Security FAQs

Visier's responses to commonly asked questions from customers.

Introduction

We proactively compiled answers to top questions about security at Visier to help you get a better sense of our practices. Please also visit the Security page to learn about our approach to security at an organizational, platform, and operational level.

Compliance and Risk

What information security standards and frameworks do you follow?

Visier policies, practices, and internal controls are generally based on standards and frameworks including, but not limited to:

  • ISO/IEC 27001; ISO/IEC 27002
  • ITIL and COBIT frameworks
  • Relevant publications from the United States National Institute of Standards and Technology (NIST)
  • Personal Information Protection and Electronic Documents Act (PIPEDA)
  • EU General Data Protection Regulation (GDPR)
  • E.U. – U.S. and Swiss – U.S. Privacy Shield Frameworks

Yes. Our Risk Management Program and practices are based on the Visier Enterprise Risk Management Policy in addition to supporting guidelines and standards. These practices also adhere to industry best practices in identifying, assessing, addressing, reporting, and monitoring risks.

The Governance, Risk and Compliance (GRC), Information Security (IS), Privacy, and Legal teams regularly conduct internal and external risk assessments. These assessments cover relevant acquisitions, new initiatives, and changes across the organization, as well as changes in the external technological landscape and in legal and regulatory requirements. Significant risks are routinely reported to Executive Management to ensure continuous and adequate oversight.

We provide our customers and prospects with a SOC 2 Type II audit report upon request each year. Presently, Visier does not pursue the SOC 1 report as it is not applicable to the nature of our service offerings.

We are continually enhancing our security, data privacy, and governance practices. Visier provides customers with reasonable assurance of a robust internal control environment through several sources, including third-party audits and attestations, certifications, and self-assessments. Examples include, but are not limited to:

  • Undergoing a SOC 2 Type II audit on an annual basis, and an external web application penetration test on a quarterly basis.
  • Achieving CSA STAR Level 1 status and making our responses to the CSA CAIQ publicly available on the CSA STAR Registry.
  • Providing customers with access to the Visier Trust Assurance Package (TAP). Updated on a continuous basis, this package contains several artifacts mentioned above, architectural diagrams, frequently asked questions, and more. 

Visit the Compliance page to learn more about our audits and certifications. To request the Visier Trust Assurance Package, please contact your Customer Account Manager or Account Executive.

General Security

Do you have a Threat and Vulnerability Management Program?

Yes. Visier’s Threat and Vulnerability Management Program is based on industry best practices and emerging security trends. Our Information Security (IS) team performs assessments of threats via vulnerability scans for potential flaws across information assets within Visier’s offices and data centers. From this assessment, operational teams then deploy a risk-based approach to prioritizing and remediating any vulnerabilities.

We are continuously monitoring our global infrastructure to identify potential threats and vulnerabilities. Visier’s Security Information and Event Management (SIEM) tools are configured to send close-to-real-time notifications of any abnormal events and activities to relevant teams (e.g. Information Security, Information Technology and Site Reliability Engineering) for their review and action (if required).  

Click here to read more about how we maintain a secure and robust infrastructure.

We do not share infrastructure-level reports externally. Visier makes considerable investments in engaging a reputable third-party public accounting audit firm to provide a report on our internal control environment via the annual Visier SOC 2 Type II report. The auditors review the existence and management of infrastructure-level protections as part of such audits annually.

Our SOC 2 Type II report has sufficient information to provide customers reasonable assurance on our secure processes and practices. To obtain a copy of this report, please contact your Customer Account Manager or Account Executive.

Visier fully supports single sign-on (SSO) using identity provider (IdP)-initiated logins via Security Assertion Markup Language (SAML)-compliant solutions. We make pre-built security roles and configurations readily available within our solution so your administrators can easily manage user access to meet your organization’s security requirements.

Yes. Our Security Incident Response Plan (SIRP) is based on the Visier Security Incident Management Policy, as well as industry best practices, guidance from the US NIST, and other leading information security frameworks and standards. Our Information Security (IS) and Privacy teams educate employees on how to report security and privacy incidents. Once reported, the Incident Response Team (IRT) investigates to confirm, contain, recover, and assess severity and impact.

In the event of a confirmed incident involving customer data, we will notify designated contacts at affected customer organizations within stipulated timelines (in accordance with mutually signed service agreements and contracts).

To report a security issue to Visier’s Information Security (IS) team, please contact [email protected]

Data Security

Who has access to my data?

Only a very limited number of authorized Visier employees have access to customer data in order to provide customer support and manage customer-requested changes. Access to customer data must be requested, reviewed, and approved by management per Visier’s change management process. Visier uses a role-based access control (RBAC) process that incorporates the principles of least privilege and segregation of duties (SoD).
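Added example, not Visier's code, showing how the controls in this answer combine in one authorization check: roles carry permissions, a segregation-of-duties pair prevents any user from holding both the "request access" and "approve access" permissions, and reading customer data additionally requires a management-approved, time-bounded grant that the requester cannot self-approve. The in-memory `Policy`, the role and permission names, and the user and tenant identifiers are all hypothetical and constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Permission is a fine-grained action, e.g. "customer-data:read".
type Permission string

// PermApprove is the permission a reviewer needs to approve an access request.
const PermApprove Permission = "access:approve"

// Grant is a management-approved, time-bounded authorization for one user to
// reach one tenant's data. It models the request/review/approve step.
type Grant struct {
	User, Tenant, Approver string
	Expires                time.Time
}

// Policy is a hypothetical in-memory RBAC model: roles carry permissions,
// users carry roles, and no user may hold both halves of an SoD pair.
type Policy struct {
	roles     map[string][]Permission
	userRoles map[string][]string
	sodPairs  [][2]Permission
	grants    []Grant
}

func NewPolicy() *Policy {
	return &Policy{roles: map[string][]Permission{}, userRoles: map[string][]string{}}
}

func (p *Policy) DefineRole(name string, perms ...Permission) { p.roles[name] = perms }

func (p *Policy) AddSoDPair(a, b Permission) {
	p.sodPairs = append(p.sodPairs, [2]Permission{a, b})
}

// Permissions returns the user's effective permissions (union over their roles).
func (p *Policy) Permissions(user string) map[Permission]bool {
	out := map[Permission]bool{}
	for _, r := range p.userRoles[user] {
		for _, perm := range p.roles[r] {
			out[perm] = true
		}
	}
	return out
}

// AssignRole adds a role, refusing any assignment that would give the user
// both permissions of a segregation-of-duties pair.
func (p *Policy) AssignRole(user, role string) error {
	if _, ok := p.roles[role]; !ok {
		return fmt.Errorf("unknown role %q", role)
	}
	have := p.Permissions(user)
	for _, perm := range p.roles[role] {
		have[perm] = true
	}
	for _, pair := range p.sodPairs {
		if have[pair[0]] && have[pair[1]] {
			return fmt.Errorf("SoD violation: %s would hold both %q and %q", user, pair[0], pair[1])
		}
	}
	p.userRoles[user] = append(p.userRoles[user], role)
	return nil
}

// Approve records a grant. The approver must hold PermApprove and must not be
// the requester, so a support engineer cannot authorize their own access.
func (p *Policy) Approve(g Grant) error {
	if g.Approver == g.User {
		return errors.New("self-approval is not allowed")
	}
	if !p.Permissions(g.Approver)[PermApprove] {
		return fmt.Errorf("%s may not approve access requests", g.Approver)
	}
	p.grants = append(p.grants, g)
	return nil
}

// Authorize is the check run on every customer-data access: the role must
// carry the permission AND an unexpired grant for that tenant must exist.
func (p *Policy) Authorize(user string, perm Permission, tenant string, now time.Time) error {
	if !p.Permissions(user)[perm] {
		return fmt.Errorf("%s lacks permission %q", user, perm)
	}
	for _, g := range p.grants {
		if g.User == user && g.Tenant == tenant && now.Before(g.Expires) {
			return nil
		}
	}
	return fmt.Errorf("%s has no approved, unexpired grant for tenant %s", user, tenant)
}

func main() {
	p := NewPolicy()
	p.DefineRole("support", "customer-data:read", "access:request")
	p.DefineRole("manager", PermApprove)
	p.AddSoDPair("access:request", PermApprove)
	_ = p.AssignRole("alice", "support")
	_ = p.AssignRole("bob", "manager")
	now := time.Now()
	fmt.Println("before approval:", p.Authorize("alice", "customer-data:read", "tenant-a", now))
	_ = p.Approve(Grant{User: "alice", Tenant: "tenant-a", Approver: "bob", Expires: now.Add(time.Hour)})
	fmt.Println("after approval: ", p.Authorize("alice", "customer-data:read", "tenant-a", now))
}
```

The grant carries an expiry rather than being revoked by hand, which is what keeps access least-privilege over time: when the support ticket's window closes, the permission check starts failing again without any administrator action.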

Yes. Customer data is always encrypted at rest and while in transit using leading industry standards. To encrypt your data, we use a strong encryption key that is unique to you. This key is managed via a robust and secure key management process and periodically rotated to ensure the continued confidentiality of your data. Your data will remain encrypted while being transmitted within our secure networks using the Advanced Encryption Standard (AES).
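Added example, written for this FAQ and not taken from Visier, of the envelope-encryption pattern the answer describes: each tenant gets its own AES-256-GCM data-encryption key (DEK), which is stored only wrapped under a versioned key-encryption key (KEK), and rotating the KEK re-wraps the DEK without touching stored ciphertext. The `KeyStore` is a hypothetical in-memory stand-in for a KMS or HSM; the tenant IDs and the sample record are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// TenantKey is what the application stores per customer: never the raw DEK,
// only the DEK wrapped under a specific KEK version.
type TenantKey struct {
	TenantID   string
	KEKVersion int
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK, aad=TenantID)
}

// KeyStore is a hypothetical in-memory stand-in for a KMS/HSM holding
// versioned KEKs. Only this component ever sees an unwrapped DEK.
type KeyStore struct {
	keks    map[int][]byte
	current int
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err) // no usable CSPRNG: fail closed rather than use weak keys
	}
	return b
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM and prefixes the random nonce. The tenant ID is
// bound as associated data so a blob cannot be replayed into another tenant.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

func NewKeyStore() *KeyStore {
	return &KeyStore{keks: map[int][]byte{1: randomBytes(32)}, current: 1}
}

// RotateKEK adds a new KEK version; old versions stay until every tenant DEK
// has been re-wrapped, after which they can be retired.
func (ks *KeyStore) RotateKEK() int {
	ks.current++
	ks.keks[ks.current] = randomBytes(32)
	return ks.current
}

// ProvisionTenant generates a fresh 256-bit DEK unique to the tenant.
func (ks *KeyStore) ProvisionTenant(tenantID string) (*TenantKey, error) {
	wrapped, err := seal(ks.keks[ks.current], randomBytes(32), []byte(tenantID))
	if err != nil {
		return nil, err
	}
	return &TenantKey{TenantID: tenantID, KEKVersion: ks.current, WrappedDEK: wrapped}, nil
}

func (ks *KeyStore) unwrap(tk *TenantKey) ([]byte, error) {
	kek, ok := ks.keks[tk.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK version %d not available", tk.KEKVersion)
	}
	return open(kek, tk.WrappedDEK, []byte(tk.TenantID))
}

// Rewrap moves the tenant's DEK under the current KEK. Stored records are
// untouched, which is what makes KEK rotation cheap and routine.
func (ks *KeyStore) Rewrap(tk *TenantKey) error {
	dek, err := ks.unwrap(tk)
	if err != nil {
		return err
	}
	wrapped, err := seal(ks.keks[ks.current], dek, []byte(tk.TenantID))
	if err != nil {
		return err
	}
	tk.WrappedDEK, tk.KEKVersion = wrapped, ks.current
	return nil
}

func (ks *KeyStore) EncryptForTenant(tk *TenantKey, record []byte) ([]byte, error) {
	dek, err := ks.unwrap(tk)
	if err != nil {
		return nil, err
	}
	return seal(dek, record, []byte(tk.TenantID))
}

func (ks *KeyStore) DecryptForTenant(tk *TenantKey, blob []byte) ([]byte, error) {
	dek, err := ks.unwrap(tk)
	if err != nil {
		return nil, err
	}
	return open(dek, blob, []byte(tk.TenantID))
}

func main() {
	ks := NewKeyStore()
	a, _ := ks.ProvisionTenant("tenant-a")
	blob, _ := ks.EncryptForTenant(a, []byte("headcount=1200")) // constructed sample record
	ks.RotateKEK()
	_ = ks.Rewrap(a)
	pt, err := ks.DecryptForTenant(a, blob)
	fmt.Printf("after KEK rotation: %q err=%v\n", pt, err)
}
```

Two properties worth checking in a real deployment follow directly from this layout: a blob encrypted for one tenant cannot be opened with another tenant's key (the DEK differs and the tenant ID is authenticated data), and a KEK version can only be retired once no `TenantKey` still references it.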

Your data is stored only in data centers that are located within your chosen geographic region (either in Canada, the United States, or Germany). Your data is restricted from being replicated and/or stored outside of your chosen geographic region through technical measures and controls.

Your data is securely destroyed within 30 days of termination of the service subscription. We use industry best practices and leading standards to facilitate and ensure the irrevocable deletion of your data.

Business Continuity and System Resiliency

How has COVID affected business continuity at Visier?

Our well-rehearsed business continuity strategy became a critical asset in navigating the turbulence of COVID-19. Guided by Visier’s overarching Business Continuity Policy, each operational team triggered its continuity plans and processes and worked cross-functionally to coordinate the execution of our strategy. During the first weeks of the pandemic, Senior Management led several meetings to validate the effectiveness of our plans and to ensure all critical plans were reviewed in detail. Changes were made as necessary to enable us to continue business operations as usual.

Our integrated approach for ensuring the resiliency/recovery of our services and operations is guided by the Visier Business Continuity Policy. Several teams across Visier work together to maintain business continuity plans and processes to ensure the organization is capable of operating critical functions during a major disruption or disaster (e.g. natural calamities, pandemic outbreak). 

Visier’s Business Continuity Plan (BCP) addresses risks across several areas (including human, business, and technology) to ensure we are able to continue business operations in the event of a disaster. To ensure the plan addresses different teams and requirements, our business continuity planning process involves the whole organization. Amongst other areas, the plan covers the following:

  • Secondary and alternative measures are considered and implemented when primary resources or functions are impacted as a result of a disaster.
  • Pandemic planning, and the maintenance of a holistic health and safety plan to ensure the well-being of Visier employees, customers, and stakeholders.
  • Ensuring employees are well-equipped with secure technologies to work remotely for prolonged periods during times Visier’s offices are unavailable for any reason.
  • Performing regular testing and other validation procedures to ensure we are still able to meet security and availability commitments to customers.
  • Identifying and training resources (e.g. table-top exercises, other simulated activities) to ensure critical resources can be recovered within the stipulated timelines.

With most of our employees working from home, our Information Security (IS) and Information Technology (IT) teams have reviewed their infrastructure and network plans to ensure our workforce has secure and uninterrupted connectivity to corporate resources. Further, only company-issued and authorized devices can connect to Visier’s corporate network. Employees must access the corporate network securely through a VPN with multi-factor authentication (MFA).

All corporate laptops are fully encrypted. Customer data always resides within the secure confines of Visier’s data centers and remains protected via robust technical controls.

All corporate devices are securely configured against Visier’s system hardening standards which are based on industry standards and best practices. Such requirements also cover the provisioning of endpoint detection and response software, tamper-proof security settings, and regular system/application security patches and updates by default. 

Our infrastructure is designed and architected to be highly available. Visier’s data centers are physically dispersed within each of our geographical regions (Canada, the United States, and Germany) for redundancy and to minimize impacts to the availability of our solution in the event of an environmental disaster. 

Apart from maintaining geographically dispersed data centers, we also rely on Amazon Web Services’ (AWS) Availability Zones (AZs) for system resiliency and multi-site redundancy, which enable encrypted, near real-time data replication and recovery. This structure enables customers to access their data despite environmental threats in their region.

We designed our solutions to be available around the clock except during maintenance windows, which are used to perform system updates and infrastructure, security, and technology upgrades. You can view our near real-time system uptime reporting at https://status.visier.com/.