Security & Trust

Systems are configured to authenticate users via a unique user account, MFA, and minimum password requirements or SSH keys prior to granting system access.

Predefined security groups are used to assign role-based access privileges and segregate access to in-scope systems and data.

Administrative access privileges to in-scope systems are restricted to user accounts accessible only by authorized personnel.

Internal user access requests are documented in an automated ticketing system and require manager approval prior to access being granted.

Termination checklists are completed and system access is revoked for all employees as a component of the termination process.

User access reviews, including privileged access, are performed by management on a quarterly basis to ensure access is restricted to authorized personnel.

Web servers use TLS > 1.2 encryption for all web communication sessions. Unencrypted HTTP connections are rejected.

An EDR application is installed on all entity-owned workstations to detect and respond to cyber threats in real time.

Production data is stored encrypted using AES-256-bit encryption.

Documented policies and procedures guide personnel in the handling and encryption of stored data across all systems.

Penetration testing is performed by a third-party vendor annually.

Automated vulnerability assessments are performed on a monthly or more frequent basis.

An IDS is configured to report network events.

Engineering personnel review infrastructure and system capacity monthly. Planning is conducted to mitigate the effects of infrastructure or system changes on availability.

Logging and monitoring software collects data from system infrastructure components and endpoints to monitor performance, security vulnerabilities, and resource utilization, with alerts for unusual activity.

An automated backup system performs scheduled backups of all production data on a daily basis.

BC/DR plans are in place to guide personnel in procedures to protect against disruptions caused by unexpected events.

A documented BC/DR plan is tested by in-scope functional areas on an annual basis to validate recovery procedures.

Backup data restore tests are performed by IT personnel at least annually to verify backup integrity and recovery capability.

Access to modify production system source code is restricted to user accounts accessible only by authorized personnel.

Version control software is configured to enforce pull request review by personnel other than the change author before merging changes into production.

Application and infrastructure changes are authorized, peer reviewed, tested, and approved prior to implementation in production.

Development and test environments are strictly segregated from production environments. Production access requires explicit authorization.

CI/CD software is configured to notify engineering personnel when changes are merged to production.

Management performs monitoring activities for all third-party vendors annually to ensure compliance with Hazel's security requirements.

Vendor management policies specify access requirements for all vendors and business partners with access to Hazel systems.

A postmortem analysis is performed for all security incidents, covering impact analysis, resolution, lessons learned, and tracked action items.

A documented IR program defines roles, containment, remediation, operational restoration, communication protocols, and lessons learned processes.

Documented escalation procedures guide personnel in identifying and reporting security failures, incidents, concerns, and other complaints.