Security is important.
Security is quite literally our business here at Expel, and we’re committed to doing everything we can to protect our customers.
Compliance = things you need to do to keep your data and tech secure + someone verifying you’ve done those things
It’s important to make sure we’re meeting, or exceeding, our obligations to ourselves and our customers. Achieving a holistic security and privacy compliance program is a process that never stops evolving.
Compliance may feel overwhelming, but think of us as your compliance partner – we’ll dive into the pool of certifications, audits, laws and frameworks together. We can help you make sure you’ve got the right things in place to keep your tech and data secure, helping you breathe a little easier when it’s time for your next audit or assessment.
Certifications, frameworks and legal requirements
Trust is core to how we deliver world-class security. We’ve aligned our security and privacy compliance program with the industry’s best certifications, frameworks and legal requirements so you can get the peace of mind of knowing that Expel is a managed detection and response (MDR) provider that’s reliable and practices what we preach.
SOC 2 Type 2 (SOC for Service Organizations: Trust Services Criteria) — With the help of an independent third-party auditor, Expel completes an annual SOC 2 Type 2 audit. Our audits cover a 12-month reporting period with reports issued in May of each year. Our latest SOC 2 Type 2 report can be provided upon request after signing a non-disclosure agreement (NDA) with Expel.
Stuff for you to know about SOC 2 Type 2 certifications and audits:
- SOC 2 Type 2 audits examine the Expel Workbench™ and the MDR services we provide to our customers, including the suitability of the design and the operating effectiveness of Expel’s internal controls.
- Expel’s SOC reporting schedule is a 12-month period spanning May 1st – April 30th each year. Our audit kicks off in April to ensure we have the audit report ready for annual reporting in May. A SOC report always looks back in time, and since Expel attests to controls covering a 12-month period, our audit reports will remain current.
- We create Bridge Letters to cover gaps if we can’t complete a full 12-month audit. For example, if the audit report covers May 1st – March 31st, we’ll create a Bridge Letter to cover the gap between April 1st and April 30th. Bridge Letters are required when attesting for time periods where we are due for an audit but haven’t completed it yet.
ISO 27001:2013 and ISO 27701:2019 (processor) — Expel is certified in ISO 27001:2013 and ISO 27701:2019 (processor) standards. By certifying Expel’s Information Security Management System (ISMS) and Privacy Information Management System (PIMS), Expel continues to demonstrate its commitment to building trust and transparent security and privacy.
European Union General Data Protection Regulation (EU GDPR) — We’re devoted to privacy and data protection within every aspect of our business. Not only do we comply with EU law, we’re also using the GDPR as our standard for creating privacy principles at Expel. This is why we’ve committed ourselves to undergo an EU GDPR compliance assessment on an annual basis to ensure that we’ve implemented appropriate measures to comply with the EU GDPR and safeguard personal information.
U.S. State Privacy and Data Protection Laws (e.g., CCPA, Virginia CDPA, etc.) — Expel reviewed its internal processes, updated its procedures and enabled internal controls to demonstrate compliance with U.S. State Privacy and Data Protection Laws. A majority of these laws require that businesses implement and maintain reasonable security procedures and practices. Security is in Expel’s DNA, and we have the tools to help protect us, our data and our customers so we can effectively comply with these laws.
NIST Cybersecurity Framework (CSF) — Annually, a third-party assessor reviews our progress on the NIST Cybersecurity Framework (CSF). Every quarter, we perform a self-assessment for CSF to ensure we’re on the right track with current goals and aren’t sliding backwards in any areas. We feel so strongly about the CSF that we’ve published a guide and tool for using it.
NIST Privacy Framework (PF) — Annually, a third-party assessor reviews our progress on the NIST Privacy Framework (PF). Every quarter, we perform a self-assessment for the PF to ensure we’re on the right track with current goals. We take privacy as seriously as we take your security – maturing our privacy program while remaining transparent is fundamental to how we work with our customers.
How Expel supports your Compliance goals
We believe that any MDR you choose to work with should support you in meeting your compliance goals. Here’s a peek at how we can support you with these compliance requirements!
Payment Card Industry Data Security Standard (PCI DSS) — Expel’s MDR service helps customers stay compliant with PCI DSS by providing real-time analysis of and response to security alerts, which is what your MDR should do for you. If you have this service, our SOC continuously monitors your security ecosystem so you can easily demonstrate compliance with these requirements when a designated PCI DSS auditor analyzes your compliance with this payment card data security standard.
Health Insurance Portability and Accountability Act (HIPAA) — Similar to PCI DSS, Expel can support your HIPAA compliance by analyzing and responding to your security alerts in real time. HIPAA’s Security Rule and Privacy Rule are critical areas highlighted within the Administrative Simplification rules under Title II of HIPAA, which aims to protect the confidentiality, integrity and availability of electronic protected health information (ePHI). Expel can support your organization in maintaining its HIPAA compliance by monitoring your security tooling through the Expel Workbench and our Security Operations Center (SOC).
NIST SP 800-171 Rev 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations — Similar to the EU GDPR, there’s no official audit or certification available. NIST SP 800-171 Rev 2 focuses on the protection of controlled unclassified information (CUI) handled by non-government organizations. Expel performs an annual independent assessment with a third party to demonstrate its compliance with the standard – we encourage you to do the same. Working with Expel can help you fulfill a lot of the standard’s requirements regarding monitoring, alerting, reporting and responding to incidents. Take a look at how we help you comply with the standard.
Cybersecurity Maturity Model Certification (CMMC), Level 3 — The CMMC is the latest security framework mandated by the U.S. Department of Defense (DoD) for any contractor or subcontractor that provides services to the Defense Department. The foundation of CMMC Level 3 includes the 110 controls in NIST SP 800-171, Rev. 2 as well as 20 additional practices to mitigate threats. Since the CMMC is still in a development stage, you can do what we did and have a third party perform an independent assessment to prepare for the rollout. If you have any questions, ask us!
Things we’re doing to keep our customers safe
Sensitive data marking and handling guidelines — We take sensitive data marking and handling procedures seriously. We make sure Expel employees carefully manage every document they work with to help us understand what information is sensitive and manage its storage and transmission in a sensible way so that we protect Expel and its customers from competitive and legal harm.
Data retention policies — We define how long specific types of customer data are retained in our system(s) and have automated processes to securely dispose of that data.
Office security — Our corporate headquarters uses robust physical security (keycard access, security cameras, secure corporate and guest wifi).
Remote work security — Our staff can work from anywhere. We enable this through strong on-device and cloud security – monitored and protected by the Expel Security team and the Expel Workbench service. These measures include protection while on insecure or public networks, endpoint security and incident response software, encryption, remote locking and wiping capabilities, context-aware access to key systems and applications (RBAC), multi-factor authentication (MFA) and device trust capabilities that allow access only from authorized corporate devices that meet all security control requirements.
Comprehensive security and privacy program — We also have an array of other critical security policies internally that address Incident Response and Business Continuity, Disaster Recovery and Acceptable Use, just to name a few. We train all new Expel crew members on security and privacy, in addition to maintaining that knowledge through security awareness and phishing training monthly.
Third-Party Assessment Process — We can’t simply assess ourselves. As a cloud-native org, almost our entire infrastructure (that is, anything that’s not employee laptops) exists primarily on cloud-based services. So we need to make sure that the services we use are secure. We’ve developed a Third-Party Assessment Process (aka 3PA) that we use to quickly determine whether to make use of any individual outside service. This process has also been published for anyone else to use, along with the short, 10-part questionnaire that we send out as part of the process.
Encryption — Data at rest and in motion is always encrypted. This includes anything that supports the Expel service, employee laptops and mobile devices. We routinely measure the effectiveness of these standards through automated controls that ensure all assets are protected at all times.
Expel was born in the cloud! The ability to work from anywhere and use other service providers to bring you a better platform is core to our success. However, there are risks associated with being cloud native. We have numerous controls in place so our data and your data remains secure regardless of where it is in our architecture.
- All laptops include endpoint protection, which monitors for malware and abnormal user behavior. Laptops use full-disk encryption and are under remote device management to limit things like admin access (downloading potentially risky applications? Not on our watch).
- Inbound emails are scanned for phishing, malware and other dangerous attachments.
- Outbound internet traffic is monitored for attempted access to insecure parts of the internet, to reduce the risk of inbound malware.
- All our data security systems feed into the Expel Workbench, where we monitor ourselves just as we monitor for our customers.
- Rigorous application, browser-extension and third-party approval policies and processes are in place within our organization.
It’s not enough to look at policies, procedures and generally ask: Is this the way we think we oughta do things? We also need to perform active testing. This, too, has several individual components:
- Application testing and network penetration testing – Once a year, we select some subset or aspects of our internal application and server infrastructure and perform a technical assessment against it. Also annually, we contract with a third party to perform the same tasks (though potentially against different targets) to ensure that we’re not missing anything due to being too close to the problem.
- Regular vulnerability scanning – Vulnerability scanning is performed monthly at Expel, which exceeds industry benchmarks. This helps us verify what systems are currently in our development and production infrastructures, that they’re currently patched and that no unexpected services are running. Each month we go through a formal review of the vulnerability scan results, which generates tasks assigned to our engineering teams or IT/Security for correcting any issues. Corrections are typically prioritized in one of three categories:
- Critical – drop everything and fix this
- Priority – move this to the top of your stack
- Routine – make sure this is addressed in the next regular system update
Keeping your org safe isn’t your security team’s responsibility alone. It’s a group effort. That’s where human resources (HR) security comes in. We believe in taking a proactive approach when it comes to security. Here’s what we do to set our crew up for success.
- Annual security and privacy training – All employees receive security and privacy training shortly after being hired, and the entire company gets an annual refresher.
- Background checks – All employees are required to go through a background check prior to joining Expel.
- Phishing awareness training – All employees undergo bi-weekly phishing simulations, a mix of custom lures and industry-standard simulations based on what we’re seeing in the wild.
- Security audits – We automate granting and revoking our Expletives’ (that’s what we call the Expel crew) access to Expel resources during initial onboarding and termination (offboarding). In addition to manual quarterly audits, the IT and Security team implemented automation controls that perform these audits in real time. This better equips us to deal with deltas when they happen, not weeks later.
IT/Security Operations and Response
Every security strategy should include a plan for when something goes wrong. This is what we have in place in case bad things happen.
- Backups – We back up our data, customer data and infrastructure. We can quickly stand up a whole new “instance” of our service, pull data from backups and get back up and running in a matter of hours, not weeks.
- Incident response and business continuity planning – We have formal policies and procedures in place for assessing security events, classifying them as incidents or otherwise managing how we respond and track them. We also have mechanisms in place to establish business continuity in case of a disaster, outage or impact on Expel personnel.
- Quarterly incident response tabletops – We use tabletop exercises to help identify areas of weakness that need further development or refinement. We also feel strongly about IR tabletops. Seriously. We built a role-playing game (RPG) around them. We call it “Oh Noes!” and you can read about it here.
- Disaster Recovery – Whether it’s a process to swiftly rebuild the service from the ground up, simply providing engineers with UPS batteries to use at home in case of hurricane-related power outages, or primary, backup and tertiary internet service providers (ISPs) for our SOC, we’re doing everything we can so our service is up when our customers need it most – 24x7.
Our approach to
If you find a bug, defect, vulnerability, or even just something that seems a bit odd with anything Expel does, please let us know. We believe part of our responsibility is positive engagement with the community and facilitating discourse on making our products (and by extension your enterprise and the internet as a whole) more secure.
We recognize that public security research is a critical and ongoing component of the security industry and we welcome discussion with researchers. Our goal when working with researchers is to be transparent in what we are doing, respectful to all parties involved, and timely in our responses. It’s our vulnerability after all; we’re the ones that need to be responsible.