Knock leverages the ISO 27000 series and the CIS Critical Security Controls to define its security program governance and control set.
Knock employs role-based access controls based on need-to-know and least privilege. Each team member is assigned a primary role at hire or transfer, and that role determines their access to systems and applications. Each role is formally defined, as is the access it grants. To gain access outside an individual's role, a support ticket must be submitted, approved, and provisioned.
Access control reviews are performed twice annually as part of routine internal audits.
Knock has established a formal Incident Management Program based on ISO 27035 that covers security and privacy incidents. For both types of incident, there are reporting, response, and retrospective requirements and supporting materials. Customer notifications are a formally documented requirement of response procedures.
Yes. Knock employs host-based IDS and IPS in both corporate and service environments, and network-based IDS in its service environments.
Yes. Knock employs a centralized SIEM that monitors both service and corporate environments.
Knock employs a VPN protected by multifactor authentication for remote network access to both corporate and service environments. Administrative access to critical service providers, such as AWS, is also gated by multifactor authentication.
Knock’s service environment is protected by AWS Shield for DDoS protection and hosted across multiple availability zones for scalability and reliability.
Yes. Each software developer undergoes annual secure software development training, plus additional training relevant to their area of development.
Knock employs AWS for its service environment infrastructure. AWS data centers utilize proximity badges with access logging, 24/7 video surveillance, 24/7 staffing, and formal visitor management procedures.
You can contact our privacy team at email@example.com.