Server Security Policies
Updated on 15 Jul 2022
The purpose of this policy is to outline standards set by LightSpeed VT and its cloud hosting vendor, Amazon Web Services. Effective implementation of this policy will minimize unauthorized access to LightSpeed VT's proprietary SaaS application. This policy applies to Amazon Web Services (AWS) virtual cloud instances operated by LightSpeed VT, and is specifically aimed at instances on the LightSpeed VT SaaS application network.
You can download our latest Server Security Policy and Application Standards here.
Ownership and Responsibilities
LightSpeed VT utilizes Amazon Web Services technologies for client-facing portals, video content and the main SaaS application. Security is maintained through strict IAM security groups and Virtual Private Cloud access-control lists. The virtual devices created by LightSpeed VT to run the current software-as-a-service (SaaS) application are created on cloud-based hardware owned by Amazon Web Services. Maintenance and maintainability of these devices is the responsibility of LightSpeed VT, and periodic, appropriate steps are taken to ensure the viability of these devices.
General Configuration Guidelines
- Operating systems are installed in accordance with Center for Internet Security (www.cisecurity.org) guidelines.
- Services and applications that will not be used are disabled where practical.
- Access to virtual instances and applications is protected through access-control methods such as VPN connections, Identity & Access Management, and encrypted SSH or RDP connections.
- The most recent security patches are installed on each server/system as soon as practical, the only exception being when immediate application would interfere with business requirements.
- Security groups are used to control traffic between application subnets.
- Standard security principles of least required access are used to perform server and application functions.
- Administrative accounts are not used when a non-privileged account will do.
- Privileged access is performed over secure channels (e.g., encrypted network connections using SSH or IPSec).
- Application communication between the client (browser) and the server (LSVT AWS application) occurs using SHA256 SSL encryption to protect the data in transit and at rest.
- Primary SaaS servers are hosted in a Virtual Private Cloud with Amazon Web Services.
Monitoring
All security-related events on critical or sensitive systems are logged and audit trails saved as follows:
- All security-related logs are kept online for a minimum of 1 week.
- Daily incremental tape backups will be retained for at least 30 days.
Security-related events will be reported to systems administration, who will review logs and report incidents to IT management. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to:
- Port-scan attacks
- DDoS attacks
- Evidence of unauthorized access to privileged accounts
- Anomalous occurrences that are not related to specific applications on the host
Systems and network monitoring agents are in place to alert systems administration of any application or network irregularities.
Compliance
We conduct very frequent internal audits, as our entire team is in-house: the software engineers, server infrastructure managers, database administrators and network administrators who work on our LightSpeed VT server infrastructure.
- Audits are performed on a regular basis by company personnel.
- Every effort will be made to prevent audits from causing operational failures or disruptions.
- We closely adhere to industry-standard, enterprise-level policies, controls and protocols as set by the Center for Internet Security (https://www.cisecurity.org/).
We leverage Amazon AWS for 100% of our SaaS application infrastructure. AWS maintains some of the relevant security audit documentation; more information is available at the link below:
https://aws.amazon.com/blogs/security/new-soc-2-report-available-privacy/