Information Security Practice

Overview

At Briza we are committed to information security, it is our mission to be the gold-standard for security and privacy for insurance infrastructure. We take a risk-driven and a multi-layered approach to implementing information security controls that ensure the confidentiality, integrity and availability of the organization’s information and assets. We adopt the principles of  security by design, zero trust, and continuous security to prevent unauthorized access to company’s data.

Briza’s services are architected using Infrastructure and CI/CD platforms that primarily adopts AWS and Github serverless technologies. Automated scaling, patch management, high availability, are built-in by design. Our focus is on tightly managing user and programmatic access to resources and data, without implicitly trusting any physical and network location of the user. At Briza, we have implemented layers of prevention, detection, alerting and response capabilities to the devops pipeline and the cloud infrastructure. We continuously monitor our infrastructure accounts, version control tools, task trackers, endpoints, hosts, HR tools, corporate applications to ensure adherence to company security policies, procedures and standards.

Top

People

We are committed to attract, develop and retain competitive talent aligned to the company's objectives. Our hiring and onboarding process is rigorous and effective. Semi-annual performance evaluation ensures that the employees stay on course and aligned with business objectives. Mandatory security awareness training is required of all employees and contractors. Our human resources team has enforced a code of conduct, anti-harassment, and whistle-blower policy to ensure a safe work environment for all employees. To foster a culture of security, the information security team runs a comprehensive security awareness program.

Briza’s board is composed of highly competent individuals, with the breadth of experience to oversee management's design, implementation and operation of information security controls.  The by-laws of Briza empower the board of directors to function independently.

Top

Communication and Information

The company management has established, approved and assigned Information Security roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls. Information security policies are established and communicated to all employees, these policies are reviewed periodically. Service terms, description and changes to control implementation are promptly communicated to external parties.

Top

Risk Management

Briza has established a risk management program that includes guidance on identifying potential risks, rating the significance of the risks, and implementing mitigation strategies for those risks. We conduct periodic workshops with a cross-functional group to identify top risks to the organization. Briza has a vendor risk management program that periodically reviews vendor security and privacy requirements.

Top

System operations and monitoring activities

Briza performs control self-assessments periodically to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings. Penetration testing is performed periodically, a remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs. Vulnerability scans are performed periodically on all external-facing and internal-facing systems and the vulnerabilities are tracked to remediation. Infrastructure monitoring tools are utilized to monitor systems, infrastructure, and performance. We utilize log management tools to identify events that may have a potential impact on the company's ability to achieve its security objectives. Intrusion detection system is deployed to provide continuous monitoring of the company's network and systems and early detection of potential security breaches.

Top

Access Controls

Access to in-scope system components is based on job role and function. Our access control enforcement is as granular as possible to enforce least privilege needed to perform the action and prevents unauthorized access to data and services. Single-sign-on and account provisioning automation is leveraged extensively. We perform periodic access reviews of privilege access to identified critical systems. Access requests are documented and approved by system owners and managers.

Top

Change Management

Changes to the software and infrastructure components of the service are documented, tested, reviewed and approved prior to being deployed to the production environment. We have documented a system development life-cycle (SDLC) methodology, which provides guidance on deploying services to the production environment. Test, Sandbox and Production environments are isolated from each other, changes get sequentially deployed and tested first in the test environment and then in the sandbox environments before deploying to the production environment.

Top

Cryptographic Controls

We use secure vaults and related services such as Ansible vault, 1Password, AWS-KMS, etc. to manage the life-cycle of secrets such as password, API keys, access keys, SSH keys, etc. We employ industry standard encryption algorithms. With Google Workspace as the identity provider for employees, we leverage multi-factor authentication (MFA), single-sign-on (SSO) and automated provisioning of accounts in 3rd-party services.

Top

Security Incident Management

Briza has implemented security monitoring and detection tools, and a process that enables us to watch for anomalies and protect the services against attacks. In the event of a security breach we will promptly notify impacted users of any actual or suspected unauthorized access to their systems and data.

Top

Business Continuity

We have a proactive approach to identifying potential single points of failure in people, process, infrastructure and services. And continuously evolve mechanisms to minimize the single point of failures. Our services hosted in the AWS cloud are highly available and scale automatically. Databases and infrastructure state is automatically backed-up.

Top

SOC 2 Announcement: Establishing Trust in Briza’s Unified-API

We know how essential data security is to our partners, which is why we are pleased to announce that Briza is now SOC 2 Type II compliant. Meeting SOC 2 compliance is a key part of Briza’s ongoing commitment to our existing and future customers who can be confident about the security of their insurance data with Briza.

A SOC 2 Type II report is granted after a company undergoes an auditing process administered by an independent, third-party audit firm. Successfully completing the SOC 2 examination signifies Briza has voluntarily developed and implemented a system of controls and operational processes to meet a renowned security standard of excellence.

What is SOC 2, and why does compliance matter?

Briza has successfully completed a System and Organization Control (SOC) 2 Type II audit. The SOC 2 Type II report was attested to by a licensed and independent audit firm and issued without any noted exceptions, and therefore was issued with a “clean” audit opinion. 

Top
AICPA | SOC logo

SOC 2 Type II Report

This is a report on the suitability of the design and operating effectiveness of the controls implemented on our core systems, ancillary system components and business processes that enable our principal service which is Briza’s unified API and other supporting services. Importantly, it provides assurance to external parties with respect to security and availability of the systems enabling Briza’s unified API, and confidentiality of the information processed by these systems.

Top

SOC 2: Significance

SOC 2 audits are rigorous, and SOC 2 Type 2 reports are attested per the SSAE-18 standards published by AICPA. The SOC 2 framework includes the 17 principles of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control — Integrated Framework, along with supplemental controls. Briza’s implementation of security controls aligns with the COSO principles and the supplemental controls. 

We have put in place continuous monitoring of the health of these controls by leveraging automations in almost all areas, and we have a dedicated team that oversees its performance. Below are some numbers that give an overview of the efforts that we had put in for the 2021 SOC 2 audit cycle.

  • 3 Trust Service Criteria: Security, Availability and Confidentiality
  • 17 COSO Principles
  • 86 Security controls implementation
  • 117 Audit tests of the effectiveness of control implementation
  • 37 Security related documentations
Top

Our Commitment

Briza has committed to ensuring that the company adopts industry best security practices, and will be proactive in mitigating risks related to the confidentiality, availability, and security of the information that we process and handle. We continue to make significant investments in this regard. The achievement of the SOC 2 report with a clean audit opinion is a testament to this commitment, and provides assurance to our partners present and future. 

If there is a requirement to review Briza’s SOC 2 Type 2 report, please write to marketing@briza.com. For any questions pertaining to the SOC 2 report, please write to security@briza.com

Top

Responsible Disclosure
If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at
security@briza.com. We will acknowledge your email within one week. Researchers that wish to report a possible security issue may request our PGP public key by sending an email to security@briza.com.