Operative Security Policy
At Operative, we take the security and privacy of your data very seriously. Accordingly, Operative implements a robust security program that includes, among other components, a secure system architecture and security and privacy training for employees.
Compliance and Standards
Operative complies with several international standards and regularly participates in relevant audits.
- ISO 27001:2013 – Operative is compliant and certified to the ISO 27001:2013 global standard for information security management.
- SOC 1 Type 2 – Operative has several products that are audited and comply with the AICPA standards for Controls at a Service Organization, audited annually.
- SOC 2 Type 2 – Operative has several products that are audited and comply with the AICPA standards for Controls at a Service Organization, audited annually.
Data Center Security
Operative cloud-based services and platforms are hosted on Amazon Web Services (AWS). AWS datacenters meet security regulations and standards with industry-leading physical and environmental controls. AWS is compliant with a wide range of standards, laws and regulations including CSA, various ISO standards, PCI, SOC reports and FedRAMP. Additional information can be found in the link.
Operative is committed to maintaining and improving the security of our environments. As such, we regularly review the services and information accessible on our servers and related security requirements.
Security controls are implemented within networks using a strict access control policy. Access points into the network are blocked, except for those deemed essential or business critical.
Encrypted Data In Transit
All data transmitted over the internet is sent via HTTPS. Our services support Transport Layer Security encryption, providing the necessary levels of confidentiality, integrity and non-repudiation.
Endpoint and Server Security
Malware protection suites are installed and managed from a centralized location, including monitoring and logging of events.
Operative performs various security tests and audits for our infrastructure and applications. These tests include:
- Software Composition Analysis
- Static code analysis
- Dynamic code analysis
- Network vulnerability assessment
- Network penetration testing
- Application vulnerability assessment
- Penetration testing of multiple environments and solutions
Access to data is controlled and provided to teams and members with specific business needs. Regular permission reviews are performed to prevent permission overlap, permission creep and conflicts of interest.
Security and Privacy Awareness
Operative performs various activities to improve awareness of security and privacy. Some of these include annual awareness training sessions for both security and privacy.
To improve and ready both employees and leadership for cyber incidents, Operative performs various testing and internal simulations. The results are analyzed and studied to continuously improve the security program.
Business Continuity and Disaster Recovery
Operative maintains disaster recovery capabilities to minimize the impact of disruptions to our operations.
Operative implements a robust alert and monitoring solution to continuously identify potential cyber security incidents. Dedicated Incident Response personnel are on call 24/7 to ensure that security incidents are managed end-to-end.