Corti actively applies security threat management practices to eliminate vulnerabilities, protect against known threats and detect and respond to security-related incidents.
Security Risk Management
Corti is keenly aware of the threats to our customers' highly sensitive PHI and other personal information, which represent an attractive target for a range of threat actors. We aim to ensure that we identify all credible threats and that adequate security controls are in place to mitigate them. To ensure this threat identification process is comprehensive, we apply complementary risk management techniques to achieve the required coverage.
A system-driven risk management process analyses the Corti system as a whole. Independent security auditing, including vulnerability scanning and penetration testing, is applied to the Corti service and the underlying Azure infrastructure.
A component-driven risk management process incorporated into development processes analyses technical components as we develop them using vulnerability scanning and testing processes.
Threat Detection and Controls
Corti employs Azure’s network and infrastructure protection solutions to provide a multi-layered shield to surround customers’ data. Configuration of security controls follows industry best practices and Azure’s recommendations. These controls are then subject to annual third-party security auditing to provide confidence.
Microsoft Defender for Cloud provides workload protection and security posture management to identify and track threats, guide the hardening of services based on identified weaknesses and vulnerabilities and provide a threat detection and response solution. We aim to provide customers with a proactive threat management solution to protect their data within the Azure environment.
DDoS Protection provides adaptive real-time traffic monitoring and threat response to maintain service availability during DDoS incidents.
Incident Response and Recovery
Incident management processes handle security events with the potential to adversely impact customer data confidentiality, integrity, or availability. Investigations establish the severity of incidents based on their impact on the Corti service and customer data. Processes then identify response actions that are applied to halt any attack, recover systems and data, and investigate additional security controls necessary to prevent recurrence.
We achieve this by having monitors and alerts set up on critical paths that alert our internal teams to react to any suspicious or unintended activity. Incident handling centers on the initial response, and a report is documented after any incident for root cause analysis and mitigation. A summary of these reports can be expected every six months, or earlier on request. The incident response includes timely and transparent communications with affected stakeholders, including the affected customer and the service hosting environment, as applicable. Corti recognizes that business success depends on establishing a trust-based relationship with customers, reliant on openness and transparency.
Business Continuity
Corti maintains a Business Continuity & Disaster Recovery Plan (BCDR) with goals that include maintaining customer services while fulfilling legal and regulatory obligations.
This plan covers internal and customer-managed environments using the redundancy and resilience capabilities of the Azure hosting infrastructure. In addition, we help customers achieve their Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) using the configurable service offerings available from the Azure service.