Compliance - Common FAQs
Compliance teams generally share a common set of industry-standard questions that Living Security likes to address.
📚 Overview
Compliance processes tend to be lengthy, with a number of questionnaires and requests for information performed during the sales and onboarding process. Living Security likes to ensure transparency for our customers and their compliance concerns, and has compiled a list of frequently asked questions, grouped by category, to address your compliance policy requirements and concerns.
🗒️ If your question is not addressed in this article, we recommend you reach out to your Living Security Customer Success Manager or help@livingsecurity.com so that we can best address questions outside of this article.
🌐 Product Architecture and Infrastructure
- How does Living Security manage their infrastructure's physical security?
- Living Security's HRM Platform operates under a Shared Responsibility Model with AWS. In this article, Living Security breaks down which responsibilities we manage and which are the responsibilities of AWS. Physical security of the infrastructure falls on AWS.
- How does Living Security ensure scalability during high capacity/load?
- Living Security utilizes the AWS Lambda serverless infrastructure to ensure that our application can scale under load, allowing for flexibility depending on demand.
- How does Living Security conduct backup management for application data?
- Living Security uses AWS Point-in-Time Recovery, allowing client data to be restored to the nearest minute.
- Does Living Security have a Disaster Recovery Plan?
- For infrastructure, we rely on AWS to manage disaster recovery based on their policies. AWS is built around AWS Regions and Availability Zones. For their documentation on how Availability Zones meet resilience standards, please see this link.
- Living Security maintains its responsibilities for code-related disasters; for access to this plan, please reach out to your CSM.
- What is Living Security's Patch Management Process?
- AWS Cloud Services maintain/patch all infrastructure-related services.
- For Living Security's code patches/updates, we operate on a SCRUM/Agile development cycle, with each sprint consisting of 2-3 week release cycles. During these cycles, all commits are subject to automated testing prior to release, and our normal release schedule is every 3 weeks to a month for standard external-facing releases.
- What policies does Living Security maintain around firewall changes?
- AWS Lambda environments do not allow direct incoming connections, so a firewall and the requisite RFC are not applicable.
- Is the HRM Platform production environment logically separated from the staging/development environment?
- Yes, Living Security maintains logically separate production, staging and development environments. Additionally, we do not allow production data to be utilized in any capacity in our staging or development environments.
- What is Living Security's software incident response plan?
- For Code Critical Issues, the current Time to Mitigate is within 8 hours, Time to Resolve is within 48 hours, and Incident Reporting is to be completed within 7 business days. For a copy of Living Security's detailed Incident Response plan, please reach out to your Customer Success Manager.
👤 Access Management
- Does Living Security conduct Audit Logging of access to its product?
- Yes, Living Security logs access and reviews access periodically to reduce and/or remove access when necessary.
- Does Living Security require user access requests to be conducted prior to granting access?
- Yes, Living Security requires all users to submit requests to our IT and Engineering teams.
- Does Living Security have a Password Policy?
- Living Security utilizes the password generator inside our password manager to generate passwords. These passwords are built according to a password policy that sets a minimum of 12 characters, includes special character requirements, and locks users out of secure applications after failed attempts.
- Does Living Security require IAM and Multi-factor Authentication?
- Living Security relies on Okta as an Identity and Access Management tool for granting access to sensitive application services. We require 2FA and a password manager (1Password) to gain access to Okta.
- Does the Application support role-based access as a default?
- Living Security grants customers different roles based on level of access not just to the application, but to functionality by product role. Roles for role-based access are as follows: Teams Participant, Training Participant, Teams Administrator, Training Platform Administrator, LS Phishing Administrator, Unify Administrator.
🔒 Data Control, Residency and Cryptography
- Where is data physically located for Living Security's application?
- Living Security's application stores data for US customers in the AWS US-East-1 Region. EU customers' data resides in the EU-West-1 Region.
- How is data segregated within your product?
- Living Security logically separates customer data by tenant.
- How does Living Security use AI or ML in products?
- The AI and machine learning (ML) capabilities of our platform are not applied during the integration phase with the customer. Whether the customer sends us data via push or pull integration, our system focuses on ingesting that data. Once the data is ingested, we leverage AI and ML to analyze, aggregate, and correlate it, transforming the raw information into actionable insights.
- These insights are then presented to administrators through our tool or as a scorecard to end users. While the customer can export the data back to their systems, the AI/ML processing has already been completed by this stage. To clarify, our AI/ML is applied only after data ingestion, not during the process of receiving or exporting the data.
- Does Living Security utilize production terminals and hardened endpoints, in line with industry best practices, within its product environment?
- Living Security products operate in a Serverless environment, so all product infrastructure is maintained by AWS, which meets all industry standards.
- How does Living Security encrypt data at rest?
- Living Security utilizes AWS Key Management Service to create our cryptographic keys. AWS KMS allows us to ensure that we are utilizing approved cryptographic functions/algorithms.
- For Unify Insights data, we go beyond the standard encryption practices, to create custom KMS keys per tenant to ensure optimal security of this data.
- How does Living Security encrypt data in transit?
- Living Security utilizes Cloudflare's Certificate service to generate and manage certificates for our products. The primary certificate uses a P-256 key, is SHA-2/ECDSA signed, and will be presented to browsers that support elliptic curve cryptography (ECC). The secondary or fallback certificate uses an RSA 2048-bit key, is SHA-2/RSA signed, and will be presented to browsers that do not support ECC. Once issued, certificates are valid for one year. Renewals are set by our domain controls.
- How long is Living Security data retained for?
- Data is retained indefinitely, or until a customer requests that the data be deleted.