Fonolo has a dedicated security team that guides the implementation of controls, processes, and procedures governing the security of Fonolo and its customers. The Fonolo security team is responsible for developing, implementing, and maintaining an information security program that reflects the following principles:
- Align security activities with Fonolo’s strategies and support Fonolo’s objectives.
- Leverage security to facilitate confidentiality, integrity, and availability of data and assets.
- Utilize Fonolo’s security resources efficiently and effectively.
- Utilize monitoring and metrics to facilitate adequate performance of security related activities.
- Manage security utilizing a risk based approach.
- Implement measures designed to manage risks and potential impacts to an acceptable level.
- Leverage industry security frameworks where relevant and applicable.
- Leverage compliance/assurance processes as necessary.
- Analyze identified or potential threats to Fonolo and its customers, provide reasonable remediation recommendations, and communicate results as appropriate.
Data Center Security, Availability, and Disaster Recovery
- Fonolo leverages leading data center providers to house our physical infrastructure.
- Our data center providers utilize an array of security equipment, techniques, and procedures designed to control, monitor, and record access to the facilities.
- We have implemented solutions designed to protect against and mitigate effects of DDoS attacks.
- Fonolo maintains geographically separate data centers to facilitate infrastructure and service availability and continuity.
- On at least an annual basis, we conduct risk assessments and business impact analysis (BIA) to understand and mitigate risk.
- For more details, see our Business Continuity and Disaster Recovery summary.
Application Level Security
- Fonolo hashes passwords for user accounts and delivers all services over industry standard SSL.
- Fonolo utilizes multiple layers of firewalls (hardware and software based).
- Regular pen testing is performed on the Fonolo platform, the results of which are analyzed and remediated (as appropriate) by our engineering and security teams.
- Customers are provided the ability to customize password policies, including optional 2-factor authentication, SSO, and IP access limiting.
- Customers can segment privileges based on roles, limiting access to functionality to only those who require it.
- Audit logs are maintained for all customers, including successful and failed login attempts, and all changes made to customers systems and configurations.
Incident Response
- In the event of an issue related to the security of the Fonolo platform, the Fonolo security team follows a formal incident response process.
- We analyze identified or potential threats to Fonolo and its customers, provide reasonable remediation recommendations, and communicate results as appropriate.
- For more details, see our Incident Response Plan summary.
Fonolo Building and Network Access
- Physical access to Fonolo offices and access to the Fonolo internal network is restricted and monitored.
Systems Access Control
- Access to Fonolo systems is limited to appropriate personnel.
- Fonolo subscribes to the principle of least privilege (e.g., employees, system accounts, vendors, etc. are provided with the least amount of access for their job function).
- Fonolo leverages multifactor authentication.
Security Risk Management
Threat intelligence and risk assessment are key components of Fonolo’s information security program. Awareness and understanding of potential (and actual) threats guides the selection and implementation of appropriate security controls to mitigate risk. Potential security threats are identified, and assessed for severity and exploitability prior to being classified as risks. If risk mitigation is required, the security team works with relevant stakeholders and system owners to remediate. The remediation efforts are tested to confirm the new measures/controls have achieved their intended purpose.