Security and Privacy Awareness Training
All BigID employees are required to take annual security and privacy awareness training at onboarding and annually thereafter to ensure that they are up to date on the latest security protocols and best practices.
BigID employees are tested regularly on phishing awareness. If an employee takes the bait, they are required to take additional security training.
All BigID employees are subject to background checks that include a thorough review of their past employment and education, as well as a criminal history check.
Security is baked into every phase of BigID’s development lifecycle. This includes mandatory peer reviews, automated software composition (SCA), infrastructure as code scanning, and static analysis (SAST) checks to identify any vulnerabilities and unsafe configurations. Formal release procedures ensure only approved changes are deployed to production.
We follow key management best practices to ensure that keys are generated properly, safely stored, rotated when their cryptographic period ends, are only accessed by authorized entities to fulfill their function and that their utilization is properly monitored.
Our Bug Bounty program gives us the ability to force multiple the security testing of our cloud products to identify real time vulnerabilities.
BigID encrypts data at rest and in transit, using AES-256, SSH, and TLS 1.2+ encryption protocols. All data is stored in a secure, encrypted vault, and access is strictly controlled and monitored.
Identity and Access Management
BigID follows the principle of least privilege when assigning access controls and permissions. This means that users are only granted the minimum amount of access needed to perform their job duties.
BigID regularly performs risk assessments throughout the year to stay on top of the issues that can impact the service commitments to our customers and employees.
Third Party Risk Management
All of our vendors are assessed to ensure they have the security controls to meet BigID’s standards. Critical vendors are re-evaluated for risk on at least an annual basis to ensure that any new risks associated with their services are identified and mitigated.
We use a combination of Industry leading endpoint protection and AWS native security tooling to detect malicious and suspicious activity on endpoints in the cloud (and corporate assets). All of the telemetry from our Malware prevention technologies are fed to our Managed Detection and Response (MDR) and actioned to our BigID 24/7 Security operations team via automated workflows.