EPAM Cloud is used for the development of different types of applications, including financial and healthcare applications. Naturally, EPAM Cloud, which is part of the EPAM ecosystem, meets the requirements of all security certifications and standards that EPAM has passed.
This page describes the security policies that EPAM Cloud adheres to. Detailed information on the related audit certifications can be found in the attachments.
Network Security Controls
A Cisco ASA firewall at the network border protects the LAN and the various DMZs (Wi-Fi access, project VLANs, etc.). An intrusion detection system (IDS) is deployed in each EPAM office, and all network devices are configured to mirror both internal and external traffic to the IDS servers. A centralized Log Management Center is used for event management, and the IT Security Team continuously monitors the IDS logs.
Computer Security Controls
EPAM applies industry best practices and recommendations to strengthen the protection of its systems. The following security practices are in place:
- Standard software images are deployed by the local IT team
- OS patching is performed in a managed manner
- Software is scanned regularly to ensure that only authorized software is installed
- The Windows firewall is enabled
- Centrally managed Symantec antivirus software is installed on all Windows-based workstations and servers. The scanning engine and the virus definition files are updated as soon as a newer version is available
- Virus scanning is performed in real time. New updates are pushed to all computers
- The session time-out is 10 minutes
- Computer names are generated according to the company resource naming convention
Access control and other security measures
Physical access control includes the following measures to prevent unauthorized access to data processing systems:
- Data Center access requires two-factor authentication, i.e. proximity card + PIN code
- The Data Center is unobtrusive and gives no indication of computing activities
- The Data Center is accessible only to authorized persons, according to their job duties
- Access rights are reviewed by management on a monthly basis
- Access rights are revoked immediately when an employee is dismissed or changes position
- Visitors are registered and must wear visitor badges
- Visitors are accompanied throughout their visit
Logical access control:
- Each user working in the EPAM corporate environment is assigned a unique User ID (login name). Before obtaining the User ID and password, the user must sign the Employment Contract and a Non-Disclosure Agreement
- The Resource Manager is responsible for managing access privileges (granting, revoking, changing, reviewing, etc.)
- Access to information is granted to users on a "minimum necessary" and "need-to-know" basis
- The user account is revoked immediately when an employee is dismissed
Data is transmitted over a site-to-site VPN using a strong encryption algorithm. Access to internal resources is restricted by access policies on the firewall. Sensitive data is transmitted only over secure protocols (HTTPS, SFTP, IPsec).
Every project has its own repository in the version control system (SVN, Git) for storing and controlling program sources, documents, etc. This arrangement keeps the data of each project separate from that of every other project. Only the project team has access to the project repository: an internal system grants data access according to project participation, so only users who are members of a given project can access its repository.
Backups are performed by the Global IT Service Center department. All production servers and databases are backed up. For development servers, the PM arranges the backup details with the Global Enterprise Support team. Backup logs are reviewed daily, and management reviews the backup procedure monthly. Data stored on backup media is encrypted and password-protected. Tapes are stored on-site and off-site in an environmentally protected area, as described in the related company policy. Access to them is limited to authorized IT personnel.
Awareness and Training
EPAM Systems has an active IT Security Awareness Training Program. Each employee must complete the IT Security Awareness training annually. Management continuously follows up on the status of the security training.
Sensitive Information Protection
The EPAM Systems classification framework defines the appropriate security levels and the protection controls applied to sensitive information during:
- Handling
- Storing
- Accessing
- Transmitting
- Discussing verbally
- Viewing on monitors / computer screens
- Archiving
- Destroying
- Securing physically
For a summary of the EPAM audit certificates and a description of the audits, please refer to the documents further down this page.