Security and privacy at Atlantic BT
Security Principles
Our policies are based on the following foundational principles:
- Access should be limited to only those with a legitimate business need and granted based on the principle of least privilege.
- Security controls should be implemented and layered according to the principle of defense-in-depth.
- Security controls should be applied consistently across all areas of the enterprise.
- The implementation of controls should be iterative, continuously maturing across the dimensions of improved effectiveness, increased auditability, and decreased friction.
Data protection
Data at rest
Sensitive data is encrypted even before it hits the database so that neither physical access, nor logical access to the database, is enough to read the most sensitive information.
Data in transit
Atlantic BT uses TLS 1.2 or higher everywhere data is transmitted over potentially insecure networks. We also use features such as HSTS (HTTP Strict Transport Security) to maximize the security of our data in transit. Server TLS keys and certificates are managed by AWS and deployed via Application Load Balancers.
Enterprise security
Endpoint protection
All corporate devices are centrally managed and are equipped with mobile device management software and anti-malware protection. Endpoint security alerts are monitored with 24/7/365 coverage. We use MDM software to enforce secure configuration of endpoints, such as disk encryption, screen lock configuration, and software updates.
Vendor security
Atlantic BT uses a risk-based approach to vendor security. Factors which influence the inherent risk rating of a vendor include:
- Access to customer and corporate data
- Integration with production environments
- Potential damage to the Atlantic BT brand
Once the inherent risk rating has been determined, the security of the vendor is evaluated in order to determine a residual risk rating and an approval decision for the vendor.
Secure remote access
Atlantic BT secures remote access to internal resources using a modern and decentralized VPN platform.
Security education
Atlantic BT provides comprehensive security training to all employees upon onboarding and annually through educational modules from KnowBe4.
Atlantic BT ’s security team shares regular threat briefings with employees to inform them of important security and safety-related updates that require special attention or action.
Identity and access management
Atlantic BT uses centralized account management and single sign on (where supported) to secure our identity and access management.
Atlantic BT employees are granted access to applications based on their role, and automatically deprovisioned upon termination of their employment. Further access must be approved according to the policies set for each application.