Assurance standard
Introduction
Security assurance is an umbrella term for several processes aimed at ensuring individual system components can adequately protect themselves from attacks. The implementation of these processes is not a one-time effort but spans the complete system lifecycle. The key processes that contribute to the Altus Group security assurance program are:
Security Hardening - Security hardening describes the minimization of a system’s attack surface and proper configuration of security functions.
Security Testing - Security testing aims to assess a system’s security by trying to identify any weaknesses or vulnerabilities remaining after security hardening. This comprises internal testing and third-party assurance.
Environment
No high or critical vulnerabilities are introduced into production.
Any newly discovered vulnerabilities in production are assessed with controls in place to identify whether they are actively exploitable.
Third party assessments are undertaken on the non-production environment unless this is not a facsimile of the production environment.
Any changes to existing client application infrastructure are assessed by the Information Security team to determine whether third party assessment is required.
Design, development & documentation
Hardening is considered in the planning stages for every new infrastructure or application development.
Application documentation is kept up to date to ensure clear guidance for third party testers.
Application source code is reviewed for vulnerabilities during development.
Data protection & information security
The data type and classification of data being stored or transferred by application components informs the hardening process.
Altus approved security testing tools do not send client data out of Altus environments at any time.
Third party assurance tests must comply with the relevant data protection laws for the data contained within the environment tested.
Testing
Altus client applications are scanned with Altus approved vulnerability management tools.
New applications or significant changes to applications are tested by a third party prior to being used in production.
Remediation
Vulnerability remediation is completed within the SLA time frame.
If it is not possible to remediate the vulnerability, then compensating controls are applied to reduce the risk.
Vulnerabilities discovered by third party tests are retested following remediation.
Release management & deployment
All new infrastructure and applications must be hardened and implemented in accordance with the relevant standard or guideline.
Cloud infrastructure is assessed against NIST cybersecurity framework using an Altus approved posture management tool.
New application code is reviewed prior to deployment.