Compliance for customers and partners
Security and compliance are a shared responsibility between Stax, AWS and the customer. Stax takes compliance seriously and understands its significance to both our customers and partners. For this reason, Stax has obtained independent third-party auditor certifications as a PCI DSS Service Provider under the Payment Card Industry Data Security Standard, and against the AICPA's SOC for Service Organizations standard (SOC 2 Type II). Further, Stax undergoes a SOC 2 Type II audit every year so that we maintain a high level of security across our product, our services and the internal operations of the company.
You can request our PCI DSS Attestation of Compliance (AoC), SAQ-D and Responsibility Matrix, or our SOC 2 Type II report, via your Customer Success Manager.
Acknowledgement of PCI Service Provider Responsibilities
As a PCI DSS service provider, Stax acknowledges its responsibility for the security of cardholder data to the extent that the Stax service could impact the security of the customer's cardholder data environment. The split of responsibilities between Stax and the customer for each PCI DSS requirement is set out in the Stax PCI Responsibility Matrix.
Security Practice at Stax
The Stax information security program is based on a continual lifecycle of improvement: measured risk, execution (policies, controls and capabilities), operation, and assurance testing. Each cycle feeds its findings back into the risk assessment, with evidence of the baseline coverage and efficacy of the controls and capabilities in place.
Identity and Access Management
Internally within Stax
The Stax Information Security Policy sets out functional security objectives for the control of identities, including privileged identities. This is a core pillar of Stax security; accordingly, centralized Identity and Access Management (IDAM) is integrated with all key applications and services and with the Zero Trust Network solution that protects the Stax Information Asset pool.
Identity and Access Management encompasses personnel screening and re-screening, identity and account management, provisioning, multi-factor authentication, least privilege, frequent user access reviews, and account offboarding.
Note: Identity management for Stax customers is explained in the Identity and Access section of the documentation.
Zero Trust Network
Stax uses a Zero Trust Network solution with integrated Endpoint Threat Detection and Response and multi-factor authentication. Users are required to authenticate their device onto the Zero Trust network using MFA. The privileges of the identity, together with the device posture (evaluated by the Zero Trust assessment), govern which key applications and systems a given user and device are authorised to access; a device that fails the posture check does not gain access regardless of the user's privileges.
Security Training and Developer Assessments
Security training is required for all Stax staff by policy; the standard security awareness training must be completed annually.
Technical teams are additionally required to undertake advanced security training with specific content on secure coding aligned to the OWASP Top 10. An advanced secure coding assessment must be completed each year in addition to the standard security awareness training.
Stax adheres to an agile change management process that encompasses the entire development and release lifecycle. Every change is subject to quality assurance, peer review and approval before being released into production. All changes are documented and prioritized based on capacity, necessity and strategic direction. Major changes are planned, penetration tested before release into production, and noted in the Stax changelog.
Multi-factor authentication is required to access the Stax code repositories. Every pull request must be signed and must pass a peer review; merging to master requires approval from the designated code owners, whether the change is a new feature or a bug fix. Every merged PR is then automatically run through a pipeline of tests and analysis appropriate to the code being merged.
Stax has integrated vulnerability management controls whose purpose is to ensure that the systems serving Stax core infrastructure are designed and engineered securely, and that newly disclosed vulnerabilities in them are identified and remediated.
Vulnerability Management spans the entire Stax Information Asset pool, including:
- Endpoint devices for the fleet, integrated into the zero trust network
- Scanning of Stax web consoles, APIs and containers.
- Quarterly PCI ASV Scans
- Compliance scans of Stax AWS accounts for secure configuration aligned to CIS Benchmark and PCI compliance.
- Code scanning, and scanning of third-party libraries (dependencies).
Vulnerability management is also integrated into the CI/CD process, with scanning of containers and third-party libraries and code scanning of Stax's core components. This is governed as part of PCI-related operational activities for modules including, but not limited to, those related to the Stax control plane.
Logging, Monitoring and Security Incident Response
Stax uses a centralised logging and monitoring service to aggregate events and alerts (as set out in the Stax Responsibility Matrix) from key applications and services, providing telemetry for anomaly detection based on common use cases, indicators of compromise, policy violations and other operational thresholds. Stax monitors systems with automated alarms prioritised by threat risk; alarms are integrated with PagerDuty, which raises incidents for the on-call responders.
Stax Security acknowledges vulnerability reports from independent security researchers; however, Stax does not operate a paid bug bounty program and offers no financial rewards for reports.
Security Testing and 3rd Party Assurance
Stax uses external certified penetration testing services to perform penetration tests on the Stax platform, including internal, external, network segmentation and web application testing of all consoles and APIs. This testing is governed by the security team as part of mandatory compliance testing and is performed at least twice a year, as required by Stax's compliance objectives.
Third Party Assurance
As a cloud-native subservice organization, Stax must ensure that the security of Stax Information Assets extends to third-party systems that either provide services to Stax as business systems or form part of the Stax product and service offerings.
Stax policy requires third-party assurance before engaging any third-party service provider. Due diligence must be undertaken to ensure the service provider maintains adequate controls, and any threats must be identified through a threat risk assessment, with mitigating controls commensurate with the highest level of data classification handled by the service. The Information Classification and Handling Policy sets out the Key Services Classification and Controls Mapping, which further aligns business criticality with the required controls.