Globality has comprehensive security measures in place to ensure the complete privacy and protection of our customers’ data. Our security systems are compatible with ISO27001 and regularly assessed by independent auditors. We are currently in the process of obtaining our official ISO27001 certification.
Policies and standards
Globality protects the data of our clients and service providers through comprehensive data privacy and security practices. Our business code of conduct dictates legal, ethical and socially responsible choices. We also maintain a set of policies, standards and procedures for all employees and contractors using Globality’s IT Systems.
Our security policy covers:
- Change control
- Acceptable use of our information systems
- Incident report procedures
- Disaster recovery
- Business continuity plans
- Mandatory security training for all employees
- Use of encryption
- Strong password policies
- Data classification
- Ethical and legal standards for business conduct
- Regular security audits, vulnerability assessments and penetration tests
All our policies are under continuous review – they evolve as we evolve, and are regularly updated to maintain pace with our IT systems.
Data Disclosure Requests
Globality strictly adheres to the company’s Data Disclosure Policy and we will never disclose any data contained in our information systems and databases, except to the original owners of that information or as required by law.
Globality has strict practices in place for all Globality employees and independent contractors — those with direct access to Globality’s IT systems or access to any of Globality’s offices.
Each new employee or contractor must sign confidentiality and non-disclosure agreements, pass background and drug testing, and participate in regular security training sessions. This training covers topics including device security, data privacy, social engineering, incident reporting, acceptable use policy and computer ethics.
We maintain an industry-leading user entitlement system that immediately and automatically de-provisions and blocks terminated employees from all our IT systems. Our security policies are periodically published and distributed.
Periodic security and privacy training
All employees are required to take annual refresher courses on IT security policies and practices. Employees with advanced or classified system privileges and security clearance receive specific additional training and certifications. All employees are obligated to report any security issues or infractions to Globality’s Security officer. We strictly enforce all security policies with zero tolerance for data, security or privacy violations.
Dedicated security professionals
Globality has a dedicated Information Security Management team responsible for:
- Product Security
- Security Operations
- Incident Response
- Risk and Compliance
Audits, compliance and third-party assessments
Globality maintains multiple channels to continuously test and improve its security program.
As part of its security certification process, Globality annually engages independent auditors to ensure all IT Systems and security practices conform to Globality’s security policies as well as industry standards.
Globality annually conducts comprehensive penetration tests with independent security companies. Tests are executed against the Globality infrastructure, corporate office IT systems and all customer-facing applications. Globality’s IT management team carefully reviews the test results, and the Globality Security Team prioritizes product and infrastructure updates to address any issues or vulnerabilities found. Customers who would prefer to conduct their own independent penetration tests or audits are invited to contact Globality Technical Support to set it up.
Designed for security
Secure Development Lifecycle
An integral part of each engineering project at Globality is a detailed security evaluation by the Risk management and Engineering teams. Security implications of changes to code and infrastructure are considered and assessed per Globality’s SDL policies. The teams produce a set of recommendations that must be met before any feature or specific product is released to Production. In order to detect potential vulnerabilities early on, Globality also makes use of multiple automated security tools to continuously scan its development and testing environments.
Globality applies strict change control processes to all production systems, including multiple automated and manual code tests on multiple environments. These procedures ensure that any changes that potentially impact customer data and data security are documented and approved before deployment.
Detection of malicious code
When engineers are ready to submit new code to our repositories, they must get their submission reviewed by at least one other engineer before it can be merged in. This eliminates the possibility of introducing malicious code into Globality’s products.
Globality uses custom, pre-built images to create all its server instances. These images have been carefully constructed and configured to eliminate any unnecessary applications and services. All the required security patches are routinely applied to ensure all images remain current.
Globality uses a set of automated tools to construct, configure and populate its entire stack. These are restricted via individual session keys, to be used by authorized personnel only.
Contractors and third parties
Whenever we use third parties or contractors, Globality ensures they follow at least the same strict guidelines and policies implemented by Globality. Contractors and third parties never have any access to Production customer data — this is reserved for a handful of Globality employees.
Secure customer data
Globality’s security program focuses on preventing unauthorized access to our customers’ data. Our Engineering and Security teams are always at work to ensure that Globality’s applications and infrastructure are secure and up-to-date with current industry practices.
Data encryption at rest and in transit
Globality’s data infrastructure is hosted in data centers maintained by industry-leading cloud service providers. This ensures state-of-the-art physical protection for Globality’s operating environment of servers, databases and networking infrastructure. Individual security compliance reports for these service providers are available upon request.
Globality encrypts all customer data through encryption keys that are inaccessible to anyone except select employees who manage our Production systems. We use FIPS 140-2 compliant encryption standards and a minimum of 2048 bits for all encryption keys, which are delivered to processes at boot time, never written to any files, and retained in memory only while in use. Customer data is segregated and access is controlled at the specific URL and API call level using a combination of authentication, authorization and entitlement mechanisms.
Any data transferred between Globality customers and Globality’s applications over the internet uses industry-standard encryption. Globality uses the latest secure cipher algorithms to encrypt all traffic in transit, such as the TLS 1.2 protocol, AES256 encryption and SHA2 signatures (depending on individual client support). Globality implements new encryption technologies as they become available, while maintaining compatibility with older standards (Globality does not support SSL3.0 or TLS1.0).
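As an added illustration (not Globality's own code), the following shows how a client could pin the transit policy stated above, TLS 1.2 or newer with AES-256 and SHA-2 suites and nothing older than TLS 1.2 accepted, using Python's standard ssl module, and check an arbitrary context against that policy. The specific OpenSSL suite names are an assumed choice that satisfies the stated policy, not a list taken from the page.

```python
import ssl

# Transit policy as stated: TLS 1.2 minimum (SSLv3, TLS 1.0 and 1.1 refused).
MIN_VERSION = ssl.TLSVersion.TLSv1_2
# Assumed TLS 1.2 suite list meeting "AES256 encryption and SHA2 signatures".
ALLOWED_SUITES = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"


def build_transit_context(cipher_list: str = ALLOWED_SUITES) -> ssl.SSLContext:
    """Client context enforcing the stated transit policy (cipher_list is parameterised for testing)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = MIN_VERSION  # rejects SSLv3 / TLS 1.0 / TLS 1.1 at handshake time
    ctx.set_ciphers(cipher_list)       # governs TLS 1.2 suites; TLS 1.3 suites are fixed by the protocol
    return ctx


def policy_violations(ctx: ssl.SSLContext) -> list:
    """Return reasons why ctx falls short of the stated policy; an empty list means compliant."""
    problems = []
    if ctx.minimum_version < MIN_VERSION:
        problems.append("minimum protocol version below TLS 1.2")
    for suite in ctx.get_ciphers():
        if suite["protocol"] != "TLSv1.2":
            continue  # TLS 1.3 suites are all AEAD with SHA-2 digests by definition
        name = suite["name"]
        if "AES256" not in name:
            problems.append(f"{name}: cipher is not AES-256")
        if not name.endswith(("SHA256", "SHA384")):
            problems.append(f"{name}: digest is not SHA-2")
    return problems


if __name__ == "__main__":
    print("compliant context:", policy_violations(build_transit_context()))
    print("AES-128 context:", policy_violations(build_transit_context("ECDHE-RSA-AES128-GCM-SHA256")))
```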
Globality’s IT systems are segregated by role and functionality. We maintain multiple identical, separate environments for development, testing and production. For security reasons, each environment operates in a silo, where components in the silo have access only to their neighbors. For example, our data layer is only accessible to the services that control and handle data, but never to our web servers, application servers or network infrastructure. Access to the Production infrastructure is highly controlled and monitored, limited only to select individuals who are specifically trained and authorized.
The only part of the Globality platform that is publicly accessible over the internet is our front-end web application firewalls, which protect our load balancers and actual Web servers. We restrict public access based on layer-3 security (network ACLs, port control) and layer-7 security (application-level).
Globality protects its information systems from DDoS attacks using a combination of application-level performance adjustment mechanisms and infrastructure-embedded technologies that are developed and maintained directly by the cloud service provider where those systems are hosted.
Network-based and host-based intrusion detection systems are deployed throughout the infrastructure and on the relevant instances and components. These are configured to alert security personnel about any irregular use at the network or application layers.
Globality classifies all data through a system that determines the appropriate handling, encryption, backup, recovery, incident response and auditing/monitoring levels. Customer data of any kind is always classified at the highest level, regardless of the data type.
Globality restricts and monitors the flow of customer-classified data from the databases on which it is stored and ensures data cannot leak from the Production environment to any of the other environments.
Globality strictly adheres to the principle of least privilege — employees are only authorized to access data and systems that are necessary for them to perform their job duties. To ensure that users are properly restricted, Globality enforces the following:
- All systems used by Globality employ authentication mechanisms that require unique user IDs. Logon/logout activities are monitored and audited quarterly.
- All entitlements to IT systems are managed in a central entitlement, authentication and authorization system. This is audited quarterly to ensure the user still requires the provisioned access.
- User onboarding and termination are highly controlled and supervised by using automated mechanisms to ensure users are provisioned only the systems they require, and are immediately de-provisioned from all systems upon termination.
- Any requests for access above the default authorized systems (such as the corporate messaging service) require an approval process that includes at least one technical reviewer and one executive reviewer.
Globality’s Authentication and Entitlement system enforces two-factor authentication requirements for any user accessing an IT system remotely. Administrative access requires multi-factor authentication and access to production systems requires a physical hardware token that is kept locked in a dedicated safe.
Strong password policies (at least 12 characters long, no dictionary words, etc.) are combined with Single Sign-On and password management facilities. When accessing Production system instances, administrators must use an SSH key and are also restricted via network ACLs.
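As an added example (not Globality's own code), here is a checker for the stated password rules: at least 12 characters and no dictionary words. The tiny word list is constructed for the demo, and the leetspeak normalisation before the dictionary check is an assumed extra so that substitutions like "P@ssw0rd" do not slip past the rule.

```python
import re

MIN_LENGTH = 12
# Constructed stand-in for a full dictionary; a deployment would load a real word list.
DICTIONARY = {"password", "welcome", "summer", "globality", "admin", "secret", "letmein"}
# Assumed: undo common symbol/digit-for-letter substitutions before the dictionary check.
LEET = str.maketrans("@$0134!", "asoleai")


def check_password(candidate: str) -> list:
    """Return the policy rules the candidate violates; an empty list means it passes."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    normalized = candidate.lower().translate(LEET)
    # Inspect every alphabetic run of 4+ letters so "Welcome2024!!" is caught,
    # not only passwords that are exactly a dictionary word.
    seen = set()
    for run in re.findall(r"[a-z]{4,}", normalized):
        for word in sorted(DICTIONARY):
            if word in run and word not in seen:
                seen.add(word)
                failures.append(f"contains dictionary word '{word}'")
    return failures


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Welcome2024!!", "xk7#Qp2!mzL9vT"):
        print(pw, "->", check_password(pw) or "OK")
```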
System monitoring, logging and alerting
Globality monitors servers, workstations and mobile devices to obtain a comprehensive security status on its Production and Corporate networks.
We log all instances of administrative access, use of privileged commands and system calls on our Production systems. Production logs and alerts are collected and stored on a system separate from all other development and test environments. These are retained for a minimum period of 1 year and regularly reviewed to anticipate any potential issues before they occur.
All Globality endpoints are fitted with anti-virus, anti-malware and local firewalls. Endpoints report their status to a central server monitored by security administrators.
All workstations issued to employees are pre-configured by Globality to comply with our strict security policies and standards. These workstations are pre-installed with anti-malware and anti-virus, regularly run monitoring software and have encrypted hard drives. Employees do not have administrative access to their workstations. All USB ports are disabled for portable storage (such as USB flash drives) and Globality does not provide workstations with CD/DVD drives.
Globality’s remote endpoint management system continuously monitors all workstations and alerts the security team about any potential security breaches or non-compliance.
Mobile device management
Mobile devices used to conduct company business are installed with an MDM monitoring agent that ensures compliance with Globality’s mobile device policy, and immediately blocks access to company resources and data systems if there is a violation. Globality requires mobile devices to be encrypted, have a screen saver PIN and lock after one minute of inactivity. The security team is immediately notified by the central MDM server about any potential security breaches or non-compliance.
Responding to security incidents
Globality has an established Incident Response Procedure, managed by a designated Incident report team. If an incident occurs, a member of the executive team is informed of all developments until the matter has been fully resolved. This procedure is tested and updated at least once a year.
Globality is committed to protecting our customers’ privacy. Any disposed paper material is kept locked in a secure location and professionally destroyed, periodically. Data drives are automatically scrubbed by our hosting provider before they are re-purposed. Hard drives inside employee workstations are physically and permanently destroyed at the end of their useful lives.
Globality implements cutting-edge technology to store and protect secrets, such as keys and certificates. Access to secrets is controlled by user entitlement, logged and monitored.
Disaster recovery and business continuity
Globality maintains continuous access to data centers in multiple geographical locations, including the East and West coasts of the U.S., Japan and Europe. Since we rely exclusively on automated deployments and configurations, in case of emergency we are able to quickly re-deploy our entire infrastructure into a different data center. This means there is virtually no downtime, even in case of a catastrophic disaster in our main data center. Data backups (performed daily) are encrypted and securely stored in multiple data centers. Our static resources are all stored on CDNs, so they are always available from multiple locations.