At CAF, we are committed to following the most effective security practices and measures, ensuring that access is controlled and data is safe and secure.
To continually improve our security posture, we use ISO27001 and CIS Controls to measure the maturity of our security programs.
Safety education and awareness
We consider our employees to be a critical line of defense in protecting our company's and our customers' data. We have a team dedicated to security awareness.
Our programs include the onboarding of new employees and ongoing training on security and protection of personal data.
We train employees to identify commonly used attack vectors, such as phishing, and how to report them. Through performance indicators, we measure the effectiveness of security awareness programs.
The training schedule is revised, always taking into account what has been happening in the market and the evolution of our employee's maturity.
We also send a newsletter every fortnight to establish constant communication about safety with all employees.
We continually create content with safety tips for our customers and followers on social networks.
Assets are centrally managed through an inventory management system that stores and tracks the owner, location and status of assets.
After acquisition, assets are verified and tracked, and assets under maintenance are verified and monitored for ownership, status and resolution. It is also worth mentioning that CAF operates 100% in the cloud and therefore, there is no need to inventory physical assets for AWS cloud resources.
Media storage devices used to store customer data are classified as critical and appropriately treated as high impact throughout their lifecycles.
AWS uses strict standards for how to install, maintain, and eventually dispose of devices when they are no longer useful. When a storage device reaches the end of its useful life, it is retired using techniques detailed in NIST 800-88. Media used to store customer data is not removed from control until it has been safely retired.
Access, Identification, and Authentication
CAF strictly controls and monitors access to production environments. Only employees whose job roles require access may qualify for permission to access our systems.
Privileged CAF employees, such as platform reliability engineers, need to use layers of two-factor authentication on company-managed computers to log in.
All computers have usage logs sent to our SIEM.
Repositories with platform codes are private, adding and removing users from the organization is part of the onboarding and offboarding processes.
Only CAF developers and tech leads have access to code repositories.
We adopt secure configurations and a robust password policy for accessing our systems, such as the minimum number of characters and special characters, not using the last passwords, session control and inactivity, and many more.
When an employee is terminated, notification from Human Resources triggers a set of tasks that protect access to the production system. Upon termination, privileged accounts are locked out, active connections are terminated, and two-factor authentication tokens are removed. Our access control team periodically review logical access and verify that terminated users have been removed from their systems via an internal ticketing system.
We also review employee transfers and ensure that network, server and database access to production systems is still appropriate for their new job role.
Data Classification and Protection
At CAF, the data must be classified considering the impacts of confidentiality, integrity and availability in high, moderate and low. This structure will result in one of four classifications: restricted, confidential, internal, or public.
Personally Identifiable Information (PII)
Our critical information must always be encrypted not only in transit but also at rest. Therefore, all sensitive data is encrypted.
CAF does not actively delete any data owned by our customers without their express consent. This also includes cases of compliance with the request of holders of personal data and termination of the client's contract with CAF, in which there is a request for us to delete the client's data, including personally identifiable data.
Secure Data Transfer
As previously mentioned, our customer’s data are extremely valuable and we preserve their integrity and confidentiality throughout their entire life cycle. Therefore, CAF does not transfer or disclose customer data, except to provide the services and prevent or solve technical or service problems, at the request of the customer in connection with support issues or as required by law. We comply with governance obligations under a variety of regional privacy and data protection regulations such as the European Union General Data Protection Regulation (GDPR) and the Brazilian General Data Protection Law (LGPD).
CAF is fully committed to complying with Data Protection Regulations; that's why we are constantly updating our personal data security and privacy procedures in compliance with all applicable data protection laws in the countries where we provide services.
CAF uses TLS for data in transit and AES 256 for data at rest.
Encryption keys are provided by the AWS service. Access keys are stored in a segregated environment with proper cryptographic protection. To manage cryptographic keys, we use AWS Key Management, which stores and protects cryptographic keys to make them highly available while providing strong and flexible access control.
CAF data center security
Our and our customer’s data is hosted on AWS, a public cloud infrastructure service provider. CAF has agreements with this provider to ensure a baseline of physical security and environmental protection to run our services.
Before choosing a location, AWS performs initial environmental and geographic assessments. The selection of datacenter locations is done with great care to reduce environmental risks such as flooding, extreme weather and seismic activity. Our Availability Zones are designed to be self-contained and physically separate from each other.
AWS allows only approved employees physical access to the data center. All employees who need to access the data center first must request access and provide a valid justification. It is also worth noting that AWS operates its datacenters in compliance with Tier III+ (UpTime Institute) guidelines.
AWS compliance standards are broken down by certificates and declarations; laws, regulations, privacy; alignments and frameworks.
All CAF services are available via a cloud provider (AWS). Resources are hosted in N. Virginia (us-east-1)and São Paulo (sa-east-1).
Data volumes and backups are encrypted with industry standard algorithms (AES-256).
Backups are taken daily and kept for 7 days in the mentioned regions.
CAF computers use operating systems that are configured and hardened in accordance with industry best security practices.
We adopt the following measures:
● Applying critical security patches to operating systems;
● Activation and centralization of system logs, so as not to lose important system information;
● Monitoring of stored data, to avoid misuse of our customer’s data;
● Activation of host firewalls;
● Disk encryption;
● Blocking of potentially dangerous ports and services, such as RDP and
● Removal of unnecessary and standard processes, accounts and protocols
to reduce the attack surface of the equipment;
● Synchronization with centralized time server;
● Screen lock after 5 min of inactivity;
● Enabling command-line logging on Windows systems;
● Removing administrator permission from local users;
● Installation of anti-malware software (EDR) with centralized logs and alerts.
Security Logging and Monitoring
The information security monitoring system consists of a series of resources and software related to Information Technology, used to prevent the important data of a business or its customers from being accessed and exploited by third parties.
Sensitive data in our environment is monitored and, with real-time alerts, allows us to take immediate action. Even privileged employee access is monitored.
Our critical services are monitored in order to identify possible anomalies and cyber threats. Event logs from CAF's internal infrastructure and infrastructure providers are collected and centralized by our detection and response system. Through predefined rules and using correlated detection logic, alerts are generated. When this occurs, our incident response team investigates the causes of these alerts using standard processes and procedures.
CAF rigorously evaluates resources by testing and identifying vulnerabilities, performing scans and penetration tests in our environments.
We have a schedule for vulnerability checks. These checks occur constantly and automatically through tools that identify changes in our domains and cloud environments.
Identified vulnerabilities are treated and addressed in our vulnerability management process, being properly managed throughout their life cycle.
In addition, we have contracts with external partners to do half-yearly pentests on our services.
Secure Development Cycle
At CAF we integrate security requirements into all stages of the platform development cycle, using the Secure Software Development Lifecycle (SSDLC) process.
Through this methodology, our development engineers work with agile processes, considering the safety issues and concerns of our products.
We care about following the best market guidelines when it comes to Secure Development, which is why CAF engineers develop following the OWASP Top 10 methods, in order to prevent any malicious code.
In addition, CAF has a code scanning system in the repository that acts by capturing possible vulnerabilities and errors within the software development cycles.
Management and Assessment of Third Parties
CAF has an established security risk analysis process for critical vendors, i.e. those who will handle sensitive data.
We assess the maturity and security posture of these vendors, with the aim of understanding what the risks and gaps are and directing these issues to the appropriate internal decision-making. In addition, all suppliers go through the risk assessment flow for adherence to personal data protection laws and business risk analysis. Only after all the necessary assessments and with an adequate level of maturity do we proceed with hiring.
Our Disaster Recovery plan is focused on ensuring the continuity of operations and the availability of critical resources in the event of a disaster, containing instructions on what actions to take and how to respond to unplanned incidents characterized as a crisis. These incidents can be related to natural disasters, cyber attacks and any other disruptive events.
To continually improve our security posture, we use the ISO27001 standard and CIS Controls to measure the maturity of our security programs. These frameworks are used to assess and identify areas for improvement.
We carry out a monthly Self Assessment, using the CIS Controls as guidance. From the identified problems, we built an implementation and adaptation roadmap.
It is also possible to define a score for our current state of maturity. By assessing current and target scores, we can quantify and track the overall maturity of our security posture over time.