SecureDawn Security Portal

Overview

SecureDawn is a product that enables teams to more efficiently convey their security posture to users of their products by automating the completion of security questionnaires and providing a framework to communicate with customers.   


SecureDawn was built by a team of security professionals with decades of experience providing security and software development services to startups, Fortune 100 organizations, the United States federal government, and the Department of Defense.

Risk Management

Vendor Management Review

Subcontractors do not have access to customer data, with the exception of AWS, whose security processes are outlined in the AWS SOC 2 report.

Approved Risk Management Program

SecureDawn periodically evaluates its compliance with security standards by conducting security risk assessments.

SecureDawn conducts a documented assessment of security controls at least annually. The assessment is conducted to determine the extent to which controls are implemented correctly, operating as intended, and producing the desired outcome. Technical and non-technical evaluations are also conducted periodically to identify any new risks or to determine the effectiveness of the Security Policies and Procedures.

Solution Security

Data Encrypted at Rest

SecureDawn configures all systems housing customer data to encrypt data at rest.  Data is encrypted using the AES-256 encryption algorithm with encryption keys managed by a key management solution.

Customer Data Removal

Customer data is removed from SecureDawn systems within 30 days of account deletion.

Single Sign On

SecureDawn currently supports GSuite authentication integration.

Our team is currently investigating implementing SAML.

Service Level Agreement

A service level agreement is available to enterprise tier customers.  Contact support@securedawn.com for more information.

Data Encrypted in Transit

All data transmitted and received by the SecureDawn platform is encrypted in transit using TLS 1.2.

Threat Management

Anti-Malware Policy

External Vulnerability Scanning

Internal Vulnerability Scanning

Vulnerability Management Process

Discovered vulnerabilities are patched according to their criticality on the schedule below:

  • Critical - within 24 hours

  • High - within 24 hours

  • Medium - within 7 days

Penetration Testing

Penetration testing is performed annually by the SecureDawn red team.

Privacy

Protected Health Information (PHI)

SecureDawn does not collect Protected Health Information.

Personally Identifiable Information (PII)

Our product collects the minimal set of information needed to set up user accounts for the SecureDawn suite of products, as well as for potential customers who request information about your security program.  We will never sell or share your information.

For user accounts, and customers requesting information about your security posture, we collect the following information:

  • First and Last Name

  • Email address

Children's Online Privacy Protection Rule (COPPA)

Network Security

Intrusion Detection

The SecureDawn team utilizes an industry leading intrusion detection, prevention, and EDR solution on all endpoint devices.

Intrusion Prevention

The SecureDawn team utilizes an industry leading intrusion detection, prevention, and EDR solution on all endpoint devices.

Network Device Hardening

SecureDawn uses private AWS subnets and restrictive Security Groups, both internally and at the network edge, to ensure systems cannot communicate with unintended systems.
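The two AWS claims on this page, encryption at rest under KMS-managed keys (Data Encrypted at Rest, above) and restrictive Security Groups, are the kind of statement a customer's security reviewer would want to verify rather than take on trust. The script below is an added example written for this page; it is not SecureDawn's code. It walks data shaped like the boto3 describe_volumes, describe_db_instances and describe_security_groups responses and reports unencrypted storage and ingress rules open to the whole internet on anything other than HTTPS. The sample records, the resource identifiers and the choice of 443 as the only permitted world-reachable port are constructed assumptions for the example.

```python
# Added example (not SecureDawn's code): offline audit of AWS resources against
# two posture claims, encryption at rest under KMS-managed keys and restrictive
# Security Groups. The inputs are constructed samples shaped like boto3's
# describe_volumes / describe_db_instances / describe_security_groups responses;
# against a real account you would pass the live responses instead.
from dataclasses import dataclass

# Assumption for this example: only HTTPS may be reachable from the whole internet.
ALLOWED_PUBLIC_PORTS = {443}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    resource: str
    issue: str


def check_volumes(volumes):
    """Every EBS volume must be encrypted and carry a KMS key id."""
    findings = []
    for v in volumes:
        if not v.get("Encrypted"):
            findings.append(Finding(v["VolumeId"], "EBS volume not encrypted at rest"))
        elif not v.get("KmsKeyId"):
            findings.append(Finding(v["VolumeId"], "encrypted but no KMS key recorded"))
    return findings


def check_db_instances(instances):
    """Every RDS instance must have storage encryption enabled."""
    return [Finding(d["DBInstanceIdentifier"], "RDS storage not encrypted at rest")
            for d in instances if not d.get("StorageEncrypted")]


def _public_sources(perm):
    """CIDR sources of one ingress permission that cover the entire internet."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANY_SOURCE]


def check_security_groups(groups):
    """Flag ingress rules open to the internet on anything but the allowed ports.
    Rules whose source is another security group (UserIdGroupPairs) are internal
    traffic and are not flagged."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            sources = _public_sources(perm)
            if not sources:
                continue
            proto = perm.get("IpProtocol")
            # IpProtocol "-1" means every protocol and port; FromPort/ToPort are absent.
            if proto == "-1":
                lo, hi = 0, 65535
            else:
                lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if proto == "tcp" and lo == hi and lo in ALLOWED_PUBLIC_PORTS:
                continue
            findings.append(Finding(
                g["GroupId"], f"ingress {proto} {lo}-{hi} open to {', '.join(sources)}"))
    return findings


def audit(volumes, instances, groups):
    """Run all three checks and return the combined list of findings."""
    return check_volumes(volumes) + check_db_instances(instances) + check_security_groups(groups)


# Constructed sample data (not from any real account).
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0a1", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/example-key-id"},
    {"VolumeId": "vol-0b2", "Encrypted": False},
]
SAMPLE_DBS = [
    {"DBInstanceIdentifier": "app-db", "StorageEncrypted": True},
    {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": False},
]
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
    {"GroupId": "sg-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_VOLUMES, SAMPLE_DBS, SAMPLE_GROUPS):
        print(f"{f.resource}: {f.issue}")
```

On the sample data the audit reports the unencrypted volume, the unencrypted database, the SSH rule open to 0.0.0.0/0 and the all-protocols rule open to ::/0, while the HTTPS rule and the group-to-group database rule pass. A volume that is encrypted but shows no KmsKeyId is reported separately, since the page's claim is specifically that keys are managed by a key management solution.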

End User Device Security

Mobile Device Management Solution

Customer data is not stored on mobile devices.

Log Review and Alerting

End user devices run a best-in-class endpoint protection solution which reports threats and policy violations to a cloud dashboard managed by the endpoint solution vendor.  Issues generate email alerts which are sent to the SecureDawn security team to be classified and prioritized.

Compliance

Internal Compliance Department

Business Resiliency

Recovery Point Objective

SecureDawn's recovery point objective is 24 hours.

Business Continuity Plan

SecureDawn has documented policy for business continuity and disaster recovery that has been approved by management.

Recovery Time Objective

SecureDawn's recovery time objective is 24 hours.

Incident Event and Communications Management

Formal Incident Response Plan

SecureDawn has a formal Incident Response Process that can be viewed upon request.

Application Security

Secure Web Traffic

All web traffic in and out of SecureDawn is encrypted using HTTPS (TLS 1.2).

Patching Schedule

Production Change Control

Changes can only be applied to our production environment by select senior members of our engineering team and must be reviewed prior to deployment.

Software Development Lifecycle

Code changes undergo internal code review for completeness and security.  All team members undergo security training provided by a senior security member of the SecureDawn team.

Access Control

Staff Scoped Data Access

SecureDawn staff are not routinely granted access to customer data.  If a customer requests that a SecureDawn employee be given access to their account information, a written access request is required.

Employee access to customer accounts is reviewed quarterly by the internal compliance department.

Internally Shared User Accounts

The SecureDawn team does not share user accounts.

Physical Security

Physical Security Controls

Human Resources

Background Screening

All SecureDawn employees and contractors are required to have a federal and local background check prior to accessing customer data.

Off-boarding Process

When off-boarding an employee, the SecureDawn management team follows an employee dismissal checklist stored in our Human Resources system.

Disciplinary Process

Disciplinary infractions are reviewed by executive management, which decides how the organization should respond as dictated by internal policies.

Employee Agreements

All employees and contractors must agree to an Employee Agreement and a Mutual Non-Disclosure Agreement prior to working with SecureDawn Inc.  

Organizational Security

Designated Security Point of Contact

Security Policy

Policy Review Cadence

The SecureDawn information security policy is reviewed at least annually or if any major changes occur.

Information Security Policy

The SecureDawn information security policy is owned by the Chief Information Security Officer and approved by the Chief Executive Officer.

Certifications

  • SOC 2 - planned

  • CCPA - scheduled 03/31/2022
