Overview
Airbo has provided its cloud-based Employee Communication Platform to a wide variety of organizations and industries since 2011. We maintain the trust of our clients, from public school districts to Fortune 500 enterprises, by ensuring we follow industry standard security management without compromising functionality or ease-of-use.
This document describes the following topics related to information security at Airbo:
Internal Policies and Procedures
System Architecture & Configuration
Third Party Services and Tools
Internal Policies and Procedures
Hardware Security
Airbo is a completely cloud-based company. This is true for both our internal systems as well as our client facing systems. We do not maintain our own physical infrastructure (servers, network appliances, etc.) other than company issued laptops.
All Airbo-issued laptops are required to be password protected with strong passwords that are changed at a regular interval. When required, client information is downloaded to a password-protected, encrypted partition on the employee computer.
Personnel
In addition to conducting thorough reference checks, Airbo also conducts a full criminal background check on all employees as part of our hiring process.
All Airbo employees are provided comprehensive training on security standards and policies as well as industry best practices regarding information security.
Access to Technical Systems and Resources
Airbo restricts employee access to sensitive resources and systems based on job function and role. For example, all Airbo developers have access to the private source code repository on www.github.com, but only designated development team members can submit code changes. Similarly, only pre-approved team members can submit code changes to the running production environment.
Likewise, access to the production application and its data is provided to designated team members only. All non-privileged developers are restricted to development and QA environments populated with dummy or test data.
Access to Non-Technical Business Systems and Resources
Airbo restricts employee access to non-technical information such as client contracts and communications, personnel data, financials, etc. to only those employees whose job duties require them to have access to this information.
Third Party and Vendor Services
As mentioned above, Airbo is fully cloud based. We have taken great care to partner with and procure services from industry-leading providers of PaaS, IaaS and SaaS hosting. Our partners have extensive experience and expertise in information security management and have adopted the most stringent industry standards and certifications, such as SSAE16 and ISO 27001.
Airbo works closely with our vendors and partners to ensure that Airbo and its employees follow all best practices and guidelines set forth by those partners and vendors. These include the following:
Enforcement of secure login and password storage for access to vendor and external interfaces
Enforcement of cryptographically strong passwords
Use of Role Based Access Control with least privilege granted as a default
Rotation of administrative passwords every 60 days
Prompt application of all vendor recommended software updates and patches related to security
Personnel Security
Incoming Employees
All Airbo employees are screened prior to employment with the following checks:
Six years' address history.
Three years' employment history.
Education Verification.
Criminal background checks.
Airbo employees with authorized access to production and test environments are screened prior to access being granted.
Outgoing Employees
Upon termination of employment, the departing employee's access to all Airbo resources and systems is immediately blocked. We follow this procedure:
Revoke, disable or remove all system accounts associated with the employee (including databases, the code repository and the application).
Change administrator passwords in all systems to which the employee had access.
Disable employee access to email but keep the account active in order to monitor any security related communications.
Secure Development
All of Airbo's services are developed with stringent OWASP derived industry standard practices.
For regular updates on Common Vulnerabilities and Exposures, the Airbo development team subscribes to industry mailing lists such as:
Our development team implements all recommended security patches and mitigations within 24-48 hours.
Airbo also subscribes to a third-party service (Code Climate: http://www.codeclimate.com/) that scans the code base on every code push to our master repository. The code is evaluated for code quality and potential security vulnerabilities.
Policies and Procedures
Hosting Providers & External Interface Protection
Airbo has partnered with industry leaders in PaaS and IaaS hosting. These organizations have well-established governance programs in place. They adhere to the most stringent security management methodologies and standards such as ISO 27001, AT101, and SSAE16.
Asset Protection And Resilience
Airbo has partnered with some of the industry's leading infrastructure providers, who have adopted AT101, SSAE16 and industry practices for the physical protection of information processing assets. ISO 27001 certified policies and processes ensure that all measures taken to protect information assets have been verified and audited by an external, independent third party.
Data In Transit Protection
Airbo protects all data in transit with HTTPS/TLS, using strong ciphers with key lengths of up to 256 bits.
Data At Rest
Airbo stores all customer data in an encrypted database.
Separation Between Customers
Airbo's services are multi-tenanted and follow stringent industry practices to ensure that no unintended information disclosure occurs between Airbo customers. The confidentiality, privacy and ownership of information are maintained at all times. All access must be explicitly granted via user interaction within the product.
Secure Customer Management
Airbo uses an RBAC architecture to restrict access to resources to the appropriate users. Access is granted on a "least privilege" basis. There are four types of roles, each with specific privileges.
Guest User: May view content at a public URL on the airbo.com domain. Airbo does not track who the user is, but does add a cookie to track subsequent sessions.
Ordinary User: May view content and alter their own information. May access the names, but not the email addresses, of other users.
Client Administrator: Users designated by the customer as administrators. May create content, send digest emails to the group, add new users, and designate other Ordinary Users as Client Administrators.
Site Administrator: Airbo staff only. May perform all the same functions as a Client Administrator, switch between any instance, and access additional reporting.
Staff Segregation of Duties is applied to critical operations such as deletion of a client instance, which requires C-level password approval.
Secure Use of Service By Customer
End users are taught how best to implement and manage the product so that content remains accessible and available on a need-to-know basis. This is achieved through:
Customer Success Managers
Extensive online help
Live online support portal
Identity and Authentication
All Airbo users must provide a valid username and password to access non-public features of the website.
In certain scenarios, authenticated users with a non-expired session can access Airbo via a secure, randomly generated authentication token attached to a link in an email.
Audit Information and Provision to Customers
Airbo provides end-user and administrative reports that detail usage and access to all content stored in its services.
Appendix
Vendor Certifications & Security Policies
Software Code & Static Analysis & Vulnerability Detection