Our security approach

Our approach to security is based on the following four pillars:

  1. Meet customer expectations and information needs around Snobal security and practices;
  2. Approach security practices from an agile perspective, continually reviewing our practices and approach so that they take account of current cybersecurity information, trends and requirements;
  3. Approach security as a shared responsibility between Snobal and our customers and partners;
  4. Continually evaluate our approach to security (including in comparison to our industry peers) to identify opportunities for continuous improvement. This includes examining potential vulnerabilities with the aim of reducing identified risk to an acceptable level.

The information on this page applies to the Snobal platform and products unless otherwise specified.

Our security team

We have a designated security team made up of key Snobal senior leadership and technical experts. This team meets regularly to review and analyse our approach to security.

All Snobal team members also play a key role in meeting our security requirements. To this end, team members are made aware of our mission, vision and goals, and of our approach to security, from their commencement and throughout our workflow processes.

Shared security approach

Under Snobal's shared security approach, customers are responsible for protecting all of their endpoints and for following best practices for password construction.

Snobal follows the recommendations of the NIST Password Guidelines, also known as NIST Special Publication 800-63B. These guidelines were originally published in 2017 and updated in March 2020 under "Revision 3" or "SP800-63B-3". They are considered one of the most influential standards for password creation and use policies. As such, all Snobal employees, including vendors and partners with access to Snobal's systems, are responsible for taking the appropriate steps to select and secure their passwords.
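As an added illustration of what the SP 800-63B memorized-secret rules look like in code (this is not Snobal's own implementation), the checker below enforces only length and a blocklist, with no composition rules, as the guideline recommends. The blocklist is a constructed stand-in for a breach-derived corpus and the service name is assumed to be "snobal".

```python
import unicodedata

# Constructed stand-in for a breached/commonly-used password corpus; a real
# deployment would query a large breach-derived list instead of this set.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 8   # SP 800-63B: memorized secrets must be at least 8 characters
MAX_LENGTH = 64  # SP 800-63B: verifiers should accept at least 64 characters


def _is_periodic(s):
    """True when s is a shorter unit repeated ('aaaaaaaa', 'abababab')."""
    return len(s) > 1 and (s + s).find(s, 1) < len(s)


def _is_sequential(s):
    """True for runs of consecutive code points ('abcdefgh', '87654321')."""
    if len(s) < 2:
        return False
    step = ord(s[1]) - ord(s[0])
    return step in (1, -1) and all(ord(b) - ord(a) == step for a, b in zip(s, s[1:]))


def check_password(candidate, username="", service="snobal", blocklist=BLOCKLIST):
    """Apply the SP 800-63B memorized-secret rules to a candidate password.

    Returns (accepted, reasons). Deliberately enforces no composition rules
    (mixed case, digits, symbols): length plus the blocklist checks is the
    whole policy, which is what the guideline recommends.
    """
    # Normalize (NFKC) before measuring or comparing, so visually identical
    # inputs are treated alike; length is then counted in code points.
    secret = unicodedata.normalize("NFKC", candidate)
    lowered = secret.lower()
    reasons = []
    if len(secret) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if len(secret) > MAX_LENGTH:
        reasons.append("longer than %d characters" % MAX_LENGTH)
    if lowered in blocklist:
        reasons.append("found on the breached/common password list")
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    if service and service.lower() in lowered:
        reasons.append("contains the service name")
    if _is_periodic(lowered):
        reasons.append("repetitive characters")
    if _is_sequential(lowered):
        reasons.append("sequential characters")
    return (not reasons, reasons)
```

A long passphrase with spaces passes, while a short, dictionary, repetitive, sequential or context-specific (username or service name) value is rejected with the reason recorded.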

Managing customer data

  • Encryption of data

All data held by Snobal is encrypted at rest and in transit with one of the strongest ciphers available: 256-bit Advanced Encryption Standard (AES-256), with AWS Key Management Service (KMS), server-side encryption (SSE-S3), and Transport Layer Security (TLS). AWS KMS is designed in a way that no one, including AWS employees, can decrypt or access the data.

  • Backup

All Snobal data is backed up automatically.

Our cybersecurity policies

Snobal recognizes that security vulnerabilities are an inherent part of any software development, and that vulnerability management and remediation must be addressed at all stages, including the earliest stages of the Snobal software development life cycle. To that end, we have implemented a multi-faceted approach to vulnerability management that relies on a combination of automated and manual processes. We are constantly evolving our approach by incorporating the latest tools and methods to ensure our handling of vulnerabilities remains effective into the future.

If you would like to view a copy of our cybersecurity policy, please request one from your Snobal account manager.

Access and privilege management

We understand that effective protection of business information creates a competitive advantage, preserves the reputation of Snobal and helps reduce the risk of negative events and incidents. As such, at Snobal:

  • We limit access to information to those who need it for processing.
  • We classify information into different categories so that we can ensure it is protected properly and that we allocate security resources appropriately.
  • We expect all customers and partners, as well as Snobal employees and contractors, to take responsibility for managing access to their endpoints.
  • We require all employees to comply with industry-standard password guidelines.
  • We request that Snobal customers and Snobal employees follow industry standards when selecting passwords.
  • User profiles, privileges and passwords are used to manage access to the platform and extensions.
  • From July 2021, access will be managed by multi-factor authentication / SSO.

Encryption

All data within our platform is encrypted at rest and in transit with one of the strongest ciphers available: 256-bit Advanced Encryption Standard (AES-256), with AWS Key Management Service (KMS), server-side encryption (SSE-S3), and Transport Layer Security (TLS). AWS KMS is designed in a way that no one, including AWS employees, can decrypt or access the data. This includes:

  • Encryption in transit across all sites via TLS.
  • Encryption at rest, enabled by default.

Identity and access management

Snobal has established identity and access management policies and procedures as well as implemented technical measures including:

  • Policies and procedures established to store and manage identity information about every person who accesses Snobal infrastructure and to determine their level of access.
  • Access to the platform infrastructure and application is appropriately restricted following the rule of least privilege, based on job function.
  • Policies developed to ensure Snobal employees and suppliers do not leave sensitive documents openly visible in unattended workspaces (e.g. on a desk) or leave computing sessions unlocked.
  • Policies developed to ensure Snobal employees and suppliers are aware of their roles and responsibilities for maintaining a safe and secure working environment.

Cybersecurity incident management

The goal of Snobal Incident Response is to detect and react to computer security incidents, to determine their scope and risk, to respond appropriately to all incidents, and to communicate the results and actions to all stakeholders in a timely and transparent manner, with the aim of reducing the likelihood of similar incidents recurring.

Snobal recognises that incident response is not in the hands of one team member but requires the input of the Snobal incident response team (IRT).

The Snobal IRT is a mix of experienced Snobal technical and non-technical personnel who work together to understand the scope of the incident, how it can be mitigated, and ultimately how it is remediated.

  • The plan – outlines the roles and responsibilities of the Snobal IRT.
  • Severity rating – incidents are categorised according to the potential for data exposure or the criticality of the resources involved, using a severity rating scale.
  • Cyber incidents and responses – provides a list of common cyber incident types, along with the corresponding response activities (which form the typical minimum response).
  • Potential threat vectors – outlines potential threat vectors to support Snobal in identifying potential weak spots or commonly targeted aspects of our network and systems.
  • Checklist for process – outlines a checklist for the incident response process.
  • Incident response lifecycle – outlines the incident response lifecycle.

Change request management process

All platform and extension system and infrastructure change requests to the production environment follow an approved process and methodology, scoped to a specific development project, with clear lines of reporting and accountability.

Security awareness training

All Snobal employees and suppliers receive security awareness training when appropriate. All individuals with access to Snobal organizational data receive appropriate awareness training and updates on organizational procedures, processes, and policies relating to their professional function relative to the organization.

Code of IT Ethics

All Snobal employees and suppliers agree to a set of IT ethics principles designed to support sound professional judgement while upholding ethical ideals and obligations around our platform, products and information system use.

Data Governance

Snobal seeks to ensure appropriate data handling procedures are followed to uphold the security and integrity of customer data. This includes requiring that any data considered to be reasonably sensitive, vulnerable or subject to privilege is subject to authorisation by Snobal in compliance with any confidentiality procedures.

Server and system backup

All files in the platform are stored in S3 and have a retention period of 90 days after deletion. Data stored in the database are backed up daily via database snapshot and have a retention period of 30 days.

Supplier and vendor management

All Snobal suppliers and vendors are onboarded and managed in accordance with Snobal’s supplier and vendor due diligence process.

The Snobal supplier and vendor disclosure process articulates Snobal's expectations so that suppliers and vendors do not have to guess. It establishes Snobal's leadership regarding expectations of conduct with a supplier or vendor. It encourages all Snobal suppliers and vendors to help shape Snobal's aspirations so it can achieve its mission in a constructive way.

Vulnerability management

Snobal recognizes that security vulnerabilities are an inherent part of any software development. To that end, we have implemented a multi-pronged approach to vulnerability management that relies on a combination of automated and manual processes. We are constantly evolving our security approach by incorporating the latest tools and methods to ensure our handling of vulnerabilities remains effective into the future.

Broadly speaking:

Infrastructure (Snobal infrastructure)
All EC2 instances and the database cluster sit in a private AWS VPC behind CloudFront and AWS WAF.

Application (Snobal)
A security audit of the application dependencies for known vulnerabilities (NPM Audit) is run as part of our software development life cycle (SDLC) to ensure software dependencies are updated regularly and all patches are up to date.
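As an added illustration of how an NPM Audit step can gate a pipeline (this is not Snobal's own tooling), the Python below parses `npm audit --json` output and fails the build when any finding meets a severity threshold. The sample report is constructed in the shape npm 7+ emits, and the package names, versions and advisory are made up.

```python
import json

# Constructed sample shaped like `npm audit --json` output (npm 7+): a
# `vulnerabilities` map keyed by package plus `metadata.vulnerabilities`
# counts. Package names, versions and the advisory details are made up.
SAMPLE_AUDIT_JSON = """{
  "vulnerabilities": {
    "example-parser": {"name": "example-parser", "severity": "high", "isDirect": true,
                       "range": "<2.1.0",
                       "fixAvailable": {"name": "example-parser", "version": "2.1.0",
                                        "isSemVerMajor": false}},
    "example-util": {"name": "example-util", "severity": "moderate", "isDirect": false,
                     "range": "*", "fixAvailable": true}
  },
  "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 1,
                                   "critical": 0, "total": 2}}
}"""

# npm's severity scale, lowest to highest.
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]


def blocking_findings(report, threshold):
    """Names of vulnerable packages whose severity is at or above threshold."""
    floor = SEVERITY_ORDER.index(threshold)
    return sorted(name for name, v in report.get("vulnerabilities", {}).items()
                  if SEVERITY_ORDER.index(v["severity"]) >= floor)


def describe_fix(fix):
    """Render npm's fixAvailable field, which is an object, true, or false."""
    if isinstance(fix, dict):
        major = " (semver-major)" if fix.get("isSemVerMajor") else ""
        return "fix: upgrade to %s@%s%s" % (fix["name"], fix["version"], major)
    return "fix: npm audit fix" if fix else "no fix available"


def gate(audit_json, threshold="high"):
    """Decide whether the build may proceed. Returns (passed, report_lines)."""
    report = json.loads(audit_json)
    blocking = blocking_findings(report, threshold)
    lines = []
    for name in blocking:
        v = report["vulnerabilities"][name]
        kind = "direct" if v.get("isDirect") else "transitive"
        lines.append("%s %s (%s, %s)" % (v["severity"].upper(), name, kind,
                                          describe_fix(v.get("fixAvailable"))))
    counts = report.get("metadata", {}).get("vulnerabilities", {})
    lines.append("total findings: %d" % counts.get("total", 0))
    return (not blocking, lines)
```

In a pipeline the JSON would come from `npm audit --json` on the checked-out project, and a failed gate would stop the build with the listed packages and their available fixes.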

Third party security testing and auditing

Snobal is regularly asked by government, educational and enterprise customers to provide details of its third-party security auditing and penetration testing reports. Penetration testing is an authorised, third-party simulated cyber attack to assess for exploitable vulnerabilities.

If you would like a copy of a recent penetration testing report, please discuss it with the sales representative at your personalised demo.

Report a vulnerability

Snobal defines a vulnerability as a bug, weakness or flaw in the software or system that could allow unauthorized access to the system. If you believe you have located a vulnerability in Snobal, please submit a ticket to our security and technical support team.

Include the following information:

  • Type of issue
  • Snobal platform or APK version and/or XR solution and version
  • Step-by-step instructions to enable replication of the issue

Questions about Security?

If you have a question that has not been answered here, please contact us.