Internal Security Policy

Security is our number one priority and is in our minds in everything we do, how we maintain our internal systems, and how we run our internal operations. Transparency is key and we want our clients to know how we handle their data. As a company, we have a high bar for our internal security.

Ops Security: All Concentric employees undergo extensive background investigations and we have a strict offboarding process that ensures access to systems and client data is removed immediately when an employee leaves or is terminated.

Physical Security: We utilize data centers that have been thoroughly vetted and have strict physical security controls (e.g. RFID badges, biometrics, barbed wire fences, video surveillance, motion detection, and access logging) to ensure the data centers are secure. The data centers limit access for entry and utilize the principle of least privilege for access. Additionally, we utilize SOC 2 audited/compliant data centers by geographic location whenever available by our data center providers.

Data Security: We leverage the philosophy of Principle of Least Privilege in conjunction with Data Classification to ensure data is secured properly and only those who need access have access to data.

Network Security: Our Internal network is protected by an enterprise-grade firewall/IDS/IPS system and we utilize Network segmentation to keep the network secure. Our network is protected against DDoS attacks, as well as other well-known network attacks. We routinely scan our Internal network for vulnerabilities and document remediations.

Device Security: All company devices are hardened, adhering to the highest security standards, utilize full-disk encryption, and have MDM software that allows for remote wiping if the device is ever lost.

Insider Threat Program: Concentric has created a custom Insider Threat Program to protect the company, intellectual property, and customer data from being compromised.

Cybersecurity Awareness: Whenever someone joins Concentric, they complete a mandatory Cybersecurity Training to bring them up to speed with cyber security principles and best practices. Topics covered include:

● Passwords & Multi-Factor best practices

● Attack vectors (e.g. phishing, social engineering, malware)

● Device security and how devices can be properly secured and hardened

● Digital footprint (e.g. PII and how it can be easily accessed online, social media best practices)

● We’ve built a custom management learning system to help further educate employees on cyber security best practices

All Concentric staff complete ongoing training related to cyber security and emerging threats to ensure staff are well trained and informed about potential security threats. Additionally, mandatory quarterly Cybersecurity Awareness trainings are completed by all employees.

Internal PenTesting: Concentric Internal networks and devices are pentested to determine vulnerabilities. If vulnerabilities are discovered, they are immediately remedied and documented. Additionally, all employees are randomly tested with various simulations (e.g. phishing, social engineering) to identify any weak points in cybersecurity awareness. If an employee fails an internal pentest simulation, they are coached on how to better handle future “attacks.” The goal of these internal simulations is to ensure all employees have a firm grasp on utilizing strong cyber hygiene and how to safely use devices and systems at work and at home.

Vetting: Any cloud app/service Concentric uses (e.g. e-mail, collaboration software, messaging apps, etc.) has been thoroughly vetted to ensure it adheres to our strict security requirements. If we can’t recommend it to a client, we won’t use it. Further, if we determine that an app/service we are using is no longer secure, we will immediately stop using it and switch to a secure alternative. All vetting is documented and outlines the security controls and weaknesses, along with a final synopsis on any risks with using the app/service.

Let’s Chat

Feel free to reach out anytime.