
Security and Privacy Customer Risk Assessment

Review the essentials of Sorenson’s security and privacy information, including measures to safeguard network, operations and data storage security

Sorenson Security Program Summary

Sorenson Communication LLC and its affiliates (hereafter “Sorenson”) have implemented an information security program, which includes (but is not limited to) administrative, physical, technical, and organizational measures designed to strengthen security of the network, operations, and data storage. This document describes the security program applicable to Sorenson’s services, in accordance with Sorenson’s Terms of Service or Service Level Agreements, as applicable.  Sorenson updates policy and procedure at least annually and/or as needed.  A quarterly continuous monitoring program reviews controls to re-confirm control ownership and performance by stakeholders.

Sorenson maintains policies and procedures that govern the risks around access and authentication to systems and data.

Sorenson maintains separation between user and non-user accounts implementing best practices in the form of unique identifiers, authentication mechanisms and access limitations based on “least privilege” requirements.  All non-standard access requires appropriate approvals.  Access is reviewed regularly by management and Sorenson employs a standard provisioning / deprovisioning process of less than 24 hours.  All access or authentication requests are logged and monitored.  Further details regarding access controls that could be used by an attacker to target Sorenson will not be disclosed here.  In summary, Sorenson employs industry standard or leading practices in managing accounts and access control to its systems and data.

Sorenson provides training to its workforce to maintain knowledge of current standards and threats.

Sorenson’s security awareness and training policies and procedures have been established for security and privacy programs, business processes, systems and data. Training is mandatory for both new employees and independent contractors at time of hire and annually thereafter; access is disabled if security awareness training is not completed within prescribed timeframes. The training includes, but is not limited to, general security hygiene, security awareness, acceptable use of company systems, the handling of sensitive information, supply chain risks, Personally Identifiable Information (PII), phishing and incident response.

Sorenson’s logging and monitoring policies and procedures were written to meet industry expected standards around event logging, audit record content, log storage, automated monitoring of logs, protection (including non-repudiation) of logging systems and log retention.  Also included in these policies and procedures are requirements for alerting and notification response based on risk and criticality of the event.  Logging and monitoring are tested as part of our annual SOC 2 attestation efforts.

Sorenson has an internal security compliance team responsible for the ongoing and continuous monitoring of Sorenson security controls.

Continuous monitoring, annual assessments, system design and development, systems security engineering and privacy reviews are performed regularly. Assessments help to ensure that Sorenson meets information security and privacy requirements, provide essential information needed to make risk-based decisions as part of authorization processes, and confirm compliance with vulnerability mitigation procedures. Sorenson conducts assessments of the implemented controls as documented in security and privacy plans.

Sorenson employs a Plan of Action and Milestones (POA&M) process for the remediation of any non-compliant controls or risks. Control risks are assessed and updated at least annually, and penetration testing is performed annually or as needed based on system changes.

Sorenson is assessed by third parties and follows industry standards like those outlined in SOC 2.

Sorenson’s network environment, supporting infrastructure and systems are protected from unauthorized changes via a documented Change Management Process.

Information technology products and software for which configuration settings can be defined have been identified and configuration baselines for those systems are maintained. Sorenson’s change management process accounts for risk, priority and impact of changes and certain changes are subject to review before approval by our Change Control Board (CCB). Changes must be approved by appropriate individuals other than those implementing said changes.  Only qualified and authorized individuals can access systems to implement changes.

Configuration and Change Management for organizational systems involves the systematic proposal, justification, implementation, testing, review and disposition of system changes, including system upgrades and modifications.

Sorenson maintains disaster recovery plans for customer supporting systems designed to ensure customer systems and services remain resilient in the event of failures, including natural disasters, infrastructure or system failures.  Plans are reviewed, updated and approved by management at least annually.  Cloud providers are utilized for infrastructure hosting services globally, leveraging High Availability (HA) features to ensure Sorenson’s services are not prone to single points of failure.

Video Remote Interpreting (VRI)

VRI services are available in several regions around the world. Hosting of the backends for these services is provided in datacenters physically located within the region using them.

Video Relay Service (VRS)

VRS services are provided only in the U.S. and Puerto Rico; therefore, the backend services are hosted only in U.S.-based regions.

Sorenson has identification and authentication policies and procedures defined to address authentication requirements.

Users authenticate to production and non-production systems and infrastructure with unique accounts. Password criteria follow or exceed industry best practices. Access to systems and infrastructure is configured based on roles and follows a least-privilege policy. Multi-factor authentication (MFA) is implemented for remote access, privileged accounts and user access to web-based application systems, where relevant.

Sorenson maintains policies and procedures to manage security incidents in alignment with best practices. These procedures are practiced and updated. Resources defined in the incident response plan are trained in their roles and responsibilities. Incident response plans include considerations for identifying, triaging, responding to, classifying, limiting and recovering from various incident types. Sorenson’s incident practices also include parallel considerations for the inclusion of external resources, communications and notification to customers should a security breach event take place. Sorenson maintains a security and network operations center for ongoing monitoring and response to potential security incidents.

Sorenson develops, disseminates, reviews & updates procedures to facilitate the implementation of maintenance controls across the enterprise.

Sorenson maintains policies and procedures to adequately protect media and its usage.

All media containing sensitive information is encrypted to, or better than, industry standards.  External storage devices are not allowed without authorization from security teams.  Media containing sensitive information / system records is sanitized utilizing current industry standards.

Only authorized individuals are allowed access to Sorenson locations, facilities and assets.  Individuals without authorized access are escorted by individuals with appropriate physical access authorizations to ensure that information and sensitive assets are not compromised.  Visitor access is coordinated in advance and logged.  Sorenson actively monitors access points at all company locations utilizing current industry standards and technologies.

Sorenson maintains an information security program consistent with industry standards.  This program ensures the confidentiality, integrity and availability of information processed, stored and transmitted by Sorenson systems.

Sorenson has appointed a senior leader, the Chief Information Security Officer (CISO), to be responsible for implementing and maintaining the security program. The program includes compliance, governance, architecture and operational teams to enforce program functions. Sorenson’s security program maintains a Plan of Action and Milestones (POA&M) process to ensure that risks are understood and remediated appropriately. Sorenson tracks the security requirements for an organization-wide information security program and describes the controls in place for meeting those requirements. System inventories are maintained, and measures of performance are tracked. Sorenson operates continuous monitoring functions to measure security program effectiveness. Program management includes insurance to help minimize the fiscal impact of cyber events.

Personnel screening activities are conducted for all staff (employees and contractors) to minimize personnel-based risks.

Personnel screening is compliant with applicable laws, regulations and policies. Examples of personnel screening include background investigations and agency checks. Upon termination, personnel are reminded at exit interviews of nondisclosure and confidentiality agreements.

Sorenson has developed its products and services to minimize the need for personally identifiable information (PII).  All PII is protected to industry standards.

The Chief Privacy Officer considers applicable requirements to include in organizational policies and updates the Privacy Policy at least annually.  Sorenson follows industry standards concerning authority to process personally identifiable information documented in Privacy Policies and Notices, System of Records Notices, Privacy Impact Assessments (PIA), Privacy Statements & notices, contracts and other documentation.  Sorenson considers protections of PII included in every step of the information life cycle including creation, collection, use, processing, storage, maintenance, dissemination, disclosure and disposal.

Video Relay Service (VRS)

Sorenson is committed to providing an accounting of client data to end users and restricting the use of client data as outlined in the Privacy Policy. Video calls are not recorded; ASL (American Sign Language) interpretation services are conducted in real time by a company interpreter. Non-disclosure agreements are signed by the interpreters covering the conversation and parties on any video call. Personal data is not recorded during any calls. Data collected for call detail records (including the number called, the calling number, and the time and duration of the call) is used for billing purposes. Specifically, the data collected is telemetry data used to calculate minutes required for billing and related account information for the customer.

Sorenson maintains a risk assessment process to identify, analyze, classify and manage risks to our organization and technologies that support our service delivery.

Full risk assessments are conducted annually with ad-hoc assessments or updates being performed as needed. Risks are tracked, reported and remediated according to risk prioritization.  Sorenson also considers the potential adverse impacts to and from other organizations through our Third-Party Risk Management (TPRM) vendor assessment program.

Video Relay Service (VRS)

The Security Risk & Compliance team performs a quarterly assessment of key internal controls relevant to the achievement of Sorenson’s service commitments and system requirements.  Results are shared with the Executive team, tracked and remediated.  Controls have been established to ensure key processes operate as intended.  These activities are designed to address both the relevant business risks and the underlying infrastructure relevant to technologies providing services to customers.  The control activities are integrated into the policies and procedures outlined in the Policies and Procedures section above.

Sorenson maintains policies and procedures that ensure security is built into system & service acquisition & development processes.

All acquired services and technologies are vetted through our Third-Party Risk Management (TPRM) process.  All new or changing technology undergoes a Security & Privacy by Design (SPbD) process that captures the functions of the technology, assesses risks, assigns technical requirements to ensure security and privacy are enforced, documents the technology and validates / tests the technology prior to release.

Sorenson uses various industry standard controls and protections for the organization’s information and communications systems.  Sorenson uses encrypted file share systems, encryption for data in transit, means to encrypt emails and a secure data transfer portal tool.  Encryption technologies are used to protect communication and transmission of data over public networks.  Many of the systems Sorenson employs do not record any information about users.  Collected customer data is encrypted at rest.  Access to encryption keys is limited and by approval only.  Encryption keys are protected.  Sorenson identifies areas that require separation of system, security and user functionality, along with implementing protections for increasing Confidentiality, Integrity and Availability.

Sorenson uses several tools to monitor the organization’s information systems and data.  These monitoring tools actively correlate and alert on potential risk events within Sorenson assets / networks.

Sorenson tests software and firmware for flaws or potential side effects. Malicious code protections at both network and endpoint layers are continuously updated and modernized. Customer systems are developed with industry-leading integrity, validation and code testing practices to ensure the protection of customer data. Separation of duties is used to allow privileged admins to make changes per policy while preventing other users from making unauthorized changes. As a time- and cost-saving measure, Sorenson operates a Security & Privacy by Design (SPbD) program. The focus is to adopt repeatable, methodical processes to seek out both security and privacy risks and reduce the chance of surprises. This process addresses security issues in an orderly manner that gives Sorenson better assurance that gaps are closed properly and as quickly as possible, and it incorporates security and privacy considerations into the early stages of the development lifecycle to reduce the need for, and cost of, risk remediation.

Sorenson minimizes products and services provided by other countries and organizations and where applicable, requires said parties to undergo a compliance, legal and risk review.  Non-disclosure agreements are widely used to better ensure systems and intellectual property developed and owned by Sorenson and its affiliates are not exploited or stolen.  Sorenson requires notification agreements for supply chain vendors in the event of a security incident.

Sorenson assesses new vendors to identify internal and external risks associated with company technology, business partners, service commitments and fraud. Sorenson reviews the third-party service provider’s reports over security controls and risks (e.g., ISO certification, SOC 2 report, detailed questionnaire or alternate information) for compliance with Sorenson service needs, laws and contractual obligations. Identified issues are assessed for their impact to Sorenson and the company’s service commitments. High-risk vendors are reassessed annually.