Howspace Security Overview
1. Purpose
Howspace is the platform that organizations use to foster culture and reshape how work happens in order to align everyone for the greatest impact. Our scalable solution for collaboration and learning provides the platform for designed and guided collaboration journeys for however people best work, wherever they are.
With more than 100 employees around the world, Howspace empowers organizations to bring their people together to learn, collaborate, and drive progress. Thousands of consultants, facilitators, organizational development professionals, and learning & development professionals trust Howspace when they want to create a lasting impact.
Howspace empowers consultants, facilitators, leaders, learning experts, and community managers to:
- Put the worker at the center by leveraging fluid working methods and supportive tools for synchronous and asynchronous work.
- Incorporate an open and experimental learning approach (rather than focusing on the final destination) to create impact together.
- Leverage technology to make sense of large-scale conversations across locations, cultures, and languages.
2. Security Certification
Howspace has achieved certification of its Information Security Management System (ISMS) against the ISO/IEC 27001:2013 standard. The certification scope covers all of the company's business processes related to the development, provision, and management of the Howspace online collaboration platform.
We keep up to date with all applicable laws and regulations, including the General Data Protection Regulation (GDPR).
All our hosting providers are compliant with ISO/IEC 27001:2013, the globally recognized standard for Information Security Management Systems (ISMS).
3. Information Security Management System at Howspace
The goal of information security and the Information Security Management System (ISMS) at Howspace is to protect the confidentiality, integrity, and availability of information to the organization, employees, partners, customers, and the (authorized) information systems, and to minimize the risk of damage occurring by preventing security incidents and managing security threats and vulnerabilities.
Our Information Security lead, with the support of the leadership team, ensures that applicable regulations and standards are factored into our security frameworks. We have a number of policies that refer to the handling and labeling of sensitive, personal, and customer data. All our information security policies are reviewed annually.
We have a Security Steering Committee (SSC) which provides a consistent, dedicated environment where management and staff can be directed in the Business As Usual (BAU) aspects of Howspace security in its maintenance of regulatory compliance.
The Security Steering Committee (SSC) is accountable for information security and needs to formally approve decisions regarding the ISMS. The Leadership Team will review the ISMS on a yearly basis to verify its actuality and to draft plans to address identified non-conformities.
We do not consider that security and privacy are a single person’s responsibility. All Howspace employees are responsible for safeguarding company assets. All our employees are screened for expertise, experience, and integrity. Anyone who works with information within and on behalf of Howspace must adhere to the requirements of Howspace’s Information Security Policy. Employees are informed about security and privacy at the onboarding stage and have full access to the security workspace where security updates, training, and additional information are shared regularly.
4. Security and Privacy Awareness Program
Security and data protection training is available to all employees in the security workspace. In addition, all new employees must complete the security onboarding training as part of the general onboarding program. Security updates, news, and additional information are shared in the workspace and through the approved communication channels within the organization.
5. People Security
All employees working at Howspace undergo a screening process prior to being granted access to any system. The screening process consists of background, education, and employment history checks.
Employees at Howspace must follow the Acceptable Use Policy that defines and describes acceptable information security practices for the use of hardware, software, and network resources provided by Howspace to the employee.
Prior to employment, all personnel are required to sign confidentiality agreements to protect customer information, as a condition of employment.
6. Security Policies and Procedures
Our information security program is set up in a systematic and well-organized way. In addition, legal and regulatory requirements apply to ensure the confidentiality, integrity, and availability of information to the organization, employees, partners, and customers. All of these are translated into our information security policies, procedures, and guidelines. The Security Steering Committee (SSC), led by the Information Security Lead, is responsible for these policies and for working with the wider organization so that staff can accomplish their tasks while protecting our customers' data.
Other main policies are the Howspace Security Policy, Howspace Data Protection Policy, Howspace Data Breach Policy, Howspace Data Retention Policy, Howspace Access Rights Policy, Cryptographic Policy, Software Development Policy, and Acceptable Use Policy.
7. Incident Management Program
The Information Security Lead is involved in any incident that falls within the following scope:
- Physical security incidents
- Third-party IT security policy violations, attacks, or intrusions
- Internal IT security policy violations
- Attempted policy violations, attacks, or intrusions
We have policies that define our standards and guidelines of the program, with documented procedures that detail handling, communication, and reporting to customers, regulators, and law enforcement.
The team will follow the Security Incident Handling Procedure to notify relevant internal and external parties. Security incidents are reviewed regularly by the Security Steering Committee, which includes the COO and CEO.
8. Infrastructure Security
Howspace data is stored in Amazon Web Services (AWS) data centers across multiple physically separated devices spanning a minimum of three Availability Zones, each separated by miles within the region. Active user-generated content and files are stored in the AWS region eu-north-1 (Stockholm, Sweden).
All of our applications, services, and tools are hosted on Amazon Web Services (AWS). The engineering team has fully isolated development, staging, and production environments.
All customer data is logically segmented.
Other controls are:
- Multi-factor authentication
- Data Encryption
- Logging and monitoring
- Third-party penetration tests
Howspace takes a unified approach to patch and vulnerability management to ensure that our standard SLA timelines are maintained whether vulnerabilities exist in our underlying infrastructure, operating platforms, or source code.
9. Change Management
Howspace follows a consistent change management process for all changes to the production environment. The control process ensures that proposed changes are reviewed, authorized, tested, implemented, and released in a controlled manner, and that the status of each proposed change is monitored.
10. Encryption
All personal data is encrypted in transit and at rest and, to the extent relevant from a security standpoint, treated as if it were classified as sensitive data. Data at rest in our AWS storage is encrypted by default. We have taken the further measure of implementing record-level encryption of sensitive and customer data.
Data in transit is always protected with TLS, using current protocol versions and cipher suites.
11. Access Management
Howspace follows the principles of "need to know" and least privilege. We use role-based access control. Provisioning and de-provisioning are overseen by the Information Security and People Lead, with single sign-on (SSO) and two-factor authentication (2FA) enabled by default.
An owner is defined for each information asset and is responsible for ensuring that access to the asset is appropriate and reviewed regularly. Whenever handling sensitive information or taking a critical action, we apply the four-eyes principle.
Access is revoked on the same day an employee leaves Howspace.
12. Data Retention
When a workspace is deleted, all data stored in the workspace is removed from active data storage automatically after a 30-day retention period. After 12 months, all of the data is deleted from all systems, including active databases and backups.
Where workspaces have not been deleted manually and the customer agreement has ended, data is deleted automatically from active data storage after a 6-month retention period, followed by the 12-month backup retention period. During the 6-month retention period, customers can manually delete their workspaces to shorten it. At any time during the agreement, customers can also schedule workspace archival and deletion to suit their internal retention policies and controls.
13. Application Security
Applications are designed and developed according to Howspace's Secure Code Guidelines:
- Identified defects are corrected prior to release
- Code changes are reviewed by skilled individuals (who are familiar with code review and secure development) other than the originating developers
- Code reviews are performed to ensure that code is developed according to secure coding guidelines such as those published by OWASP
- Applications undergo rigorous application security testing to identify new threats and vulnerabilities at least annually (in accordance with industry standards and best practices)
- All code changes for applications that are pushed to production environments are reviewed using manual and/or automated processes
- Penetration tests are conducted bi-annually, and on a case-by-case basis for new products and features. Automated source code analysis tools are used to detect security defects in code prior to deployment
14. Third Party Risk Management
To ensure that third-party security management is applied consistently and continuously throughout the provision of the services, a third-party risk management procedure has been defined and implemented. Howspace manages third-party services and their security by applying a strict risk-based approach.
15. Business Continuity and Disaster Recovery
Howspace's business continuity policy is to prepare Howspace for extended outages caused by factors beyond its control and to restore services to the fullest extent possible in the shortest possible time.
All of our business continuity plans are designed to ensure the recovery and restoration of our platform services while minimizing negative impact. We understand that the services we provide are mission-critical to our customers and therefore have very little tolerance for service disruptions. We strive to maintain 99.8% system uptime. Our recovery timeframes are designed to ensure that we can meet our obligations to all of our customers. Customers can subscribe to real-time status updates for all Howspace services at https://status.howspace.com/