NIST Cybersecurity Framework 1.1
The NIST Cybersecurity Framework (NIST CSF) is a collaborative effort involving industry, academia and government, managed by the National Institute of Standards and Technology. The framework is an evolving effort that focuses on using business drivers to guide cybersecurity activities and on managing cybersecurity risk as part of an organization’s risk management process. The NIST CSF incorporates five main areas – Identify, Protect, Detect, Respond and Recover – that serve to frame best practice guidance. The NIST CSF is explained here. Zix uses the NIST CSF as a benchmark framework for its security and compliance program.
SOC2
The American Institute of Certified Public Accountants (AICPA) Service Organization Control Type 2 Report (SOC2) validates the effectiveness of a company's operational controls. The following component systems are reviewed: infrastructure, software, data, people, and procedures. Prior to issuing the certification to Zix, a third party reviewed key features of Zix’s security program. The report is provided in our Diligence Kit.
Security: The reviewed system is protected against unauthorized access, use, or modification to meet the entity’s commitments and system requirements.
Commitment to Competence
- Competence levels for particular positions are considered and required skills and knowledge levels are included in written position requirements.
- Candidates are assessed to determine whether they possess the prerequisite level of competence to hold the position.
- Background checks are performed by a third-party investigative agency in accordance with provisions of the Fair Credit Reporting Act for all prospective employees.
- New employees are required to complete security and confidentiality training upon hiring in addition to undergoing background checks that are conducted by a third party.
- Existing employees are required to complete security and awareness training on a recurring basis.
- Training courses are provided to new and existing employees in order to maintain and advance the skill level of personnel.
- Training materials are subjected to review and approval on a quarterly basis and when changes to confidentiality related procedures occur.
- Performance evaluations are completed regularly, and results are retained in the employee’s personnel file.
- Terminated employees’ access is communicated and removed in a timely manner.
Application Controls
- Privacy statements documenting description of services, information sharing and disclosure, security, user requirements and information collection and use practices.
- Media disposal procedures addressing the secure disposal of hardcopy and electronic media.
Board of Directors and Audit Committee Participation
- A board of directors has oversight over management activities and meets on a quarterly basis.
- An internal audit team is in place to guide the activities of the internal audit program and results of self-assessments.
- Steering Committee monitors operations to help ensure activities are in accordance with IT governance, risk and compliance requirements.
- Steering Committee reviews and approves corporate policies and procedures.
- IT security administrator performs a system security and availability review on a quarterly basis.
Physical Security
- Limited access for identified systems to individuals with job responsibilities requiring access.
- Badge access card requirements, coupled with biometric device authentication, for access to data center infrastructure.
- Data center entrances monitored by operations personnel.
- Facility activity monitored by surveillance cameras.
- Facility access controlled by badge access.
Information Security
- Personnel supporting services are assigned specific roles and responsibilities, with Data Center, operations, security and network management roles having more rigorous requirements.
- Policies and procedures for classification, labeling, and handling of data.
- Users with access to client systems must sign acknowledgement forms.
- Access is restricted to individuals with job specific responsibilities.
- Users must authenticate themselves via user account, passphrase, and a second authentication factor (2FA).
Data Communications
- Firewall configured to filter unauthorized traffic.
- Events analyzed for intrusion detection.
- Network vulnerability assessments and external scans performed on regular basis.
- Logs and events monitored by the Security Operation Center (SOC).
Availability: The system is available for operation and use to meet the entity’s commitments and system requirements.
Environmental Integrity
- Redundant air conditioning units inspected on a regular basis by a third party.
- Redundant Uninterruptible Power Supply systems inspected on a regular basis by a third party.
- Back-up power systems.
- Fire detection and suppression controls, including a FM200 system, inspected by a third party on a regular basis.
Computer Operations
- Procedures for identifying and mitigating risks in the production environment.
- Redundant infrastructure for key components, such as ISP and load balancing.
- Mirroring of customer account data to alternate hot site locations.
- Documented audit and restoration of applicable backup data regularly performed.
Incident Management and Monitoring
- Procedures for responsibilities, security levels and escalations.
- Commercial support ticketing system manages incidents and responses.
- Consistent monitoring for availability and incidents.
- Root Cause Analysis for incidents.
Business Continuity: The entity has policies and procedures for business continuity and recovery, including for pandemic risk.
The Zix program adopts recommendations from the Computer Security Incident Handling Guide, Special Publication 800-61 revision 2, published by National Institute of Standards and Technology (NIST). Zix procedures include:
Disaster Recovery Plan (DRP)
- Immediate Response
- Emergency Response.
- Initial Notifications.
- Initial Damage Assessment.
- Incident Declaration.
Recovery Process
- Recovery Organization.
- Recovery Coordination Team.
- Business Crisis Management Team.
- Operations Recovery Team.
- Information Systems Continuity Team.
- Client Services Continuity Team.
Pandemic Preparedness Plan (PPP)
- Planning.
- Preparedness.
- Response.
- Recovery.
Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity’s commitments and system requirements.
Systems Maintenance
- Standard server builds for installing hardware and software.
- Patch management procedures.
Change Management
- Formal documentation of changes to system configurations, software, hardware, network components and maintenance.
- Emergency response and resolution procedures, supported by automation tools.
- Specialized tools for change request, customer contact, user support and problem tracking.
- Segregation of duties to ensure organization for development, quality assurance, and staffing.
- Change request documentation for requests, authorization testing and approval of changes, supported by a commercial tracking system workflow.
- Development and test environments are physically separated from the production environment.
- Regular meetings to discuss production issues.
Confidentiality: Information designated as confidential is protected to meet the entity’s commitments and system requirements.
Application Controls
- Privacy statements documenting description of services, information sharing and disclosure, security, user requirements and information collection and use practices.
- Media disposal procedures addressing the secure disposal of hardcopy and electronic media.
Control Environment
- Maintain a control environment that reflects the importance of controls, with an organizational structure, separation of job responsibilities, and documentation of relevant policies and procedures.
Integrity and Ethical Values
- Integrity and ethical values are key elements of the control environment.
The SOC2 third-party review also covered:
Risk Assessment
- Assessing sufficiency of corporate policies, procedures, and systems.
- Identifying potential risks.
- Determining the level of severity for identified risk factors.
- Identifying potential sources of risk and recommending mitigations.
- Monitoring and evaluating the operating effectiveness of existing controls considering changes in the company and surrounding circumstances.
- Monitoring the regulatory environment.
Monitoring
- Management oversees the quality of its internal control performance, using regular “key indicator” reports and supporting third-party monitoring solutions.
- Formal policies and procedures designed to ensure compliance, and redress violations and suspected violations.
Information and Communication
- Policies and procedures are communicated through orientation training, ongoing training, and other messaging such as emails and meeting presentations.
Description of Complementary User Entity Controls
- Maintenance of complementary control considerations, which include additional requirements such as parameters for password use.
ISO 27001
Designed by the International Organization for Standardization (ISO), ISO/IEC 27001:2013 (ISO 27001) specifies the requirements for an information security management system. The ISO requirements cover 35 main security categories and 114 controls. To earn the certification, a third party must validate compliance with the following areas:
Information security policies
- Management direction for information security.
Organization of information security
- Internal organization.
- Mobile devices and teleworking.
Human resource security
- Prior to employment.
- During employment.
- Termination and change of employment.
Asset management
- Responsibility for assets.
- Information classification.
- Media handling.
Access control
- Business requirements of access control.
- User access management.
- User responsibilities.
- System and application access control.
Cryptography
- Cryptographic controls.
Physical and environmental security
- Secure areas.
- Equipment.
Operations security
- Operational procedures and responsibilities.
- Protection from malware.
- Backup.
- Logging and monitoring.
- Control of operational software.
- Technical vulnerability management.
- Information systems audit considerations.
Communications security
- Network security management.
- Information transfer.
System acquisition, development and maintenance
- Security requirements of information systems.
- Security in development and support processes.
- Test data.
Supplier relationships
- Information security in supplier relationships.
- Supplier service delivery management.
Information security incident management
- Management of information security incidents and improvements.
Information security aspects of business continuity management
- Information security continuity.
- Redundancies.
Compliance
- Compliance with legal and contractual requirements.
- Information security reviews.