Security Compliance Program

Overview of Security Controls Implemented

SOC 2 Type II Compliance

SOC 2 Type II status: In progress

This document outlines the security controls implemented by LLUMO AI as part of our SOC 2 Type II compliance program. These controls are designed to safeguard the systems, data, and infrastructure that process customer information, supporting continuous adherence to the SOC 2 trust services criteria of security, availability, processing integrity, confidentiality, and privacy. Through this program, LLUMO AI demonstrates its commitment to maintaining robust and effective security practices in alignment with industry-recognized frameworks.

Access Control and Authorization

  • Access granting process used – Implement a defined procedure for access provisioning, ensuring privileges are allocated strictly following the principle of least privilege. Require at least one authorized approver to sign off on any new access request.
  • Dormant accounts disabled – Perform routine audits of user accounts to identify and deactivate those unused for a prolonged period (accounts that have never signed in since creation included), mitigating the risk of exploitation through dormant credentials.
  • Employee access is regularly reviewed – Conduct scheduled evaluations of user access rights to promptly revoke permissions for individuals who no longer require system access, maintaining strict access boundaries.
  • MFA required for critical services – Mandate multi-factor authentication (MFA) for accessing essential systems and services. MFA enhances security by requiring additional verification steps beyond standard password use.
  • Password management policy enforced – Ensure consistent enforcement of the organization’s password policy by implementing technical controls, monitoring compliance, and addressing any violations to uphold security standards.
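
As an added example of the dormant-account audit described above (not LLUMO AI's own tooling), the following Python checks a directory export for accounts idle longer than a threshold. The `Account` record, the 90-day default, and the sample accounts are assumptions constructed for the example; in practice the account list would come from the identity provider's API. The check treats an account that has never signed in as idle since its creation date, which is the case most dormancy reports miss.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class Account:
    """Minimal view of a directory account (hypothetical schema for this example)."""
    username: str
    created: datetime
    last_login: Optional[datetime]  # None means the account has never signed in
    enabled: bool = True


def dormant_accounts(accounts: List[Account], now: datetime,
                     max_idle_days: int = 90) -> Dict[str, int]:
    """Return {username: idle_days} for enabled accounts idle longer than max_idle_days.

    An account that has never logged in is measured from its creation date, so a
    provisioned-but-unused account is caught instead of silently skipped.
    Already-disabled accounts are ignored: they are not a live credential.
    """
    cutoff = now - timedelta(days=max_idle_days)
    flagged: Dict[str, int] = {}
    for acct in accounts:
        if not acct.enabled:
            continue
        last_activity = acct.last_login if acct.last_login is not None else acct.created
        if last_activity < cutoff:
            flagged[acct.username] = (now - last_activity).days
    return flagged


# Constructed sample data (not real users); the audit is evaluated as of AS_OF.
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("alice", datetime(2022, 1, 10, tzinfo=timezone.utc),
            datetime(2024, 5, 28, tzinfo=timezone.utc)),            # active
    Account("bob", datetime(2023, 2, 1, tzinfo=timezone.utc),
            datetime(2024, 1, 15, tzinfo=timezone.utc)),            # 138 days idle
    Account("carol", datetime(2024, 1, 5, tzinfo=timezone.utc), None),  # never used
    Account("dave", datetime(2024, 5, 20, tzinfo=timezone.utc), None),  # new hire
    Account("svc-backup", datetime(2021, 3, 1, tzinfo=timezone.utc),
            datetime(2023, 12, 1, tzinfo=timezone.utc), enabled=False),  # already disabled
]

if __name__ == "__main__":
    for user, idle in sorted(dormant_accounts(SAMPLE_ACCOUNTS, AS_OF).items()):
        print(f"disable candidate: {user} (idle {idle} days)")
```

The output of such a check should feed a ticket for the access owner rather than an automatic disable, since service accounts with legitimate low-frequency use will appear in it; the point of the control is that every flagged account gets a documented decision.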

Data Management and Protection

  • Data encrypted at rest – Ensure that all sensitive information is encrypted when stored on systems or devices. This measure protects data from unauthorized access in the event of physical or logical compromise of the storage.
  • Data encrypted in transit – Apply encryption protocols such as TLS to secure data while it is being transmitted across internal and external networks. This prevents interception and tampering during data exchange.
  • Data inventory maintained – Maintain a precise and continually updated inventory of all data assets, including those housed in databases, file repositories, and cloud platforms.
  • Data management and retention policy established – Implement a formal policy that governs the lifecycle of data, detailing retention durations and management practices to ensure compliance and operational efficiency.

Disaster Recovery

  • Automated backups enabled – Enable automated backup mechanisms for all critical systems and high-risk data. This ensures regular and secure backups, minimizing data loss during disasters or cyber incidents.
  • Business continuity and disaster recovery policy established – Develop a formal BC/DR policy detailing organizational procedures for maintaining operations during disruptions and efficiently restoring services.
  • Data recovery process established – Establish structured data recovery workflows to address data loss, corruption, or system failures, ensuring rapid restoration of essential information.
  • Disaster recovery plans tested – Conduct regular tests of disaster recovery strategies to validate their effectiveness and identify areas for optimization.
  • Recovery data isolated – Ensure recovery data is stored separately from the production environment, with separate access credentials, to prevent accidental overwrite or compromise and to safeguard backup integrity.

Email Security

  • DMARC policy and verification used – Deploy Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies and verification to defend against email spoofing and phishing. With an enforcing policy (quarantine or reject), unauthorized use of organizational email domains is detected and blocked rather than merely reported.
  • Email account access restricted – Limit access to administrative email accounts exclusively to authorized admins, preventing delegation to non-admin users.
  • Email settings block malicious content – Configure email security settings to automatically block harmful content, including malicious attachments, embedded links, and executable scripts.
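
The DMARC control above is only effective when the published record actually enforces. The following Python, added here as an example and not part of LLUMO AI's tooling, parses a DMARC TXT record and classifies it as enforcing, monitor-only, partial, or invalid. The sample records are constructed for the example; a real check would fetch the TXT record at `_dmarc.<domain>` with a DNS resolver and pass it to `assess_dmarc`. The `partial` category is the common gap: a `p=reject` record with `pct=20` or an `sp=none` subdomain policy still leaves most spoofed mail unblocked.

```python
from typing import Dict


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; rua=mailto:...') into tag/value pairs.

    Tag names are lower-cased; values are kept as published. A segment without '='
    is treated as malformed because every DMARC tag is of the form tag=value.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> str:
    """Classify a DMARC record for a compliance check.

    Returns one of:
      "invalid"      - not a DMARC1 record, or missing the mandatory p= tag
      "monitor-only" - p=none: reports are sent but nothing is blocked
      "partial"      - enforcing policy weakened by pct<100 or sp=none
      "enforcing"    - quarantine/reject applied to 100% of mail, subdomains included
    """
    try:
        tags = parse_dmarc(record)
    except ValueError:
        return "invalid"
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"

    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    if policy == "none":
        return "monitor-only"

    # pct defaults to 100; sp (subdomain policy) defaults to the domain policy p.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    subdomain_policy = tags.get("sp", policy).lower()

    if pct == 100 and subdomain_policy in ("quarantine", "reject"):
        return "enforcing"
    return "partial"


# Constructed sample records (example.com is a reserved documentation domain).
SAMPLE_RECORDS = {
    "enforcing":    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "partial-pct":  "v=DMARC1; p=reject; pct=20; rua=mailto:dmarc-reports@example.com",
    "partial-sp":   "v=DMARC1; p=quarantine; sp=none",
    "not-dmarc":    "v=spf1 include:_spf.example.com -all",
}

if __name__ == "__main__":
    for label, record in SAMPLE_RECORDS.items():
        print(f"{label:13s} -> {assess_dmarc(record)}")
```

Treat anything other than `enforcing` as an open finding: `monitor-only` is the normal first stage of a DMARC rollout, but a control that claims spoofing is blocked is not met until the policy is moved to quarantine or reject at `pct=100`.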

Endpoint Security

  • Anti-malware deployed on end-user devices – Install and maintain anti-malware solutions on all end-user endpoints (e.g., laptops, desktops) to guard against threats introduced through user actions.
  • Data encrypted on end-user devices – Encrypt all data residing on user devices (full-disk encryption) to ensure confidentiality in the event of device loss or unauthorized access.
  • Firewall maintained on end-user devices – Deploy and maintain host-based firewalls on end-user systems to monitor and restrict unauthorized incoming and outgoing network traffic.

Infrastructure Security

  • Active discovery tools used – Use automated discovery tools to actively scan and identify all assets connected to the enterprise network. Schedule scans to run at least daily so asset visibility remains up to date.
  • Automated security scanning performed on infrastructure – Deploy automated security tools, including antivirus, intrusion detection systems, and breach monitoring, across servers and network components to detect malware and malicious activity proactively.
  • Buckets not exposed publicly – Ensure cloud storage buckets are configured to block public internet access at both the bucket policy and the account-level public access settings, preventing accidental data exposure due to misconfigured permissions.
  • Configuration management system established – Implement a configuration management system to track, control, and standardize configurations across all systems and infrastructure. This maintains environment integrity and reduces misconfiguration risks.
  • Firewall restricts public access to infrastructure – Configure firewalls to block unauthorized external access to infrastructure components. This reduces the organization's exposure to internet-based threats.
  • Infrastructure deployed using an infrastructure-as-code tool – Utilize infrastructure-as-code tools to provision and manage infrastructure, enabling repeatable, version-controlled deployments and minimizing manual configuration errors.
  • Production deployment access restricted – Restrict access to production deployment environments strictly to authorized personnel. This prevents unapproved changes and helps maintain service stability.
  • Unauthorized assets addressed and removed – Establish a process for regularly auditing and removing unauthorized assets from the environment. This ensures only approved systems operate within the enterprise network.
  • Unique production database authentication enforced – Require unique authentication credentials, such as individual usernames, passwords, or SSH keys, for all access to production databases. Shared accounts are prohibited so that every action is traceable to one person or service.
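
As an added example of the bucket-exposure check above (not LLUMO AI's own tooling), the following Python evaluates an S3-style bucket policy document for statements that grant access to an anonymous principal, and combines that with the bucket's public access block settings. The policy documents are constructed for the example. It flags only unconditional `Allow` statements with a wildcard principal; a wildcard grant that carries a `Condition` (for example restricting to a VPC endpoint) is excluded and should be reviewed by hand, since whether it is public depends on the condition.

```python
import json
from typing import Any, Dict, List


def _principal_is_wildcard(principal: Any) -> bool:
    """True for the anonymous-principal forms: "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def public_statements(policy_json: str) -> List[str]:
    """Return the Sids (or positional names) of unconditional public Allow statements."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    found: List[str] = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never expose data
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditioned wildcard grants need manual review, not auto-flagging
        found.append(stmt.get("Sid", f"statement-{index}"))
    return found


def bucket_is_exposed(policy_json: str, public_access_block: Dict[str, bool]) -> bool:
    """Combine the policy result with the bucket's public access block settings.

    Simplifying assumption for this example: RestrictPublicBuckets=True is treated as
    neutralizing a public bucket policy for anonymous callers, so the bucket is reported
    as exposed only when a public statement exists and that setting is off.
    """
    if public_access_block.get("RestrictPublicBuckets", False):
        return False
    return bool(public_statements(policy_json))


# Constructed sample policies (the bucket name and account ID are placeholders).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Sid": "AppRoleRead", "Effect": "Allow",
                  "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
                  "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
})

if __name__ == "__main__":
    print("public statements:", public_statements(SAMPLE_POLICY))
    print("exposed without access block:", bucket_is_exposed(SAMPLE_POLICY, {}))
    print("exposed with RestrictPublicBuckets:",
          bucket_is_exposed(SAMPLE_POLICY, {"RestrictPublicBuckets": True}))
```

A policy check alone is not sufficient evidence for the control: object ACLs and access points can also grant public reads, so the account-level public access block should be the setting the audit asserts on, with the policy scan as a second, independent signal.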

Monitoring and Incident Response

  • Audit log management process maintained – Maintain a comprehensive audit log management process with defined protocols for log generation, storage, and real-time monitoring. This ensures the integrity and availability of critical event data used for forensic analysis and compliance.
  • Audit logs collected – Ensure continuous collection of audit logs from key systems and applications. These logs document vital events, enabling effective incident investigation, threat detection, and regulatory compliance.
  • Incident response policy established – Establish a formal incident response policy detailing detection, containment, eradication, recovery, and post-incident review processes to manage cybersecurity incidents effectively.
  • Infrastructure performance monitored – Continuously monitor the performance of infrastructure components to identify anomalies, bottlenecks, or potential security risks that may compromise system integrity or uptime.
  • Log management used – Deploy a centralized log management system to aggregate and analyze log data across systems. Centralization enhances visibility, simplifies correlation, and supports rapid response to suspicious activities.
  • Network infrastructure monitored – Enable continuous monitoring of network infrastructure to detect unauthorized access, anomalies, and potential intrusions, ensuring consistent network reliability and security.

Organizational Security

  • Acceptable use policy established – Establish and maintain an Acceptable Use Policy that defines appropriate use of organizational systems, networks, and data by employees, contractors, and third-party users.
  • Asset inventory maintained – Maintain an accurate and continuously updated inventory of all organizational assets capable of processing or storing data, including endpoints, servers, network hardware, and IoT devices.
  • Asset management policy established – Define a comprehensive Asset Management Policy to guide the classification, use, maintenance, and disposal of assets across their lifecycle.
  • Code of conduct acknowledged by employees – Ensure all employees formally acknowledge the organization's Code of Conduct, which sets behavioral expectations and professional ethics.
  • Code of conduct established – Develop and publish a Code of Conduct that promotes ethical behavior, accountability, and a respectful workplace culture.
  • Company commitments externally communicated – Clearly communicate externally facing policies such as the Master Service Agreement (MSA), Terms of Service, and security documentation to provide transparency and build trust with customers and partners.
  • Confidentiality agreement acknowledged by employees – All personnel are required to sign a confidentiality agreement, committing to the protection of sensitive information and proprietary data.
  • External support resources available (i.e., documentation) – Offer publicly accessible support materials, such as product documentation, knowledge bases, and FAQs, to empower users and reduce dependency on support teams.
  • Offboarding process established – Implement a formal offboarding process to recover company assets and revoke system access when employees exit the organization.
  • Onboarding process established – Standardize a structured onboarding process to train new hires, assign system access, and facilitate smooth integration into organizational workflows.
  • Performance evaluations conducted – Conduct periodic employee performance reviews to provide feedback, guide professional development, and recognize high performance.
  • Physical access restricted – Enforce physical access restrictions to facilities and systems, ensuring only authorized personnel have entry to sensitive areas.
  • Reference calls performed for employees – Perform reference checks during the hiring process to validate candidate experience and assess suitability for the role.
  • Roles and responsibilities specified – Clearly document and assign responsibilities for each role to ensure operational accountability and role clarity across teams.
  • Security awareness training conducted – Conduct routine security awareness training for all employees. Topics should include phishing and social engineering prevention, secure password practices, use of multi-factor authentication (MFA), and data protection best practices.
  • Service description communicated – Provide customers with clear and comprehensive service descriptions that outline features, functionality, limitations, and expectations.
  • Software development lifecycle established – Adopt a formal Software Development Lifecycle (SDLC) process to ensure secure coding practices, version control, code review, and rigorous quality assurance in all software development efforts.

Risk Management

  • Risk management policy established – Develop and enforce a comprehensive risk management policy that defines the organization's methodology for identifying, evaluating, and mitigating information security risks.
  • Vendor inventory maintained – Keep an accurate and current inventory of all vendors engaged by the organization. This inventory should document the nature of services, contractual agreements, and the level of access to systems and data provided to each vendor.
  • Vendor management program established – Establish a formal vendor management program to evaluate and control third-party risk. This program ensures vendors adhere to required security and compliance standards throughout the engagement lifecycle.

Vulnerability Management

  • Penetration testing findings remediated – Implement timely remediation, tracked against severity-based deadlines, for all vulnerabilities discovered during penetration testing to eliminate exploitable weaknesses in systems and applications.
  • Penetration testing performed – Perform penetration testing on a routine basis to uncover security flaws within infrastructure, applications, and services by simulating real-world attack scenarios.
  • Vulnerability management policy acknowledged by employees – Ensure all employees acknowledge and comply with the organization's vulnerability management policy, which details the procedures for identifying and resolving security weaknesses.
  • Vulnerability management policy established – Define and implement a structured vulnerability management policy outlining steps for discovery, risk evaluation, prioritization, and remediation of vulnerabilities across the IT environment.
