Start the Conversation

Honeypot Field to Catch Bots
Honeypot Field to Catch Bots

DFIN Security Overview

StadiumStadium

Our systems, processes and experts leverage numerous tools to secure our clients data

SOC 2 Type II audits

AES 256-bit encryption used to protect data at rest

Data is encrypted end to end and while in transit using industry-leading encryption technology

Multifactor Authentication and Single Sign-On (SSO) integration

Secure Software Development support via static and dynamic application testing (SAST/DAST), code reviews, and software release analysis

24/7 365 security monitoring and alerting

Industry leading perimeter controls and next gen firewalls

2Advanced email and threat prevention technologies

Comprehensive, ongoing vulnerability scans are conducted across all applications to quickly identify and mitigate cyber vulnerabilities

Use of next-gen antivirus and antimalware technologies

Commitment to GDPR and other data protection regulations

Annual third-party penetration testing with each finding’s remediation effort independently validated

Extensive employee security awareness and training

Rigorous governance and compliance controls

IT Governance,Risk and Compliance

Service Organization Control (SOC) Reporting

SOC 2 Type II

  • Annual SOC 2 Type II new ActiveDisclosure Audit and Report
  • Annual SOC 2 Type ii Global Investment Companies (GIC) Audit and Report
  • Annual SOC 2 Type II Venue + HiTrust Audit and Report
  • Annual SOC 2 Type II Global Capital Markets (GCM) audit and report

ISO 27001 certificate for Venue

AICPA Trust Service Principles

Rigorous Governance Program in Place Leveraging the AICPA Trust Service Principles of Security, Availability, and Confidentiality

NIST CSF

  • Comprehensive IT Risk Management Processes
  • Dedicate Supply Chain Security and Third-Party Risk Management
  • IT Governance over Policy, Procedures and Standards
  • IT GRC Reports Directly to the Chief Information Security Officer

Application Security

Lock Icon White

Encryption

  • Data transmission is encrypted while in transit via TLS v1.2
  • Static and Dynamic Application Security Testing technologies are fully integrated into ActiveDisclosure software development lifecycles
  • AES 256-bit encryption is used to protect data while at rest
  • AES-256-bit encryption is used to protect database files
ID Card Icon White

Identity Access Management

  • Multifactor Authentication and customer Single Sign-On integration fully supported
  • Azure Key Vault used for key storage
Clock Icon White

Threat Management

Performed continuously, leveraging state-of the-art threat management tools

Penetration Testing

Annual third-party Penetration Testing for independent verification of DFIN product’s security posture

  • Findings are reviewed and resolved according to DFIN policy
  • The third party is brought back to validate that the remediation was effective
  • Executive Summary reports are available for client review

Application Development

Code Icon White

Code reviews

Performed multiple times throughout the development process

Checklsit Icon White

Rigorous QA

Testing process is in place to identify potential issues early in the development process including SAST and DAST testing

Gear Icon White

SDLC and Continuous Integration / Deployment

DFIN embraces modern Software Development Life Cycle (SDLC) and Continuous Integration & Continuous Deployment (CI/CD) best practices aligned to a multi-environment (Integration, Quality Assurance, Staging, and Production) release promotion process

Infrastructure

Comprehensive Network

Infrastructure Security controls are in place (firewalls, IDS & IPS, logging, and security monitoring)

Oversight

  • Regular network and server vulnerability scans
  • Regular OS patching (Microsoft security patches are applied each month)
  • Regular backup schedule
  • Hosted in Microsoft Azure
  • Hosted in AWS
  • On Premise Data Hosting

DFIN Security Team

Led by Dannie Combs

SVP, Chief Information Security Officer

Enterprise Security team supporting Security Incident and Response, Application Security, Network Security and Security Governance, Risk and Compliance, further supporting:

  • The use of security tools and utilities to scan and monitor DFIN assets
  • Security Response Team and process in place to address any potential vulnerabilities or events
  • Security monitoring and logging
  • Policy management - comprehensive policies including Information Security Policy and Security Awareness annual employee training
  • Cybersecurity incident response
  • Frequent, ongoing employee training programs and best practices

We can provide additional information, including our SOC 2 type II report, once a Non-Disclosure Agreement is signed.

or