IMO intellectual property and customer data, along with confidence in IMO’s ability to deliver our products and services without disruption, are critical to the success of our business. The purpose of the Information Security program is to provide a framework that ensures the protection of IMO information assets, as well as customers and business partners information stored in such systems, from unauthorized access, loss, or damage. Accordingly, this policy has been established to achieve these key objectives:
The safeguards are meant to protect the integrity, confidentiality, and availability of sensitive information, and to protect against any anticipated threats or hazards to the security or integrity of confidential information.
IMO has implemented specific policies and procedures that help to determine whether management’s directives are carried out. These control activities, whether automated or manual, have a range of objectives and are applied at various organizational and functional levels.
IMO’s internal controls provide reasonable assurance regarding the achievement of objectives in the following categories:
IMO has created an effective internal control system by establishing the following:
Each control is centrally documented and mapped to the appropriate regulatory and audit requirements (e.g., SOC2 and HIPAA) as well as to identified risks within the risk registry. The control is assigned an owner who is responsible for reviewing the effectiveness of the control on a semiannual basis. Owners are trained on the review process to ensure coverage and completeness of the established controls.
The internal controls captured are typically tied to an IMO policy published and visible to all IMO personnel. These policy documents are reviewed in parallel as part of the internal control review. As a result, IMO policies are reviewed and updated as appropriate on at least a semi-annual basis.
Access entitlements are established based upon business need and least privilege principle. Users are only provided with the absolute minimum access rights, permissions to systems, services, information, and resources that they need to fulfil their business role.
Access to IMO systems, third party applications, and product infrastructure is systematically managed through various system tooling and managed throughout the employee onboarding, offboarding and change ticketing process. Access to an information system requires the use of a unique user identifier in conjunction with an associated password and leverage multifactor authenticator (MFA).
On at least a semi-annual basis, IMO conducts operational reviews of user accounts tied to various systems including but not limited to:
IMO’s SDLC policy defines the change control process required for all software implementations that are evaluated to determine the potential effect on security, availability and processing integrity throughout the release life cycle. Teams responsible for those releases 1) define and get approval for the release scope, 2) develop, configure, and test the approved release, 3) track and obtain approval for the release deployment via the internal ticketing system, 4) notify stakeholders of the pending system change and 5) evaluates the release once deployed. This process applies to not only planned releases but also to emergency changes required to remediate identified incidents.
IMO’s Risk Management program is intended to provide continuous risk analysis and assessment across the enterprise as it pertains to its ability to meet the objectives of security, availability and processing integrity. A risk analysis may be performed whenever environmental or operational changes have occurred that might impact the system security. IMO takes reasonable steps to ensure the risk analysis is completed, documented, and remediated in accordance with the IMO Information Security Risk Management Policy. In addition, IMO may consider additional evaluations intended to assess operational compliance with other regulatory agencies (e.g., SOC2, HITRUST).
IMO has established a Risk Management Team (RMT) Team made up of key personnel across the organization who meet on at least a monthly basis and whose responsibility is to identify areas of risk within the organization. Risks are captured in the risk registry within a risk management tracking tool and assessed by the RMT. This assessment takes into consideration the likelihood that the risk will occur and impact the risk has on the organization in the event it does occur.
The RMT reviews and applies existing internal controls to the risks as appropriate. If the controls are sufficient to mitigate the risk, no additional action is required. If the controls do not mitigate the risk, the RMT ensures that the risk has appropriate ownership assigned, and a remediation plan in place (documented for tracking purposes) until the risk has been remediated. Risks, whether remediated or active, are reviewed by the RMT at least annually.
Business continuity and disaster recovery
Disaster Recovery and Business Continuity tests are performed on at least an annual basis based on the principle that production environments are considered live and as such are tested several times throughout the year when standard configurations are pushed out as part of periodic infrastructure replacement. Those activities are tracked, and issues identified are documented and remediated in a timely manner as appropriate.
IMO determines what data is required for backup based upon its criticality to the organization, its availability requirements, and is measured against defined Recovery Time Objectives. These backups are monitored, and, in the event of failures, teams are alerted to take the necessary steps to investigate, address the failure and ensure the appropriate measures are put in place to avoid future occurrences.
Software development life cycle (SDLC) and secure coding
Standard best practices are used throughout our software development cycle from design through implementation, testing, and deployment. All code is checked into a permanent version-controlled repository. All code changes require a code review and continuous integration testing to screen for potential security issues, in addition to regular static code analysis. All changes released into production are logged and archived, and alerts are sent to the engineering team automatically in the event of any application or infrastructure anomalies. Access to IMO source code repositories requires approval, strong credentials, and two-factor authentication.
Vulnerability management program
IMO performs vulnerability assessments and external penetration testing on a frequent basis. Software development includes static code analysis to mitigate vulnerabilities prior to promotion into production environments. Findings are evaluated, prioritized, and remediated whenever necessary.
In addition, IMO Managed Detection and Response (MDR) services strategy is implemented to manage, monitor, and provide visibility across environments. The MDR monitors and analyzes events to address possible intrusions and vulnerabilities to networks, endpoints, and cloud environments. In the event of an intrusion or anomaly is detected notifications are sent to the Information Security Team who is responsible for the telemetry and investigation of the findings. Progress on remediation and exemptions are systematically tracked, communicated, and metricized for stakeholder consumption.
No customer data persists on IMO endpoint devices. We apply the principle of least privilege in all operations to ensure the confidentiality and integrity of customer data. All access to systems and customer data within the production network is limited to those members of the workforce with a specific business need. Access is managed through IMO Active Directory and requires multi-factor authentication. A best effort is made to troubleshoot issues without accessing customer data; however, if such access is necessary, all actions taken by the authorized workforce member are logged. Upon termination of work at IMO, all access to IMO systems is immediately revoked. IMO monitors its systems for potential breaches of security.
Security incident response
IMO’s Incident management policy defines the structures, processes, protocols, and resources to respond to incidents that impact security, availability and processing integrity. Incident management controls are reviewed on at least a semi-annual basis.
Incidents detected by monitoring or other escalation are triaged by the alerted team who appoints an Incident Commander. The Incident Commander coordinates the appropriate actions for containment, communication of the ongoing status of the incident, estimated time of recovery, and mitigation activities, including remediating identified vulnerabilities, to ensure that the impact is minimized until a permanent resolution is achieved. Disaster recovery procedures are executed as appropriate to restore services in a timely manner. Information Security is informed of incidents and engaged in investigation as appropriate.
Incident detail is documented in a ticketing system for historical review. Following service restoration, a post mortem is conducted to review the incident in detail, identify root cause and potential trends, and implement process, technical or detective changes in a timely fashion necessary to prevent future occurrences.
Data center management
IMO leverages Amazon Web Services (AWS) data centers for all production systems and customer data. AWS offers state-of-the-art physical protection for the servers and complies with an impressive array of standards. The infrastructure in AWS is highly scalable, secure, and reliable. AWS complies with leading security policies and frameworks, including SSAE 18, SOC framework, ISO 27001, and PCI DSS.
Encryption and virus protection
Encryption technologies are used to protect information both at rest and in transit in accordance with requirements outlined within contracts and as required by applicable law.
IMO managed servers supporting products and endpoint devices are protected with Next-Gen (NGAV) antivirus solution to detect and intercept malware and are configured to alert the Information Security team in the event an anomaly is detected. Once notified, the team investigates the finding and collaborates with other stakeholders as appropriate who may be required to take action to remediate the threat and restore the asset to inventory once the threat has been verified as contained.
IMO has developed and made available to its employees’ information security policies to establish guidelines on expected behavior and responsibilities as it pertains to security, availability, and processing integrity. These policies are generally created in concert with IMO’s established internal controls. They are designed to be built into everyday operations across the entire organization as part of procedures and processes necessary to manage tasks efficiently. In the event issues arise as part of the execution of the controls, employees escalate to the control owner for review and investigation.
IMO makes the information security policy documents available for review by members of its workforce. Each workforce member will:
IMO workforce members are required to comply with this, and all other policies and procedures established by the Company from time to time. Additional detail and considerations for a workforce member’s failure to comply is outlined in the IMO Workforce Compliance Policy.