Comprehensive Overview of Cyber Security Programs for Businesses

The Hedgehog Security Cyber Security Program Overiew - how we ensure that we keep you information and data safe from people who should never have it.

Peter Bassill
January 2, 2024
min read
Comprehensive Overview of Cyber Security Programs for Businesses

We are committed to following globally recognised security standards and frameworks to ensure we deliver secure and reliable services using principles and best practices established by the International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Center for Internet Security (CIS), BSIMM, OWASP ASVS, OWASP SAMM and other industry recognized security standards, frameworks, and maturity models.

Compliance, Regulations, Standards and Certifications

Hedgehog Security being a globally operated organization comply with different data privacy laws and regulations. We incorporate the required technical and organizational security measures and safeguard the protection of the rights of the data subject.

Information Security Training

Our associates and contractors are trained in information protection, data privacy, and compliance with our information security policy.

Information Assets

All company assets (including company networks) are provided for business use. We define acceptable uses of our data and assets.

Regulatory Compliance & Data

All users must comply with laws, regulations, and compliance programs regarding the use of data, network, and computer systems. personal data should only be stored in approved company applications, it should be collected and processed only for lawful and legitimate business purposes.

SOC Development Security

To bring enhanced security into the newly developed features of our digital ecosystem, our SOC Development Life Cycle (SDLC) follows the Software Assurance Maturity Model (SAMM) methodology and CIS benchmarks. Our Secure SDLC ensures all security assurance activities such as penetration testing, code review, and architecture analysis are an integral part of the development effort.

  • “Secure by design” model
  • Adherence to Open Web Application Security Project (OWASP)
  • Secure Software Development Lifecycle (S-SDLC)
  • Pen Testing performed on a yearly basis

As a part of the SAMM Education and Guidance practice, R&D associates participating in SDLC are trained on how to develop and deploy secure software. Our DevSecOps methodology focuses on embedded security in all phases of Hedgehog Security’s Secure-SDLC.

Penetration Testing

Hedgehog assets undergo internal penetration testing covering internet-facing applications and business critical services. Our penetration testing methodology aligns with industry standards and common testing frameworks, such as OWASP, and in accordance with ISO 27001.

Bug Bounty Program

We recognise the power of security as a community. As a result, we reward security researchers who discover and report vulnerabilities in our applications and ecosystem. These are awarded based on several factors including severity and impact of the vulnerability reported.

Access and Authentication

All user requests for access privileges adhere to a formal process for access request and approval following the least privilege principle.

  • Strong password management controls and use of a password manager to store encrypted passwords online.
  • Password expiration
  • Role-based access
  • Granular roles and rights management
  • Hierarchical and relational entities
  • Multiple directory integration Strong authentication including MFA (Multi-factor Authentication) enforcement for privileged access.
  • Periodical access reviews performed to ensure Zero Trust is always considered: Never trust, always verify!

Cryptography Policy

Outlines the requirements for the proper and effective use of cryptography to protect the confidentiality, authenticity, and/or integrity of information.

  • Special process for SSL certificates management
  • Key rotation process management
  • Key generation process management
  • Advanced Encryption Standard (AES) algorithm to encrypt data at rest. All data at the storage level is encrypted with AES256 by default. Traffic is encrypted in transit using Transport Layer Security 1.3 (TLS) with an industry-standard AES-256 cipher.

Operational Procedures and Policies

Ensure that operational procedures reflecting Hedgehog's position on security must be implemented to reduce the daily risks to our information systems and assets including but not limited to:

  • Change Management Formal Change Advisory Board (CAB)
  • Process follows ITIL/ITSM guidelines
  • CAB assesses, prioritizes, approves, and logs changes
  • Patch and vulnerability continuous scan
  • Backup management
  • Separation of development, testing, and operational environments
  • Continuous audits and improvement process
  • Business Continuity and Disaster Recovery