“Products and Services” means, for the purposes of this Security Overview, collectively, the IQGeo Products and Services: IQGeo Platform, Network Manager Telecom, Network Manager Electric, Network Manager Gas, Workflow Manager, Inspection & Survey, OSPInsight Fiber System of Record (Web9), Network Revenue Optimizer, Comsof Fiber, Comsof Heat, Comsof Cloud and Comsof Area License Server.
This Security Overview describes IQGeo’s security program, security certifications, and technical and organizational security controls to protect (a) Customer Data from unauthorized use, access, disclosure, or theft and (b) the Products and Services. As security threats change, IQGeo continues to update its security program and strategy to help protect Customer Data and the Products and Services. As such, IQGeo reserves the right to update this Security Overview from time to time; provided, however, any update will not materially reduce the overall protections set forth in this Security Overview. The then-current terms of this Security Overview are available at www.iqgeo.com/security-overview. This Security Overview does not apply to any (a) Products and Services that are identified as alpha, beta, not generally available, limited release, developer preview, or any similar Products and Services offered by IQGeo or (b) communications services provided by telecommunications providers.
IQGeo maintains a risk-based assessment security program. The framework for IQGeo’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Products and Services and confidentiality, integrity, and availability of Customer Data. IQGeo’s security program is intended to be appropriate to the nature of the Products and Services and the size and complexity of IQGeo’s business operations. IQGeo has separate and dedicated Information Security staff that manage IQGeo’s security program. The security staff facilitates and supports independent audits and assessments performed by third parties. IQGeo’s security framework is based on the ISO 27001 Information Security Management System and includes programs covering: Policies and Procedures, Asset Management, Access Management, Cryptography, Physical Security, Operations Security, Communications Security, Business Continuity Disaster Recovery Security, People Security, Product Security, Cloud and Network Infrastructure Security, Security Compliance, Third-Party Security, Vulnerability Management, and Security Monitoring and Incident Response. Security is managed at the highest levels of the company, with IQGeo’s Chief Information Security Officer (CISO) meeting with senior management regularly to discuss issues and coordinate company-wide security initiatives. Information security policies and standards are reviewed and approved by management at least annually and are made available to all IQGeo employees for their reference.
IQGeo has controls in place to maintain the confidentiality of Customer Data. All IQGeo employees and contract personnel are bound by IQGeo’s internal policies regarding maintaining the confidentiality of Customer Data and are contractually obligated to comply with these obligations.
5.1 Employee Background Checks. IQGeo performs background checks on all new employees at the time of hire in accordance with applicable local laws. IQGeo currently verifies a new employee’s education and previous employment and performs reference checks. Where permitted by applicable law, IQGeo may also conduct criminal, credit, immigration, and security checks depending on the nature and scope of a new employee’s role.
5.2 Employee Training. At least once per year, IQGeo employees must complete a security and privacy training which covers IQGeo’s security policies, security best practices, and privacy principles. Employees on a leave of absence may have additional time to complete this annual training. IQGeo’s dedicated security team also performs phishing awareness campaigns and communicates emerging threats to employees. IQGeo has also established an anonymous hotline for employees to report any unethical behaviour where anonymous reporting is legally permitted.
6.1 Vendor Assessment. IQGeo may use third party vendors to provide the Products and Services. IQGeo carries out a security risk-based assessment of prospective vendors before working with them to validate they meet IQGeo’s security requirements. IQGeo periodically reviews each vendor considering IQGeo’s security and business continuity standards, including the type of access and classification of data being accessed (if any), controls necessary to protect data, and legal or regulatory requirements. IQGeo ensures that Customer Data is returned and/or deleted at the end of a vendor relationship. For the avoidance of doubt, telecommunication providers are not considered subcontractors or third-party vendors of IQGeo.
6.2 Vendor Agreements. IQGeo enters into written agreements with all its vendors which include confidentiality, privacy, and security obligations that provide an appropriate level of protection for Customer Data that these vendors may process.
IQGeo holds the following security-related certifications and attestations:
Certification or Attestation:
8.1 Amazon Web Services. The IQGeo Products and Services are offered as an on-premise or as a cloud service. The IQGeo hosted offering is available on Amazon Web Services (“AWS”) in the customer’s region of choice and protected by the security and environmental controls of Amazon. The production environment within AWS where the IQGeo Products and Services and Customer Data are hosted are logically isolated in a Virtual Private Cloud (VPC). Customer Data stored within AWS is encrypted at all times. AWS does not have access to unencrypted Customer Data. More information about AWS security is available at https://aws.amazon.com/security/ and https://aws.amazon.com/compliance/shared-responsibility-model/. For AWS SOC Reports, please see https://aws.amazon.com/compliance/soc-faqs/.
8.3 Products and Services. For the Products and Services, all network access between production hosts is restricted, using access control lists to allow only authorized services to interact in the production network. Access control lists are in use to manage network segregation between different security zones in the production and non-production environments. Access control lists are reviewed regularly. IQGeo separates Customer Data using logical identifiers. The IQGeo APIs are designed and built to identify and allow authorized access only to and from Customer Data. These controls prevent other customers from having access to Customer Data.
AWS data centers are SSAE 16 certified, proving that they meet high standards for security. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication (2FA) a minimum of two (2) times to access data centre floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions. Each data centre has redundant electrical power systems that are available twenty-four (24) hours a day, seven (7) days a week. Uninterruptible power supplies and on-site generators are available to provide back-up power in the event of an electrical failure. In addition, IQGeo headquarters and satellite office spaces have a physical security program that manages overall office security.
IQGeo follows security by design principles when it designs the Products and Services. IQGeo also applies the IQGeo Secure Software Development Lifecycle standard to perform numerous security-related activities for the Products and Services across distinct phases of the product creation lifecycle from requirements gathering and product design all the way through product deployment. These activities include, but are not limited to, the performance of (a) internal security reviews before deploying new Products and Services or code; (b) usage of static application security testing tooling; and (c) penetration tests of new Products and Services by independent third parties.
11.1 Provisioning Access. To minimize the risk of data exposure, IQGeo follows the principles of least privilege through a role-based-access-control model when provisioning system access. IQGeo personnel are authorized to access Customer Data based on their job function, role, and responsibilities. An employee’s access to Customer Data is promptly removed upon termination of their employment. To access the production environment, an authorized user must have a unique username and password and multi-factor authentication enabled. IQGeo logs high risk actions and changes in the production environment. IQGeo leverages automation to identify any deviation from internal technical standards that could indicate anomalous/unauthorized activity to raise an alert within minutes of a configuration change.
11.2 Password Controls. IQGeo’s current policy for employee password management follows the NIST 800-63B guidance, and as such, our policy is to use longer passwords, with multi-factor authentication, but not require special characters or frequent changes. When a customer logs into its account, IQGeo uses secure hashing algorithms couple with salting to hash the credentials of the user before it is stored. A customer may also require its users to add another layer of security to their account by using two-factor authentication (2FA) or single-sign on (SSO).
IQGeo has a change management process it follows to administer changes to the production environment for the Products and Services, including any changes to its underlying software, applications, and systems. Each change is reviewed and evaluated in a test environment before being deployed into the production environment for the Products and Services. All changes, including the evaluation of the changes in a test environment, are documented using a ticketing system. An assessment is carried out for all high-risk changes to evaluate their impact on the overall security of the Products and Services. Deployment approval for high-risk changes is required from the correct organizational stakeholders. Plans and procedures are also implemented in the event a deployed change needs to be rolled back to preserve the security of the Products and Services.
For the IQGeo Products and Services, (a) the databases that store Customer Data are encrypted using the Advanced Encryption Standard (AES-256-GCM) and (b) Customer Data is encrypted when in transit between Customer’s software application and the Products and Services using TLS (RSA 2048 bits). Customer Data is encrypted at rest using the Advanced Encryption Standard (AES-256-GCM).
IQGeo maintains controls and policies to mitigate the risk of security vulnerabilities in a measurable time frame that balances risk and the business/operational requirements. IQGeo uses a third-party tool to conduct vulnerability scans regularly to assess vulnerabilities in IQGeo’s cloud infrastructure and corporate systems. Critical software patches are evaluated, tested, and applied proactively. Operating system patches are applied through the regeneration of a base virtual-machine image and deployed to all nodes in the IQGeo cluster over a predefined schedule.
IQGeo performs penetration tests and engages independent third-party entities to conduct application-level penetration tests. Security threats and vulnerabilities that are detected are prioritized, triaged, and remediated promptly.
IQGeo maintains security incident management policies and procedures. IQGeo’s Security Incident Response team assesses all relevant security threats and vulnerabilities and establishes appropriate remediation and mitigation actions. IQGeo retains security logs for one hundred and eighty (180) days. IQGeo utilizes third-party tools to detect, mitigate, and prevent Distributed Denial of Service (DDoS) attacks.
IQGeo will promptly investigate a Security Incident upon discovery. To the extent permitted by applicable law, IQGeo will notify Customer of a Security Incident in accordance with the IQGeo products & services privacy statement supplement. Security Incident notifications will be provided to Customer via email to the email address designated by Customer in its account.
The cloud service infrastructure for the IQGeo Products and Services (a) spans multiple fault-independent availability zones in geographic regions physically separated from one another and (b) is able to detect and route around issues experienced by hosts or even whole data centres in real time and employ orchestration tooling that can regenerate hosts, building them from the latest backup. Specifically, for the OSPInsight Fiber System of Record(Web9), Comsof Fiber, Comsof Heat, Comsof Power, Comsof Cloud and Comsof Area License Server Products and Services, resiliency of the hosting infrastructure is limited to a single availability zone. Offsite backups and plans are in place to restore these Products and Services promptly in the event of a major disruption.
IQGeo performs regular backups of Customer Data, which is hosted on AWS’s data center infrastructure or on Citrix Sharefile. Data that is backed up is encrypted in transit and at rest using the Advanced Encryption Standard.
Ensuring the security and integrity of the IQGeo Products and Services is critical to the service we provide to our customers. We are committed to providing a secure product and appreciate help in responsibly identifying ways for us to improve.
If you have identified a vulnerability, please report it via security@iqgeo.com.
Please be respectful and don’t violate anyone’s privacy, interfere with anyone’s account, destroy any data or degrade our services. Please give us a reasonable amount of time to respond before publicly disclosing your findings.
Security Overview statement updates
We may change this Security Overview statement supplement from time to time. If and/or when IQGeo makes changes to this supplement, the updated version will be posted in place of this supplement. If we make any material changes, we will notify you by means of an announcement prior to the change becoming effective.
Contacting us
Questions regarding IQGeo Security Overview statement or information practices should be directed to security@iqgeo.com
For information regarding IQGeo's general privacy practices please review the IQGeo Privacy Policy
This version was last updated on 25 April 2024.
IQGeo UK Ltd. is a subsidiary of IQGeo Group plc, a public listed company (AIM:IQG) with offices worldwide.
Company number for IQGeo UK Ltd: 11559043
Company number for IQGeo Group plc: 05589712
VAT number: GB 887 1388 72
Registered office address:
IQGeo UK Ltd, Nine Hills Road, Cambridge, CB2 1GE
Copyright © 2024, IQGeo UK Limited. IQGeo is a registered ® trademark