Security & Privacy

At Mobile Heartbeat, we are passionate about improving clinical processes through the use of technology. We are also aware that protection and privacy of information are non-negotiable requirements. Everyone is part of the InfoSec team and is conscious that:

  • Our cyber behaviors matter downstream to our customers and to the communities that they serve

  • Our position in the healthcare supply chain demands strong defense against information security threats

InfoSec Core Objectives

The InfoSec Program at Mobile Heartbeat has three core objectives:

InfoSec Core Objectives (figure)

Our InfoSec program aims to secure our technology and our customers’ data.

Banyan Security Tenets

Our Security Philosophy and Vision for Banyan

We appreciate that our customers involve Mobile Heartbeat as part of their technology-enhanced clinical collaboration processes, so we are dedicated to building the industry’s most trusted unified clinical communication platform. Our cloud offering, Banyan, is managed, standardized, and tested to meet customers’ demand for trust.

Guided by industry best practices and regulatory requirements, security and privacy are embedded into the fabric of Banyan across all layers, from platform to application.

Security + Privacy by Design and in Operations

  • Information security risk assessments

  • Security review of technical designs and architectures

  • Logical segregation of customer data

  • Authentication and role-based access control for least-privilege access

  • Just-in-Time privileged access

  • Data encryption in transit and at rest

  • Vulnerability and threat management

  • Security logging and monitoring

  • Platform and application penetration tests by external, independent vendors

HIPAA Privacy and Security Rule Standards

  • Focus area in the risk assessment process

  • Active monitoring of compliance

  • Workforce training and awareness

  • PHI handling guidance for the workforce

Resilient

  • Multiple US regional presence for redundancy

  • Segmented architecture based on the hub-and-spoke model

  • Infrastructure as Code and containerized app for easy recovery

  • Security Incident Response exercises

Built Through Secure Development Program

  • InfoSec sign off on design

  • Threat Modeling

  • Security testing on the CI/CD pipeline

    Static Code Security Testing (SAST)

    Secret Scanning

    Software Composition Analysis (Dependency check)

  • Security testing off the CI/CD pipeline

    Dynamic Application Security Testing (DAST)

    Penetration Testing by 3rd parties

Contact Info

If you have any questions or inquiries about Mobile Heartbeat’s information security program, please contact infosec@mobileheartbeat.com.

Responsible Disclosure
Identify
  • Asset Management: Mobile Heartbeat runs periodic discovery scans to identify any new assets in its environments. Inventories of systems and software exist in different forms, such as device management systems.
  • Governance: Mobile Heartbeat’s information security program is headed by its Information Security Officer. Mobile Heartbeat has established information security policies and communicates them to its employees and key vendors. Mobile Heartbeat’s Information Security Steering Committee, chaired by the Information Security Officer, meets on a monthly basis to review the state of the information security program at Mobile Heartbeat. In addition, a group of colleagues from different parts of Mobile Heartbeat participate in the InfoSec Champs program to support our information security efforts.
  • Risk Assessments: Mobile Heartbeat conducts information security risk assessments annually, in which assets, threats, and vulnerabilities are identified and their likelihood and impact are qualitatively rated; the output is a prioritized list of risks documented in its risk register. Each risk is treated (mitigate, accept, transfer, or avoid), and these decisions are documented.
  • Third-party Risk: Mobile Heartbeat maintains an inventory of technology vendors rated by their criticality to Mobile Heartbeat’s business. New vendors are reviewed by multiple stakeholders across different risk dimensions, including information security.
Protect
  • Identity and Access: Mobile Heartbeat manages identities and credentials as part of its onboarding and offboarding processes. All new colleagues go through background screening upon hire, as permitted by local laws and regulations, and each new colleague signs a Non-Disclosure Agreement. Remote access to the Mobile Heartbeat network requires VPN with multi-factor authentication. In addition, each Mobile Heartbeat laptop must have a digital certificate for device-level authentication. Role-Based Access Control (RBAC) based on least-privilege and need-to-know principles is used to manage authorization.
  • Awareness: All Mobile Heartbeat colleagues are required to take information security awareness training upon joining the company. In addition, throughout the year, the Information Security Officer communicates awareness messages using multiple modes of communication.
  • Data security: All Mobile Heartbeat laptops are protected with full disk encryption. Mobile Heartbeat uses TLS to encrypt data in transit with external parties. Data at rest is also encrypted using authorized cryptographic algorithms and key sizes. Mobile Heartbeat maintains documented cryptography and key management guidelines. Production and non-production environments are kept separate. Outbound web traffic is inspected to identify security risks such as unauthorized data transfers.
  • Information protection: Regular system and data backups are performed so that data can be recovered if necessary. Procedures for disaster recovery and information security incident response are in place and are tested regularly.
  • Protective technology: A range of protective technologies, such as firewalls, anti-malware tools, load balancers, and internet proxies, is deployed following a defense-in-depth approach.
  • Secure SDLC: Mobile Heartbeat follows industry best practices, such as OWASP guidance, in secure software development. We use a combination of static and dynamic software security testing tools as well as software composition analysis tools throughout the development process. Mobile Heartbeat also subjects its software products to penetration tests by internal and external parties.
  • Cloud Security: Mobile Heartbeat cloud environments are only accessible from Mobile Heartbeat networks and require multi-factor authentication. Once a user is authenticated, Role-Based Access Control (RBAC) based on least-privilege and need-to-know principles is used to manage authorization. Segregation-of-duties controls are enforced so that developers cannot access the production environment. The cloud workloads are only accessible via a gated process enabled by bastion hosts. Mobile Heartbeat uses TLS to encrypt data in transit within the cloud environments as well as all egress and ingress traffic. Data at rest is also encrypted using platform-managed keys and authorized cryptographic algorithms and key sizes. The data in our cloud environment resides in the US regions of our cloud provider.
  • Threat and vulnerability management: Mobile Heartbeat applies patches to its operating systems and applications on a pre-established cadence as well as on a need-to-update basis, with priority determined in accordance with the Common Vulnerability Scoring System (CVSS). Mobile Heartbeat’s cloud environments are subject to penetration tests by an accredited and qualified security firm at least once per calendar year. Upon request, we will provide you with a summary letter of engagement that includes the number of high, medium, and low issues identified.
  • Physical security: At Mobile Heartbeat offices, we follow industry best practices to employ physical security controls appropriate to the level of risk posed by the information stored and the nature of operations in our offices. We: (i) issue access cards for all personnel through formal provisioning processes; (ii) limit access to restricted areas to personnel who need access to those areas to carry out their job functions; (iii) require visitors to sign in and execute a non-disclosure agreement; and (iv) revoke personnel access promptly upon termination.
Detect
  • Anomalies and Events: Mobile Heartbeat maintains a security event monitoring system that ingests logs and event data from multiple sources, such as firewalls, servers, anti-malware tools, and internet proxies. These logs and events are periodically reviewed, and any suspicious events identified are investigated.
  • Security Continuous Monitoring: Mobile Heartbeat conducts periodic vulnerability scans on its systems. Additional vulnerability information is sourced from vendors and government sources. These vulnerabilities are reviewed, and tickets are created for remediation according to their assessed severity.
Respond & Recover
  • Response Planning: Mobile Heartbeat has developed an information security incident response plan together with all the involved stakeholders. We have created an Information Security Incident Response Team (ISIRT) with the relevant stakeholders. The plan is exercised by the technical ISIRT members as well as by senior management.
  • Communications: Stakeholder roles and responsibilities are documented and communicated to the ISIRT members. How to report security incidents is communicated to colleagues in multiple awareness messages throughout the year.
  • Analysis: The detection and analysis steps, the detection tools used to source indicators, and the incident categorization approach are documented within Mobile Heartbeat’s information security incident response plan. Vulnerability advisories received from vendors and government sources are reviewed by the Information Security Officer and, where applicable, tickets are created for the appropriate stakeholders to plan and remediate these vulnerabilities.
  • Mitigation: Mobile Heartbeat has documented playbooks for common incident categories to be used in an incident scenario.
  • Recovery: Mobile Heartbeat has developed disaster recovery plans for its IT operations that would be executed during or after a security incident. Post-incident actions include a lessons-learned session, as required by our information security incident response plan. Our incident response plan includes processes for appropriate communications internally (with colleagues and management) and externally (with customers, media, and the general public).