Sportlogiq Technical and Organizational Security Measures

 

INTRODUCTION

Sportlogiq considers cybersecurity and confidentiality of utmost importance. The company aims to meet or exceed best practices, and applies relevant controls to protect our clients and the company.

 

Highlights of the company’s practices include:

 

  • 1. Physical controls to safeguard and protect the company’s data centers and storage facilities

2. Use of security technology at multiple layers within the Sportlogiq network, providing a defense-in-depth approach

3. Monitoring of the company’s infrastructure to detect vulnerabilities and intrusion attempts

4. Access management controls to identify and authenticate individuals for access to the company’s system resources

5. Protection, including encryption, for communications that are not of a public nature

6. Policies, standards and procedures to protect client confidentiality and privacy

7. Employee orientation and training that provides awareness and education on security practices, compliance requirements and the importance of client confidentiality

8. Business resiliency and incident management processes to ensure continued business operations

9. 3rd party vendor and partner management processes to identify and remediate information security risks posed by their use

 

Sportlogiq employs experienced cybersecurity experts that regularly monitor its information security program in an effort to minimize risks and improve security operations.

 

SECURITY PRACTICES OVERVIEW

 

Physical Security

1. Sportlogiq data center facilities maintain extensive physical controls, including security barriers, hardened walls, on-site security personnel, restricted key card entry, video surveillance, fire suppression, climate control systems, secured electrical and cooling rooms, redundant telecommunications lines and emergency power generation

2. Sportlogiq also utilizes 3rd party infrastructure services, which have been reviewed by Sportlogiq and found to have acceptable physical controls 

 

Access Control

 

1. Employee identity is verified at the time of employment via standard human resources processes, including criminal, education, employment history and reference checks

2. Access is restricted to authorized individuals who have a legitimate business need for such access given their roles and responsibilities

3. Access to the Sportlogiq production infrastructure requires multi-factor authentication.

4. Administrative access by technology support personnel is subject to logging and review

5. Remote access to company resources is controlled via VPN access

 

Incident Management and Business Resiliency

 

1. An incident management process is maintained and utilized to address security and operational issues affecting the environment.  The process includes escalation and crisis management.

2. Critical systems are architected and deployed to support business resiliency.

 

Infrastructure/Network Security

 

1. 24x7 monitoring of the company’s production infrastructure environment is performed by its cloud service providers

2. Security threat intelligence solutions from cloud service providers are used to assist in proactively identifying and mitigating potential threats to Sportlogiq’ systems

3. The company leverages its cloud service providers to manage the implementation of security patches and identify and remediate vulnerabilities.

4. Communications over public networks is encrypted via industry accepted encryption protocols

5. Security (hardening) baselines are documented for each server platform to ensure unnecessary services are disabled

 

3rd Party Risk Management

 

1. The company conducts due diligence on vendor solutions to identify technology and security risks

2. All vendor contracts contain security, confidentiality and privacy provisions

 

Awareness & Training

 

1. Sportlogiq’ cybersecurity team delivers security awareness content to company personnel, in the form of orientation and annual training, regular newsletters, departmental meetings, and periodic campaigns throughout the year

2. The team also executes regular phishing exercises throughout the organization