Information Security Practice

Overview

At Briza we are committed to information security; it is our mission to be the gold standard for security and privacy for insurance infrastructure. We take a risk-driven, multi-layered approach to implementing information security controls that ensure the confidentiality, integrity and availability of the organization's information and assets. We adopt the principles of security by design, zero trust, and continuous security to prevent unauthorized access to company data.

Briza's services are architected on infrastructure and CI/CD platforms that primarily adopt AWS and GitHub serverless technologies. Automated scaling, patch management and high availability are built in by design. Our focus is on tightly managing user and programmatic access to resources and data, without implicitly trusting the physical or network location of the user. At Briza, we have implemented layers of prevention, detection, alerting and response capabilities across the DevOps pipeline and the cloud infrastructure. We continuously monitor our infrastructure accounts, version control tools, task trackers, endpoints, hosts, HR tools and corporate applications to ensure adherence to company security policies, procedures and standards.

People

We are committed to attracting, developing and retaining competitive talent aligned with the company's objectives. Our hiring and onboarding process is rigorous and effective. Semi-annual performance evaluations ensure that employees stay on course and aligned with business objectives. Mandatory security awareness training is required of all employees and contractors. Our human resources team enforces a code of conduct, an anti-harassment policy and a whistle-blower policy to ensure a safe work environment for all employees. To foster a culture of security, the information security team runs a comprehensive security awareness program.

Briza's board is composed of highly competent individuals with the breadth of experience to oversee management's design, implementation and operation of information security controls. The by-laws of Briza empower the board of directors to function independently.

Communication and Information

Company management has established, approved and assigned information security roles and responsibilities for the design, development, implementation, operation, maintenance and monitoring of information security controls. Information security policies are established and communicated to all employees, and these policies are reviewed periodically. Service terms, descriptions and changes to control implementation are promptly communicated to external parties.

Risk Management

Briza has established a risk management program that includes guidance on identifying potential risks, rating the significance of the risks, and implementing mitigation strategies for those risks. We conduct periodic workshops with a cross-functional group to identify top risks to the organization. Briza has a vendor risk management program that periodically reviews vendor security and privacy requirements.

System Operations and Monitoring Activities

Briza performs control self-assessments periodically to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings. Penetration testing is performed periodically; a remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs. Vulnerability scans are performed periodically on all external-facing and internal-facing systems, and the vulnerabilities are tracked to remediation. Infrastructure monitoring tools are utilized to monitor systems, infrastructure and performance. We utilize log management tools to identify events that may have a potential impact on the company's ability to achieve its security objectives. An intrusion detection system is deployed to provide continuous monitoring of the company's network and systems and early detection of potential security breaches.

Access Controls

Access to in-scope system components is based on job role and function. Our access control enforcement is as granular as possible, granting only the least privilege needed to perform the action and preventing unauthorized access to data and services. Single sign-on and account provisioning automation are leveraged extensively. We perform periodic access reviews of privileged access to identified critical systems. Access requests are documented and approved by system owners and managers.

Change Management

Changes to the software and infrastructure components of the service are documented, tested, reviewed and approved prior to being deployed to the production environment. We have documented a system development life-cycle (SDLC) methodology, which provides guidance on deploying services to the production environment. Test, Sandbox and Production environments are isolated from each other; changes are deployed sequentially, tested first in the test environment and then in the sandbox environment before being deployed to the production environment.

Cryptographic Controls

We use secure vaults and related services such as Ansible Vault, 1Password and AWS KMS to manage the life-cycle of secrets such as passwords, API keys, access keys and SSH keys. We employ industry-standard encryption algorithms. With Google Workspace as the identity provider for employees, we leverage multi-factor authentication (MFA), single sign-on (SSO) and automated provisioning of accounts in third-party services.

Security Incident Management

Briza has implemented security monitoring and detection tools, and a process that enables us to watch for anomalies and protect the services against attacks. In the event of a security breach, we will promptly notify impacted users of any actual or suspected unauthorized access to their systems and data.

Business Continuity

We take a proactive approach to identifying potential single points of failure in people, processes, infrastructure and services, and continuously evolve mechanisms to minimize them. Our services hosted in the AWS cloud are highly available and scale automatically. Databases and infrastructure state are automatically backed up.

If you believe you've discovered a potential vulnerability, please let us know by emailing us at security@briza.com. We will acknowledge your email within one week. Researchers who wish to report a possible security issue may request our PGP public key by sending an email to security@briza.com.