Arc XP ISO 27001 Program

ISO 27001 is a globally recognized standard for information security management systems (ISMS), developed by the International Organization for Standardization (ISO). The standard provides a systematic approach to managing and protecting sensitive information, covering data confidentiality, integrity, and availability.

Arc XP has adopted ISO 27001 as part of our commitment to implementing, maintaining, and improving security controls, ensuring that we protect our customers' data to the best of our ability.

Maintaining ISO 27001 compliance involves a range of regular activities that ensure that Arc XP’s information security management system continues to operate effectively and meet the requirements of the standard. Here are some of the key activities involved:

  1. Risk assessments: Risk assessments are conducted to identify potential security threats and vulnerabilities to the organization's information assets.

  2. Internal audits: Internal audits are conducted to assess the effectiveness of the ISMS and identify any gaps or areas for improvement.

  3. Security awareness training: Training is provided to employees to raise awareness of security risks and ensure that they understand their roles and responsibilities in protecting sensitive information.

  4. Incident management: Testing and reviews of incident management procedures are conducted to ensure we are prepared to respond to security incidents and minimize their impact.

  5. Continuous improvement: Regular reviews of the ISMS are conducted to identify areas for improvement and implement corrective actions to address any gaps or deficiencies.

Our ISO 27001 compliance program covers various aspects of information security, including:

  • Development and implementation of policies and procedures to manage and protect sensitive information

  • Establishment of an organizational structure for managing information security, including the appointment of a security officer, defining roles and responsibilities, and establishing security objectives

  • Controls for identifying, classifying, and managing information assets

  • Implementation of access controls to ensure that access to information assets is granted only to authorized personnel and based on their roles and responsibilities

  • Use of cryptography to protect information, including encryption and digital signatures

  • Physical and environmental controls to protect information assets from theft, damage, or unauthorized access

  • Controls to ensure the secure operation of information systems and networks, including procedures for backups, system monitoring, and incident management

  • Controls to protect the confidentiality, integrity, and availability of information communicated over networks and other communication channels

  • Controls to integrate information security requirements into the development and maintenance of information systems

  • Management of supplier relationships to ensure that information security requirements are integrated into procurement and contracting processes.

Threat Management

Arc XP's vulnerability assessment and management process is an integral part of our commitment to information security and compliance with the ISO 27001 standard. The process includes developer education, threat modeling, code and design reviews, code scanning, infrastructure assessment and scanning, and third-party vulnerability assessments.

In addition to these activities, Arc XP's platform is built on security best practices that align with ISO 27001 requirements. These practices include data encryption in transit using TLS, as well as data encryption at rest using AWS platform-provided encryption and key management. Platform authentication is enforced through Okta, a security industry leader, and access to all product resources and assets is enforced through SSO and MFA. AWS VPC and other network security features are used for logical separation and network segregation.

Arc XP regularly reviews least privilege and attack surface reduction principles, and the security profiles of active instances are controlled by secured and centrally managed AMIs to reduce the risk of persistent attacks. Internet-exposed resources are tightly controlled and placed behind Akamai for best-in-class protection from web-based attacks as well as DDoS attacks. AWS platform-provided security services are used to identify and remediate infrastructure issues, detect threats in real time using best-in-class machine learning techniques, and respond to and remediate issues as they are identified.

Data Protection

Data security is a critical component of Arc XP’s ISO 27001 compliance program. The Arc XP team has implemented data security measures aligned with ISO 27001 requirements.

Data encryption at rest is provided by AWS platform-provided symmetric encryption algorithms, and keys are managed in a dedicated keystore. User passwords are stored as cryptographically secure hashes, which is a standard security practice in the industry. Single Sign-On (SSO) and Multi-Factor Authentication (MFA) are enforced for all employee access to product resources and assets. All data is transmitted over HTTPS.

To protect against known incoming attacks, Arc XP deploys Akamai WAF and AWS Shield. All EC2 instances and S3 buckets are placed behind an elastic load balancer and/or CloudFront. Infrastructure code changes are made through CloudFormation and CodePipeline, which enable more secure and standardized changes.

Additionally, to detect attacks and prevent malware, an EDR solution is installed on EC2 instances, providing threat intelligence. These security measures align with ISO 27001 requirements while protecting Arc XP's information assets from cyber-attacks and data breaches.

Business Continuity and Disaster Recovery

Arc XP has established robust Disaster Recovery processes to ensure the availability and resilience of its data centers. These processes include:

  • Using multiple availability zones in each region to allow failover in case of a single data center failure.

  • Utilizing the Akamai Cloud Wrapper central cache to consolidate requests to origin for all edge nodes in the event of a region-wide failure, extending the longevity of content for all edge nodes around the world.

  • Tracking Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) to evaluate the effectiveness of disaster recovery processes. Arc XP performs tabletop and simulation exercises yearly to validate these RTO and RPO guidelines.

  • Classifying platform components into Tiers based on their criticality, which drives the RTO SLAs within a single region. The RTO values range from 75 to 240 minutes depending on Tier criticality, data size, and region. The RPO values range from "Point in time" availability for critical tier components to a maximum of 1 hour for less critical components.

By following these measures, Arc XP ensures that its services remain available in case of unforeseen disasters, with minimal disruption to its customers. These practices align with the ISO 27001 standard, which requires organizations to establish and maintain a robust Business Continuity Management system to ensure the continued availability of their services.

Training

Arc XP has implemented a security awareness training program for its team members to align with the requirements of the ISO 27001 standard. All employees are mandated to complete annual security awareness training to stay up to date on the latest threats, best practices, and organizational security policies. The ISO 27001 program's policies, including each employee's responsibility to adhere to these policies and specific steps they can take to fulfill their security objectives, are also covered in detail.

In addition to the mandatory annual training, critical application teams undergo instructor-led training brown bags that provide an in-depth review of key security topics, the threat landscape, and security best practices. As part of the security engineering process, the team also conducts threat modeling and architecture and design reviews, which serve as an opportunity for knowledge transfer and training. These activities ensure that every team member understands their role in maintaining the security of the organization and its assets.

Incident Response

At Arc XP, we recognize that incident response is a critical component of our Information Security Management System (ISMS) in line with ISO 27001. As such, we have established four tiers of incident response: Alert, Investigation, Incident, and Breach.

When we receive an alert, our security team conducts a risk assessment to triage the situation. If the alert is suspicious, an investigation may be initiated. An incident may be declared if an investigation reveals that the confidentiality, integrity, or availability of an Arc XP resource may have been impacted.

We categorize breaches into two types: platform breach and customer breach. A platform breach involves a vulnerability or weakness in the Arc XP platform that has led to a compromise. These breaches are the responsibility of the Arc XP team, and all breach procedures and policies will be followed. In contrast, a customer breach relates to vulnerabilities or weaknesses in customer code or configuration, and the customer bears the responsibility for such breaches. In the event of a customer breach, the role of the Arc XP team is to provide notification and support to enable the customer to manage the breach using their own incident response process.

We will declare a breach if there is confirmed impact to customer data or service by a threat actor. When a platform breach is called, this will activate procedures governed by contractual and regulatory obligations.

Each member of our incident response team has a defined role and responsibility. These include the Reporter, Incident Manager, Engineering Manager, Communication Manager, and Executive Owner. We have specific communication channels for internal and external communications during an incident to ensure that everyone is informed and working collaboratively to resolve the incident.

Our incident response values are built around Detect, Respond, Eradicate, and Improve. We work to detect incidents before our customers do, respond quickly and accurately, thoroughly eradicate the incident, and improve our processes and strategies for the future.

We understand that incident response can be a high-pressure, stressful process. Nevertheless, we are committed to maintaining open and transparent communication with our customers during an incident, documenting our actions and improvements, and taking responsibility for our role in the event of an incident. As part of our ISO 27001 ISMS, we continually review and improve our incident response processes to ensure that we provide a robust and effective incident response capability for our customers.

Conclusion

Arc XP's adoption of the ISO 27001 standard demonstrates its commitment to maintaining the highest standards of information security management. Adherence to ISO 27001 provides a comprehensive framework for managing information security risks and ensuring the protection of sensitive information assets.

Our ongoing dedication to information security management is just one of the many ways in which the Arc XP team executes our mission of building a highly scalable, performant, secure platform on which you can create uniquely rich and impactful digital experiences.