At Vulcan Cyber, we take security very seriously. We recognize the importance of protecting our clients’ data and systems, and we are committed to providing a secure platform for vulnerability remediation and orchestration.
This public-facing security policy outlines the measures we take to ensure the security and integrity of our platform, as well as our commitment to continuous improvement.
Infrastructure security
The Vulcan Cyber platform is deployed on a secure network that is protected by WAF and other security mechanisms. The platform is configured to run on secure ports, and any unnecessary ports are closed. All incoming and outgoing network traffic is monitored for signs of malicious activity.
Vulcan Cyber uses the following cloud services for its internal infrastructure:
AWS
Azure
Access to these cloud services is limited according to the role of the Vulcan Cyber employee and is reviewed quarterly as well as via regular onboarding/offboarding tasks for new and departing employees.
Data security
Vulcan Cyber employs a comprehensive set of measures to ensure the security of our clients’ data. All data transmitted between the Vulcan Cyber platform and users’ devices is encrypted using industry-standard encryption algorithms. All data stored by the platform is also encrypted. Access to the platform is granted only to authorized users with valid credentials, and user access permissions are strictly enforced.
Encryptions standards used:
Data at Rest is encrypted with AES 256
Data in transit is encrypted with at least TLS 1.2
Customer Environment Access
Vulcan Cyber is committed to keeping our customer’s confidential data protected at all times. Access privileges to customer information are granted on a “need to know” basis, and need to be approved by a member of Vulcan’s management team. Access to production environments is restricted to Vulcan support personnel and a limited number of Vulcan's development team.
To maintain data security, we do not store customer information on physical servers within Vulcan Cyber offices or in printed format. In instances where it becomes necessary to copy production information to an employee's local computer, we take measures to anonymize the data, thereby preventing any potential privacy breaches. Once the data is no longer required, it is promptly deleted.
Any access to a customer environment, either by a customer or Vulcan Cyber personnel, is logged in Vulcan’s production environment and kept available for future analysis. Logs are stored for a minimum period of 30 days .
Access by Vulcan Cyber personnel to customer environments is performed with individual users that requires using multi-factor authentication, support person identity is tracked internally in Vulcan's audit system.
If, for any reason, a client prefers to limit further the access to their tenant for support purposes, this can be arranged. However, it's important to note that this may make support processes slightly more complex and potentially impact efficiency.
Corporate security
Vulcan Cyber implements robust corporate security policies to protect our employees, facilities, and assets. This includes physical security measures to restrict access to our facilities, video surveillance, and security alarms. We also employ background checks and security training for all new employees. Our IT systems and networks are secured using firewalls, antivirus software, and intrusion detection systems. Access to sensitive data and systems is restricted and monitored, and employees are required to use strong passwords and two-factor authentication. These measures help us to ensure that our corporate infrastructure is secure and our employees and clients are protected.
Governance and Compliance
Vulcan is audited annually against the SOC2 Type 2 standard. We can provide a copy of this certification upon request, under NDA.
Vulcan Cyber conducts a penetration test on an annual basis by an external third party vendor with the proper qualification.
Vulcan Cyber updates its Cyber Risk Assessment on an annual basis in order to keep pace with the evolving threat landscape.
Vulnerability management
Vulcan Cyber actively monitors and tracks the existence of security vulnerabilities in its software and infrastructure. New findings are reviewed and assigned a risk rating according to business impact and technical severity.
Incident Response
Vulcan Cyber has a well-defined incident response plan in place. This plan outlines the steps to be taken in the event of a security breach or other incident. The plan is regularly reviewed and updated to ensure it is up-to-date and effective.
Secure development
Vulcan Cyber follows a secure software development life cycle (SDLC) process to ensure that security is integrated into every stage of our platform's development. Our development team is trained to follow secure coding practices, and our platform is subject to regular security code reviews and testing to identify and remediate vulnerabilities early in the development cycle.
Security Awareness Training
All Vulcan Cyber employees receive regular security awareness training. This training covers topics such as password management, phishing prevention, and safe browsing habits.
Third-Party Security
Vulcan Cyber works with third-party vendors and partners to provide the best possible service to our clients. We carefully vet these partners to ensure they meet our security standards, and we require them to adhere to our security policies and protocols.
Continuous Improvement
At Vulcan Cyber, we are committed to continuously improving our security posture. We regularly review and update our security policies and protocols to ensure they are up-to-date and effective. We also conduct regular security audits and assessments to identify areas for improvement.
By following these measures and continuously improving our security posture, Vulcan Cyber is committed to providing a secure platform for complete risk management.
Contact us with any security related issue at security@vulcan.io