Information security at Keen
Keen takes securing your data seriously. Our Information Security program takes a multi-layer, ‘Defense in Depth’ approach to securing our products, networks, and the data our customers entrust us with.
Keen’s production network supporting the Keen Platform is physically segmented from the office network. Access to all production databases, systems, infrastructure and deployment pipelines requires use of a VPN. Multi-factor authentication is required for access to all cloud and office platforms and infrastructure components.
Access to Keen’s offices is restricted. Employees are issued keyfobs for access to the HQ office. Guests must be admitted by an employee and escorted during their visit. Access reports are regularly reviewed.
The Keen Platform is hosted in the cloud. The cloud services used by Keen are SOC 2 compliant.
Vulnerability and policy scans are automated. Any detected vulnerabilities are logged, prioritized, and remediated based on their criticality.
Identity and access management
Keen adheres to the practice of least-privilege access. Role-based access control is employed to ensure Keen employees can only access information on a need-to-know basis relating specifically to their job function. All login attempts to Keen’s systems are logged and monitored.
Third-party penetration testing
Keen engages third-party partners to perform external penetration testing against its applications and networks at least annually.
Log and event management
Keen has deployed a SIEM (Security Information and Event Management) solution that collects and analyzes events from production systems to detect security anomalies. Any time an anomaly is detected, security and relevant operational teams receive real-time alerts and follow a defined process for investigation, triage and resolution.
All changes to production environments are reviewed prior to deployment. All non-emergency changes are tested in a lab environment prior to deployment, and are scheduled for deployment to production during off-peak times to minimize disruptions. Emergency changes require approval from the VP of Product Development. A back-out plan is required for all changes as well.
Keen has developed an Incident Response program with a documented policy and procedures which include a defined incident response team, procedures for tracking all reported incidents to resolution, a communication plan to notify impacted 3rd-parties as necessary, and documented playbooks and workflows for managing incidents.
Business continuity/disaster recovery
Keen maintains a BCP/DR plan that documents and tracks the disruption scenarios that could potentially impact our production and office environments. Specific procedures, aligned with our Risk Management guidelines, are documented to establish communication, provide continuity of service, and define the recovery process for business-critical applications and services. Disaster recovery tests are performed at least annually.
Keen performs background checks on all candidates before extending an offer of employment. Additionally, new employees must complete security awareness training during their orientation, and annually thereafter.
All Keen computing devices are centrally managed and have next-generation anti-virus and anti-malware protection enabled.
Vendor risk management
Keen has established a vendor management program to ensure all vendors and contractors are assessed prior to establishing a working relationship, to validate they have appropriate controls in place to be compliant with Keen’s security policies and requirements. Critical vendors are reviewed annually to ensure they remain compliant with Keen’s policies.
Governance, risk, and compliance (GRC)
Keen employs a Risk Management framework based upon ISO/IEC 27005 (Information technology, Security techniques, Information security risk management). Risk assessments are performed at least annually, and remediation plans are developed for any identified control deficiencies.