Security

How We Protect Customer Data

Nahan prioritizes information security, data governance and risk management to protect the confidentiality,
integrity, and availability of information. We use multiple layers of technical, physical and administrative
controls to protect our customers, all managed data and our business: all managed data is processed
securely, and data, processes, systems, employees, contractors, vendors and consultants are managed
diligently.

Overview
This document provides an overview of Nahan’s information security, data governance and risk management
processes, and of how we protect our customers by protecting all Nahan systems and all data created
and/or managed by Nahan. Information Security, Data Governance and Risk Management are built into
everything that we do.

Features of Our Information Security, Data Governance and Risk Management Programs:

  • SOC2 Type 2 (AICPA) + HITRUST CSF Compliant (Annual Third-party SSAE18 Audit/Report)
  • PCI DSS Level 2 Certified (Annual Third-party QSA Audit)
  • HIPAA and GDPR Adherence
  • S2Score Scoring as part of Annual Third-party Penetration Testing and Risk Assessments
  • Information Security & Technology Program and Policies, Standards, Procedures and Plans Portfolio
    • Frameworks used include AICPA TSC, ISO/IEC 27001/27002, CIS Framework
  • Information Security Awareness Training Program (Company-wide, Group and Department Specific with Monthly and Annual Training Campaigns)
  • Vulnerability Management Program
    • PCI DSS ASV External Vulnerability Scanning (Monthly)
    • Penetration & Network Segmentation Testing (Semi-annual)
    • Internal and External Vulnerability Scanning Program (Monthly)
    • OS, Application, Appliance and Device Patch Management Program
    • Asset Management Program
  • Co-managed Third-party Threat Detection and Response + SIEM Including 24/7 Security Operations Center (SOC) Services & Alerting
  • 24/7 Incident Response Procedures and Reporting Processes
  • Internal Risk Assessment (Annual)
  • Internal Phishing Training Campaigns (Monthly)
  • Enterprise Endpoint Antivirus and Behavioral Detection and Response (Real-time Update)
  • Multi-Factor Authentication (SSO/MFA, Authenticator Apps, PIN Pads + Proximity Card and TOTPs)
  • Segregation of Duties
  • Physical Security (Photo Identification, External and Internal Access Control, Video Surveillance, etc.)
  • Business Continuity and Disaster Recovery Plans and Exercises (BCP and DRP)
  • Change Management with Change Advisory Board
  • Chartered Information Security Leadership Oversight Committee (ISLOC)
  • Modern Industry-standard and Verified SSL/TLS for Encrypted Communications
  • Email DLP Controls and Encryption Mechanisms
  • Encrypted Secure File Transfer – Utilizing modern secure transport protocols, Secure FTP (SFTP), and PGP File Encryption
  • Secure Data Processing Environment:
    • Additional Access Controls and Physical Segregation
    • Video Surveillance
    • Highly Trained Staff (Monthly and Annual Sessions)
  • Secure Online Industry-standard Proofing Application
  • Customer Data Access Protected with MFA, ACLs, Audit Trail Logging, and File Integrity Monitoring (as required)
  • Encryption of Data At-rest and In-transit
  • Offsite Encrypted Data Backups
  • Encrypted Long-term Storage (as required)
  • Secure Data Deletion with Certificate of Destruction (as required)
  • Secure Shredding with Certificate of Destruction (as required)
  • NAID Certified Third-party Secure Document Destruction with Certificate of Destruction (as required)