Welcome to the twoday Security Program
The twoday Security Program is designed to empower the twoday organization in managing its own security. We provide specialized tools, capabilities, and training to help build a strong security culture and make good security decisions.
High standards for security
We believe that security should not be a gatekeeper or someone who takes control away from people. Instead, we want everyone in twoday to be a security decision maker. That's why we focus on training and guidance, so that everyone can be confident in their ability to protect our data.
We set high standards for security in twoday, based on industry leading practices, our own research, and our own expectations. We believe that good security comes from people who are competent and confident.
A safe and secure digital environment
Our Security Programs are the driving force behind our commitment to maintaining a safe and secure digital environment. Owned by the Group and managed by dedicated personnel within twoday, these programs are always active, with clearly defined responsibilities and functions. Each program is built from several services with routine actions, demonstrating a strong focus on continuous improvement and operational excellence.
Infrastructure
This program manages the Azure Infrastructure, M365, endpoint protection, physical offices and on-premise digital infrastructure, logging and monitoring, and SOC services. It ensures the robustness of our technical infrastructure, safeguards our digital assets, and guarantees the smooth operation of our IT systems. By continuously monitoring and logging system activities, the program is designed to detect potential threats and to promptly respond to and handle incidents, ensuring the security of our infrastructure.
Our Infrastructure Program plays a crucial role in ensuring the seamless operation of our digital environment. It balances our cloud-first approach with the requirements of our on-premise data centers and offices. Our infrastructure is multifaceted, with networks, connected devices, and diverse data locations. This requires a careful and comprehensive approach to security.
Compliant and operational
To guide this approach, we have developed policies covering numerous infrastructure areas, including network management, access control, logging and monitoring, personal computer management, endpoint protection, DMZ equipment, remote access, server security, vulnerability and patch management, and routine audits. Each of these policies addresses a unique aspect of infrastructure security, from data access to the very hardware that supports our operations.
The primary objective of the Infrastructure Program is to ensure that all units within twoday adhere to these policies, establishing a compliant infrastructure and operational model. This program focuses on facilitating adherence to these policies, supporting each unit in maintaining a secure and reliable operational infrastructure.
Through continuous monitoring, regular audits, and ongoing improvements, the Infrastructure Program plays a pivotal role in fortifying our digital defenses and physical offices and in maintaining the robustness of our infrastructure. This ensures that we operate in a secure, efficient, and policy-compliant environment.
Products
This program includes threat modeling, technical risk analysis, software composition analysis, and static application security analysis as part of SSDLC (Secure Software Development Lifecycle). It ensures that our applications and products are as secure as possible, thereby minimizing vulnerabilities and protecting our systems and customers.
Our Products Program, also known as the AppSec Program, is committed to ensuring the highest level of security across all our applications, whether they are products or services offered to customers, or systems (Applications, APIs, Services, Low-Code/No-Code apps, etc.) developed or maintained internally for our own use.
At the core of this program are key activities such as Threat Modelling and Technical Risk Assessments, which aim to identify potential vulnerabilities and quantify the associated risks. Through these activities, we proactively seek to address possible threats before they impact our applications.
Additional layer of security
Additionally, the AppSec Program incorporates Software Composition Analysis (SCA) and Static Application Security Testing (SAST). These services are fundamental in identifying and addressing vulnerabilities within the application's code and its components. SCA and SAST provide an additional layer of security, checking the software's composition and statically analyzing the code to find potential weak spots. Tools range from IDE integrations to fully automated scans and tests run as part of the development pipelines.
The objective of the AppSec Program is not only to protect our applications from potential threats but also to create a security-centric mindset during application development and maintenance. By incorporating these security measures from the early stages of application development, we ensure that security is an integral part of our products and services, offering enhanced protection to our customers and our internal systems.
People
People are both the first and last line of defense. This program focuses on awareness training, security training, and security news and updates. It creates a security-conscious culture by ensuring every team member understands the importance of security, is aware of potential threats, and knows how to respond effectively. The program also disseminates security news to keep all personnel up to date with the latest trends and threats in the cyber landscape.
Our People Security Program acknowledges that the human element plays a vital role in the security landscape. This program's primary objective is to ensure all employees are equipped with the necessary knowledge and tools to maintain security within their respective areas of responsibility.
It incorporates strategies for ensuring a secure work environment, with safe usage of devices and equipment. Whether employees are operating within the office or working remotely from various locations such as travel destinations, client offices, or public places, the program guides them on how to maintain security.
Security year-round
Staying informed is a significant part of this program. We regularly disseminate news and updates regarding emerging security threats and trends. The program includes e-learning initiatives, an annual October Security Month, workshops, and presentations, all designed to keep employees informed about the latest best practices and developments in cybersecurity.
But security is, of course, not limited to the month of October – we have a strong emphasis on security and conduct activities and training sessions throughout the year.
The program also places emphasis on communication and reporting. Clear channels exist for employees to report any security incidents or events, enabling prompt response and mitigation.
Security is a shared responsibility
The People Security Program is about empowering employees. It equips them with the knowledge and tools necessary to navigate the digital landscape securely. It encourages them to use technology wisely and safely, ensuring they know what to do and who to contact in different situations. This program aims to foster a culture of security-consciousness, where everyone plays a role in protecting our digital environment. Security is a shared responsibility.
Our Security Programs are designed to ensure a proactive, ongoing, and comprehensive approach to maintaining a secure digital and physical environment. These programs, focused on Infrastructure, Applications, and People, are an integral part of our continuous effort to improve our security posture. They help ensure that we stay ahead of potential threats, protect our digital assets, and maintain the trust and confidence of all our stakeholders.