Effective from January 1st, 2023
We understand that our clients, partners, and their consumers, depend on the security, performance, and the transparency of our systems and services. Our approach integrates security and privacy features and concepts into everything we do, from our software development lifecycle and data management, through to our reporting and training. We strive to protect the integrity, confidentiality, and availability of our clients’ and partners’ data while helping them stay flexible so they can adapt to the changing competitive, sustainability, and transparency landscape.
To this end, EON employs a security-first methodology with all of our teams, following industry recognized secure coding standards and data management. All EON Product Cloud and EON Exchange infrastructure is hosted by Microsoft Azure, in an ISO 27001 compliant data center.
Trust, Innovation, and Client Success guide how we work with clients, prospects, partners, and consumers.
Our clients and partners rely on the high security, performance, and transparency standards that are part of our systems and services. EON helps create trust by providing thought leadership and technological innovation in a rapidly maturing compliance and competitive marketplace that reduces risk to our clients and partners. We cultivate this trust through transparent communications with our clients and partners about the performance, security, and compliance of our solutions, services, infrastructure, and 3rd party relationships.
As a leader in a new and rapidly evolving technology industry, we are uniquely positioned to help our clients and partners develop innovative solutions to longstanding business challenges in a sustainable and scalable way. We integrate security requirements into all stages of the software development lifecycle to enable regular security-enabled releases throughout the year. This gives clients the confidence to innovate and capitalize on new opportunities and adapt to changing business requirements.
Success means something different to each of our clients and partners. From helping them meet their traceability, transparency, and sustainability obligations to creating new business models and building stronger consumer experiences, helping clients achieve their goals is at the core of our business. Our organization, people, process, policies, and approaches to solving client needs are designed to help our clients be successful.
EON’s security focus and approach to creating innovative solutions and services enables us to build trust and success for those we work with.
We employ both zero-trust and defense-in-depth approaches to the security of our technology, processes, policies, and data management. These approaches to security reduce single points of failure by layering defense mechanisms and creating redundancies. This approach is based on four key elements:
We consider our staff to be the first and most critical line of defense in protecting and securing the data of the company, our clients, our partners, and their consumers. We have a team of experienced information security experts that drives awareness, engagement, and education of our staff around security best practices and security feature adoption across our services. Our programs include new employee onboarding, annual security training, and role-based awareness education. We train staff to identify often-used attacks such as phishing emails and how to report them. This applies to every employee, contractor, and intern in the company. Dedicated training is required for developers to ensure proper knowledge of OWASP top security risks, common attack vectors, and Azure security controls.
In addition to our awareness programs, we review and update security policies and standards annually at a minimum, and more frequently as needed. Ethics and security contacts, and escalation processes, are in place to facilitate notification of any inappropriate or suspicious behavior. A formal sanctions process is enforced for staff who fail to comply with established information security policies and standards.
Our core technology and data storage is hosted on Microsoft® (Microsoft Azure®), a cloud-based service. EON has agreements with all providers to ensure a baseline for physical security and environmental protection to run our services. As cloud-based providers, certain elements such as access, monitoring, and environmental controls are directly managed by the provider and not EON.
Microsoft Azure certifications, including ISO-27001 and SOC2, can be found here.
Security Risk Management
Our comprehensive risk management programs enable us to make better decisions in support of our security commitments. We perform risk assessments to evaluate the likelihood and impact of potential events that could adversely affect our strategic assets and capabilities. These assessments help us to gain deeper visibility into security risks associated with critical assets across our organization, drive prioritization of investment decisions, and ensure integration of internal and external security and compliance obligations.
Our risk management programs map our security initiatives to the risks that they are meant to address, such as risks posed by third-party products, product infrastructure, and the data supply chain. We also engage with third-party assessors to perform independent and unbiased annual, at a minimum, assessments of our security practice.
To understand and manage risks effectively, EON employs a widely accepted end-to-end lifecycle process that encompasses five steps:
Our security risk management practices, processes, and policies are aligned with proven industry guidelines such as ISO 27001 and the Information Security Forum’s Standard of Good Practice for Information Security.
We integrate security requirements into every stage of the software development cycle—from conceptualization to release—using the EON Secure Development Lifecycle (SDLC) process. Using this process, our engineers address security issues and concerns prior to the general availability release and consistently across our services. This allows us to release new features and applications rapidly and in turn enable our clients to innovate and meet their ever changing market requirements.
As part of our SLDC, EON utilizes:
EON’s secure development lifecycle has seven stages, designed to align to the agile methodology. At each stage our development and security teams work to:
Changes to our platforms, network devices, other system components, and environment changes are monitored and controlled through a formal change control process. Changes are reviewed, approved, tested, and monitored post-implementation to ensure that the expected changes are operating as intended.
Through Microsoft Azure services our system continuously monitors for unauthorized activity, use of compromised credentials, unusual data access, API calls from malicious IP addresses and much more. When an incident is identified, EON’s Incident Response Plan and Policy provides guidance to staff who are responsible for responding to an Information Security incident. Incident events include, but are not limited to: security/data breach, loss of service, systems malfunction or overload, human error, non-compliance with policy or guidelines, malfunction of software or hardware, access violation, and new releases or patches.
EON’s response plan includes escalation paths, severity levels and definitions, severity based response times, communications requirements, mitigation guidelines, and post-incident reporting and analysis.
The key steps at a high level are as follows:
1. Prepare: This step is on-going as it includes annual training, security notice subscriptions, updates to the response team and escalation process, and expansion of scenario planning.
2. Identification: Identifying the type of incident helps determine what actions are needed. All employees and contractors are trained to identify an attack through annual data security training. This training includes how to escalate an incident internally and/or externally to set the plan in motion. While Identification and Containment steps are part of all incident responses, the type of incident and other key factors will determine to what degree additional steps are necessary.
3. Containment: Depending on the nature of the incident, actions may be taken ranging from removing access and changing passwords/encryption keys, to wiping hard drives and removing malicious code from systems. In the case of an incident involving data, as soon as a theft, data breach, or data exposure is identified, immediate action, including notification, is required to protect EON, client, and partner data, especially if sensitive or Personal Data is at risk.
4. Investigation: After an incident has been contained, EON will investigate its cause and impact. All investigation and mitigation efforts are carefully documented.
5. Recovery: The actions necessary to support recovery are dependent on the outcome of the Investigation step. This step may include any, or all, of the following: notification decisions and timeframe, point person designation, data subject notification, affected audience definition, legal authority notification, public notification, etc.
6. Update: This step includes fixing any identified vulnerabilities, reviewing and updating policies and implementation, changes to the secure development lifecycle, enhancing training, and evaluating response team performance.