Information Security Program

Overview
The privacy and security of IMO intellectual property and customer data, along with confidence in IMO's ability to deliver our products and services without disruption, are critical to the success of our business. The purpose of this program is to provide a security framework that ensures the protection of IMO information and systems, as well as the customer and partner information stored in such systems, from unauthorized access, loss, or damage. Accordingly, this program has been established to achieve these key objectives:

  • To communicate a general approach to information security.
  • To detect and prevent compromises of information security, such as misuse of data, networks, computer systems, and applications.
  • To protect the reputation of the company with respect to its ethical and legal responsibilities.
  • To respect the rights of customers, in part by providing effective mechanisms for responding to complaints and queries concerning real or perceived non-compliance with this policy.

The safeguards set forth in this program are meant to protect the integrity, confidentiality, and availability of sensitive information, and to protect against any anticipated threats or hazards to the security or integrity of sensitive information.

For the purpose of this program, sensitive information is any information whose loss, alteration, misuse, or disclosure could adversely affect the interests of IMO, its employees, customers, partners, or relationships. By default, this includes any such information held by IMO, whether or not that information is subject to legal protection or restriction.

Specific examples of sensitive information are:

  • Credit card, bank statement, or other financial information
  • Personally identifiable information (PII) pertaining to individuals (employees, customers, applicants, vendors)
  • Protected Health Information (PHI) as defined by HIPAA (Health Insurance Portability and Accountability Act of 1996)
  • Proprietary and/or copyrighted data, such as source code and other intellectual property assets
  • Confidential legal or financial data

Policy
IMO has implemented specific policies and procedures that help ensure management's directives are carried out. These control activities, whether automated or manual, have a range of objectives and are applied at various organizational and functional levels.

Internal controls
IMO’s internal controls provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

IMO has created an effective internal control system by establishing the following:

  • Policies and procedures
  • Segregation of duties and responsibilities
  • Change management, authorization, and approval process
  • Performance monitoring and control procedures
  • Asset management program
  • Internal control assignment and review
  • Regulatory compliance and risk management

These controls are documented in a governance and compliance enterprise application. Each control activity is mapped to the applicable regulatory and audit requirements (e.g., SOC 2 and HIPAA) and to the identified risks in the risk register. Each control activity is assigned an owner who is responsible for reviewing the effectiveness of the control semiannually. Owners are trained on the review process to ensure coverage and completeness of the established controls.

Access controls
Access entitlements are granted based on business need and the principle of least privilege. Users are provided only the minimum access rights and permissions to systems, services, information, and resources that they need to fulfill their business role.

Access to IMO systems, third-party applications, and product infrastructure is managed centrally through a combination of directory services and single sign-on, with entitlements granted, changed, and revoked through the employee onboarding, offboarding, and change-ticketing process. Access to an information system requires a unique user identifier together with its associated password and a multi-factor authentication (MFA) factor.

Risk management
The IMO Risk Management Team includes representation from the following departments:

  • Information Security
  • Legal and Compliance
  • Human Resources
  • Finance
  • Software Engineering
  • Product Management

The Risk Management Team discusses findings and recommendations resulting from the periodic reviews with the relevant IMO personnel. IMO's security practices are evaluated to determine where improvement is necessary to limit risk, including, but not limited to, ongoing security awareness training; organizational compliance with regulations; security policies and procedures; methods for detecting and preventing security system failures; and the upgrade of safeguards where necessary. This process includes business impact assessments, classification, and risk mitigation, in addition to the vendor risk management program.

Business continuity and disaster recovery
The objective of the Business Continuity Plan is to coordinate the recovery of critical business functions in the event of a disaster or any incident affecting IMO's services or IMO's ability to conduct operations. In line with industry best practices, IMO has developed a Disaster Recovery Plan for its SaaS service. This plan is updated as appropriate and tested for assurance annually.

Software development life cycle (SDLC) and secure coding
Standard best practices are applied throughout the software development life cycle, from design through implementation, testing, and deployment. All code is checked into a permanent, version-controlled repository. Every code change requires a code review and must pass continuous integration testing, which screens for potential security issues, in addition to regular static code analysis. All changes released into production are logged and archived, and alerts are sent to the engineering team automatically in the event of any application or infrastructure anomaly. Access to IMO source code repositories requires approval, strong credentials, and two-factor authentication.

Vulnerability management program
IMO performs vulnerability assessments and external penetration testing on a regular basis. Software development includes static code analysis to identify and mitigate vulnerabilities before code is promoted into production environments. Findings are evaluated, prioritized, and remediated as necessary.

Data management
No customer data persists on IMO laptops. We apply the principle of least privilege in all operations to protect the confidentiality and integrity of customer data. Access to systems and customer data within the production network is limited to those members of the workforce with a specific business need. Access is managed through directory services and requires multi-factor authentication. A best effort is made to troubleshoot issues without accessing customer data; where such access is necessary, all actions taken by the authorized workforce member are logged. Upon termination of work at IMO, all access to IMO systems is revoked immediately. IMO monitors its systems for potential security breaches.

Security incident response
Upon the occurrence of a security incident, IMO assembles a Security Incident Response Team and follows its incident response procedures. Following any actual or suspected security breach, the team conducts and documents a mandatory post-incident review. This review records the actions IMO took in response to the breach, including any changes IMO made to its business practices relating to the safeguarding of sensitive information.

Data center management
IMO uses Amazon Web Services (AWS) data centers for all production systems and customer data. AWS provides the physical protection for the underlying servers, and its infrastructure is highly scalable, secure, and reliable. AWS is audited against leading security standards and frameworks, including SSAE 18 (SOC reports), ISO 27001, and PCI DSS.

Encryption and virus protection
IMO uses AWS Key Management Service (KMS) to manage encryption keys and AWS Secrets Manager to manage application secrets. Data at rest and in transit is encrypted using the Advanced Encryption Standard (AES).

IMO uses VPN and other encryption technologies that meet or exceed industry standards at defined points of connectivity to protect data and communications in transit between the enterprise and users connecting to it, whether from within or outside its networks.

IMO installs antivirus software on all workstations, laptops, and servers that support it, covering devices that access the network both internally and externally. Storage on laptops, smartphones, and tablets is encrypted.

Antivirus software is configured to receive updated virus signatures daily.

Security awareness
IMO makes its information security policy documents available for review by all members of its workforce. Each workforce member will:

  • Promptly upon hiring or the provision of services, and annually thereafter, participate in training relevant to the IMO Information Security Program.
  • Have access to and follow privacy and security policies.
  • Report any suspicious or confirmed unauthorized access, use, or disclosure of sensitive information.
  • Comply with the Information Security Program at all times.
  • Be subject to disciplinary action for violation of this Program.

IMO provides a compliance hotline through which third parties can submit concerns anonymously. Cases are investigated, monitored, and documented throughout the resolution process.