Security by design

Security aspects are embedded from the early stages of design, development and implementation of every technology system within CPA Global to ensure highly secure, reliable and robust products for clients. The standards provide a consistent framework for all our technology professionals to identify all threat vectors, vulnerabilities and control weaknesses throughout the product development lifecycle. Instead of treating security as an afterthought, security by design offers a proactive and prescriptive response that is entrenched in the very DNA of CPA Global.

Design References

Early consideration of cyber security and compliance aspects during the design and development phase of our information systems or products not only helps to avoid present and future vulnerabilities but also reduces redesign and problem-solving costs. Instead of treating security and compliance as an afterthought or a tail-end task to projects, security and compliance by design offers a proactive and prescriptive response that is entrenched into the very fabric of how CPA Global designs its technology solutions.

Cyber Security and Engineering teams at CPA Global produce design references as architecture frameworks and checklists to define the key requirements for embedding security and compliance by design principles in technology acceptance, system design and development processes. These include, but are not limited to, application security controls, data encryption standards, cloud design reference architecture, etc.

Secure Software Development

CPA Global has a defined Secure Software Development Lifecycle which is based on Microsoft’s Secure Development Lifecycle (SDL) for software development. All releases undergo several levels of security assessments prior to product deployment. Through controls like Establish Design Requirements, Analyze Attack Surface, and Threat Modeling, the Security Development Lifecycle helps CPA Global identify potential threats while running a service and the exposed aspects of the service that are open to attack.

The software is assessed for exposure to a variety of both common and complex attack types and vulnerabilities. The quality assurance process at CPA Global for every feature and/or patch release incorporates security-specific test plans around input validation, processing and output sanitization controls including access control, password control, administrative privileges, end-user role privileges, data access rules, and cross-customer data security.

Static Application Security Testing (SAST) of source code is the initial line of defence used during the product development cycle. CPA Global’s security team uses HP Fortify and Checkmarx tools for end-of-sprint-cycle tests, which are conducted by a dedicated in-house team of application security experts. Veracode is being actively deployed across products in a continuous testing mode to conduct SAST and Dynamic Application Security Testing (DAST) on each code commit made by the developers during the sprint cycle.

CPA Global utilizes third-party services to conduct annual network and application security assessments to identify security threats and vulnerabilities. Formal procedures are in place to assess, validate, prioritize, and remediate identified issues.

Security Operations

All design references require our information systems and products to generate exception logs, enable auditing and log activities in order to detect suspicious behaviour that could be an early indication of a full-blown attack. The logs also help address the repudiation threat, where users deny their actions.

CPA Global runs a 24x7 cyber security operations (SOC) team which monitors all threats, events and exceptions from logs captured through a Security Incident and Event Management (SIEM) tool. The logs collected through the SIEM are encrypted end to end and are correlated with threat intelligence databases for anomaly detection and possible threats to the product or hosted environment. The team also subscribes to vulnerability notification systems to stay apprised of security incidents, advisories, and other related information. On notification of a threat or risk, it initiates actions in collaboration with the cloud operations team once it is confirmed that a valid risk exists, that the recommended changes are applicable to service environments, and that the changes will not otherwise adversely affect the services. Access to logs is restricted and defined by policy, and logs are reviewed on a regular basis. The SOC team also conducts audits of cloud-hosted assets using automated vulnerability assessment tools.

Security Incident Response

CPA Global has a well-documented Cyber Response Framework which establishes the policy and procedures to manage security incidents leading to a suspected or confirmed data breach or compromise. The policy requires incidents to be effectively reported, investigated, and monitored to ensure that corrective action is taken to control and remediate security incidents in a timely manner.

Incident handling and management roles and responsibilities have been defined for the management of incidents. The framework outlines the steps to be taken to minimize the impact of a security incident, to investigate why, how and when it happened, to identify any weaknesses and to apply appropriate measures to reduce security risks to an acceptable level.

Security Operations & Incident Managers are responsible for overseeing investigation and resolution of security and privacy incidents with support from other functions. An escalation and communication plan to notify Privacy, Legal or Executive Management in the event of a security incident has been established.

Clients are notified within 24 hours in the event of a confirmed breach and 48 hours for a suspected breach.

More information

APPLICATION SECURITY CONTROLS

HOSTING SECURITY

SECURE SOFTWARE DEVELOPMENT

SOFTWARE SECURITY VULNERABILITY MANAGEMENT
