Our Chief Information Officer, Martin Riit, tells us about some security aspects of Mitigram.
Soon after the idea of the Mitigram Marketplace was born, we recognised that security and regulatory compliance would be the key factor in building trust with our clients, who must comply with extensive regulatory and internal requirements for handling the confidential data that will be entered into the Marketplace.
We have therefore chosen a classic hosted environment at a high-availability data centre and apply a control framework based on ISO/IEC 27002, which is the ISO standard used in the financial industry. This ensures that we have, at all times, the proper control of our environment that our clients require in order to comply with the various security and regulatory requirements. Our control measures are spread across the following categories:
User access management and monitoring – User access and monitoring are of key importance to any system handling confidential data. We provide several layers of protection to users in order to ensure the security of our user accounts. Our clients can decide to augment the login procedures of their users by requiring additional two-step authentication or by restricting access to user accounts from certain IP address ranges, thereby ensuring compliance with their regulatory requirements.
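As an added illustration of the two client-selectable login controls described above (this is example code, not Mitigram's own implementation), the following Python shows a per-client policy evaluated before a session is issued: an optional allowlist of IP ranges and an optional second-factor requirement. The policy fields, function names and sample addresses are assumptions constructed for the example; an unparsable source address fails closed.

```python
"""Per-client login policy: optional IP-range allowlist plus optional
second-factor requirement, checked before a session is issued.
Example code with constructed names; not the platform's own code."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ClientPolicy:
    client_id: str
    require_second_factor: bool = False
    # CIDR strings chosen by the client; an empty list means no IP restriction
    allowed_networks: list = field(default_factory=list)


def parse_networks(cidrs):
    # strict=False tolerates host bits set in the CIDR ("10.1.2.3/24")
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def ip_allowed(policy, source_ip):
    """True if the client set no restriction or the address is inside one of its ranges."""
    if not policy.allowed_networks:
        return True
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # unparsable address: fail closed rather than open
    # Membership across IPv4/IPv6 families simply evaluates to False
    return any(addr in net for net in parse_networks(policy.allowed_networks))


def evaluate_login(policy, source_ip, password_ok, second_factor_ok):
    """Return (allowed, reason); the reason is a short tag for the audit log.
    Checks run in order: credentials, source address, second factor."""
    if not password_ok:
        return False, "bad_credentials"
    if not ip_allowed(policy, source_ip):
        return False, "ip_not_in_allowlist"
    if policy.require_second_factor and not second_factor_ok:
        return False, "second_factor_required"
    return True, "ok"


# Constructed sample policy: a client that restricts logins to one office range
# (TEST-NET-1 used as a placeholder) and insists on a second factor.
OFFICE_POLICY = ClientPolicy("bank-a", require_second_factor=True,
                             allowed_networks=["192.0.2.0/24"])
# Constructed sample policy: a client that left both options off.
OPEN_POLICY = ClientPolicy("bank-b")

if __name__ == "__main__":
    for ip, mfa in [("192.0.2.10", True), ("192.0.2.10", False), ("198.51.100.5", True)]:
        print(ip, mfa, evaluate_login(OFFICE_POLICY, ip, True, mfa))
```

The decision is returned as a tag rather than a free-text message so that the same value can be written to the audit log and counted by monitoring without exposing the credential that was tried.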
Logging and monitoring – All accesses to and activities on the platform, including any unauthorised attempts to access the data in the system, are logged and monitored, and logs are available upon request to our clients for investigation or compliance purposes. The logs are stripped of any sensitive data, to ensure that sensitive data never leaves the control framework of the core databases.
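To show what "stripped of any sensitive data" can mean in practice, here is an added Python example (not Mitigram's own code) that redacts audit events before they are handed to a client: fields on a constructed sensitive-key list are replaced wholesale, long digit runs in free text (reference or account numbers) are masked, and the fields an investigation actually needs (who, what, when, outcome, source address) are kept. The key names, the digit pattern and the sample events are assumptions constructed for the example, and a small helper counts denied attempts per source so the exported log still supports monitoring.

```python
"""Redact sensitive fields from audit events before export, keeping the
who/what/when/outcome fields needed for investigation.
Example code with constructed key names and events; not the platform's own code."""
import re
from collections import Counter

# Constructed: keys whose values must never leave the core database
SENSITIVE_KEYS = {"password", "session_token", "beneficiary", "amount", "document_text"}
# Constructed: runs of 8+ digits in free text are treated as reference/account numbers
DIGIT_RUN = re.compile(r"\b\d{8,}\b")
MASK = "[REDACTED]"


def redact_event(event):
    """Return a new dict: sensitive keys masked, nested dicts recursed,
    digit runs in strings masked, everything else copied unchanged."""
    out = {}
    for key, value in event.items():
        if key in SENSITIVE_KEYS:
            out[key] = MASK
        elif isinstance(value, dict):
            out[key] = redact_event(value)
        elif isinstance(value, str):
            out[key] = DIGIT_RUN.sub(MASK, value)
        else:
            out[key] = value
    return out


def export_logs(events):
    """The only path by which events leave the core system: every record is redacted."""
    return [redact_event(e) for e in events]


def denied_by_source(events):
    """Count unauthorised (denied) attempts per source address for monitoring."""
    return Counter(e["src_ip"] for e in events if e.get("outcome") == "denied")


# Constructed sample events (TEST-NET addresses, invented users and references)
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T09:00:00Z", "user": "alice@bank-a.example", "action": "login",
     "outcome": "denied", "src_ip": "198.51.100.7", "detail": {"password": "hunter2"}},
    {"ts": "2024-01-01T09:00:30Z", "user": "alice@bank-a.example", "action": "login",
     "outcome": "denied", "src_ip": "198.51.100.7", "detail": {"password": "hunter3"}},
    {"ts": "2024-01-01T09:05:00Z", "user": "bob@bank-b.example", "action": "view_deal",
     "outcome": "ok", "src_ip": "192.0.2.10",
     "message": "opened deal reference 1234567890", "amount": 2500000},
]

if __name__ == "__main__":
    for record in export_logs(SAMPLE_EVENTS):
        print(record)
    print(denied_by_source(SAMPLE_EVENTS))
```

Redaction builds a new record rather than editing in place, so the unredacted event stays intact in the core store while only the masked copy is exported; the denied-attempt counter runs on the original events inside that boundary.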
Security scanning and testing – The security of our services is independently verified via weekly automated internet vulnerability scanning, quarterly full-scale automated security scanning and an annual full-scale manual security penetration test performed by an independent auditor. Such practices ensure that even if our rigorous testing procedures for new releases were to fail to find a security fault, we would be notified of any potential vulnerability in a timely manner.
Data encryption – We are in the process of implementing user-based data encryption. With this in place, the risk of unauthorised data access will be eliminated even if the system were to be compromised by a third party. We will be one of the very few platforms in the financial industry with this advanced security feature.