Security

 

Security at IT Weapons

Service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. IT Weapons has been audited under the Statements on Standards for Attestation Engagements (SSAE) No. 18, Reporting on Controls at a Service Organization, since 2010.

IT Weapons currently maintains a SOC 2 Type 2 report. The SOC 2 Type 2 is an in-depth, security-focused audit that attests to the controls we have in place governing the security and availability of customer systems and data. Our controls map to Trust Service Principles (TSPs) established by the American Institute of Certified Public Accountants (AICPA).

Human Resources

Criminal background checks are performed before an employee joins IT Weapons and periodically after that. All employees are bound by confidentiality agreements that remain binding during and after employment.

All employees receive security awareness training upon hiring and complete ongoing monthly training.

Physical Security

IT Weapons’ private cloud is hosted within two Canadian data centres that provide 24/7 infrastructure management and high availability.

Video Surveillance and Access Monitoring

  • Building access points monitored 24/7
  • Identity management is used to control entry to all ITW Facilities
  • Security guard on site 24/7
  • Video monitoring and image capture systems both inside and outside all ITW Facilities

Access

  • Approved employees access data centre facilities via electronic access systems
  • All visitors must sign in, provide picture identification and be accompanied by an ITW staff member who has the appropriate access to the facility

Environmental Controls

  • Redundant backup power generators, redundant UPS power, multiple HVAC units
  • Advanced fire detection systems, double lock pre-action fire suppression system, localized dry-pipe two stage water system
  • Raised or dual layer interstitial flooring

Information Security

Network Security

  • Redundant advanced firewalls providing dynamic anti-virus and anti-spam protection, intrusion prevention, application control and URL filtering
  • Proactive 24/7 monitoring
  • Multiple carrier fiber-based delivery Access Control, diverse fiber entry points to the building

Endpoint Protection

  • The use of advanced endpoint protection is required on all systems in the environment

Access Control

  • Principles of least privilege and segregation of duties are applied
  • Multi-factor authentication required for access to critical systems and remote access
  • IT Weapons’ employees access IT Weapons systems using individual credentials
  • Administrative rights are provided using a separate account per employee
  • Onboarding and offboarding processes are in place to ensure only required access is provided, and that all access is removed in a timely fashion when required

Operational Controls

Incident Management

  • IT Weapons maintains an incident management program that ensures incidents, including critical security incidents, are responded to appropriately, minimizing impact and downtime

Patch and Vulnerability Management

  • To ensure systems are at the current, secure operating system level, IT Weapons Windows systems are patched monthly
  • An ongoing vulnerability management program is in place, covering IT Weapons internal environment, to ensure vulnerabilities are identified, analyzed, prioritized, mitigated, and remediated

Change Control

  • All modifications to IT Weapons production systems fall under the Change Management policy, and adhere to ITIL best practices for change management

Risk Management

  • IT Weapons' risk management framework includes established processes to identify and consider the impacts of relevant risks
  • Annual risk assessments are performed, with tracking, periodic reporting and review ongoing

Backups and Disaster Recovery

  • IT Weapons Data Protection Services are used to back up all IT Weapons’ systems in our private cloud. Nightly backups are performed and sent to our secondary facility, which houses our off-site copies of all data.
  • Disaster recovery plans are maintained to ensure quick recovery of critical IT Weapons systems, and plans are tested annually
 

 


Last updated on September, 2025