud-specific information security controls that supplement the guidance of ISO 27001 and ISO 27002. It provides additional implementation guidance for information security controls specific to cloud service providers.
Our commitment to ISO 27017:2015 guidance demonstrates our ongoing effort to align with globally recognized cloud security best practices and that Viz.ai has implemented controls specific to our cloud services.
Information technology — Security techniques — Code of practice for Protection of Personally Identifiable Information (PII) in Public Clouds acting as PII Processors
This standard, based on ISO 27002, provides guidance on the protection of personal data in the cloud and implementation guidance for the ISO 27002 controls applicable to the processing of Personally Identifiable Information (PII) in public clouds.
Being certified with this standard demonstrates to our Customers that we have implemented controls to specifically handle the protection of their sensitive content.
As verified by a third-party assessment, Viz.ai’s alignment with this internationally recognized code of practice demonstrates our commitment to the protection and privacy of our Customers’ content.
Health informatics – Information Security Management in Health using ISO/IEC 27002
Viz.ai received the International Organization for Standardization Certification for Information Security (ISO 27799:2016).
This healthcare standard provides guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls in health informatics of ISO/IEC 27002 so that they can be effectively used for managing health information security.
As a company primarily serving healthcare, and one regulated by bodies such as the FDA, we implemented ISO 27799:2016 to ensure a level of security appropriate to healthcare organizations and other custodians of health information, maintaining the confidentiality, integrity and availability of the personal health information in our possession.
We are annually audited for compliance with ISO 27799:2016 by an accredited third-party certification body that provides independent validation that applicable security controls are in place and operating effectively to protect our Customers' protected health information (PHI).
Monitoring and Protection
Viz.ai has identified auditable event categories across systems and devices within the Viz.ai system. The log storage system is based on Amazon Simple Storage Service (S3) and is designed to be highly scalable and highly available, automatically increasing capacity as log volume grows. Audit records contain the data elements needed to support analysis. Audit records are available to the Viz.ai Security team and other appropriate teams for inspection or analysis on demand and in response to security-related or business-impacting events. All access to logging and monitoring systems is itself monitored and audited.
Designated personnel on Viz.ai teams receive automated alerts in the event of an audit processing failure. Audit processing failures include, for example, software/hardware errors. When alerted, on-call personnel create a ticket for the issue and track the event until it is resolved.
Viz.ai continuously performs monitoring through multi-tiered security audits that include security checks, security reviews, application, and infrastructure security vulnerability assessment scans and third-party patching.
Log and monitor access is highly restricted to only authorized staff with a business need to access such systems. Viz.ai service components are configured to log and collect security events.
Viz.ai relies on multiple security information sources including external cyber security consultants to remain updated about impending infrastructure vulnerabilities worldwide.
Viz.ai also engages an independent security company that periodically conducts penetration tests, including coverage of the OWASP Top 10.
We carefully monitor the services available to our Customers.
This includes continuous scanning for vulnerabilities, monitoring of intrusion attempts and abuse detection, Distributed Denial-of-Service (DDoS) attack prevention, frequent penetration testing, and data analytics to ensure that the operation is stable and secure.
NIST guidelines adopt a multi-tiered approach to risk management through control compliance. SP 800-53 works alongside SP 800-37, which was developed to provide federal agencies and contractors with guidance on implementing risk management programs. SP 800-53 focuses on the controls that can be used together with the risk management framework outlined in 800-37.
SP 800-53 defines control baselines for three impact levels – low, moderate, and high – and groups the controls into 18 families.
The NIST SP 800-53 security control families include:

| ID | Family |
|----|--------|
| AU | Audit and Accountability |
| AT | Awareness and Training |
| IA | Identification and Authentication |
| PE | Physical and Environmental Protection |
| CA | Security Assessment and Authorization |
| SC | System and Communications Protection |
| SI | System and Information Integrity |
| SA | System and Services Acquisition |
NIST SP 800-53 also introduces the concept of security control baselines as a starting point for the security control selection process. These baselines outline a number of key considerations such as operational and functional needs and the most common types of threats facing information systems. A tailoring process is also outlined to help organizations select only those controls appropriate to the requirements of the information systems in use within their environment.
Compliance with NIST SP 800-53 and other NIST guidelines provides a number of benefits. NIST 800-53 compliance is a major component of FISMA compliance. It also helps to improve the security of your organization’s information systems by providing a fundamental baseline for developing a secure organizational infrastructure. It is important to note, however, that simply following the guidelines laid down by NIST should not be the extent of an organization’s security program. While NIST SP 800-53 compliance is a great starting place, the NIST guidelines themselves recommend that you should assess all your data and rank which is most sensitive, in order to further develop your security program.
Procedures have been established and implemented to scan for vulnerabilities on Viz.ai-managed instances in the scope boundary.
Viz.ai implements vulnerability scanning on server operating systems, databases, and network devices with appropriate vulnerability scanning tools.
Viz.ai contracts with independent assessors to perform penetration testing of the Viz.ai boundary. Viz.ai Security regularly scans all Internet-facing service endpoint IP addresses for vulnerabilities. Our Security Team notifies the appropriate parties to remediate any identified vulnerabilities.
Viz.ai's own maintenance and system patching generally do not impact Customers. Software updates are released through the release cycle using change and release management procedures. Emergency out-of-band security updates (for 0-day vulnerabilities and fixes arising from the Security Incident Response Process) are deployed as quickly as possible.
Refer to ISO/IEC 27001:2013 standard, Annex A, domain 12 for additional details. Viz.ai has been validated and certified by an independent auditor to confirm alignment with ISO/IEC 27001:2013 certification standard.
Reporting Suspected Vulnerabilities
Viz.ai takes security very seriously, and investigates all reported vulnerabilities. This page describes our practice for addressing potential vulnerabilities in any aspect of our cloud services.
- If you would like to report a vulnerability or have a security concern regarding Viz.ai cloud services, please e-mail email@example.com.
A dedicated security team works alongside the Cloud Services team and investigates all reports of security vulnerabilities affecting Viz.ai products and services.
So that we may more effectively respond to your report, please provide any supporting material (proof-of-concept code, tool output, etc.) that would be useful in helping us understand the nature and severity of the vulnerability. The information that you share with Viz.ai as part of this process is kept confidential within Viz.ai. It will not be shared with third parties without your permission.
Viz.ai will review the submitted report, and assign it a tracking number. We will then respond to you, acknowledging receipt of the report, and outlining the next steps in the process.
Evaluation by Viz.ai
After the report has been submitted, Viz.ai will work to validate the reported vulnerability. If additional information is required in order to validate or reproduce the issue, Viz.ai will work with you to obtain it. When the initial investigation is complete, results will be delivered to you, together with a plan for resolution and public disclosure.
A few things to note about the Viz.ai evaluation process:
- Confirmation of Non-Vulnerabilities. If the issue cannot be validated, or is not found to be a flaw in a Viz.ai product, this will be shared with you.
- Vulnerability Classification. Viz.ai uses version 2.0 of the Common Vulnerability Scoring System (CVSS) to evaluate potential vulnerabilities. The resulting score helps quantify the severity of the issue and prioritize our response. For more information on CVSS, please see the CVSS-SIG announcement.
Viz.ai is committed to being responsive and keeping you informed of our progress as we investigate and / or mitigate your reported security concern. You will receive a non-automated response to your initial contact within 24 hours, confirming receipt of your reported vulnerability. You will receive progress updates from us at least every five working days.
If applicable, Viz.ai will coordinate public notification of a validated vulnerability with you. When possible, we would prefer that our respective public disclosures be posted simultaneously.
In order to protect our Customers, Viz.ai requests that you not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and informed Customers if required.
Also, we respectfully ask that you do not post or share any data belonging to our customers. Addressing a valid reported vulnerability will take time. This will vary based on the severity of the vulnerability and the affected systems.
Viz.ai public notifications take the form of security bulletins, which are posted here in our Security Trust Center. Individuals, companies, and security teams typically post their advisories on their own web sites and in other forums and, when relevant, we will include links to those third-party resources in Viz.ai security bulletins.
The Viz.ai Secure System Development Life Cycle (Secure SDLC) incorporates industry best practices that include formal design reviews by the Viz.ai Security Team, threat modeling
In alignment with ISO/IEC 27001:2013 standard, Viz.ai has established formal policies and procedures to delineate the minimum standards for logical access to Viz.ai resources.
Access to Viz.ai source code is limited to authorized personnel. Where feasible, source code is maintained in a separated project or repository for independent projects. Viz.ai employees are granted access only to those projects or repositories which they need access to perform their duties. The source code repository enforces control over changes to source code by requiring a review from designated reviewers prior to accepting new code or code changes. An audit log detailing modifications to the source code is maintained.
The Viz.ai SOC report outlines the controls in place to manage access provisioning to Viz.ai resources.
Source code builds are scanned for malware prior to release to production.
Viz.ai has procedures governing the development of new systems and features. Refer to ISO/IEC 27001:2013 standard, Annex A, domain 14 for additional details. Viz.ai has been validated and certified by an independent auditor to confirm alignment with the ISO/IEC 27001:2013 certification standard.
Viz.ai communicates its security and control environment to Customers through industry certifications and third-party attestations, white papers (available here) and providing certifications, reports and other relevant documentation directly to Viz.ai Customers.
Certifications, Policies & Reports
Viz.ai provides third-party attestations, certifications, Service Organization Control (SOC) reports and other relevant compliance reports directly to our customers under NDA.
The Viz.ai ISO/IEC 27001:2013 certification can be downloaded from Viz.ai Trust Center.
The Viz.ai Security Team regularly scans all Internet-facing service endpoint IP addresses for vulnerabilities and notifies the appropriate parties to remediate any identified vulnerabilities. In addition, external vulnerability assessments are performed regularly by independent security firms. Findings and recommendations resulting from these assessments are categorized and delivered to Viz.ai leadership.
In addition, the Viz.ai control environment is subject to regular internal and external audits and risk assessments. Viz.ai engages with external certifying bodies and independent auditors to review and test the overall Viz.ai control environment.