Fyllo Data Security

Last update on July 26, 2023


Fyllo has adopted and deployed industry standard security controls relating to the confidentiality, integrity and availability of information leveraging the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) to manage and prioritize cybersecurity risk.  Fyllo has a dedicated security team focused on ensuring all relevant security controls and subsequent policies are effectively implemented. Fyllo follows a Defense-in-Depth model for implementing security that consists of a combination of industry-accepted administrative, physical and technical security controls at the organization, system and network layers. The Information Security Program maintains a long-term strategy that is documented and approved by senior leadership.

The following summary details Fyllo’s security controls:

  • Remote access to information systems is provided through an industry recognized Virtual Private Network (VPN) and requires Multi-Factor Authentication (MFA) where technically feasible.
  • Application development pipelines leverage best practices with regards to continuous vulnerability scanning using industry recognized vulnerability scanning technology.
  • Web Application Penetration Testing is conducted at least annually by an independent third party. All identified vulnerabilities are tracked and remediated within the organization's service level agreement (SLA) timeframes.
  • Industry recognized Endpoint Detection & Response (EDR) is deployed on all endpoints where technically feasible and monitored 24/7/365 by an independent third party.
  • An Incident Response Plan is implemented and socialized across the organization.
  • Advanced email threat detection is deployed and configured in line with industry best practices, including DMARC/DKIM, malware blocking and removal, and email quarantining where applicable.
  • Threat intelligence monitoring is performed by an independent third party and shared with the relevant organizational teams as needed. This includes, but is not limited to, monitoring of dark web activity, anomalous activity and compromised email accounts.
  • Access to secure areas is restricted to authorized personnel and/or visitors for approved purposes only.
  • Software platforms hosting organizational data are continuously scanned by an Identity and Access Management (IAM) scanning platform, which reports its findings. Findings are reviewed continuously and addressed as needed.
  • Access is provided based on an individual's specific job assignment(s) or responsibilities. Requests for access are approved by pertinent stakeholders and we revoke access privileges of terminated employees as part of the termination process.
  • User accounts are managed centrally under our account management procedures.
  • User ID creation or deletion requests submitted by authorized persons or entities are actioned by our ID provisioning team. All members of our staff are assigned a unique login ID.
  • Passwords must comply with our security standards, which set requirements for length, complexity, age, history and other factors. User-level passwords must be at least 12 characters long and composed from at least two of the character classes defined in those standards.
  • Access to all applications, both internal and external, privileged and unprivileged, is reviewed on a quarterly basis.
  • Single Sign On (SSO) is leveraged where technically feasible using organizationally approved and adopted technology.
  • An enterprise adopted information security policy is in place.  The information security policy is tailored to incorporate relevant security controls recommended within the NIST CSF.  This policy is periodically audited to ensure implementation and relevance against existing best practices. In addition, a process exists to document and review any security policy exceptions.
  • Employees are required to take cybersecurity training upon initial hire and annually thereafter.  In addition, Fyllo leverages an industry recognized software platform to conduct monthly phishing training that is required by all employees.
  • Fyllo holds an active cybersecurity insurance policy from a reputable third party insurance provider.
  • Disaster Recovery plans are implemented and tested at least annually to ensure effectiveness in the event of an incident.
  • Backups are conducted daily, onsite and offsite to ensure proper redundancy in the event of an incident.
  • Data in transit is protected with industry recognized encryption technology.
  • Data at rest on mobile endpoints is protected with industry recognized encryption technology.
  • An asset management program is in place to manage the allocation and ownership of assets. Employees are required to return company assets upon termination of employment.
  • Information classification and handling guidelines address information handling requirements.
  • Third party vendors with data or system access undergo a risk assessment using an internally developed process that measures the vendor's risk against the NIST CSF. In addition, third party hosting providers with inherited controls, such as physical security of the infrastructure hosting Fyllo data, are reviewed periodically for effectiveness.
  • NIST Controls are reviewed quarterly to monitor effectiveness.  In addition, the state of the security program is reviewed on a monthly basis with key stakeholders across all disciplines in the company.
  • SOC 2 Type I: Fyllo currently holds a SOC 2 Type I attestation report issued by an independent third party audit firm.