HID Origo Information Security

Information security is paramount at HID Global. To ensure we maintain our customers’ confidence, we have established a comprehensive Information Security Management System (ISMS) to exceed recognized security requirements and continue to be the world’s trusted source for identity security.

Security Staff

All HID employees are required to complete information security and privacy awareness training. Employees who may handle sensitive or customer data receive additional training specific to their roles as well as government security clearance (as needed). We have a dedicated staff of highly skilled security professionals, including the following functions and responsibilities:

ISMS Executive Steering Committee

  • Fulfills all executive management requirements within the ISMS
  • Ensures roles, responsibilities, and authorities relevant to information security are assigned and communicated
  • Approves the overall risk management process including the risk assessment methodology (approach), impact and likelihood scales, risk acceptance criteria, selected controls, residual and accepted risks

Business Unit Steering Committee

  • Ensures that the ISMS meets business requirements thus bringing additional value to the business unit’s products and services
  • Reviews the risk management process for the risks related to the business unit
  • Reviews ISMS policies, processes and procedures

Global Information Security Team

  • Responsible for the overall implementation, maintenance and improvement of the ISMS
  • Ensures all security incidents are investigated, communicated, documented and resolved in accordance with published policies, processes and procedures
  • Develops an information security architecture that meets the current and future business needs of HID Global

Policies

HID Global maintains detailed internal Information Security and Data Privacy policies. All personnel must acknowledge they have read, understood, and agreed to abide by the terms of the Global Information Security Policy and supporting policies and procedures.

Assessments

HID Global is dedicated to the implementation of an active, analytics-driven approach to cyber security. Security testing and improvement is an ongoing activity incorporated into our vulnerability and threat assessment process. We perform continuous testing on all HID Origo solution components, and to ensure the highest possible level of security we regularly engage external security auditors to validate our security posture. Ongoing application and system vulnerability and threat assessments cover the following:

  • Network vulnerability scans
  • Penetration testing and code review with leading, independent third parties
  • Security control framework review and testing

We strongly encourage customers to take all possible precautions to prevent unauthorized access. If vulnerabilities are discovered, they should be reported directly to HID Global, either by contacting HID Global Technical Support or, in non-urgent circumstances, through our Security Center.

Note: We do not permit third-party vulnerability and penetration tests without prior authorization. We have a responsibility to ensure smooth operations. Non-controlled tests carry the risk of impacting system performance negatively.

Security Incident Management

HID Global maintains security incident management policies and procedures, and we apply appropriate root cause analysis and corrective action plans. We promptly notify impacted customers of any actual or reasonably suspected unauthorized disclosure of their respective customer data, to the extent permitted by law. If a security incident is detected, the Global Information Security Team takes the necessary steps to evaluate, test and resolve the issue according to a defined procedure:

  • Investigate and diagnose
  • Escalate to higher management if there is a suspected breach or loss of confidential data
  • Perform corrective measures
  • Test and validate
  • Evaluate incident root cause analysis if an escalation occurred

How We Build Secure Products

We have an agile Software Development Life Cycle process based on SAFe (Scaled Agile Framework) that incorporates security best practices at all stages. Some of the steps in the continuous integration and deployment procedure are described below.

Development

  • Static code analysis and audit checks of source code

Testing

  • Application security tests and network security scans
  • Security test results review and approval

Deployment

  • Sensitive data masking
  • Security standards and implementation verification and approval
  • Governance compliance checks for architecture and security
  • Isolation of production and non-production environments

Monitoring

  • Monitoring and reviewing access control policies
  • Firewall policy implementation and review of anomalies
  • Periodic vulnerability assessments
  • Implementation of log analytics tools