
Security Commitments

LAST UPDATED: DECEMBER 5, 2022

This Security Commitment serves to provide Lumos’ clients and prospective clients with an objective description of system infrastructure and security. Lumos’ collective background in banking and financial services has instilled the team with a strong discipline surrounding data and information security. It is paramount in the development of Lumos’ products and procedures.

Infrastructure

Lumos partners with and utilizes well-known and respected third parties to secure its infrastructure and users’ data. The infrastructure is built atop Amazon Web Services (AWS), secured by Auth0 for authentication, and displayed via Tableau (a Salesforce subsidiary). These same technologies are trusted by government agencies and are prevalent in commonly used applications. All three of these vendors continually manage risk and undergo recurring assessments to comply with industry standards. Listed below are the accreditations of each of these vendors.

  • Amazon:
    • ISO 27001
    • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
    • PCI Level 1
    • FISMA Moderate
    • Sarbanes-Oxley (SOX)
  • Auth0:
    • GDPR
    • HIPAA and HITECH
    • CSA STAR
    • ISO 27001/27018
    • PCI DSS
    • SOC2 Type II
  • Tableau (Salesforce):
    • SOC 2
    • SOC 3
    • ISO 27001 / ISO 27017 / ISO 27018
    • CSA CAIQ
    • GDPR


Core Principles

Lumos recognizes that secure operations are dependent upon employee participation, commitment, and accountability. All activities must adhere to the general principles laid out in the company’s Code of Conduct, Privacy Policy, and other Internal Policies. Any employee found in violation of our policies will face immediate disciplinary action up to and including dismissal.

A background check is performed on all employees prior to onboarding to ensure Lumos’ commitment to security remains intact with each addition to the team. All employees are educated on all security policies, go through security training as part of the onboarding process, and receive yearly security training.

All employees of Lumos must follow the password security requirements, have two-factor authentication enabled, and must be connected via VPN when working remotely or in the office. Additionally, all of Lumos’ employees use the Google Single Sign-On service, which enables them to securely access their accounts and applications.

Lumos’ product development process is infused with many security measures to safeguard the integrity of our data and to make sure that no single employee may change the Lumos codebase without going through code review and approval.

Data Quality & Protection

The underlying data used in Lumos’ products is carefully and thoroughly cleaned, vetted, and verified. Each time a new data product is released (e.g., dashboards, models, etc.), it is reviewed by a member of the Lumos team not responsible for the development, creation, or update of the new data product.

Data at Lumos is classified into one of the following categories:

  • Restricted: Segregation of internal data such as HR or Finance information.
  • Confidential: Datasets or files that may contain PII or other privileged information.
  • Internal: Contains Lumos intellectual property and isn’t meant for public consumption.
  • Public: Does not contain any information that is proprietary or confidential.

Lumos has in place an active management framework for model risk in order to maintain a practice of sound development, implementation, validation, and use of complex models within the organization. Each model is accompanied by a Model Risk Management document, which is available to clients upon request. In addition, a third-party audit is also performed.

Endpoint Security

All endpoint devices are protected according to our Security Policy. The Security Policy requires that all endpoint devices have disk encryption, malware protection, guest access disabled, the firewall enabled, and a regularly updated OS. In addition, Lumos performs quarterly checks to make sure that this high level of security is maintained.

Monitoring

Security monitoring is performed on information collected from internal network traffic and on knowledge of current vulnerabilities. Internal traffic is checked for any suspicious behavior. DataDog and various other security scanning tools help to drive network analysis and monitor the health of Lumos’ services on an ongoing basis. The status of services is made available to clients via the Status Page. Clients may also subscribe to be alerted in the event of service degradation or outage.

Vulnerability Management

Lumos has a vulnerability management policy that includes processes such as regular web scans and scans for potential threats. Once a vulnerability requiring attention has been identified, it is tracked, given a priority according to urgency, and assigned appropriately as a ticket. The Security Team tracks issues and follows up regularly until resolution is verified.

Incident Management

Lumos has well-defined incident management processes for security events that may affect the confidentiality, integrity, or availability of clients’ resources or data. If an incident occurs, the Security Team identifies it, reports it, assigns it to the correct resolver, and gives it a resolution priority based on its urgency. Events that directly impact Lumos’ clients are always assigned the highest priority and shortest resolution time. This process involves plans of action, procedures for identification, escalation, mitigation, and reporting.


Contact Us

For questions regarding this security statement please contact us at:

Lumos Technologies

Attention: Lumos Security Team

7242 Wrightsville Ave.

Wilmington, NC 28403

Phone: (910) 579-3630

Email: security@lumosdata.com