Aurigo Security and Compliance Overview
Aurigo is committed to providing a highly secure and reliable environment for its customers. This includes maintaining the confidentiality of customers’ information and ensuring that customers’ information is available when needed. To achieve this, we use proven best-in-class security tools, technologies, practices, and procedures.
StateRAMP Ready
StateRAMP’s mission is to promote cybersecurity best practices through education, advocacy, and policy development to support its members and improve the cyber posture of state and local governments and the citizens they serve.
Aurigo offers the first StateRAMP Ready solutions for capital planning and project management in America. Masterworks Cloud and Masterworks Essentials are now listed on the StateRAMP authorized vendor list, verifying security compliance and risk-mitigation best practices for public agencies’ capital infrastructure programs. StateRAMP Ready is a distinct status from StateRAMP Authorized: it indicates that the products have met StateRAMP’s minimum security requirements as verified by a third-party assessment organization, not that a full authorization has been granted.
FedRAMP Ready
Aurigo Masterworks Cloud and Aurigo Essentials have been designated “FedRAMP Ready”. FedRAMP, the Federal Risk and Authorization Management Program, is a government-wide compliance program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
FedRAMP is a stringent set of security standards for cloud solutions, and state and local agencies often look to it as evidence that a product is secure enough to work with. FedRAMP Ready indicates that a FedRAMP-recognized Third Party Assessment Organization (3PAO) has attested to the system’s readiness for the authorization process; it is a separate designation from FedRAMP Authorized, which requires a full security assessment and an agency or JAB authorization. Aurigo’s FedRAMP Ready marketplace listing can be found here.
ISO 22301:2019 Certified
Aurigo has successfully completed certification to ISO 22301:2019, Security and resilience – Business continuity management systems.
ISO 22301:2019 is a management system standard published by the International Organization for Standardization (ISO) that specifies requirements to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented business continuity management system (BCMS). More details on business continuity management systems can be found here.
Business Continuity Policy
Aurigo and its business units have established operational resilience and business continuity plans at the business unit level. Because the environment in which we operate is constantly changing, our ability to continue operating uninterrupted cannot be fully assured without a comprehensive Business Continuity Management (BCM) system in place.
Our customers are entitled to expect that we do everything possible to minimize disruption to our operations and the delivery of our products. Aurigo’s BCM Program produces a set of interlocking plans and arrangements designed to ensure the best possible response to any disruptive incident. These plans and arrangements form part of Aurigo’s Business Continuity Management System (BCMS), which is maintained in accordance with the requirements of ISO 22301:2019 (Security and resilience – Business continuity management systems). The objective of Aurigo’s BCMS is to give interested parties reasonable assurance that its operational resilience and recovery arrangements are fit for purpose, and that the key resources needed to support business-critical activities will be available in the event of a disruption.
In the event of a major disaster, priority will be placed upon the safety and welfare of our staff and visitors, above the restoration of business processes. While the two are not mutually exclusive, management focus and resources will be diverted, where necessary, from business process recovery actions to ensuring safety and welfare.
This policy adheres to the applicable legal, regulatory, and contractual requirements of the organization. The BCMS is continually improved based on lessons learned from exercises, incidents, and periodic internal audits.
SOC 2 Type 2 (SSAE 18) attested
Aurigo has successfully completed a System and Organization Controls 2 (SOC 2) Type 2 examination performed by an independent CPA firm under the AICPA’s SSAE 18 attestation standard. The examination uses the Trust Services Criteria published by the AICPA to evaluate the design and operating effectiveness, over a defined review period, of a service organization’s controls relevant to security, availability, processing integrity, confidentiality, and privacy. A SOC 2 report is an attestation report rather than a certificate; the report itself states which criteria were in scope and the period covered. More information on SOC 2 reports can be found here.
NIST SP 800-53 (Rev. 4) Moderate Baseline compliant
Aurigo Masterworks Cloud and Aurigo Essentials are compliant with the NIST SP 800-53 Revision 4 Moderate baseline, the control catalog from which the FedRAMP baselines are derived. NIST has since superseded Revision 4 with Revision 5 (Rev. 4 was withdrawn in September 2021). More details about NIST SP 800-53 (Rev. 4) are available here.
Hosting Environment and Physical Security
Aurigo’s services are hosted on public cloud infrastructure from Amazon Web Services (AWS). AWS maintains high standards of physical and environmental security for its data centers. Under the AWS shared responsibility model, AWS secures the underlying facilities and infrastructure, while Aurigo remains responsible for the security of its applications, data, and configuration running on that infrastructure. You can read further about AWS security at aws.amazon.com/security/
Network and Data Security
The Aurigo Masterworks Cloud and Aurigo Essentials sites are accessible only over HTTPS. HTTPS traffic is encrypted with TLS, protecting it from interception or modification by unauthorized third parties. Aurigo follows current best practices for security, including the use of strong encryption algorithms, so that all customer data is encrypted both in transit and at rest.
Aurigo also uses secure protocols for communication with third-party systems.
Aurigo uses a multi-tier architecture that segregates internal application systems from the public Internet. Public traffic to the website passes through a Web Application Firewall (WAF), and only filtered traffic is forwarded to internal systems running on private subnets. All network access, both within the data center and between the data center and outside services, is restricted by firewall and routing rules, and network access is recorded in a centralized, secure logging system.
Application Development and Testing
Aurigo has a comprehensive software development lifecycle (SDLC) process that incorporates security and privacy considerations. Design and code reviews, as well as unit and integration testing, are part of the process.
All developers receive regular training on secure coding practices, including prevention of the OWASP Top Ten web application vulnerabilities.
Aurigo undergoes an annual penetration test of the website by a qualified third party. In addition, regular internal vulnerability scans are conducted.
Aurigo has deployed a variety of security and monitoring tools for its production systems. There is 24×7 monitoring of the security status of its systems, and automated alerts are configured for security and performance issues.
In the unlikely event of a breach, Aurigo has a comprehensive Security Incident Response Plan that details roles, responsibilities, and procedures for responding to and recovering from a security incident.
All employees are subject to background checks covering education, employment, and criminal history. Employment at Aurigo requires signing a Non-Disclosure Agreement and a written acknowledgment of the position’s roles and responsibilities, which include the protection of user data and privacy.
Aurigo maintains an information security training program that is mandatory for all employees.