Infrastructure and Network Security
Physical Access Control
Ninth Brain Suite is hosted on Microsoft Azure. Microsoft Azure data centers include extensive safeguard such as:
- Access and request approval
- Perimeter fencing
- Staffed building entrances
- Biometric
- Metal detectors
Ninth Brain Suite employees do not have physical access to Microsoft Azure data centers, servers, network equipment, or storage.
Logical Access Control
Ninth Brain Suite administers their own infrastructure on Microsoft Azure. Only designated authorized Ninth Brain Suite team members have access to configure the infrastructure. Each platform instance (production, development) is contained within a separate Microsoft Subscription. The subscription infrastructure provides granular access control to all aspects of the infrastructure. Access from external locations is controlled through configuration and firewall rules. Access is granted on an as-needed basis and is secured using multi-factor authentication over a virtual private network.
Penetration Testing
Ninth Brain Suite undergoes periodic security audits and penetration testing conducted by a third party.
Information about any security vulnerabilities successfully exploited through penetration testing is addressed by the Ninth Brain team based on the severity of the vulnerability.
Ninth Brain is willing to share attestation of these tested upon request.
Third-Party Audits
Microsoft Azure undergoes various third-party independent audits regularly and can provide verification of compliance controls for its data centers, infrastructure, and operations. Full details this auditing can be found at Microsoft’s Trust Center.
Ninth Brain Suite also undergoes third-party independent audits on a regular basis. Results and attestations are available upon request.
Business Continuity and Disaster Recovery
High Availability
Redundancy and high availability were at the forefront of design for the Ninth Brain Suite infrastructure. All critical components of the application are designed to have minimal impact on customer workloads in the event of an issue.
Business Continuity
Ninth Brain Suite keeps offsite backups in multiple regions of Microsoft Azure. This provides for recovery of production data in worst case scenario situation.
Disaster Recovery
In the event of a region-wide outage, Ninth Brain Suite has a detailed disaster recovery plan to migrated to a duplicate environment in another Microsoft Azure region. This plan is tested on an annual basis.
Data Flow
Clients access Ninth Brain Suite using standard web browsers utilizing Transport Layer Security (TLS) 1.3 or above for encrypted communications. Ninth Brain Suite also supports many integrations which all require secure a secure connection such as SFTP.
Ninth Brain Suite’s latest SSL Labs Report can be found here.
Data Security and Privacy
Data Encryption
All data on Ninth Brain Suite’s servers is encrypted at rest. Microsoft Azure provides a Key Management Service to store and manage all data cryptography keys. Even in the case of a physical breach to the storage devices, the data would be worthless with the cryptographic keys.
Data in transit is securely sent over HTTPS transports layer security (TLS 1.3) encrypted connections.
Data Retention
Ninth Brain Suite will retain all client data for the length of the contract unless otherwise specified in a signed user agreement.
Data Removal
Upon termination of a client contract, all client data will be purged from the system within 90 days unless otherwise specified in a signed user agreement.
Application Security
Single Sign-On
Ninth Brain Suite offers single sign-on (SSO) to all clients. This must be configured by the client and requires an active Identity Provider to be used. All SSO is done using SAML 2.0. Ninth Brain Suite has been tested with Okta, OneLogin, ADFS but should work with any Identity Provider that supports SAML 2.0. All accounts must be previously provisioned prior to logging into Ninth Brain
REST API (API Key)
Ninth Brain Suite offers an optional API an auth token for authentication. Authentication tokens are passed using the auth header and are used to authenticate a user account with the API.
Secure Application Development (Application Development Lifecycle)
Ninth Brain Suite has a strict policy on secure development practices. A rigorous code review process for all changes along with testing of all changes by the QA team significantly decreases the likelihood of a security issue and improves the response time to and the effective eradication of bugs and vulnerabilities.
Corporate Security
Malware Protection
At Ninth Brain, we make sure good security starts from within. With that in mind, we equip all employees with company owned workstations equiped with Mobile Device Management and an enterprise-grade security platform for preventing, detecting, investigating, and responding to advanced threats.
Risk Management
Ninth Brain Suite, has an in-depth Risk Management policy with a methodology structured around NIST 800-30
Contingency Planning
The Ninth Brain Suite team includes service continuity and threat remediation among its top priorities. We keep a contingency plan in case of unforeseen events, including risk management, disaster recovery, and customer communication sub-plans that are tested and updated on an ongoing basis and thoroughly reviewed for gaps and changes at least annually.
Security Policies
Ninth Brain Suite maintains an extensive library of all security policies. These policies are updated on an ongoing basis and reviewed annually at minimum. All employees are expected to read, understand, and follow all policies. These policies include, but are not limited to:
- Access Management
- Change Management
- Data Request
- Data Management
- Information Security
- Incident Response
- Policy Management and Maintenance
- Risk Management
- Vendor Management
- Vulnerability Management
Background Checks
Prior to hire, all Ninth Brain Suite employees must submit to a background check. Additionally, all employees are monitored against the OIG database on a continuous basis.
Security Training
All Ninth Brain Suite employees receive security training during their onboarding and then subsequently on an annual basis at minimum. This training includes general cybersecurity awareness training as well as a review of all company polices and security policies.