Information security management system ISO/IEC 27001:2013 and audit
The Yva.ai team is certified to the international information security management system standard ISO/IEC 27001:2013. The certificate attests that the information security management system (ISMS) covering the Yva.ai collaboration analytics platform and the company's internal information security processes conforms to the requirements of that standard within the certified scope.
Yva.ai applies a systematic approach to information security risk management.
The process is divided into the following stages:
- definition of the ISMS scope (the systems, data and processes covered),
- inventory of physical and logical information assets (servers, data stores, etc.),
- threat identification and risk assessment for each information asset,
- selection of security controls to treat the identified risks,
- treatment of the residual risks that remain after the controls are applied (acceptance, transfer or additional measures).
Yva.ai limits the impact of a successful attack by encrypting survey results, reports and other stored data with strong encryption.
Yva.ai audits its contractors regularly and imposes the same information security requirements on contractor employees as on its own staff.
Yva.ai mitigates malware and phishing threats: together with Sophos, it uses AI-based protection covering all staff and non-staff members.
The protection level of Yva.ai is assessed by an independent expert. Each year, Yva.ai undergoes an independent certification (surveillance) audit confirming that its ISMS continues to conform to the standard, covering client data processed both in the cloud and on-premise. Note that certification attests to the management system and its controls; it does not by itself guarantee that data cannot be accessed without authorization.
All information is stored and processed on the company's servers; data is never saved on the desktops of Yva's employees.
ISMS policies and processes
To ensure data security, Yva has implemented ISMS policies that regulate its information security processes, and ISMS activities are documented in logs and records. Yva screens and trains its staff, using Sophos Phish Threat for phishing simulations followed by an assessment of competencies. All Yva employees sign an NDA. Technical tools and systems for monitoring, control and data protection have been deployed; access is controlled and user actions are logged. Yva conducts regular audits of its information systems and processes, as well as external and internal penetration tests.
Yva's information security policies are developed in accordance with ISO/IEC 27001:2013. Yva's ISMS includes the following policies and documents:
- ISMS Policy,
- ISMS Scope,
- ISMS Roles and Responsibilities Procedure,
- ISMS Management,
- RACI Matrix,
- ISMS Information Security Risk Management Procedure,
- ISMS IT Infrastructure Management Procedure,
- ISMS Access Management Procedure,
- ISMS Credentials Usage Procedure,
- ISMS Information Security Incident Management Procedure,
- ISMS Business Continuity Procedure,
- ISMS Business Continuity Strategy,
- ISMS Information Handling Procedure,
- ISMS Audit Management Procedure,
- ISMS Secure Development Policy,
- ISMS Information Security User Manual,
- ISMS Statement of Applicability,
- Information Security Threat Model,
- Asset Inventory Report,
- Information Security Risk Assessment Report,
- Information Security Risk Treatment Plan,
- Physical Security Procedure.
Operational procedures and responsibilities
Within the ISMS, the following roles are assigned to the Company's employees to maintain compliance with security policies, procedures and standards across the organization:
- ISMS Owner,
- Data Protection Officer (DPO),
- IS Manager,
- IT Manager,
- Business Continuity Manager.
Data protection officer (DPO)
Yva.ai has an in-house Data Protection Officer (DPO), who:
- Is responsible for the company's compliance with personal data protection requirements.
- Informs and advises on obligations.
- Acts as a contact person for users, contractors, or regulatory authorities.
The DPO is also responsible for the procedures and documents that enable the ISMS. These establish the protection of the information assets of Yva.ai, Inc., its customers and partners, and maintain conditions under which information security risks are continuously monitored and kept at an acceptable level, confidential information is protected, and business processes run without interruption.
Human resource security
Yva's employees and contractors commit themselves to confidentiality and have signed a confidentiality agreement. Prior to hiring, all employees are subject to a background check. Logical access is granted on a need-to-know basis in line with the principle of least privilege: a user has only those privileges essential to perform their job, as defined in the access control policy. Access is managed using a role-based access control (RBAC) model.
Incident management plan
Yva.ai bases its breach notification procedure on GDPR Article 33. As the processor for its SaaS solution, Yva.ai notifies the tenant (the data controller) without undue delay after becoming aware of a personal data breach, as required by Art. 33(2); the controller remains responsible for notifying the supervisory authority within the 72-hour deadline of Art. 33(1).
Business continuity strategy
Yva.ai maintains a Business Continuity Strategy that defines the general approach to ensuring the continuity of the main business processes within the scope of the information security management system of Yva.ai, Inc. This documentation specifies the Recovery Point Objective (RPO, the maximum tolerable data loss) and the Recovery Time Objective (RTO, the maximum tolerable downtime) for each process.
Yva.ai uses Azure Sentinel to aggregate and correlate internal and external security events from different sources for the SaaS solution.