Security | White HTBOOK Software
HTBOOK provides Software as a Service (SaaS) products to 20k+ of users from UAE and worldwide to solve their business problems. Security is a key component in our offerings, and is reflected in our people, process, and products. This page covers topics like data security, operational security, and physical security to explain how we offer security to our customers. and secure client business data.
Contact Us 24/7 Support Team
Organizational security
We have an Information Security Management System (ISMS) in place which takes into account our security objectives and the risks and mitigations concerning all the interested parties. We employ strict policies and procedures encompassing the security, availability, processing, integrity, and confidentiality of customer data.
Security Awareness:
Each employee, when inducted, signs a confidentiality agreement and acceptable use policy, after which they undergo training in information security, privacy, and compliance. Furthermore, we evaluate their understanding through tests and quizzes to determine which topics they need further training in. We provide training on specific aspects of security, that they may require based on their roles.
We educate our employees continually on information security, privacy, and compliance in our internal community where our employees check in regularly, to keep them updated regarding the security practices of the organization. We also host internal events to raise awareness and drive innovation in security and privacy.
Employee background checks
Each employee undergoes a process of background verification. We hire reputed external agencies to perform this check on our behalf. We do this to verify their criminal records, previous employment records if any, and educational background. Until this check is performed, the employee is not assigned tasks that may pose risks to users.
Dedicated security and privacy teams
We have dedicated security and privacy teams that implement and manage our security and privacy programs. They engineer and maintain our defense systems, develop review processes for security, and constantly monitor our networks to detect suspicious activity. They provide domain-specific consulting services and guidance to our engineering teams.
Internal audit and compliance
We have a dedicated compliance team to review procedures and policies in HTBOOK to align them with standards, and to determine what controls, processes, and systems are needed to meet the standards. This team also does periodic internal audits and facilitates independent audits and assessments by third parties.
Endpoint security
All workstations issued to HTBOOK employees run up-to-date OS version and are configured with anti-virus software. They are configured such that they comply with our standards for security, which require all workstations to be properly configured, patched, and be tracked and monitored by HTBOOK endpoint management solutions. These workstations are secure by default as they are configured to encrypt data at rest, have strong passwords, and get locked when they are idle. Mobile devices used for business purposes are enrolled in the mobile device management system to ensure they meet our security standards.
Physical security
At workplace
We control access to our resources (buildings, infrastructure and facilities), where accessing includes consumption, entry, and utilization, with the help of access cards. We provide employees, contractors, vendors, and visitors with different access cards that only allow access strictly specific to the purpose of their entrance into the premises. Human Resource (HR) team establishes and maintains the purposes specific to roles. We maintain access logs to spot and address anomalies.
At Data Centers
At our Data Centers, a co location provider takes responsibility of the building, cooling, power, and physical security, while we provide the servers and storage. Access to the Data Centers is restricted to a small group of authorized personnel. Any other access is raised as a ticket and allowed only after the approval of respective managers. Additional two-factor authentication and biometric authentication are required to enter the premises. Access logs, activity records, and camera footage are available in case an incident occurs.
Monitoring
We monitor all entry and exit movements throughout our premises in all our business centers and data centers through CCTV cameras deployed according to local regulations. Back-up footage is available up to a certain period, depending on the requirements for that location.
Infrastructure security
Network security
Our network security and monitoring techniques are designed to provide multiple layers of protection and defense. We use firewalls to prevent our network from unauthorized access and undesirable traffic. Our systems are segmented into separate networks to protect sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting HTBOOK production infrastructure.
We monitor firewall access with a strict, regular schedule. A network engineer reviews all changes made to the firewall everyday. Additionally, these changes are reviewed once in every six months to update and revise the rules. Our dedicated Network Operations Center team monitors the infrastructure and applications for any discrepancies or suspicious activities. All crucial parameters are continuously monitored using our proprietary tool and notifications are triggered in any instance of abnormal or suspicious activities in our production environment.
Network redundancy
All the components of our platform are redundant. We use a distributed grid architecture to shield our system and services from the effects of possible server failures. If there's a server failure, users can carry on as usual because their data and HTBOOK services will still be available to them.
We additionally use multiple switches, routers, and security gateways to ensure device-level redundancy. This prevents single-point failures in the internal network.
Server hardening
All servers provisioned for development and testing activities are hardened (by disabling unused ports and accounts, removing default passwords, etc.). The base Operating System (OS) image has server hardening built into it, and this OS image is provisioned in the servers, to ensure consistency across servers.
Intrusion detection and prevention
Our intrusion detection mechanism takes note of host-based signals on individual devices and network-based signals from monitoring points within our servers. Administrative access, use of privileged commands, and system calls on all servers in our production network are logged. Rules and machine intelligence built on top of this data give security engineers warnings of possible incidents. At the application layer.
At the Internet Service Providers (ISP) level, a multi-layered security approach is implemented with scrubbing, network routing, rate limiting, and filtering to handle attacks from network layer to application layer. This system provides clean traffic, reliable proxy service, and a prompt reporting of attacks, if any.
Data security
Secure by design
Every change and new feature is governed by a change management policy to ensure all application changes are authorized before implementation into production. Our Software Development Life Cycle (SDLC) mandates adherence to secure coding guidelines, as well as screening of code changes for potential security issues with our code analyzer tools, vulnerability scanners, and manual review processes.
Our robust security framework based, implemented in the application layer, provides functionalities to mitigate threats such as SQL injection, Cross site scripting and application layer DOS attacks.
Data isolation
Our framework distributes and maintains the cloud space for our customers. Each customer's service data is logically separated from other customers' data using a set of secure protocols in the framework. This ensures that no customer's service data becomes accessible to another customer.
The service data is stored on our servers when you use our services. Your data is owned by you, and not by HTBOOK. We do not share this data with any third-party without your consent.
Data retention and disposal
We hold the data in your account as long as you choose to use HTBOOK Services. Once you terminate your HTBOOK user account, your data will get deleted from the active database during the next clean-up that occurs once every 6 months. The data deleted from the active database will be deleted from backups after 3 months. In case of your unpaid account being inactive for a continuous period of 120 days, we reserve the right to terminate it after giving you prior notice and option to back-up your data.
A verified and authorized vendor carries out the disposal of unusable devices. Until such time, we categorize and store them in a secure location. Any information contained inside the devices is formatted before disposal. We degauss failed hard drives and then physically destroy them using a shredder. We crypto-erase and shred failed Solid State Devices (SSDs).
Administrative access
We employ technical access controls and internal policies to prohibit employees from arbitrarily accessing user data. We adhere to the principles of least privilege and role-based permissions to minimize the risk of data exposure.
Operational security
We monitor and analyse information gathered from services, internal traffic in our network, and usage of devices and terminals. We record this information in the form of event logs, audit logs, fault logs, administrator logs, and operator logs. These logs are automatically monitored and analyzed to a reasonable extent that helps us identify anomalies such as unusual activity in employees’ accounts or attempts to access customer data. We store these logs in a secure server isolated from full system access, to manage access control centrally and ensure availability.
Data Backup
We run incremental backups everyday and weekly full backups of our databases using HTBOOK Admin Console. Backup data stored in the same location and encrypted using AES-256 bit algorithm. We store them in tar.gz format. All backed up data are retained for a period of three months. If a customer requests for data recovery within the retention period, we will restore their data and provide secure access to it. The timeline for data restoration depends on the size of the data and the complexity involved.
From your end, we strongly recommend scheduling regular backups of your data by exporting them from the respective HTBOOK services and storing it locally in your infrastructure.
To learn more about how you work with HTBOOK to achieve a secure cloud environment, Discuss with us Click Here.