Unifonic’s security framework is based on the ISO 27001 Information Security Management System, which is a defined, documented management system that consists of a set of policies, processes, and systems to manage risks to organizational data to ensure acceptable levels of information security risk. Ongoing risk assessments help identify security threats and vulnerabilities that need to be managed through a set of controls.
An established ISO 27001-compliant ISMS helps Unifonic manage the confidentiality, integrity, and availability of all data in an optimized and secure way.
Unifonic maintains a risk-based assessment security program. The framework for Unifonic’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data. Unifonic’s security program is intended to be appropriate to the size and complexity of Unifonic’s business services and operations.
The ISMS includes: Policies and Procedures, Asset Management, Access Management, Cryptography, Operations Security, Communications Security, Physical Security, Information security aspects of business continuity management, Human Resources Security, Product Security, Cloud and Network Infrastructure Security, Supplier Relationships, Vulnerability Management, and Security Monitoring and Incident Response. Security is governed at the highest levels of the company, with Unifonic’s Head of Information Security meeting with executive management regularly to discuss issues and coordinate company-wide security initiatives.
Information security policies and standards are reviewed and approved by management at least annually and are made available to all Unifonic employees for their review and acceptance.
A list of certifications can be found below.
Cybersecurity Controls and Management
ISO 27001 is the only auditable international standard that defines the requirements of an ISMS (information security management system). An ISMS is a set of policies, procedures, processes, and systems that manage information security risks, such as cyber-attacks, hacks, data leaks, or theft.
Cybersecurity Controls and Management - Cloud
ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:
- additional implementation guidance for relevant controls specified in ISO/IEC 27002;
- additional controls with implementation guidance that specifically relate to cloud services.
Cybersecurity Controls and Management - PII and Personal Data
ISO/IEC 27018:2019 is a code of practice that focuses on the protection of personal data in the cloud. It is based on the ISO/IEC 27002 information security standard and provides implementation guidance on the ISO/IEC 27002 controls applicable to the protection of Personally Identifiable Information (PII) in public clouds.
Cloud Provider Assessment Certification
The CSA STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider. This technology-neutral certification leverages the requirements of the ISO/IEC 27001:2013 management system standard together with the CSA Cloud Controls Matrix.
A SOC 2 Type I report—also written SOC 2 Type 1—is an attestation of controls at a service organization at a specific point in time. SOC 2 Type I reports on the description of controls provided by the management of the service organization and attests that the controls are suitably designed and implemented.