System Security Practices
1.0 Company Overview
Resolute Building Intelligence (“Resolute”) provides a cloud-based building-performance analytics and reporting solution that enables customers to quickly, reliably, and securely use real-time data, analytics-driven insights, and on-demand reports to better manage building performance and achieve quantifiable results.
At the core of our solution is Resolute Cloud™, which collects an array of diverse Building Automation System (BAS) and device-building performance data from the building level up to entire building portfolios. This collected data is then aggregated and run through Resolute’s analytics engine, transforming massive amounts of incoherent data into actionable insights and reports used to help customers better understand and improve building performance. Some of these quantifiable results include:
- Improved building operations
- Enhanced equipment performance and extended equipment life
- Informed business decisions and prioritized capital expenditures
- Better managed building owner service needs and Service-Level Agreements (SLAs)
- Reduced energy consumption and costs
2.0 Principal Service Commitments and System Requirements
Resolute uses on-premise devices to collect equipment-performance data at user facilities. This data is loaded into the Resolute solution for analysis by users. Resolute commits to securing these connections, preventing any inbound access to user networks, and restricting access to collected data to authorized parties. Resolute has implemented VPN tunnels to secure the connections from the Resolute Cloud™ to user facilities. Firewalls are in place for devices located at user facilities to prevent access. Inbound port access has also been disabled to prevent Resolute devices from connecting to user networks. Resolute performs annual user access reviews to ensure access to the Resolute environment is restricted to authorized users only. Resolute commits to notifying impacted users in the event of a change in commitments through statements of work and master service agreements.
Resolute commits to providing 99.95% uptime for its software. Resolute utilizes AWS to provide data center hosting. Resolute monitors reports from AWS monthly to track system performance. Resolute also uses separate monitoring applications to monitor security and availability. Reports from these monitoring applications are reviewed monthly. Additionally, Resolute reviews the AWS SOC report annually to ensure environmental and physical security controls are in place.
2.1 Subservice Organizations
In conjunction with established Resolute controls, certain controls at subservice organizations are necessary to provide reasonable assurance that Resolute service commitments and system requirements will be achieved. These complementary subservice organization controls and the related trust services criteria are described below. Subservice organizations are responsible for implementing such controls. Resolute uses AWS (subservice organization) for data center hosting services.
| Applicable Trust Services Criteria | Expected Controls to be Implemented by the Subservice Organization |
|---|---|
| CC 6.4: The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives. | A user access review of individuals with access to the data center is performed and reviewed; all entrances to the building and data center are locked and access is properly restricted. |
| CC 6.5: The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives. | Server hard drives are destroyed in a secure manner when no longer in use. |
| AVA 1.2: The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. | The following controls are in place within the data center: equipment kept on racks; smoke and fire detection system; fire suppression system; fire extinguishers; dedicated A/C; UPS, tested at least quarterly; generator, tested at least quarterly; environmental monitoring software with alerting in place; business continuity and disaster recovery plans updated at least annually. |
2.2 Data Privacy
Resolute respects privacy and is committed to protecting it through compliance with our Privacy Policy.
3.0 Management Process
3.1 Control Environment
3.1.1 Commitment to Integrity and Ethical Values
An ethics policy and mission statement have been defined and are included in the Resolute Employee Handbook. The security policy and Employee Handbook address workforce conduct standards and sanctions that could be enforced if security and availability standards are violated. Roles and responsibilities are defined in written job descriptions and are maintained by the Chief Administration Officer.
3.1.2 Oversight Responsibility and Structure
The Employee Handbook is maintained by the Chief Administration Officer (CAO) and communicated to employees upon hire. The Board of Directors is responsible for oversight of internal controls. The Chief Technology Officer (CTO) and the Chief Information Security Officer (CISO) are responsible for the performance of internal controls and are not part of the Board of Directors. Results of internal control monitoring are reported to the Board of Directors annually. Reporting lines are defined by senior management and documented within the organizational chart.
3.1.3 Commitment to Competence and Accountability
Prospective employee qualifications are evaluated during the hiring process by the hiring manager. New-hire technical evaluations and reference checks are performed by a third party prior to hire, as applicable. Technical evaluations are performed based on the source of the employee referral and job position. A performance appraisal is performed for each employee annually.
3.2 Risk Assessment
The risk assessment procedure is formally documented and defines the objectives as well as the scope and frequency of the assessment of risk to those objectives. The Director of DevOps, the COO, and the Security Consultant review the risk assessment annually. The risk assessment addresses the following items:
- Potential threats and associated risks
- Probability of threats
- Significance of threats
- Identification of responses to risks
- Tolerance level for acceptance of risk
Upon identification of risks, Resolute identifies controls in place, or controls to be put in place, to mitigate the risks identified. Fraud and the reliability of information used in the performance of controls are specifically addressed as part of the risk assessment. In addition, the governance committee meets monthly to discuss any current environmental, governmental, and regulatory issues; the status of projects; and strategy. The Risk Assessment document ties controls to the risks they mitigate, including manual, automated, preventive, and detective controls. The Risk Assessment document is reviewed annually as part of the risk-assessment process.
3.3 Information and Communication
3.3.1 Internal User Communication
The boundaries of the system are communicated to internal users through internal network and application diagrams. These diagrams and company policies are available to users on the internal wiki site.
Internal users are informed of the organization’s commitments and responsibilities for security and availability during new-hire onboarding. This process requires new hires to acknowledge the Resolute Technology Security Policy, Employee Handbook, and a confidentiality agreement. Additionally, the organization’s commitments and responsibilities are also communicated annually to internal users during mandatory security training. Participation in annual security training is tracked using PhishingBox.
Included in the Resolute Technology Security Policy is the responsibility for Resolute employees to report incidents and instructions for how incidents should be reported.
3.3.2 External User Communication
Security and availability commitments are communicated to new external users of the system through statements of work and master service agreements. These documents are signed by new clients during the client onboarding process. A help center website is available for clients to report issues related to security and availability.
Significant changes impacting the security or availability of external users are communicated to impacted parties prior to implementation via email or in-person meetings.
3.4 Monitoring
Resolute uses both internal monitoring applications and AWS Trusted Advisor to monitor system security and availability.
- AWS Trusted Advisor monitors system performance and security. It provides an aggregated monthly summary report that is reviewed by the DevOps team.
- Internal monitoring applications are in place to monitor system security and availability. The outputs of these applications (DataDog application performance monitoring and GuardDuty) are reviewed by the security team monthly.
- The AWS SOC 2 report is reviewed annually by the Director of DevOps and the consultant to assess third-party controls and the effectiveness of those controls.
- The annual risk assessment includes the consideration of the risk posed by the reliance on inaccurate or incomplete information as a part of performance of controls. Resolute has defined alerting rules through the DataDog application. Alerts are also generated to the DevOps team in the event a rule is not functioning.
- Remediation actions are taken in response to alerts and issues identified during reviews. The annual risk assessment is updated to reflect these threats.
4.0 Control Activities
Control activities include information technology general controls and preventative, detective, automatic, and manual controls that contribute to the achievement of objectives. The risk assessment considers risks related to segregation of duties. On a monthly basis, the Director of DevOps, the Consultant, and the Chief Operating Officer (COO) meet to review the performance of security controls.
This includes a review of the following items:
- Monitoring application reports (GuardDuty, AWS Trusted Advisor, and DataDog)
- Backup logs
- Antivirus reports
- Security events
- Windows and Linux patch status
- Onboarding and offboarding events
4.1 Organization and Management
Resolute has a documented organizational chart that defines reporting lines. A development team, which reports to the CTO, develops the application. Additionally, there is an engineering team, which includes an energy engineer and integrators, who are responsible for the implementation and operation of the system at customer locations. The engineering team reports to the Director of Engineering. Both the CTO and Director of Engineering report to the CEO, who sits on the Board of Directors.
The CTO and Director of DevOps are responsible for system security and availability. Security and availability responsibilities are also included in the written job descriptions for all employees, which are maintained by the CAO. The Information Security Policy addresses workforce conduct standards and sanctions that could be enforced if security and availability standards are violated.
During onboarding, prospective employee qualifications are evaluated by the hiring manager. In addition, reference checks are performed by a third party. On an ongoing basis, annual performance appraisals are completed for every employee to ensure each employee maintains the competencies necessary to carry out his or her job responsibilities.
Physical access to local facilities is restricted to users with keys or through screening by administrative staff. Doors remain locked at all times. Resolute does not have any customer information stored on site at its facilities. Visitors are escorted at all times when on site. All production data is stored at AWS. Therefore, the physical access controls are the responsibility of AWS.
4.2 Logical Access
A unique ID and password are required to log into the Resolute solution. Shared user accounts are prohibited in the Information Security Policy. Multifactor authentication is required for internal staff for access to the development or production resources of the Resolute solution.
The following default authentication parameters are currently in place for external users:
- Complexity enabled
- Minimum of eight characters
- Passwords do not expire
Administrative access to the Resolute solution is restricted to authorized employees through the Administrative Authority Group. Access to the production and development root accounts requires dual-factor authentication. Public and private keys are used to control all access to production and development resources. A user access audit of all in-scope systems is performed by the CTO and Director of DevOps annually.
For new Resolute employees, approval from the Director of DevOps or HR is required for access to the Resolute solution. Access for terminated employees is removed within one business day of termination and documented within an offboarding ticket.
During the onboarding process, clients are given a superuser account. Clients are required to approve the creation of this account. Once this account has been created, clients are responsible for the administration of access for any additional client users.
4.3 Internet Access
The Resolute solution obtains its information from Java Application Control Engine (JACE) devices located throughout the customer facilities. The JACE devices receive information from the building and report to the Resolute Gateway Appliance (RGA). The RGA sends this data to the Resolute Cloud™ for use within the software.
Remote access for RGA devices is disabled except for VPN. The passwords for these devices are stored in LastPass. Access to the passwords is restricted to the Client Services Manager, IT management, and authorized members of the DevOps team. Upon setup of RGA devices, a VPN tunnel is established from inside the customer network to report outbound to the Resolute Cloud™. There is no inbound traffic to the customer network. JACE devices do not have inbound port access from the internet.
Multiple firewall devices are configured to restrict access to the Resolute Cloud™ and RGA devices. RGA device firewalls are fully closed by default, and ports are opened only as needed for the project. Device firewall changes are approved by the Product Support Engineer. End-user and server workload traffic is segmented to support customer data isolation. Administrative access to the firewall is limited to members of DevOps and IT. Firewall rule sets are reviewed by the DevOps team annually as part of the Annual Security Review meeting.
4.4 Data Security
Resolute uses encryption to secure production data, including hard drive encryption on development computers and encryption of backups of customer metadata. Encryption is also used to secure transmissions: connections to hosts are required to be encrypted using certificates and TLS. Public and private keys are used to control all access to production and development resources. Hard drive encryption is installed on all development computers during the computer setup process. The AWS key management system is used to rotate encryption keys.
4.5 Antivirus
Antivirus software is installed on all Windows servers and workstations. Definition files are updated hourly. Antivirus reports are reviewed monthly as part of the Security Checklist.
4.6 System Operations
Firewall logs are retained and are monitored by the DevOps team when issues are identified in system performance or security. Alerts are sent to the DevOps team for changes to firewall rules. If an alert is received, it is investigated. If, after an initial investigation, a potential security incident is suspected, it is tracked in a JIRA ticket.
Internal monitoring applications are in place to monitor system security and availability. The outputs of these applications (GuardDuty and DataDog application performance monitoring) are reviewed by the security team monthly. AWS Trusted Advisor, a monitoring service from Amazon Web Services that monitors system performance and security, is aggregated into a monthly summary report and reviewed by the DevOps team.
Procedures for handling security events and incidents are documented in the Incident Response Plan. Events are evaluated by IT personnel for their potential impact. Incidents are required to follow the documented process, including reporting and acting on the incident. Incidents are tracked through JIRA. Roles and responsibilities are defined within the incident response plan. A root-cause analysis is performed for each incident.
Business Continuity and Disaster Recovery Plans are established and reviewed annually.
4.7 Change Management
A change control process is defined. Changes are requested by product owners and assigned to developers by the Development Lead. The developers and product owners together create change requirements. Development is tracked to implementation in JIRA.
Change requirements are initiated based on identified needs during the risk assessment, project planning, and identified deficiencies noted during system operations. These requirements are compiled into change requests within JIRA.
Every two weeks, a sprint planning meeting is held. During this meeting, all changes to be included in the next release are discussed. The changes to be implemented in the next release are authorized as a result of the meeting.
Changes are then developed in the development environment, which is segregated from the production environment. Once developed, bug fixes are tested by the Product Management team to confirm the changes will behave as expected when applied and will not adversely impact performance. New features are also tested by QA personnel for each release.
Approval for implementation is received during the Go/No Go meeting to provide appropriate oversight and understanding of business impact. Every two weeks, after a development sprint, changes to be deployed into production are demonstrated for the production team members to review and provide final signoff.
In the event a change must be implemented urgently and cannot wait for the next sprint, it will follow the emergency change or hotfix process. Any hotfix changes must be approved by the CTO or Development Manager prior to implementation.
Servers and workstations are configured to automatically install security patches monthly. This process is monitored by the DevOps team as part of the Monthly Security Review.
Baseline configurations are maintained within AWS for servers. RGA and JACE configurations are also maintained. Changes to the configurations must be approved by the CTO.
4.8 Risk Mitigation
The need for cyber insurance is assessed annually, and a cyber insurance policy is in place. A vendor risk assessment is performed annually by the Director of DevOps and the Consultant and includes the following:
- Vendor
- Vendor type
- Business impact risk
- Risk scoring
- Risk mitigation (high-risk vendors)
Reviews of the subservice organizations’ SOC 2 reports are performed annually by the Director of DevOps and the Consultant, covering the report opinion, complementary user entity controls, and the results of tests performed to determine that controls are operating effectively at the subservice organization.
4.9 Availability
Resolute uses DataDog application performance monitoring to monitor system performance and availability metrics. Dashboards are configured and utilized by the DevOps team to monitor these metrics. AWS Trusted Advisor, a monitoring service from Amazon Web Services, is aggregated into a monthly summary report and reviewed by the DevOps team.
Resolute also utilizes a web load balancer to monitor and promote availability and reliability of the system. All production data is stored at AWS and, therefore, environmental controls are the responsibility of AWS.
Database backups are performed daily. RGA configuration files are static and are backed up remotely for offsite storage. If a backup fails, an alert is generated and sent to the DevOps team for resolution. Backup restorations are performed annually to validate the viability of the backup data.
A business continuity and disaster recovery plan has been established and is reviewed annually. A tabletop test of a plan for recovering from an incident is performed annually.
5.0 System Components
5.1 Infrastructure
The Resolute Cloud™ environment is entirely hosted by Amazon Web Services. For legacy clients that utilize the RGA devices, these devices are located at the client’s facility, and the physical security of these devices is the client’s responsibility.
5.2 Software
The primary application in scope is the Resolute Cloud™ System (Resolute solution). Resolute uses the following software to support the Resolute solution.
- DataDog – Cloud monitoring
- LastPass – Password management
- Bit Defender – Anti-virus and malware protection
- JIRA – Ticketing software
5.3 People
The Resolute personnel supporting the Resolute solution are divided into the following groups:
- Engineering – Responsible for the integration of the system
- Product – Responsible for the maintenance of the system
- Development – Responsible for the development of the system
- Human Resources – Responsible for employee onboarding and annual performance evaluations
- Board of Directors – Ultimate responsibility for the security and availability of the system
6.0 Complementary User Entity Controls
In designing the Resolute solution, it was assumed that certain controls would be required to be implemented by user entities, and that those controls, in conjunction with Resolute controls, would be necessary to provide reasonable assurance that Resolute service commitments and system requirements would be achieved. These complementary user entity controls and the related trust services criteria are described below. User entities are responsible for implementing such controls.
6.1 Common Criteria: Logical and Physical Access (CC 6.4)
User entities are responsible for the physical security of the RGA and JACE devices once implemented within their facilities.
7.0 User Entity Responsibilities
For user entities to derive the intended benefits of the Resolute solution, the following additional user-entity responsibilities are required:
- User entities are responsible for restricting client-initiated network changes to the RGA and JACE devices once implemented within their networks.
- User entities are responsible for distributing and maintaining user access for their organizations.