Your data security and privacy are a top priority for Core Strengths, and we value your trust in our service offerings.
Security is Our Top Priority
Security and Privacy are at the center of how we continue to enhance customer trust. Core Strengths invests heavily in protecting the confidentiality, integrity, availability, security, and privacy of customer data. Core Strengths continuously assesses and implements additional measures to help improve our security program and address the ever-changing threat landscape.
Active Security Management
Core Strengths has an active ISMS (Information Security Management System) Team. The Executive leadership actively engages with the ISMS Team, and the Core Strengths Board is provided with updates on security threats, hygiene, and the maturity of the Information Security Management System.
Core Strengths holds an ISO 27001 certification as well as Privacy Shield and Cyber Essentials certification. We continue to pursue and achieve robust industry accreditations and certifications.
Shared Security Model
Core Strengths uses a number of AWS services to provide a tiered security model. AWS (Amazon Web Services) has certification for compliance with ISO/IEC 27001:2013, 27017:2015, and 27018:2014. Their compliance with these internationally-recognized standards and code of practice is evidence of their commitment to information security at every level of their organization. The AWS security program is in accordance with industry-leading best practices.
Certifications, standards & regulations
Protecting your company and employee data is our top priority. We earn your trust every day by complying with international privacy, security, and confidentiality protocols, regulations, and requirements.
Core Strengths has an Information Security Team that ensures that both Core Strengths service offerings and our customers’ data are kept secure and private.
Information Security Program
The risk-driven Information Security Program includes administrative, technical, and physical safeguards to align with applicable requirements, standards, and best practices.
Suite of Safeguards
Core Strengths maintains a comprehensive suite of information security policies that is regularly reviewed, updated, and approved on a predefined schedule or in response to new security-related threats and issues.
The Foundation of Core Strengths’ Security
Core Strengths periodically conducts industry-standard security risk assessments to identify, analyze, monitor, and respond to risk.
Our multi-faceted approach to risk management also includes using multiple sources of input, such as vulnerability assessments, penetration testing, and other forms of security review.
Risk treatments are strategically planned and prioritized with key stakeholders to ensure alignment with security and business objectives. Cross-functional collaboration with the ISMS is integral in reviewing and managing information security risk.
The Core Strengths Information Security Management System (ISMS) Team is a governing body consisting of executive and senior-level management representatives at Core Strengths. The ISMS Team meets regularly to advise on, prioritize, and enable the Information Security Management System.
Processes and policies are in place to ensure the security of our employees throughout their Core Strengths journey.
Keeping our customers’ data secure and private is a top priority at Core Strengths.
We follow industry-standard SDLC (Software Development LifeCycle), which includes OWASP best practices.
Monitoring & Response
Monitoring mechanisms and response procedures are managed to enable awareness and resilience in the face of security threats.
Independent penetration testing and automated testing in our secure development practices are conducted to enable the identification and mitigation of vulnerabilities.
Explore our Frequently Asked Questions section for answers and details to some of our customers’ common inquiries.
Core Strengths maintains established policies and procedures designed to standardize employee onboarding and offboarding, which is a part of an Employee Lifecycle Management system that maintains a living record of events associated with each employee throughout their tenure with Core Strengths. Background checks are performed on new hires in accordance with the Core Strengths hiring procedure prior to onboarding. Confidentiality agreements and terms of acceptable use are in place for each party concerning their role and area of responsibility.
To promote a culture that enables members of the Core Strengths workforce to safeguard data and information securely, Core Strengths maintains a comprehensive Security Awareness Training program to address general and role-based security training. Core Strengths uses an LMS to deliver appropriate training to our employees. The LMS tracks the training modules each employee has reviewed and the results of the tests that demonstrate their understanding.
Aside from onboarding-related training, every employee is required to complete annual training that covers new and emerging security and privacy considerations and refreshes their general awareness.
All security policies that comprise our ISMS are communicated internally and available for reference in a centralized location. Known policy violations follow an established disciplinary and enforcement process that, at its most stringent, could result in employment termination.
Core Strengths data is encrypted at rest and in transit using industry-standard ciphers and methods. This includes the use of AES-256 and TLS encryption ciphers. Encryption keys are stored securely with limited access. Advanced encryption is applied to various application infrastructure layers, including disk, application, and database encryption. Sharing of encryption keys is prohibited, and essential management procedures are reviewed on an annual basis.
Core Strengths provides a number of mechanisms to help customers keep their data secure and control access. This includes a series of controls based on the principle of least privilege. Our Relationship Intelligence Platform is fully responsive across desktop, laptop, and mobile devices. Security event and audit logs are collected and monitored to detect and respond to anomalous behavior.
Multi-factor authentication (MFA) is required for Core Strengths employees to access information systems and resources. Access is controlled through a central directory system, with access limited and granted based on the principle of least privilege.
Our Relationship Intelligence Platform delivers a user-friendly experience through the implementation of role-based access features.
Our Relationship Intelligence Platform is built on isolated, private networks using security groups and firewalls within virtual private clouds (VPCs). All inbound and internal traffic is restricted to specific ports across a limited group of machines. Traffic rates, sources, and types are actively monitored at various points in the network beyond ingress and firewalls. Core Strengths logically isolates customer data using application container technology and unique identifiers, which ensures that access to customer data is limited to that customer only.
Customer data will be deleted upon written request. In general, customer data is retained as needed to satisfy data classification and external requirements.
Core Strengths analyzes the application source code to identify bugs, technical debt, and security vulnerabilities. The Engineering Team adheres to strict scoring criteria to ensure not only the security of the code in our products but its quality as well.
Core Strengths analyzes project dependencies to determine vulnerabilities. Strict scoring criteria prevent code containing vulnerable dependencies from being promoted into production until the vulnerable dependencies can be fully mitigated.
Core Strengths runs automated web application scans against the platform frequently. This allows for bugs, common exploits, security vulnerabilities, and issues to be discovered early in the development process. By automating this approach, Core Strengths can improve the quality and security of our service offering to our customers.
Core Strengths performs a vulnerability assessment on all container images to detect any vulnerable software running on a given container.
In alignment with industry best practices, Core Strengths has developed a baseline of source code control standards to provide proper hygiene around code repositories supporting our service offering. These standards have been developed to span the company. Standards being enforced include but are not limited to role-based access control, least privilege, code & repository ownership, segregation of duties, branch protections, and secrets management.
Security Monitoring and Response
Core Strengths’ security logs are collected, aggregated, and correlated using a centralized security information and event management (SIEM) solution. Industry-standard log protection mechanisms are in place to ensure the integrity of the logs generated.
Core Strengths has security incident response procedures in place and a designated Incident Response Team to respond immediately in the event of a security breach. These procedures cover roles and responsibilities, investigation, communication, event logging, and the mitigation actions to be taken.
Availability of data is protected through the use of data replication and backup services provided by AWS. Full data backups are captured on a nightly basis according to a defined schedule.
Business continuity and disaster recovery plans and processes are maintained for responding to an emergency or adverse event that could damage Customer Data or production systems that contain Customer Data. Data restore testing exercises are undertaken annually employing methodologies based on best practices.
Core Strengths leverages third parties for independent penetration tests of our applications, services, and businesses as a whole. These have resulted in continuous updates to our environment and processes for improving security and reliability. These assessments are part of ongoing compliance and security requirements to maintain Core Strengths as a trusted provider of services.
1. Initial onboarding & data load
The onboarding of Core Strengths Relationship Intelligence Platform users is by invitation only: an invitation link is sent to specific individuals who are manually added.
Core Strengths requires members to provide first name, last name, email address, and (optionally) job title to create an account on the Core Strengths Platform.
Core Strengths does not bulk-import or export any customer data. Users of the Relationship Intelligence Platform establish an account by invitation and provide their data to us themselves. This is done via a secure browser session that uses a TLS 1.2 connection with AES 256-bit end-to-end encryption.
2. Data protection
Data is encrypted in transit and at rest using industry-standard ciphers and methods. This includes the use of AES-256 and TLS encryption ciphers. Encryption keys are stored securely with limited access using Key Management Services (KMS) that AWS fully manages.
The Core Strengths Relationship Intelligence Platform is a multi-tenant system and does not support Bring-Your-Own-Key (BYOK) for customers. Advanced encryption is applied to various application infrastructure layers, including disk, application, and database encryption.
Asset disposal and repurposing follow the process and procedure outlined in our Asset Management Policy, which is part of our ISMS. An independent auditor has validated the existence of this policy and the related controls as part of the ISO 27001 certification audit. Upon a customer’s written request for data erasure, Core Strengths shall remove the customer’s data within thirty (30) days of the request. Unless otherwise instructed or required by applicable law, Core Strengths will retain customer data in perpetuity. Upon request, Core Strengths will provide a log or copy of the data that was deleted.
Cloud-Based (AWS) Media
When AWS determines that media has reached the end of its useful life or it experiences a hardware fault, AWS follows the techniques detailed in Department of Defense (DoD) 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST SP 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process. Please refer to the AWS website for more information: https://aws.amazon.com/compliance/data-center/controls/
Customer data is hosted in an AWS data center located in N. Virginia with AWS designation us-east-1.
Core Strengths is a multi-tenant platform, and customer data is logically segregated using application code, role-based access control, and various other technologies.
3. Access controls
Not at this time. However, Core Strengths is in the process of implementing a service that will offer our customers many new capabilities, including SSO.
Passwords are hashed using secure algorithms such as bcrypt.
No. Requests for any role changes must be made by enlisting the help of Core Strengths Customer Support.
Customers can submit an account termination request by e-mailing the Core Strengths support team at email@example.com.
Core Strengths has automated off-boarding for our internal employees and contractors.
Core Strengths uses the principle of least privilege to limit access on a need-to-know basis. Access to customer data is limited to a specific group of individuals based on role and job responsibilities, such as Customer Support and Production Support Engineers. Core Strengths uses a Role-Based Access Control (RBAC) model.
Core Strengths performs quarterly reviews of access to the Relationship Intelligence Platform and managed resources to ensure that employee access is appropriate. Any issues identified as a result of the review are communicated and resolved.
Yes. Core Strengths uses Multi-Factor Authentication (MFA) to authenticate employees that have direct access to Core Strengths’ owned and managed resources. Employees are required to use MFA for key application and privileged access.
4. Security logging & monitoring
Yes! Core Strengths has an ISMS in place.
Yes. Core Strengths has a DLP solution.
Core Strengths uses the AWS service CloudWatch for logging and monitoring. CloudWatch provides data and actionable insights that we use to monitor our application, respond to system-wide performance changes, and optimize resource utilization. CloudWatch collects monitoring and operational data in the form of logs, metrics, and events, giving us a unified view of operational health and complete visibility of our AWS resources, applications, and services.
No. Core Strengths is a multi-tenant system, and logs are not made available.
5. People security
Yes. Core Strengths has contracted an external agency to perform a background check for all its employees. The vendor and the reports they generate are managed by the Human Resources function and include the following:
- An identity check
- A criminal record check
- Verification of education qualifications or other skills claimed
- A debarment check, where required
- Verification of entitlement to employment through the use of work permits or similar documents
- Previous employment reference check
- Verification of dates of employment claimed for the previous five (5) years.
Third parties are required to perform background checks for their employees as part of the service contracts.
Yes. Core Strengths requires all employees to acknowledge an Acceptable Use Policy (AUP).
Yes. The violations, enforcement, and potential disciplinary actions are defined in our Information Security Management System. These policies are easily accessible to all employees.
The Core Strengths Information Security Management System (ISMS) and all related policy documents are published in a company-wide-access G Suite directory. To ensure that security and privacy remain important topics spanning all day-to-day activities, formal training and tests on the materials are mandated as part of the onboarding process and for all employees on an annual basis.
6. Vulnerability management
Yes. We perform annual penetration tests that include vulnerability testing and OWASP compliance testing. This annual test is performed by Cobalt, an outside third-party company specializing in such testing and audits.
Core Strengths utilizes a number of AWS services to complete our security model. Among the services we utilize are Amazon Inspector and Amazon GuardDuty.
Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure.
Amazon GuardDuty identifies unusual activity, analyzes its security relevance, and provides the context in which it occurred. This allows the Core Strengths Team to decide whether further investigation is warranted and to determine the steps to be taken to mitigate recurrence.
7. Security incident response
No. Core Strengths is a multi-tenant system, and all impacted customers will be notified of confirmed security breaches.
No. Core Strengths does not provide a separate SLA for security incident response. The SLA associated with incident response will be in accordance with our generic SLA or in accordance with a customer-specific MSA.
8. Business continuity management
Full backups of the Core Strengths Relationship Intelligence Platform are performed daily by an automated process.
Core Strengths is happy to provide uptime information upon request.
9. Mobile app security
No. Core Strengths does not store credentials on the mobile device.
No. Any user with access to the Apple App Store and/or Google Play Store will be able to download the Core Strengths mobile app.
10. Endpoint security
Yes. Core Strengths owned and managed laptops provisioned to the Engineering Team are encrypted.
Yes. Currently, Core Strengths employees do have local admin privileges and are required to acknowledge an Acceptable Use Policy.
Core Strengths uses the anti-malware functionality contained within Amazon GuardDuty.
Yes. All employees must adhere to the mandatory policies governing Acceptable Use and use of external mass storage devices.
Yes. Core Strengths will honor any valid request to delete data that is made in writing. Permanent deletion of data will occur within 30 days of receipt of the written and validated request.
11. Encryption key management
No. The Core Strengths Relationship Intelligence Platform is a multi-tenant system, and BYOK is not supported.
Core Strengths takes advantage of the fully-managed key management service from AWS, known as Amazon KMS.
12. Third-party risk management
Yes. Core Strengths relies on a single third party in the delivery of our Relationship Intelligence Platform. That vendor is Amazon Web Services (AWS). AWS has certification for compliance with ISO/IEC 27001:2013, 27017:2015, and 27018:2014. These certifications are performed by independent third-party auditors. AWS’s compliance with these internationally recognized standards and codes of practice is evidence of its commitment to information security at every level of its organization and that the AWS security program is in accordance with industry-leading best practices.
13. Service level agreements (SLAs)
Yes. We provide Service Level Agreements in our contracts/agreements.
Yes. During business hours for the local geography, we are staffed with Customer Support Representatives (CSRs) that accept telephone, email, and chat-based inquiries. During after-business hours, customers can leave voice messages or use an automated Chat functionality that automatically creates a Support Case within our case management system. In both instances, a CSR will reach out the next business day to address the inquiry.