Security & Trust
Built to keep your data safe.
A transparent view of the security controls, policies, and procedures that protect your media operations.
Product Security
7 ControlsSecure Software Development Lifecycle established
The company follows a Secure Software Development Lifecycle (SDLC), embedding security from initial design through deployment and maintenance. This approach prioritizes security to mitigate vulnerabilities and bolster compliance.
Penetration Testing conducted
The company performs annual third-party penetration tests to simulate cyber attacks and uncover system vulnerabilities. These tests assess internal and external security and conclude with a report detailing remediation plans for critical findings, boosting compliance and security.
Change Management procedures enforced
Our Change Management procedures mandate that all software and infrastructure modifications undergo authorization, formal documentation, and thorough testing. Change requests are tracked via tickets, ensuring each links to relevant pull requests for full traceability. Changes must be reviewed and approved before deployment, as dictated by our comprehensive Change Management Policy.
Vulnerability scanning procedures established
The company has implemented comprehensive vulnerability scanning procedures to assess the security of their production environment regularly. The company conducts application scans against Common Vulnerabilities and Exposures (CVEs), addressing findings as mandated by their Vulnerability Management policy. The Company ensures that host-based scans are performed quarterly on all external-facing systems, with critical and high vulnerabilities tracked until remediation.
Secure product architecture defined
The company defines and documents a secure product architecture. This includes the structure and components of the production environment to ensure clarity, security, and alignment with best practices.
Production environment segregation enforced
The company enforces production environment segregation by separating it from development and staging environments. This reduces the risk of unauthorized access or unintended changes to live systems, maintaining operational security and stability.
Intrusion Detection systems utilized
The company utilizes intrusion detection systems to continuously monitor network activity. These systems enable early detection of potential security breaches, supporting rapid response and risk mitigation.
Access Management
9 ControlsRole Based Access Control (RBAC) established
The company enforces RBAC via a central identity provider, ensuring system access aligns strictly with user roles and needs. Our RBAC Matrix is regularly reviewed and updated to maintain the least privilege principle and stringent access controls. This includes examining vendor documentation and configuration settings, making prompt adjustments to rectify any discrepancies.
Multi Factor Authentication implemented
The company implements Multi-Factor Authentication (MFA) for all sensitive access. This includes privileged accounts and access to the production environment, ensuring an added layer of security beyond standard credentials.
User Access Reviews conducted
The company conducts scheduled user access reviews on production systems, databases, and applications. System owners validate that access aligns with job responsibilities, referencing HR data to identify discrepancies. Each review is formally documented and signed off for the defined review period.
Password policy enforced
The company enforces a Password Policy that defines required password strength across all systems. The policy sets standards to ensure secure authentication and minimize the risk of unauthorized access. Compliance with the policy is regularly monitored.
Restricted production access maintained
The company maintains restricted access to the production environment, allowing only authorized users with a documented business need. This control minimizes the risk of unauthorized changes and enhances system security.
Privilege access restricted
The company restricts privileged access to critical systems, granting it only to authorized personnel with a justified business need. This ensures tighter control over sensitive operations and reduces the risk of misuse.
Access control policies and procedures defined
The company has defined access control policies and procedures outlining how user access is provisioned, modified, and revoked. The policy also specifies the frequency and method for conducting user access reviews to ensure appropriate access is maintained.
Production database access restricted
The company restricts access to production databases to authorized personnel only. Production data is not used in development or testing environments unless necessary for debugging, minimizing exposure of sensitive information.
Access request and approval process defined
The company has defined an access request and approval process requiring access to be based on job role and function. Access is only provisioned after submission of a documented request and manager approval.
Security and Continuity Procedures
7 ControlsBusiness Continuity and Disaster Recovery plans established
The company’s Business Continuity and Disaster Recovery Plans secure operational resilience amid disruptions. Annually tested, these plans detail steps to maintain information security and specify communication strategies for critical personnel unavailability. Governed by a formal policy, they prescribe quick restoration of services and infrastructure post-disaster.
Continuity and Disaster Recovery plans tested
The company validates their Business Continuity and Disaster Recovery (BC/DR) plans with annual tests. These tests evaluate the integrity of our backups and include periodic restoration exercises, ensuring our capability to efficiently resume operations after a disruption.
Incident Response plan tested
The company tests its Incident Response Plan at least annually through tabletop exercises or similar methods. Test results are reviewed, and updates are made as needed to strengthen the plan and improve incident handling.
Data backups and restoration procedures tested
The company performs regular backups of production data, storing them separately from the production environment. Backup restoration procedures are tested periodically to ensure data integrity and successful recovery.
Production multi-availability zones utilized
The company utilizes multiple availability zones in its production environment to ensure redundancy and high availability. This strategy supports continued operations in the event of system downtime or facility loss.
Production monitoring implemented
The company has implemented monitoring across its production environment to track system performance, availability, and security. Continuous monitoring helps detect issues early and supports prompt incident response.
Audit logging established
The company enables audit logging to record key events across application and infrastructure layers. Logged events include logon attempts, data deletions, system errors, and changes to software, configurations, or system files. Logging activity is continuously monitored to support security and compliance efforts.
Data Security
4 ControlsEncryption at rest implemented
The company secures data at rest using industry-accepted encryption standards, such as AES256. This ensures that all stored data, whether in databases or other storage forms, is protected against unauthorized access and breaches.
Encryption in transit implemented
The company implements encryption in transit using industry-accepted standards such as TLS 1.2 or newer. Deprecated protocols are avoided to ensure the secure transmission of data over public networks.
Encryption key management process established
The company has established an encryption key management process that restricts access to authorized users with a valid business need. This ensures the secure handling and protection of encryption keys.
Network and firewall access restricted
The company restricts network and firewall access by configuring firewalls to limit unnecessary ports, protocols, and services. Access rules are periodically reviewed and approved to maintain a secure network posture.
Organization Security
9 ControlsRisk Assessment and treatment established
Our robust risk management program includes an annual company-wide risk assessment and quarterly follow-ups with risk owners. We conduct formal assessments to identify and analyze threats concerning security, availability, confidentiality, and fraud. Governed by our Risk Assessment and Treatment Policy, this process assesses threats, vulnerabilities, likelihood, and impacts to define risk tolerance and mitigation strategies.
Vendor Risk Management established
The company assesses all new vendors according to the Vendor Risk Management Policy before engagement. Vendor risk is reassessed at least annually to ensure ongoing compliance and identify any emerging risks.
Asset Management maintained
The company maintains an inventory of physical and virtual assets, governed by a Configuration and Asset Management Policy. The inventory includes asset ownership, classification (e.g., secure, confidential, public), and location. This ensures proper control and accountability of sensitive systems.
Security Awareness Training implemented
The company implements a Security Awareness Training program covering key information security topics. Employees complete training within 30 days of hire and annually thereafter to promote ongoing awareness and reduce security risks.
Secure Development LifeCycle (SDLC) Training implemented
The company implements Secure Development Lifecycle (SDLC) training for software engineers, conducted annually and based on industry best practices. A formal SDLC methodology and Secure Development Policy guide the secure development, maintenance, and change management of information systems.
Defined roles and responsibilities established
The company has defined roles and responsibilities for information security, availability, and confidentiality. Responsibilities are formally assigned through job descriptions and relevant policies to ensure proper management of security controls.
Service Level Agreement established
The company maintains a Service Level Agreement (SLA) committing to 99.9% service availability. Services are provided 24/7, excluding Planned Downtime with advance notice and outages due to Force Majeure events. Commercially reasonable efforts are made to meet this availability standard.
Candidates screening checks
The company conducts screening checks for new hires and internal transfers to verify qualifications, experience, and role suitability. All new hires are required to sign confidentiality agreements upon joining.
Confidentiality agreement acknowledged by employees
The company requires all employees to acknowledge and sign a confidentiality agreement during onboarding. This ensures understanding and commitment to protecting sensitive company and customer information.
Endpoint Security
4 ControlsEndpoint Detection and Response established
The company has established Endpoint Detection and Response (EDR) to continuously monitor and respond to threats across all endpoints, enhancing overall security posture.
Disk encryption enforced
The company enforces disk encryption on all organizational devices to protect sensitive data. This includes applying strong AES-256 encryption to both removable media and internal drives, especially for devices storing Personally Identifiable Information (PII). The company's approach ensures that data remains secure, whether on fixed or mobile storage solutions.
Threat and Malware protection enforced
The company enforces threat and malware protection across all systems using advanced security tools. This includes real-time detection, prevention, and removal of malicious software to safeguard organizational assets.
Endpoint Management policies established
The company enforces Endpoint Management policies requiring strong passwords, anti-virus protection, and hard drive encryption on all managed devices to ensure device security and compliance.
Reports and Documents
Policies
Sub-Processors
See how MediaLab fits your media operations.
In 15 minutes, we’ll show how MediaLab integrates with your existing tools, reduces operational risk, and simplifies media workflows without replacing what already works.