+ Last Updated: September 15, 2020
Tcom Solutions is committed to taking our customers security and privacy concerns seriously and makes it a priority. We strive to implement and maintain security processes, procedures, standards, and take all reasonable care to prevent unauthorized access our customer data. We apply appropriate administrative, operational, and technical security controls to help ensure that our customer data is handled and processed in a responsible and secure manner.
This Security Statement is aimed at providing you with more information about our security infrastructure and practices. Our privacy notice contains more information on how we handle data that we collect.
Reporting a Security Vulnerability
Tcom Solutions reviews all reports of security vulnerabilities submitted to it affecting Tcom Solutions products and services. To report a vulnerability in one of our products or solutions or a vulnerability in one of our corporate websites, please contact our Secure Cyber Shield Incident Response Team (SCSIRT) at SCSIRT@TcomSolutions.com.
Information Security Policy
Tcom Solutions maintains a written Information Security policy that defines employee responsibilities and acceptable use of information system resources. The organization receives signed acknowledgement from users indicating that they have read, understand, and agree to abide by the rules of behavior, before providing authorized access to Tcom Solutions information systems. This policy is periodically reviewed and updated, as necessary.
Our security policies cover a wide array of security related topics ranging from general standards with which every employee must comply, such as account, data, and physical security, to more specialized security standards covering internal applications and information systems.
Information security roles and responsibilities are defined within the organization. The security team focuses on information security, global security auditing and compliance, as well as defining the security controls for protection of Tcom Solutions hardware infrastructure.
The security team receives information system security notifications on a regular basis and distributes security alert and advisory information to the organization on a routine basis after assessing the risk and impact as appropriate.
Tcom Solutions follows the NIST Cybersecurity Framework with layered security controls to help identify, prevent, detect, and respond to security incidents. Tcom Solutions also implements our Secure Cyber Shield solution & is Secure Cyber Shield Platinum Certified company. The information security manager is also responsible for tracking incidents, vulnerability assessments, threat mitigation, and risk management.
Tcom Solutions’ data and information system assets are comprised of customer and end-user assets as well as corporate assets. These asset types are managed under our security policies and procedures. Tcom Solutions authorized personnel who handle these assets are required to comply with the procedures and guidelines defined by Tcom Solutions security policies.
Tcom Solutions employees are required to conduct themselves in a manner consistent with the company’s guidelines, including those regarding confidentiality, business ethics, appropriate usage, and professional standards. All newly hired employees are required to sign confidentiality agreements and to acknowledge the Tcom Solutions code of conduct policy. The code outlines the company’s expectation that every employee will conduct business lawfully, ethically, with integrity, and with respect for each other and the company’s users, partners, and competitors. Processes and procedures are in place to address employees who are on-boarded and off-boarded from the company.
Employees are provided with security training as part of new hire orientation. In addition, each Tcom Solutions employee is required to read, understand, and take a training course on the company’s code of conduct.
Physical and Environmental Security
Tcom Solutions has policies, procedures, and infrastructure to handle both physical security of its data centers as well as the environment from which the data centers operate.
Our information systems and infrastructure are hosted in world-class data centers that are geographically dispersed to provide high availability and redundancy to Tcom Solutions and its customers. The standard physical security controls implemented at each data center include electronic card access control systems, fire alarm and suppression systems, interior and exterior cameras, and security guards. Physical access is centrally managed and strictly controlled by data center personnel. All visitors and contractors are required to present identification, are required to log in, and be escorted by authorized staff through the data center.
Access to areas where systems, or system components, are installed or stored are segregated from general office and public areas. The cameras and alarms for each of these areas are centrally monitored 24×7 for suspicious activity, and the facilities are routinely patrolled by security guards. Servers have redundant internal and external power supplies. Data centers have backup power supplies and can draw power from diesel generators and backup batteries. These data centers have completed a Service Organization Controls (SOC) 2 Type II audit and are SSAE16 accredited.
Tcom Solutions maintains a change management process to ensure that all changes made to the production environment are applied in a deliberate manner. Changes to information systems, network devices, and other system components, and physical and environment changes are monitored and controlled through a formal change control process. Changes are reviewed, approved, tested and monitored post-implementation to ensure that the expected changes are operating as intended.
Supplier and Vendor Relationships
Tcom Solutions` likes to partner with suppliers and vendors that operate with the same or similar values around lawfulness, ethics, and integrity that Tcom Solutions` does. As part of its review process, we screen our suppliers and vendors and bind them to appropriate confidentiality and security obligations, especially if they manage customer data.
Antivirus and Malware Protection
Antivirus and malicious code protection are centrally managed and configured to retrieve the updated signatures and definitions available. Malicious code protection policies automatically apply updates to these protection mechanisms. Anti-virus tools are configured to run scans, virus detection, real-time file write activity and signature file updates. Laptop and remote users are covered under virus protection.
Tcom Solutions has backup standards and guidelines and associated procedures for performing backup and restoration of data in a scheduled and timely manner on critical production systems.
Firewalls are utilized to help restrict access to systems from external networks and between systems internally.
Our next generation firewalls (NGFWs) provide adequate network segmentation through the establishment of security zones that control the flow of network traffic. These traffic flows are defined by firewall security policies.
Tcom Solutions continually works to develop products that support the latest recommended secure cipher suites and protocols to encrypt traffic while in transit.
Security assessments are done to identify vulnerabilities and to determine the effectiveness of the patch management program. Each vulnerability is reviewed to determine if it is applicable, ranked based on risk, and assigned to the appropriate team for remediation.
Tcom Solutions strives to apply the latest security patches and updates to operating systems, applications, and network infrastructure to mitigate exposure to vulnerabilities. Patch management processes are in place to implement security patch updates as they are released by vendors. Patches are tested prior to being deployed into production.
Secure Network Connections
HTTPS encryption is configured for customer web application access. This helps to ensure that user data in transit is safe, secure, and available only to intended recipients. The level of encryption is negotiated to either SSL or TLS encryption and is dependent on what the web browser can support.
Role Based Access
Role based access controls are implemented for access to information systems. Processes and procedures are in place to address employees who are voluntarily or involuntarily terminated. Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know / least privilege necessary basis. Access control lists define the behavior of any user within our information systems, and security policies limit them to authorized behaviors.
Authentication and Authorization
We require that authorized users be provisioned with unique account IDs. Our password policy covers all applicable information systems, applications, and databases. Password best practices enforce the use of complex passwords in all critical production systems. Employees are trained to enable and use 2FA/MFA in all scenarios where the use of that feature is possible.
Tcom Solutions employees are granted a limited set of default permissions to access company resources, such as their email, and the corporate intranet. Employees are granted access to certain additional resources based on their specific job function. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives, as defined by our security guidelines.
Tcom Solutions has a formalized incident response plan (Incident Response Plan) and associated procedures in case of an information security incident. The Incident Response Plan defines the responsibilities of key personnel and identifies processes and procedures for notification. Incident response personnel are trained, and execution of the incident response plan is tested periodically.
An incident response team is responsible for providing an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
We apply a common set of personal data management principles to customer data that we may process, handle, and store. We protect personal data using appropriate physical, technical, and organizational security measures.
We give additional attention and care to sensitive personal data and respect local laws and customs, where applicable.