Aeris Security Standards
Aeris is committed to maintaining the best industry standards of security for Aeris information (its own and Customer Data). These standards are derived from and aligned with ISO/IEC 27001 and ISO/IEC 27002, and focus on confidentiality, integrity, and availability. Aeris Security Awareness training is conducted for all employees to ensure understanding of compliance obligations and best practices.
Security Controls
1 Information Security Governance
- Aeris maintains a dedicated governance framework aligned with ISO/IEC 27001 and ISO/IEC 27002, including periodic internal audits, security reviews and risk assessments, and ensures compliance with legal, contractual, and customer requirements.
- Aeris maintains a formal Information Security Policy to guide data protection efforts and ensure a systematic approach to managing information security risks.
- Roles and responsibilities related to security are clearly defined, assigned, and documented to ensure accountability.
- Security policies are reviewed and updated annually or as necessary to reflect changes in security risks and business operations.
2 Risk Management
- Regular risk assessments are conducted to identify, evaluate, and mitigate potential threats to Aeris information, taking into account stakeholders' needs and expectations, legal and contractual requirements, and the scope of the Aeris ISMS.
- Threat intelligence processes are implemented to proactively manage risks by collecting and analyzing security-related data from trusted sources relevant to the Aeris business context.
- Security measures are adjusted based on emerging risks, vulnerabilities, and changes in the threat landscape.
- Risk treatment plans are maintained for identified risks and the mitigation strategies employed.
3 Information classification and handling
4 Data Protection
- Data is classified and labeled, and access control applies role-based access principles, the principle of least privilege, and segregation of duties.
- Encryption is applied to data in transit and at rest using industry-standard cryptographic techniques.
- Secure data transfer mechanisms, such as VPNs and encrypted communication channels, are employed to protect data in motion.
- Acceptable use policies define appropriate handling, storage, and transmission of Customer Data, ensuring compliance with best practices.
- Documentation of processing activities for information, including PII, is maintained in accordance with GDPR legislation.
- Data retention policies establish guidelines for how long information is stored and when it should be securely deleted.
- Aeris uses approved, secure deletion software to permanently delete information to help ensure information cannot be recovered by using specialist recovery or forensic tools.
- For the disposal of hardware and information, Aeris uses approved, certified providers of secure disposal services. Disposal mechanisms shall be appropriate for the type of storage media being disposed of (e.g., degaussing hard disk drives and other magnetic storage media).
- Intrusion Detection & Prevention systems are deployed on networks processing personal data and are configured with rules that enable appropriate detection and prevention of intrusions that threaten the personal data.
5 Access Control
- Aeris establishes a secure and regulated environment for accessing and managing the organization’s information systems.
- Aeris controls access by applying role-based access principles, the principle of least privilege, and segregation of duties, ensuring that Aeris manages identities, protects authentication information, and assigns appropriate access rights, with strict adherence to information access restriction, safeguarding of access to source code, and secure authentication practices.
- Multi-factor authentication (MFA) is required for access to sensitive systems, ensuring additional layers of protection.
- Segregation of duties is enforced to prevent unauthorized actions, reducing the risk of conflicts of interest or accidental data exposure.
- Access rights are regularly reviewed (at least twice a year) and promptly revoked upon role changes or employee departures.
- Privileged access accounts should be reviewed on a more frequent basis according to the system owner and security team requirements.
- Default vendor passwords are altered following installation of systems or software.
- A password change process is in place when a person with access to a system account password leaves employment or changes their role.
- System account passwords are stored in a secure password vault. Passwords are not included in any automated log-on process, such as stored in a macro, script or function key.
- System account passwords must be unique to a specific environment.
- Aeris implements digital identity and password standards, with password changes triggered by policy specifications such as an expiration period or event-driven criteria (e.g. the password owner leaves employment or changes role).
6 Asset Management
- Aeris data and associated information assets are inventoried, tracked, and assigned clear ownership.
- An asset management policy ensures that information assets are inventoried, tracked and protected throughout their lifecycle.
- Secure return and disposal procedures ensure that data is securely erased or destroyed when no longer needed.
- Physical and logical security controls protect information assets from unauthorized access, theft, or damage.
7 End user device
- Acceptable use rules (policies and procedures) for the information are documented and observed by Aeris personnel.
- Aeris personnel are not authorized to access, copy, or disseminate internal or classified information without appropriate approval.
- Aeris prohibits installing any copyrighted software for which Aeris or end-users, as applicable, do not have an active license.
- Aeris prohibits the introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, ransomware, etc.).
- Aeris prohibits users from revealing their account password to others or allowing their account to be used by others.
- End user devices must be kept updated, together with the software installed.
- Antimalware and antivirus solutions are installed in order to identify end user equipment vulnerabilities and keep patching up to date.
- Aeris personnel shall use cloud solutions provided by the company for the lifecycle of the information managed.
8 Back-up and Business Continuity
- Business continuity plans are defined in order to manage disruptive events, and Aeris assesses the effectiveness of its business continuity management, including disaster recovery and compliance with availability requirements.
- All Domain Areas in Aeris identify the necessary backups and backup schedule and implement backup procedures.
- Backups are tested periodically, at least annually (unless otherwise agreed).
- Backup information is classified and managed in accordance with the confidentiality of the information it contains.
9 Vulnerability Management
- Vulnerability scanning is performed in all networks/devices.
- Identified vulnerabilities are scored, prioritized, and patched according to contextualized risk.
- Penetration testing is performed on systems processing personal data.
10 Logging and monitoring
- Active logging of activities is performed based on risk level, covering exceptions, faults, and security events, together with comprehensive monitoring activities and automated log monitoring, in order to ensure the continuity and security of our operational environment.
- Logs are kept securely, with restricted access for an approved retention time depending on the criticality of the system.
11 Physical Security Measures
- Aeris's physical security framework takes local threats, vulnerabilities, and building codes into account and contains requirements based on industry standards.
- Aeris defines security areas to segment physical access and provide protection according to, and in proportion with, the level of sensitivity and criticality of the information, assets and operations contained within.
- Aeris offices are secure and protected by a defined perimeter with appropriate security barriers and entry controls.
- Access is restricted to authorized personnel only.
- All personnel and visitors must comply with internal physical security procedures.
- Physical assets are maintained to ensure optimal working condition and performance, safety and security.
12 Management of security and privacy incidents
- Documented procedures for security and privacy incidents are implemented, maintained and improved.
- A structured incident response plan ensures rapid detection, containment, and mitigation of security incidents.
- Security incidents are logged, analyzed, and documented to enhance response capabilities and prevent recurrence.
- Business continuity plans, including disaster recovery procedures, are in place to maintain service availability in case of disruption.
- Regular incident response drills and tabletop exercises are conducted to ensure preparedness.
13 Information security in supplier relationships
- A risk-based approach to supplier selection is applied, evaluating potential information security and privacy risks at each stage of the supplier lifecycle. The depth and formality of any due diligence should be determined by the degree of perceived risk of the supplier relationship, the continued performance of services in the event of a disaster, Aeris's familiarity with the supplier, and the stage of the supplier selection process.
- Aeris verifies that supplier agreements reflect our information security requirements, facilitating a mutual understanding and responsibility for security practices. ISO 27001 certification is not mandatory, but highly desirable.
- Security requirements for third-party providers handling Aeris Information are defined, enforced, and included in contractual agreements.
- Aeris regularly reviews and audits supplier services to ensure ongoing compliance and identify opportunities for improvement.
- A third-party risk management program is maintained to assess and mitigate risks associated with external service providers.
14 People security
- Aeris provides or ensures periodic security and privacy awareness training specific to the nature of roles and duties.
- Aeris provides regular phishing awareness and tests in order to limit disclosure of confidential or restricted information.
- Aeris performs background checks for employees in a relevant technology role.
- Aeris performs security clearance checks when granting access to specific assets.
- A disciplinary process is in place for security and privacy incidents related to personnel activities.
15 Secure development and operations
- Aeris implements rules for the development lifecycle of software and systems including change and review procedures.
- Aeris establishes, documents and maintains principles for secure system architecture and secure development.
- Aeris establishes and appropriately protects secure development, testing, staging and production environments that cover the entire system development lifecycle.
- Aeris ensures that confidential information involved in application services and passing over public networks is protected from fraudulent activity, unauthorized disclosure and modification.
- Changes to systems within the development lifecycle are controlled using formal change control procedures.
- Security enhancement is performed on all systems based on Aeris guidelines or in accordance with supplier recommendations.
16 Compliance and Legal Requirements
- Aeris ensures compliance with applicable data protection laws, industry regulations, and contractual obligations.
- Regular audits, including internal and external assessments, are conducted to validate adherence to security controls and regulatory requirements.
- Privacy policies and notices are maintained to ensure transparency in data processing activities.