Updated 1/14/2025
Claroty implements and maintains a robust, multi-layerd data protection and information security program. Our data protection program involves implementing a wide variety of technical, organizational, and procedural controls, which Claroty finds necessary to protect customer data, safeguard Clarory environment against cybersecurity threats, and comply with regulatory requirements (ISO 27001, ISO 27701, SOC2 Type 2, GDPR, HIPAA, and local privacy laws, as well as best practice provisions).
Claroty’s infosec and data protection strategy includes the following key components:
Governance, Risk, and Compliance (GRC)
Corporate security policies
Organizational security
Security Risk Management Program
Asset classification and control
Personnel/Human Resources secure management
Information Security Awareness
Cryptography
Communications Security
Vendor Security Risk Management
Change management
Physical and environmental security
Operational security
Security Vulnerability Management
Access controls
Secure systems development and maintenance
Disaster recovery and business continuity
Corrective action program
Regulatory compliance
Information Security Policies: Establish and enforce policies for data protection, security, and compliance with standards such as HIPAA, GDPR, SOC 2, and ISO 27001.
Data Classification: Classify data according to sensitivity (e.g., confidential, internal, public) and apply appropriate security controls for each class.
Risk Management Framework: Implement a formal risk management process to identify, assess, and mitigate security risks.
Compliance Monitoring: Continuously monitor compliance with regulatory frameworks such as GDPR, HIPAA, and industry standards.
Internal Audits: Regularly audit internal security processes and controls to ensure compliance with established policies and standards.
Incident Response Plan: Develop and maintain an incident response plan that includes roles, responsibilities, and procedures for handling security breaches.
Identity and Access Management (IAM): Implement IAM solutions to manage and control user access to systems, applications, and data.
Role-Based Access Control (RBAC): Ensure users have access only to the resources necessary for their job roles.
Multi-Factor Authentication (MFA): Enforce MFA for accessing critical systems and data, both for employees and customers.
Least Privilege: Apply the principle of least privilege to limit access rights for users to the minimum necessary.
Single Sign-On (SSO): Implement SSO to streamline authentication and improve security.
Account Review and Recertification: Conduct periodic reviews of user access permissions to ensure they are up to date and appropriate.
Encryption at Rest: Encrypt all data at rest using strong encryption algorithms (e.g., AES-256) for databases, file systems, and backups.
Encryption in Transit: Use TLS/SSL to encrypt data in transit between the SaaS platform and customers.
End-to-End Encryption: For highly sensitive data, implement end-to-end encryption to ensure data remains encrypted from origin to destination.
Encryption Key Management: Securely manage encryption keys, including key rotation, storage, and access controls.
Firewalls: Deploy firewalls to control incoming and outgoing network traffic and prevent unauthorized access.
Intrusion Detection and Prevention Systems (IDPS): Use IDPS to monitor network traffic for suspicious activity and block malicious behavior.
Network Segmentation: Segment the network into different zones (e.g., production, development, testing) to limit the spread of an attack.
Virtual Private Networks (VPN): Use VPNs for secure remote access to internal systems, especially for employees working off-site.
DDoS Protection: Implement Distributed Denial of Service (DDoS) protection mechanisms to guard against large-scale attacks on network availability.
Antivirus and Anti-malware: Install and maintain up-to-date antivirus and anti-malware software on all endpoints.
Endpoint Detection and Response (EDR): Implement EDR solutions to detect and respond to malicious activity on endpoint devices.
Patch Management: Ensure that all endpoint devices are regularly updated with security patches and software updates.
Mobile Device Management (MDM): Apply MDM solutions to manage, secure, and monitor mobile devices used by employees.
Secure Software Development Lifecycle (SDLC): Integrate security throughout the development process, including secure coding practices, code reviews, and vulnerability assessments.
Static and Dynamic Application Security Testing (SAST & DAST): Perform automated testing to identify vulnerabilities in code and applications during and after development.
Penetration Testing: Conduct regular penetration tests to identify security weaknesses in applications.
Security Patching: Apply patches for application vulnerabilities as soon as they are identified.
Web Application Firewalls (WAF): Use WAFs to protect web applications from threats such as SQL injection, cross-site scripting (XSS), and other attacks.
Data Anonymization and Pseudonymization: Use techniques like anonymization and pseudonymization to protect personally identifiable information (PII) and other sensitive data.
Data Minimization: Limit the collection and processing of personal data to only what is necessary for the business purposes.
Data Retention and Deletion: Implement policies for the retention and secure deletion of customer data in compliance with privacy regulations.
Data Subject Rights Management: Provide mechanisms to comply with customer requests regarding data access, rectification, deletion, and portability as required by GDPR and similar regulations.
Cloud Access Security Broker (CASB): Use CASB to enforce security policies for cloud usage, monitor access to cloud services, and protect cloud-hosted data.
Container Security: Implement security controls for containers (e.g., Docker, Kubernetes), including image scanning and runtime protection.
Infrastructure-as-Code (IaC) Security: Secure infrastructure configurations deployed using IaC tools like Terraform or AWS CloudFormation by validating configuration files for security misconfigurations.
Cloud Resource Isolation: Use cloud resource isolation techniques (e.g., VPCs) to ensure customer data is segregated and isolated in multi-tenant environments.
Regular Backups: Perform regular backups of critical data, ensuring backups are encrypted and securely stored in geographically separate locations.
Disaster Recovery Plan (DRP): Develop and maintain a disaster recovery plan that outlines procedures for restoring systems and data in the event of a disaster.
Backup Testing: Periodically test backup and restore procedures to ensure that data can be recovered effectively.
Security Information and Event Management (SIEM): Use SIEM systems to collect and analyze security logs in real-time to detect and respond to security events.
Continuous Monitoring: Implement continuous monitoring of systems, networks, and applications for suspicious activities.
Log Retention: Retain security logs for a period defined by regulatory requirements and business needs to facilitate auditing and forensics.
Audit Trails: Maintain detailed audit trails of user and system activities, including changes to data, configuration, and access control settings.
Regular Vulnerability Scanning: Conduct regular vulnerability scans of networks, applications, and systems to identify potential security issues.
Patch Management: Implement a formal patch management process to ensure that all critical vulnerabilities are patched in a timely manner.
Bug Bounty Programs: Consider running a bug bounty program to encourage external security researchers to find vulnerabilities.
Data Center Security: Ensure physical security at data centers, including biometric access controls, 24/7 surveillance, and environmental controls (e.g., fire suppression, climate control).
Access Control for Offices: Use access control mechanisms like badges, biometrics, and CCTV in office buildings to prevent unauthorized access.
Incident Response Plan (IRP): Establish a documented IRP that defines the steps to be taken in the event of a security incident.
Incident Detection and Reporting: Implement processes for detecting, reporting, and managing security incidents in real-time.
Post-Incident Review: Conduct post-incident reviews to analyze the root causes of incidents and improve future response efforts.
Security Awareness Training: Provide ongoing security awareness training to employees on topics like phishing, social engineering, and proper data handling.
Phishing Simulations: Run regular phishing simulations to test and improve employee awareness of social engineering attacks.
Security Policies Education: Ensure all employees are educated about the company’s security policies and procedures.
Vendor Risk Assessment: Perform security assessments of third-party vendors to ensure they adhere to the same security and privacy standards as the company.
Third-Party Audits: Require critical vendors to undergo regular security audits (e.g., SOC 2, ISO 27001) and provide reports for review.
Data Processing Agreements: Ensure that contracts with third-party processors include data protection clauses that comply with regulatory standards like GDPR and HIPAA.
Business Continuity Plan: Develop and maintain a BCP that ensures the continuity of critical operations in the event of an extended outage or disruption.
Business Impact Analysis (BIA): Conduct a BIA to identify critical business functions and resources required for continuity during disruptions.
