
Mumba security

Mumba works tirelessly to ensure the highest level of security and compliance for the entire Mumba range of products

Our approach

Security is woven into the fabric of Mumba’s products, processes and culture — our business quite simply depends on it.

Mumba’s approach to security follows industry best practices and aligns to global enterprise standards so that our customers can rely on Mumba and confidently take our solutions forward within their businesses.

Mumba engages with industry-leading providers to support our security efforts and ensure that the entire Mumba ecosystem, including infrastructure, development tools, third-party applications, general office software, hardware, BYOD devices and management processes, maintains the highest levels of security and reliability.

Our team

Mumba’s commitment to the delivery of information security includes the most senior levels of the organisation, is demonstrated through our security policies and procedures, and is maintained by our team of people dedicated to managing Mumba’s security on a day-to-day basis.

The Mumba Security Team comprises the following roles:

  • Information Security Steering Group

  • Information Security Manager/Officer

  • Information Security Administrator

  • Information Asset Owner

  • Information Security Risk Owner

  • Information Security Auditor

  • Customer Information Security Administrator / Data Protection Officer

Continual Improvement

Mumba is dedicated to continually improving our approach to security and the specific policies and procedures that we have in place to manage security. The Mumba Security Team meets regularly to review current issues, threats and opportunities for improvements within our security landscape and work to evolve our approach to security to ensure we continue to meet global standards and meet the latest security challenges in an ever-shifting environment.

Approach to Managing Risk

Mumba takes a pragmatic approach to managing risk and we have several processes in place to ensure we are continually monitoring and assessing the various business, operational and security risks on an ongoing basis. Mumba’s risk management approach includes:

  • Management planning – we regularly assess risks that may inhibit us from achieving our information security objectives

  • We regularly assess Information Security and IT Service Continuity risks

  • We regularly assess the risk of changes via our Change Management Process

  • As part of major projects to achieve business change, e.g. adoption of new computer systems or applications across the business

  • High level risk assessments are reviewed at least annually or upon significant changes to the business or the services we provide

Human Resources

Mumba understands the critical importance staff play in managing and maintaining our security standards. Mumba ensures that all staff involved in the business, regardless of their role, are trained in matters of security and are competent within their roles based on appropriate education, training, skills and experience.

Security training and education is conducted on an ongoing basis to ensure all staff and contractors meet Mumba’s security requirements.

Auditing and Review

Mumba understands it is vital that regular reviews take place regarding how well information security processes and procedures are being adhered to. These reviews take place across three levels:

  • Structured regular management review of conformity to policies and procedures

  • Internal audit reviews against the ISO/IEC 27001 standard (and accompanying codes of practice) by the Mumba Internal Audit Team (or an external contract team, as decided by senior management) are planned as part of Mumba’s ISO27001 accreditation (see Compliance with regulations and standards below)

  • External audit against the standard by a Registered Certification Body (RCB) in order to gain and maintain certification is planned as part of Mumba’s ISO27001 accreditation (see Compliance with regulations and standards below)

Documentation Structure, Policy and Control

All information security policies and plans at Mumba are documented and we maintain an ISMS that includes document numbering, version tracking and a documentation log.

The keeping of records is a fundamental part of our ISMS. Mumba is committed to maintaining our records by ensuring that controls are in place to gather, store and manage them, should evidence be required to confirm that processes are being carried out effectively at Mumba.


Protecting our Internal Environment

The first step in achieving effective security is to ensure the safety of the internal environment. Several distinct processes are utilised to accomplish this goal.

Integrating security into our network design

When it comes to protecting our networks, Mumba uses a layered approach. We put controls in place at every level of our cloud environments by separating them into zones, environments, and services. We have rules in place that segment network traffic in certain zones. We also separate production and non-production environments, we don't copy production data outside of production environments, and production networks and services can only be reached from within those networks, which are protected by industry-standard encryption and security controls.

Through an authentication whitelist, services must be given permission to talk to other services. We use the virtual private cloud (VPC) routeing, firewall rules, and software-defined networking to control who can get into our sensitive networks. All connections to those networks are encrypted.

Controlling who gets to use our systems and services in a safe way

Mumba has a clear method for granting or removing user access to all systems and services. This is called "provisioning." Access control is based on ‘least privilege’ methodologies to make sure that staff only have access to what they need for their jobs. Before a user can access data, applications, infrastructure, or network components, the account must be approved by management.

We enforce multi-factor authentication across all our applications to make sure that our authentication processes are resistant to phishing and man-in-the-middle attacks.


Security in our daily operations

We work hard to make sure security is built into every part of our day-to-day operations.

Information Assets

The infrastructure for our production systems is provided by cloud service providers. Due to the nature of the service, these systems are not tracked down to the hardware level. Mumba maintains a register of all our information assets across our business which is regularly reviewed and updated.

Change Management

Mumba has developed a robust change management process to ensure that changes to IT services and their associated components are recorded and then evaluated, authorized, prioritized, planned, tested, implemented, documented and reviewed in a controlled manner.

Managing configurations in our systems

Only a limited group of engineers and architects are allowed to install or upgrade software in our production environments. We use configuration management tools to keep track of how servers are set up and what changes are made to them. This makes sure that everything remains consistent and can be relied upon. We use infrastructure as code on standard Amazon Machine Images (AMIs), and any changes to our AMIs or operating systems must go through our standard change management process. We keep track of and report on exception configurations, and we've set up resource isolation so that problems with one service don't affect other services.

How we use logs

Logs are collected from different sources, and we then apply monitoring and alerting rules to them that flag any activity that seems suspicious. Our internal processes outline how these alerts are prioritised, further investigated, and sent to the right people. Key system logs are sent from each system to our security team via alerts and we investigate for signs of compromise. Logs are a key component of our overall incident detection and response strategy, as data from key system logs is used along with data logged from our Intrusion Detection System to identify threats.

Furthermore, logs are used extensively by our team to see if there are any problems with availability or performance.

Service availability and uptime monitoring

Mumba utilises various methods of monitoring availability of our services and applications. When an issue is found, we’re alerted and have various procedures in place to notify customers and end-users, based on the issue at hand.

Backups

At Mumba, we run a thorough backup process. This also applies to our internal systems, and our backup strategies are created to meet various system recovery needs. For all Mumba products, we have robust backup procedures in place, especially for customer and application data. Mumba creates automated backups at intervals that reflect the rate of change and the importance of the data in achieving the desired recovery point objectives.

Backups are secured with industry-standard encryption and are tested to ensure they are valid. Backup data is duplicated to several data centres within a certain AWS region rather than being kept elsewhere.

Mumba production applications and databases implement backup systems with inbuilt redundancy.

Physical security

Our physical and environmental security policy ensures comprehensive physical security on-premises and in the cloud. This policy includes secure working locations, safeguarding our IT equipment, controlling access to our buildings and offices, and monitoring physical entry and exit points. Our physical security methods include receptionists at work and visitor registration.

Our partner data centres comply with SOC 2 and ISO27001. These certifications cover physical and environmental security, biometric identity verification and restriction of data centre access to authorised staff. Physical security methods include guards, CCTV, man traps, and intrusion prevention.

Business Continuity and Disaster Recovery

Leadership engagement in BC and DR planning ensures responsibility reaches all teams. Our BC and DR planning efforts analyse service 'recovery time objective' (RTO) and 'recovery point objectives' (RPO) to balance cost, benefits, and risk.

Our BC and DR approach involves the following activities:

  • factoring redundancy measures to meet resiliency requirements

  • testing and verifying those redundancy measures

  • learning from tests to continuously keep improving BC and DR measures

Our products are designed to best use cloud service providers' availability zones and regions for redundancy (while still ensuring customer data remains within Australian sovereign borders).

We monitor a variety of data metrics to identify problems early. Based on these metrics, alerts are created to warn our staff when thresholds are violated so we can respond quickly.

We use annual Business Impact Assessments (BIAs) to examine important service risks. BIAs drive our DR and BC strategies, and we ensure our critical services include effective DR and BC strategies.


Data Security

We make every effort to keep customer data secure, available, and under customer control.

Data centres

Amazon Web Services (AWS) in Australia hosts Mumba's products and data. We employ redundancy and failover for best performance. Multiple availability zones in Australia ensure that a data centre failure won't affect product or customer data availability.

Biometric methods are used to verify authorised personnel's access to AWS data centres, where customer data is stored. AWS uses on-site security guards, CCTV, man traps, and other intrusion defence methods.

Data Encryption

Mumba encrypts all customer and user data in transit over public networks using industry-standard encryption to prevent unwanted disclosure or alteration. When allowed by the browser, our implementation of TLS and HTTPS requires the use of strong cyphers and key lengths.

Customer and User Data stored in our database or files stored on our servers use industry-standard encryption.

Key management

Mumba manages its keys using the AWS Key Management Service (KMS). AWS regularly inspects and verifies the encryption, decryption, and key management processes as part of their current internal validation procedures. Each key has a designated owner who is responsible for ensuring that keys are subject to the appropriate level of security controls.

Controlling access to customer data

All customer data is deemed to be very sensitive and we therefore apply strict safeguards to protect the data. Our internal staff and contractors receive regular awareness training regarding the importance of customer data and on the value of and best practices for handling customer data, throughout the on-boarding process and during their employment with Mumba.

Only authorised Mumba employees have access to customer data kept in our databases or on our servers. The servers only allow inbound SSH connections from Mumba and internal data centre locations, and authentication is performed using unique passphrase-protected public keys. Unless requested and verified, all access is restricted to privileged groups, with extra authentication requirements including 2FA and a VPN when appropriate. All non-system generated read and write activity is specifically audited.

Access to customer data in an unauthorised or improper manner is considered a security incident and is addressed through our incident management procedure.

Retention and deletion of data

Mumba follows procedures of retention and deletion of data according to our License Agreement which may vary according to customer requirements. Please contact us for further information regarding the retention and deletion of data or if you are an existing Mumba Customer, please refer to your current License Agreement.

Tenant separation

When using Mumba's products, our customers share a common cloud-based information technology infrastructure. However, we have put safeguards in place to ensure that these customers are logically separated from one another. As a result, the actions of one customer will not affect the data or service of other customers.


Security & Our People

We are committed to ensuring that every member of our team is equipped with the knowledge and authority to carry out their tasks safely. Mumba's culture places a strong emphasis on instilling a security mindset amongst all our staff and contractors, which increases our overall resistance to possible cyberattacks.

Security awareness training

In order to keep security "top of mind," we make sure that every employee receives security awareness training both during the onboarding process and on an ongoing basis. We expand security awareness training to encompass our contractors too, as we are aware that many of the dangers encountered by our team are also faced by our contractors. Our security awareness training covers a variety of subjects, such as current threats and scams, safe working procedures, potentially dangerous behaviours that increase security risks, and compliance and regulatory concerns.

Our developers have access to more specialised training on secure coding in addition to conventional information security training.

We keep open lines of contact between our staff members and the security team via instant messaging, blogs, FAQs and team meetings to ensure the security team and security-related matters are as accessible as possible to all Mumba workers.

Background checks

Mumba wants to ensure we hire candidates who will positively influence the security-integrated culture we are fostering. All new recruits are subject to background checks, as allowed by local regulations and when appropriate, to help with this process. Background checks may also include credit checks, job verifications, education verifications, and criminal history checks, depending on the position.

Product security

Mumba is committed to making sure that security plays a significant role at every stage of our product life cycles. We employ a variety of techniques to do this.

Code analysis

Mumba includes code review as part of the standard development process.

All of Mumba's code repositories are regularly reviewed to identify:

  • obsolete code dependencies that might lead to security issues

  • any unintentional or inadvertent secret leaks in code repositories (e.g. authentication tokens or cryptographic keys)

  • any problematic coding patterns that can result in weaknesses in our code

Knowledge base for security issues

We make sure our developers have access to the help they need to continuously increase their knowledge of pertinent security issues and dangers in order to ensure we produce the most secure solutions possible. In order to do this, we have an internal knowledge base for application security that our developers may use as needed in addition to ongoing training materials.


Security threat identification, protection, and response

Security Testing

Our security testing strategy is based on a 'continuous assurance' testing model. We conduct targeted, point-in-time penetration tests along with ongoing internal security testing and reviews.

  • Internal Security Review - Mumba regularly conducts security testing. Code review and application security testing are types of testing that focus on areas of vulnerability identified by risk assessment.

  • External Penetration Testing - specialist security consulting firms conduct external penetration testing of our application and infrastructure.

Vulnerability management

Mumba is always attempting to lessen the severity and frequency of vulnerabilities in our products, services, and infrastructure. To do this, we use automated and human procedures to discover, track, and address vulnerabilities across our apps and infrastructure.

Automated scanners, internal assessments, and customer reports help us detect security flaws. Once a vulnerability is detected, a ticket is logged and assigned to the relevant team and worked through our processes to ensure the vulnerability is addressed in an appropriate timeframe.

Infrastructure

We use automated vulnerability detection tools that are run regularly to identify vulnerabilities. This includes:

  • Network scans – to find active services, open ports, apps, and network vulnerabilities

  • AWS Configuration Monitoring – we monitor the configuration of our AWS environments

Mumba constantly examines new tools and adds them to our suite if they are believed to improve vulnerability detection.

Incident response

Mumba has developed a robust strategy to deal with security incidents. Any situation in which the confidentiality, integrity, or availability of customer data, Mumba data, or Mumba's services is negatively impacted or compromised is regarded by us as a security incident.

We have a well-defined internal structure with documented responses for various incident types. Each document outlines the actions we must take at each level of incident response to ensure that our procedures are standardised, repeatable, and effective. These span the areas of incident analysis and detection as well as incident classification, containment, elimination, and recovery.

Detailed logging and monitoring of our products and infrastructure is in place to ensure we quickly detect and can investigate potential incidents.

We have systems in place to let our customers know if their data is involved in a confirmed incident. We also have a strong post-incident review process so that we can use what we learn from an incident to improve our practices and make it harder for bad actors to do their jobs in the future.


Protecting our ecosystem and supply partners

Supplier risk management

When Mumba contracts with other vendors (such as contractors or cloud service providers), we take great care to ensure that neither our customers' data nor their privacy is threatened in any way.

To achieve this goal, our legal and procurement teams conduct a review of all prospective third-party supplier relationships. Our security, risk, and compliance teams are required to conduct extra evaluations of any engagements that we determine to be of high or critical risk. Continual due diligence is also carried out by follow-up evaluations, which can be conducted annually or at contract renewals depending on the risk of the engagement.

As a condition of their relationship with Mumba, vendors are also required to adhere to minimal security standards. When applicable, these are enforced by inclusion in our supplier contracts.


Compliance and risk management

Compliance and risk management programs

The ISO 27001 Information Security Management System Standard is the foundation of Mumba's compliance and risk management program. This program creates a set of security requirements unique to Mumba using the controls described in many international security standards and also includes the security requirements of our customers.

The best strategy to apply such controls is determined, as well as if they are contextually relevant for our specific environment and business. Our Compliance and Risk Programs include:

  • Policy Management – Comprises ISO 27001-compliant security policies. All of our staff have access to our security policies so they understand what is expected of them. Policies are revised yearly and on an ad-hoc basis if new threats require policy updates.

  • Risk Management – Our infrastructure, products and processes undergo ongoing risk assessments to analyse current risks and ensure controls properly manage them and we also evaluate various types of business risks. We conduct an annual risk assessment for ISO27001 compliance and implement various policy and process updates to minimise identified risks.

Compliance with regulations and standards

We recognise that our customers are seeking independent assurances that Mumba's security practices comply with well-known industry standards. For this reason, Mumba has aligned with industry-leading standards including ISO27001 and SOC 2 compliance standards.

ISO 27001

The basis of ISO 27001 is the development and implementation of an Information Security Management System (ISMS), and then implementing and managing a suite of controls covered under ‘ISO 27001: Annex A’ through that ISMS. ISO/IEC 27018 is a code of practice which provides additional implementation guidance for applicable ISO/IEC 27002 controls for the protection of Personally Identifiable Information (PII) in cloud environments. Mumba is ISO27001 Certified. Please contact us for further information.

SOC2

Mumba is in the process of achieving SOC2 certification. Please contact us for further information.

Privacy at Mumba

Mumba has a detailed privacy policy to ensure we uphold the highest standards for data privacy. Please see our Privacy Policy and End User Terms here.

Internal and external audit

We perform comprehensive security reviews as part of our annual compliance audits (e.g., ISO27001, SOC2), which includes independent assessments by external auditors.


Further information

This document provides a broad overview of Mumba’s approach to security; however, we have not provided all the details, as this topic is complex and ever evolving. If you have specific questions or would like to discuss these items in more detail, please contact us.