We voluntarily adopt the same information security standards as our customers. We have designed our information security and cybersecurity controls based on FFIEC IT Booklets and on various industry guidelines.
Our IT and Information Security personnel, besides supporting our internal needs, also work as auditors, pen testers, and consultants for our clients. This allows us to keep up with the latest industry trends in data security and the deployment of technology, and to apply them to our own environment.
We use industry-standard data-at-rest and data-in-motion encryption on all storage devices, whether cloud-based storage or physical devices (e.g., laptops). We use Box Enterprise as a primary means to exchange documents securely with our clients. In addition to performing ongoing monitoring of Box per FFIEC guidance, we have also hardened the platform and created various processes to protect our clients' data. We have an infographic outlining these controls that we can share with you.
An in-house security team pen tests our own environment annually, using the same industry and regulatory standards that we apply to our clients. That pen test report is available for our clients to review as part of their ongoing due diligence and monitoring process.
In addition, both the IT and information security team members use various risk assessment tools and methodologies to constantly assess and reassess our controls. This helps our organization to continuously improve our security posture. We take the protection of information very seriously.