Welcome to the second article in our security series, where we take a closer look at the extra layers of security that we provide for each document handled at Ripcord's facility in Hayward, California.
Ripcord must meet numerous safety and compliance standards to manage data privacy and global cybersecurity. Having an accomplished leader such as Prasad Yenigalla build the necessary compliance and security controls is a huge plus, given his 25 years of experience developing security solutions across various industries.
Yenigalla, Ripcord’s CCO, has a background that required the design of enterprise risk and governance programs for such industries as healthcare, high tech, government, utilities, and energy. With each industry he leveraged best practices and frameworks to identify, protect, detect, respond, and recover from threats and attacks to business and customer critical data.
This included classified and sensitive data that is subject to such well-known industry regulations as the Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI-DSS), General Data Protection Regulation (GDPR), Sarbanes-Oxley Act (SOX), and Gramm-Leach-Bliley Act (GLBA). That is a broad array of regulations to comprehend and apply to the appropriate industry, and it gives Yenigalla an impressive foundation of regulatory knowledge.
Yenigalla says his diverse background adequately supports his twofold responsibilities at Ripcord. The first is to secure business systems, networks, the data center, and cloud infrastructure; the second is to design, build, and deploy a compliance program that aligns with global, federal, and local regulations and applicable laws. He also stated that Ripcord’s controls are structured around five pillars of information assurance: availability, integrity, authentication, confidentiality, and non-repudiation.
“In terms of security protocols the key is identification of risk areas and mapping them to high impact controls, foundational controls and organization controls, all to mitigate business and operational risk,” said Yenigalla.
To name a few specific controls, Yenigalla describes the program he has put in place to identify authorized and unauthorized devices in our infrastructure. Data protection is also one of the key and core requirements of Ripcord’s business model, and this is achieved by securing applications through disaster recovery and cloud security.
“We conduct security audits and secure configurations for hardware and software. We also do continuous vulnerability assessments and figure out the remediation activities to mitigate those risks, and we put together programs in place where we monitor controlled usage of access privileges across our AWS and on-premise environments. We also harden our email and web infrastructure for data protection, and provide malware defense to our end point systems and user community, networking, monitoring, and data recovery capabilities.”
Yenigalla says Ripcord has also conducted a discovery and gap assessment to identify vulnerabilities and gaps across their systems, applications, cloud storage, data center, and network infrastructure environment. To remediate security and data privacy in such risk areas as credential theft, data loss, hacking, and social engineering attacks, his team has risk-ranked and prioritized actionable information and selected compensating security and privacy controls using industry best practices and frameworks such as Information Technology Infrastructure Library (ITIL), Federal Risk and Authorization Management Program (FedRAMP), and FISMA.
Controls have been implemented that are specific to user access and authentication controls, as well as application controls that address vulnerabilities in Ripcord software. Also installed are operational security controls such as firewalls, intrusion detection systems, patch management automation, network security and monitoring, data loss prevention systems, antivirus and malware scanning systems. There are even systems in place to monitor Ripcord’s network and application landscape for potential threats and breaches.
“From an organizational controls’ point of view, we’ve put together applicable policies, procedures, standards, and guidelines to achieve operational excellence, and all of our security and privacy controls are basically designed to address the most stringent of regulatory compliance requirements, across HIPAA, PCI, GDPR, GLBA, and other relevant regulations.”
With so many regulations to keep in mind, it is imperative that Ripcord maintain controls and measures that align with each specific regulation, whether it relates to federal or global compliance.
Yenigalla spoke about how the European Union (EU) regulates the GDPR so that it protects any data that could identify a living person, and how it’s a “non-prescriptive framework” that defines a set of rules and regulations to guide organizations around the world in dealing with personal data of EU residents.
Complying with these specific regulations “requires a design and deployment of compensating controls to achieve alignment with the data life cycle management that includes collection, processing, storage, transfer, and disposal” of the documents submitted to the facility.
On the other side are federal and local regulations such as PCI-DSS, a data security standard, and the California Consumer Privacy Act (CCPA), which was passed in 2018 to improve privacy rights and consumer protections for California residents.
“All the regulations require a varying degree of security and data protection controls, policies, and organizational measures, to demonstrate compliance against the most challenging regulatory standards that require continuous monitoring of networks, cloud environments, and end points,” said Yenigalla.
“The goal of certification and attestation, in the regulatory space, is basically to ensure that proper policies and controls are in place to reduce risk, to set up a system of checks and balances, to alert persons when new risks materialize, and to manage business processes more efficiently and proactively.”
From a global regulation point of view, Yenigalla says Ripcord is also considering ISO 27001, an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
For federal compliance the business has adopted NIST 800-53, a catalog of security controls published by the National Institute of Standards and Technology, and the SOC 2 audit certification, considered the “gold standard” that consists of a comprehensive set of controls that substantially overlap with other key privacy and security requirements.
With all this in mind, Ripcord has maintained a robust level of regulatory compliance. “Our objective and goal is to establish an enterprise risk management program that continuously monitors our security, privacy, risk and compliance posture, and identify best practices and frameworks to mitigate the risk by deployment of organizational and technical measures,” said Yenigalla.
Head over to the Ripcord YouTube channel to hear the full interview with Prasad Yenigalla.