Security Standards

The below is a general description of Aura’s security standards and practices as of the date hereof. Aura is continuously reviewing its practices and the following may change without notice as Aura deems reasonably necessary to improve its security standards and practices.

Aura has separate Corporate and Production Networks

• All personal data of end-users of Aura’s products or services (“Customer Data”) is accessible only on the Production Network by authorized Aura employees or contractors. 
• Customer Data never leaves the production environment except as needed to provide Aura products and services to the end-user or otherwise in accordance with Aura’s privacy policy. 
• Web access, where end-users access their Customer Data, is entirely segregated from the rest of Aura’s technical architecture. 
• No administrative access to Aura’s architecture is available directly from the Internet.

Aura Security Program is overseen by Aura’s Board of Directors and Executive Management via the Master Security Program Policy. The execution of the Security Program is delegated to the Information Security Department. In addition, the Master Security Program delegates the maintenance of issue specific policies to the Information Security Department. The issue specific policies are reviewed annually and include the following:

• Account Management Policy
• Approved Software Policy
• Change Management Policy
• Controls Against Malicious Software Policy
• Cloud Computing Policy
• Data Classification Policy
• Data Handling Policy
• Encryption Policy
• IT Asset Management Policy
• Password Management Policy
• Electronic Mail Policy
• Information Backup Policy
• Network Controls Policy
• Remote Access Policy
• Security Monitoring and Incident Response Policy
• Corporate Business Continuity Plan (incorporating IT Disaster Recovery)
• Vendor Management Policy
• Information Security Breach Policy and Procedures
• Corporate Records and Email Retention Policy 
• Physical Security Policy

The following steps are taken to identify vulnerabilities in equipment and services hosted by Aura as determined necessary by Aura.

• Monthly/Quarterly Internal Vulnerability scans.
• Quarterly External Vulnerability Scans.
• At least annual internal and external penetration tests of Aura applications and networks.
• Risk based penetration testing for new code built by Aura.
• Weekly dynamic code scans of all Aura production services.
• All code developed by Aura is run through static analysis as part of the SDLC, and static analysis is integrated into the build process.
• All critical and high findings are remediated as soon as possible. Systems are rescanned until a clean scan is obtained.

• Aura identifies all assets (hardware and software) and maintains an active list of them. Corporate IT is the custodian of all assets at Aura. 
• Asset lifecycles are controlled and managed. Corporate IT is responsible for managing the life cycle and secure destruction of decommissioned assets. Corporate IT is responsible for capacity management as well.

Protecting data starts with an understanding of the types and locations of data within an organization. Aura classifies all data into three categories:

• Public data: Any data elements that have been approved by Legal for public consumption. These include public web pages, press releases, job postings, public financial reporting etc. This information may be freely shared.
• Internal-Use-Only: Any data that does not fall into the Public or Sensitive category. This information does not leave the corporate network under any circumstances. Access to this data is limited by Business Need.
• Sensitive data: Any data that is confidential in nature. This includes all Customer Data, and any personal data received by Aura from its business partners. This data is stored in secured locations and encrypted as described in Section 7.  Access is limited by roles and business need and monitored daily for appropriate use.

• Electronic Sensitive Data is stored in the Production Environment only in  authorized, secure storage locations
• Physical media is stored in locked facilities where access is limited to authorized personnel
• Sensitive Data does not move out of the Production environment unless required to provide Aura products or services, or as otherwise set forth in Aura’s privacy policy. 
• Any movement of Customer Data outside the production environment is in encrypted format and over encrypted media.
• Destruction of electronic data is carried out using approved methods for secure overwriting
• Physical media is physically shredded by a third party under supervision and a certificate of destruction obtained.

Transmission Encryption

All sensitive data is transmitted encrypted when traveling beyond Aura networks.

• TLS ver. 1.2 for Web Sites and data exchange with Vendors and Partners
• sftp for File Transfers with PGP encrypted attachments
• All emailed data and reports are PGP encrypted attachments

Storage Encryption

• Structured Storage: Database Encryption using AES 256
• Unstructured Storage: Data encrypted using the AES 256 encryption algorithm
• Backup: Backup data is encrypted with AES 256 based encryption

Device Encryption

• All laptops are encrypted using Bitlocker or FileVault

Key Management

• Aura’s key management uses Aura managed keys (where possible)

• There is no direct access to any master keys

• Key Encryption Keys are maintained by Information Security and are cycled periodically

• The assignment of account privileges throughout the organization are guided by the “Least Privilege Principle”, “Need to know” and the use of Role Based Access. Least privilege principle holds that each user will be assigned the minimum account privileges necessary to do their job and no more.
• All roles are preapproved by the relevant Aura data owner
• Ad hoc data access request is individually approved by the data owner based on a business need and a finite period.
• All access to Customer Data is reviewed by the Data Owner and Information Security on a quarterly basis.
• All privileged access to Aura assets is reviewed by Corporate IT on a quarterly basis at least
• Roles are established at the time of hire by Human Relations and are provisioned by Corporate IT using scripted tools
• On termination, all access is removed within 24 hours of separation.
• Accounts are role-based using the principles of Least privilege and need-to-know
• Accounts are always traceable back to an individual. 
• Shared accounts are not permitted and, where not avoidable, the passwords are set to unmemorable values and stored in an auditable password management database.
• Passwords are required to be of a minimum length of 10 characters (16 characters for privileged accounts) and must include complexity. These rules are enforced by an identity provider solution.
• Passwords expire after 60 days for corporate employees and 30 days for call center agents. The last 15 passwords may not be reused.
• All access to the production environment (successful and failed) are monitored by Information Security
• Sessions are set to lock out after 10 minutes of inactivity

• All employees undergo a Information Security and Privacy orientation at time of hire and annually 
• All employees and contractors are provided a security handbook that encapsulates the security policies and priorities for the organization.

• All endpoints are protected by industry standard malware prevention and detection software. The software signatures are updated at least daily. The configuration prevents the end – user from being able to disable the software.
• In addition, malware detection is carried out at the perimeter on the Firewall as well as the Email gateways

• Secure areas are protected by appropriate entry controls to ensure that only authorized personnel are allowed access. Visitors are always escorted when they are in the building
• Our cloud systems are housed in Tier 1 data centers that are protected with security fencing, 24x7 security staff, biometric controls, and video surveillance.
• Our internally managed data centers have limited access and monitored by CCTV

• Access is limited and reviewed by Corporate IT monthly.

• Aura uses an Agile development methodology and deployments are in 2-week sprint cycles.
• Aura maintains a Software Development Life Cycle (SDLC) which incorporates Information Security at multiple levels starting with Requirements gathering phases through testing and deployment to production.
• All applications are tested against OWASP top 10 vulnerabilities as well as Business Logic aberrations.
• Development and testing is carried out in a separate environment using a manufactured data set. No production data is ever used in development or testing.
• Static Code analysis is carried out as part of the development pipeline.
• Dynamic Code analysis is carried out on testing as well as production code weekly.

• All changes follow a formal change management process.
• All changes are approved by business before they are released, with clear separation of duties.
• A high-level risk assessment is carried out for each major initiative and, where necessary, Information Security controls are put into place.
  

• The Aura network is designed with the “Defense in Depth”, “minimized attack surface” and full redundancy as core design principles
• All network segments are separated by firewalls with point to point rules.
• The edges are protected by next generation firewalls and web application firewalls.
• Intelligent threat intelligence/detection, and vulnerability protection systems are deployed across the network.
• Data Loss Prevention systems are employed on network and file system levels.
• All changes to any firewall rule are approved by Information Security.
• All connections to the Internet are through a Web Proxy and traffic is limited using a combination of Allowlists and Blocklists.
• Wireless is limited to the Corporate environment and terminates in a DMZ. There is no direct access to production data from the wireless networks.

• There is no direct administrative access to the Production network.
• All remote access is through an identity  provider solution or VPN, which requires Multi Factor authentication, and is monitored through an access security broker.
• All remote access requests are approved by Information Security

• Information Security is responsible for all security event monitoring
• All logs are centralized and managed exclusively by Information Security

• All events are also forwarded to a third party SOC for 24x7 coverage and log retention and integrity.
  

• Security incidents are managed by the Aura Computer Incident Response Team (CIRT)
• Incidents are classified by severity levels (Critical, High, Medium, Low)
• If it is determined that there is a breach of Customer Data, Legal is informed.
• Legal makes the determination of customer, client, law enforcement notification

Aura certifies to the following security standards:

• PCI DSS
• SSAE 18 SOC2 Type II