
PROTECTING & SECURING THE RISKSENSE PLATFORM

THE RISKSENSE PLATFORM The RiskSense® Platform transforms cyber risk management into a more pro-active, collaborative, and real-time discipline. The platform embodies the expertise and deep knowledge RiskSense has gained from defending critical networks against the world’s most dangerous cyber adversaries. The award-winning platform is delivered as a Software-as-a-Service (SaaS) solution and as such RiskSense is committed to protecting and securing not only the underlying cloud infrastructure, but more importantly the data our customers access, store, and process. RiskSense maintains appropriate administrative, technical, and physical procedures to safeguard and secure the RiskSense Platform, infrastructure, and associated customer data. RiskSense is aware of laws and best practices governing customer data and implements effective controls to ensure appropriate processing and protection.

www.RiskSense.com

RiskSense Platform Security - TECHNOLOGY BRIEF

[Cover figure: SaaS PLATFORM architecture diagram. Components: Smart Connector Framework, Ticketing System, Reconciliation Engine, Correlation Engine, Workflow Engine, Business Intelligence / Visualization Engine, Contextualization Engine, Risk Analysis Engine. Inputs: External Threat Information, Internal Security Intelligence, Business Criticality.]

• Hardened Security Infrastructure
• Scales to 1,000,000+ Assets
• Enables Large Number of Concurrent Users
• Superior Time-to-Value


CLOUD INFRASTRUCTURE AND COMPLIANCE

To deliver its pro-active cyber risk management software platform, RiskSense has partnered with the world-leading hosting service provider, Amazon Web Services (AWS). The RiskSense Platform is hosted in AWS GovCloud (US), an isolated AWS Region designed to fulfill the most stringent regulatory and compliance requirements of U.S. government agencies and security-conscious clients. AWS GovCloud (US) is compliant with the U.S. International Traffic in Arms Regulations (ITAR) and the Federal Risk and Authorization Management Program (FedRAMP). Furthermore, AWS GovCloud (US) has received an Agency Authorization to Operate (ATO) from the U.S. Department of Health and Human Services (HHS), which used a FedRAMP-accredited Third-Party Assessment Organization (3PAO) to assess several AWS services. The AWS GovCloud (US) Region provides the same fault-tolerant design as other regions, with two availability zones. In addition, Amazon Virtual Private Cloud (VPC) is mandatory in the AWS GovCloud (US) Region by default: it creates an isolated portion of the AWS Cloud in which Amazon EC2 instances are launched with private (RFC 1918) addresses. More information about AWS GovCloud (US) is available on the AWS website: http://aws.amazon.com/govcloud-us/

The AWS cloud infrastructure has been designed and managed in alignment with regulations, standards and best practices including:

• HIPAA
• SOC 1 / SSAE 16 / ISAE 3402 (formerly SAS 70)
• SOC 2
• SOC 3
• PCI DSS Level 1
• ISO 27001
• FedRAMP
• DIACAP and FISMA
• ITAR
• FIPS 140-2
• CSA
• MPAA

Upon request, RiskSense can make AWS GovCloud (US) compliance reports and certifications (e.g., SOC 1, SOC 2, FedRAMP) available to customers and / or prospects. To gain access to these reports, you would have to sign a mutual non-disclosure agreement with AWS, as these reports are considered confidential information.

CLOUD INFRASTRUCTURE SECURITY

The RiskSense Platform resides behind network-based, redundant, highly available firewalls and intrusion monitoring solutions. In addition, AWS GovCloud (US) has effective controls in place to protect against physical penetration by malicious or unauthorized people.

Server access is limited to RiskSense DevOps Team members, and access control is enforced with two-factor authentication. Data is encrypted at the disk level so that system administrators do not have access to the data itself. DBAs are restricted to maintenance and tuning tasks only, to limit their access.

APPLICATION SECURITY

RiskSense utilizes some of the most advanced technology for Internet security available today. When you access the application using a RiskSense-supported browser, Transport Layer Security (TLS) technology protects your information using both server authentication and classic encryption, ensuring that your data is safe, secure, and available only to registered users in your organization. In addition, the RiskSense Penetration Test Team oversees the security of the software platform.

TRANSFORMING CYBER RISK MANAGEMENT


Access Controls

RiskSense ensures that authentication and authorization controls are appropriately robust for the risk to the data, application, and platform. The RiskSense Platform is accessible only over encrypted SSL / TLS channels, and it requires users to log in with two-factor authentication. The RiskSense Platform uses a Role-Based Access Control (RBAC) policy with two pre-defined user roles and two manager roles, which ensures each user is assigned the minimum required privileges. In addition, users can be assigned to specific groups in conjunction with their role to restrict access to assets and Web applications.

Password Policies

The RiskSense Platform enforces a strong password policy for all active user accounts. The policy includes, but is not limited to:

• The user is provided with a one-time password when the account is created. Subsequently, the user must pick a new password before s/he can log in to the platform.
• The password must contain at least 8 characters, an uppercase letter, a number, and a special character.
• The password can be configured to expire after one week to a maximum of 16 weeks.
• Passwords are stored using a one-way hash.
• The user will be locked out after 10 unsuccessful authentication attempts, and an IP address will be blocked after 1,000 unsuccessful attempts within a defined time range. This can be configured by an administrator.
• The user is not allowed to use the prior password when changing or resetting her / his password.
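The password-policy bullets above describe rules that an authentication service can enforce directly. The following is an added illustration written for this page, not RiskSense's code: it applies the stated complexity, no-reuse, expiry, per-account lockout (10 attempts) and per-IP block (1,000 attempts within a window) rules. The one-hour block window, the PBKDF2-HMAC-SHA256 hashing parameters, the status strings and the `AuthService` / `Account` names are assumptions; the brief only says that passwords use a one-way hash and that the window is administrator-defined.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

WEEK_SECONDS = 7 * 24 * 3600


def check_complexity(password: str) -> list:
    """Return the policy rules the candidate violates (empty list = compliant)."""
    problems = []
    if len(password) < 8:
        problems.append("at least 8 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("an uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("a number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("a special character")
    return problems


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes                 # one-way hash of the password, never the password itself
    must_change: bool = True      # accounts start with a one-time password
    failed_attempts: int = 0
    locked: bool = False
    expiry_weeks: int = 12        # administrator-configurable, 1 to 16 weeks
    password_set_at: float = 0.0  # epoch seconds


@dataclass
class AuthService:
    # Attempt thresholds are the ones stated in the brief; the window length and the
    # PBKDF2-HMAC-SHA256 parameters are assumptions made for this illustration.
    lockout_attempts: int = 10
    ip_block_attempts: int = 1000
    ip_block_window: float = 3600.0
    pbkdf2_iterations: int = 600_000   # lowered only in tests to keep them fast
    accounts: dict = field(default_factory=dict)
    ip_failures: dict = field(default_factory=dict)   # ip -> timestamps of failed attempts

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.pbkdf2_iterations)

    def _matches(self, acct: Account, password: str) -> bool:
        return hmac.compare_digest(self._hash(password, acct.salt), acct.digest)

    def create_account(self, username, one_time_password, now, expiry_weeks=12):
        if not 1 <= expiry_weeks <= 16:
            raise ValueError("expiry must be between 1 and 16 weeks")
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, self._hash(one_time_password, salt),
                                          expiry_weeks=expiry_weeks, password_set_at=now)

    def set_password(self, username, new_password, now):
        """Apply the complexity and no-reuse rules; return violations (empty on success)."""
        acct = self.accounts[username]
        problems = check_complexity(new_password)
        if self._matches(acct, new_password):
            problems.append("must differ from the prior password")
        if problems:
            return problems
        acct.salt = os.urandom(16)               # fresh salt on every change
        acct.digest = self._hash(new_password, acct.salt)
        acct.must_change = False
        acct.password_set_at = now
        acct.failed_attempts = 0
        return []

    def _ip_blocked(self, ip, now):
        # Keep only failures inside the sliding window, then compare against the threshold.
        recent = [t for t in self.ip_failures.get(ip, []) if now - t < self.ip_block_window]
        self.ip_failures[ip] = recent
        return len(recent) >= self.ip_block_attempts

    def login(self, username, password, ip, now):
        """Return one of: ip_blocked, locked, invalid, must_change_password, expired, ok."""
        if self._ip_blocked(ip, now):
            return "ip_blocked"
        acct = self.accounts.get(username)
        if acct is not None and acct.locked:
            return "locked"
        if acct is None or not self._matches(acct, password):
            self.ip_failures.setdefault(ip, []).append(now)
            if acct is not None:
                acct.failed_attempts += 1
                if acct.failed_attempts >= self.lockout_attempts:
                    acct.locked = True
            return "invalid"
        acct.failed_attempts = 0
        if acct.must_change:
            return "must_change_password"
        if now - acct.password_set_at > acct.expiry_weeks * WEEK_SECONDS:
            return "expired"
        return "ok"
```

Two points worth noting when reading the code: the IP counter is applied before the account is even looked up, so a distributed guess against many usernames from one address is still bounded, and the lockout check precedes the hash comparison so a locked account never burns CPU on further guesses. The unknown-username path skips the hash computation, which a production service would equalize with a dummy hash so that response timing does not reveal which usernames exist.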

Continuous Application Scanning and Monitoring

RiskSense continuously gathers and analyzes information regarding new and existing threats and vulnerabilities, actual attacks on its infrastructure or on others, and the effectiveness of the existing security controls. Monitoring controls include the related policies and procedures, virus and malicious code monitoring, intrusion detection, and event and state monitoring. Related logging processes provide an effective control for highlighting and investigating security events.

RiskSense performs regular network scans, application scans, and manual vulnerability assessments. Application scans are performed every quarter to identify OWASP Top 10 and Top 25 Programming Errors. Network scans are also performed on a quarterly basis. Security events are logged to log files, monitored by the appropriate individuals, and addressed with timely action that is documented and performed. Network components, workstations, applications, and monitoring tools are configured to monitor user activity.

Organizational responsibilities for responding to events are defined. Configuration checking tools (or other logs) are used to record critical system configuration changes. RiskSense monitors access rights to ensure access adheres to the least-privilege principle commensurate with the user's job responsibilities, logs all access and security events, and uses software that enables rapid analysis of user activities. Log file permissions prevent alteration, including by administrators. Retention schedules for the various logs are defined and adhered to.

When it comes to vulnerability management, RiskSense follows a well-defined process to remediate findings based on risk ratings. RiskSense performs platform updates on a weekly basis so that any security patches can be applied in a timely fashion. In case of critical vulnerabilities, RiskSense applies patches immediately.

To assure application stability and availability, the RiskSense Cloud Operations Team is notified of excessive network bandwidth utilization, performance falling below defined thresholds, a server crash, an application crash, etc., to ensure a timely response. RiskSense also uses load balancing for optimized resource utilization, maximized throughput, reduced latency, and fault-tolerant configurations.


DATA SECURITY

Data Segregation

RiskSense protects your organization's data from all other customer organizations by using a unique organization identifier, which is associated with each user's session. Once you log in to your organization, your subsequent requests are associated with your organization using this identifier. Stored data is kept in an encrypted format. RiskSense encrypts each user's data uniquely, so that only the user who created the data can access it.
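The organization identifier bound to each session, described above, together with the group assignments from the Access Controls section, is enforced in the data-access layer by never trusting a client-supplied record id on its own. The following added example (written for this page, not RiskSense's code) contrasts an unscoped lookup with one that appends the session's organization and group scope server-side. The SQLite schema, the asset rows, the `Session` object and the `AssetRepository` class are constructed for the illustration.

```python
import sqlite3
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    user: str
    org_id: str                         # organization identifier bound at login
    groups: Optional[frozenset] = None  # None = no group restriction within the org


# Constructed sample rows: (id, org_id, asset_group, hostname)
CONSTRUCTED_ASSETS = [
    (1, "org-a", "prod", "web01.a.example"),
    (2, "org-a", "lab", "lab01.a.example"),
    (3, "org-b", "prod", "web01.b.example"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE assets (id INTEGER PRIMARY KEY, org_id TEXT NOT NULL, "
        "asset_group TEXT NOT NULL, hostname TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO assets VALUES (?, ?, ?, ?)", CONSTRUCTED_ASSETS)
    conn.commit()
    return conn


class AssetRepository:
    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    def get_asset_unscoped(self, asset_id: int) -> Optional[str]:
        # Defective pattern: the client-supplied id is the only key, so a user who
        # guesses or enumerates ids can read rows belonging to another organization.
        row = self.conn.execute("SELECT hostname FROM assets WHERE id = ?", (asset_id,)).fetchone()
        return row[0] if row else None

    def get_asset(self, session: Session, asset_id: int) -> Optional[str]:
        # Correct pattern: the organization identifier comes from the server-side
        # session, never from the request, and is part of every lookup.
        row = self.conn.execute(
            "SELECT hostname FROM assets WHERE id = ? AND org_id = ?",
            (asset_id, session.org_id),
        ).fetchone()
        return row[0] if row else None

    def list_assets(self, session: Session) -> list:
        # Organization scope first; the group restriction narrows it further when set.
        sql = "SELECT hostname FROM assets WHERE org_id = ?"
        params = [session.org_id]
        if session.groups is not None:
            if not session.groups:
                return []
            placeholders = ", ".join("?" * len(session.groups))
            sql += f" AND asset_group IN ({placeholders})"
            params.extend(sorted(session.groups))
        rows = self.conn.execute(sql + " ORDER BY id", params).fetchall()
        return [r[0] for r in rows]
```

A cross-tenant request against the scoped lookup simply returns no row, which is the behaviour to test for in a multi-tenant service: the repository layer, not the caller, is where the organization filter lives, so a forgotten check in one handler cannot expose another customer's data.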

Data Encryption

Customer data within the RiskSense Platform application is encrypted at all times, both in transit and at rest. Data at rest is secured through database encryption and file system encryption using the AES-256 algorithm. Data in transit is encrypted using TLS v1.2. All data files (e.g., uploaded scanner reports) are stored on an encrypted drive with restricted access. Key management for the above-mentioned encryption solutions is handled by AWS GovCloud (US).

Geolocation Locking

For customers that have procured a dedicated cloud instance of the RiskSense Platform, the application can be geolocation-locked to specific geographic locations or a range of IP addresses. Within the RiskSense Platform infrastructure, communication is restricted via firewall access control lists (ACLs), using whitelisting of applications and machines.

DATA BACKUP

RiskSense performs incremental data backups at five-minute intervals, retaining the data for the last 72 hours. Customer data is stored on AWS GovCloud (US) and encrypted by default. A full data backup is performed daily and retained for seven days.

DS_RiskSense_RSPSec_0716 © RiskSense, Inc. All rights reserved. RiskSense and the RiskSense logo are registered trademarks of RiskSense, Inc.

ABOUT RISKSENSE

RiskSense, Inc. is the pioneer and market leader in pro-active cyber risk management. The company enables enterprises and governments to reveal cyber risk, quickly orchestrate remediation, and monitor the results. This is done by unifying and contextualizing internal security intelligence, external threat data, and business criticality across a growing attack surface. The company's Software-as-a-Service (SaaS) platform transforms cyber risk management into a more pro-active, collaborative, and real-time discipline. The RiskSense Platform™ embodies the expertise and intimate knowledge gained from real-world experience in defending critical networks from the world's most dangerous cyber adversaries. As part of a team that collaborated with the U.S. Department of Defense and U.S. Intelligence Community, RiskSense founders developed Computational Analysis of Cyber Terrorism against the U.S. (CACTUS), Support Vectors Intrusion Detection, Behavior Risk Analysis of Vicious Executables (BRAVE), and the Strike Team Program.

Contact Us Today to Learn More About RiskSense

RiskSense, Inc. | +1 844.234.RISK | +1 505.217.9422 | [email protected]