The Ledger

A digital finance blog

Posted by Chandra Kulkarni

Security at every step

The importance of cyber security and secure product development cannot be overstated. Frequent news reports of data breaches and the rise of cyber-crime ensure that the topic is common in both our personal and professional lives.

At Aptitude Software, security is front and center in every aspect of our product lifecycle. From product design to third-party service provider management to our marketing practices, our processes are designed to ensure the confidentiality, integrity and availability of data. Today, we’ve asked our Head of Information Security, Chandra Kulkarni, to take over the blog and share his thoughts on how Aptitude ensures all our products are secure by design.

Secure Products

When it comes to product design, security cannot be an afterthought. To make sure security best practices are a foundational consideration in the development of any product, our teams follow a secure development approach to product planning, design, build, testing and deployment that considers the security of the application at every stage of the Software Development Life Cycle (SDLC) process.

We utilize the OWASP Application Security Verification Standard (ASVS), which provides a basis for testing our web application technical security controls and gives our development team a list of requirements for secure development. This approach keeps security at the forefront of the design and maintenance of an application throughout its lifecycle.

Our team uses state-of-the-art static and dynamic testing tools for scanning, which reduces risk exposure by identifying vulnerabilities early in the SDLC process. Our cloud-based SaaS solutions are continuously monitored for vulnerabilities in production, and we utilize formal information security management policies, procedures and controls to ensure the confidentiality, availability and integrity of client data. Our SaaS solutions also undergo annual penetration testing by third-party testers, and our security controls are tested by independent auditors during our semi-annual SOC audits.

Secure Service Provider Partnership

We offer the Aptitude Lease Accounting Engine and Aptitude RevStream as SaaS solutions, and ensuring that our cloud service providers are best-in-class when it comes to security is paramount.

Our Infrastructure Management Services partner, Apps Associates, and our Cloud Hosting Provider, AWS, utilize industry-leading security practices and have documented security controls and processes, which are attested by various independent certifications and audits. Our partnership with AWS ensures we have geographically separate data centers through AWS Regions and Availability Zones. This geo-redundancy is often a key requirement for clients who need assurance regarding our robust data recovery plan. An additional advantage is the option to host a client instance entirely within North American or International AWS regions in Europe (for certain SaaS solutions) to satisfy the data storage regulatory requirements of our global client base.

“We are now able to provide high performing cloud offerings to our customers with all the necessary controls, security, and improved failover rate and disaster recovery that they would expect from a cloud provider that manages financial data.” Mark Aubin, Chief Innovation Officer, Aptitude Software.

Incident Response

As a global company working with leading clients in highly regulated industries such as insurance, financial services and telecommunications, we have a formal Incident Management Process. With our multiple locations globally, we can respond to internally or externally reported security incidents rapidly to resolve issues and mitigate the risk. From Poland to London to Boston to California to Singapore, our team is always ready to deal with such events.

Our incident response processes are audited during our SOC audit and we have formal organizational processes to ensure that the highest level of management is involved in the triage, escalation and resolution of incidents where required.

Independent Attestations

Our SaaS solutions are audited by an independent third-party SOC auditor, and the SOC reports for these audits are published every 6 months. Each SOC report typically covers 12 months of activity (where applicable). One of the key benefits of our software is the auditability of data. Our products track and log each entry, change, adjustment or deletion performed by users. Further, all products contain significant forensic analysis features. If transactions were made within our application, then a traceable audit trail is available through summary reports or lookups.

We have produced a series of blogs on this topic if you are interested in more detailed information.

Does Your Revenue Software Need a SOC 1 or SOC 2 Report?
Why a SOC Report is Not a SOC Certificate
SOC 1, SOC 2, Type 1, Type 2. Which SOC Reports Matter to Revenue Recognition?

GDPR and Privacy Management

Aptitude Software products generally do not store or process personal data. However, as a global company, we control or process various types of employee and third-party personal data. We are compliant with global regulations governing such personal data, including the General Data Protection Regulation (GDPR) in Europe. We also comply with regional personal data requirements mandated by regulators in the United Kingdom, Poland, North America and Singapore.

If you have more questions about our Security program or practices, please view our Security Trust Center web page or reach out to our security team at: information-security@aptitudesoftware.com
