Security Policy
Protecting your data with enterprise-grade security practices and rigorous compliance standards
Our Commitment to Security
At Triden Group, security isn't just what we do for our clients—it's how we operate. As a leading cybersecurity consulting firm serving healthcare, financial services, and government organizations, we hold ourselves to the highest standards of data protection, operational security, and compliance.
We understand that when you trust us with your sensitive information, you need confidence that we've implemented the same rigorous controls we recommend to our clients. This page outlines our security program, certifications, and commitment to protecting your data.
Certifications & Standards
SOC 2 Type II Report Available: We maintain continuous SOC 2 Type II certification and can provide our latest report to qualified prospective clients under NDA. Contact us at [email protected]
Security Framework
Our comprehensive security program addresses all five SOC 2 Trust Services Criteria and follows industry best practices:
Security
Multi-layered security controls including:
- Multi-factor authentication (MFA) required for all system access
- Role-based access control (RBAC) with least privilege
- Annual penetration testing by certified third parties
- 24/7 security monitoring with SIEM
- Endpoint detection and response (EDR) on all devices
Availability
Enterprise-grade infrastructure ensuring business continuity:
- 99.9% uptime SLA on critical systems
- Cloud-based infrastructure with redundancy
- Daily automated backups with immutable copies
- Documented business continuity and disaster recovery plans
- Annual DR testing and validation
Processing Integrity
Quality controls ensuring accurate service delivery:
- Formal change management with approval workflows
- Peer review process for all client deliverables
- Segregated development, test, and production environments
- Quality assurance checklists and validation procedures
Confidentiality
Protecting sensitive information throughout its lifecycle:
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Data classification and handling procedures
- Client data segregation and access controls
- Secure data disposal and retention policies
- Background checks for all employees
Privacy
Comprehensive privacy program protecting personal data:
- Compliance with GDPR, CCPA, and HIPAA requirements
- Data processing agreements with all clients
- Privacy impact assessments for new initiatives
- Data subject rights request procedures
- Appointed Data Protection Officer
Incident Response
Prepared to detect, respond, and recover from security incidents:
- 24/7 security operations center monitoring
- Documented incident response procedures
- Quarterly tabletop exercises and testing
- Cyber insurance coverage
- Client notification protocols
Data Protection & Encryption
Encryption Standards
- Data at Rest: AES-256 encryption for all stored data
- Data in Transit: TLS 1.3 for all network communications
- Email Communications: Encrypted email gateway for sensitive communications
- Backup Encryption: All backups encrypted with separate key management
Data Handling
- Client data segregated by logical boundaries with restricted access
- Data Loss Prevention (DLP) tools monitor for unauthorized data movement
- Secure file sharing portal for client deliverables
- Documented data retention and secure disposal procedures
- Regular data inventory and classification reviews
Access Control & Identity Management
Authentication & Authorization
- Multi-factor authentication (MFA) required for all users
- Single sign-on (SSO) implementation reducing password sprawl
- Role-based access control (RBAC) with least privilege principles
- Privileged Access Management (PAM) for administrative accounts
- Just-in-time (JIT) access provisioning for elevated permissions
Access Reviews & Monitoring
- Quarterly access reviews by system owners
- Monthly access log reviews for critical systems
- Automated alerting for suspicious access patterns
- Immediate access revocation upon employee termination
- Session recording for privileged administrative access
Security Operations
Continuous Monitoring
- Security Information and Event Management (SIEM) with 24/7 monitoring
- Endpoint Detection and Response (EDR) on all company devices
- Vulnerability scanning on weekly cadence
- Automated security alerting with defined escalation procedures
- Threat intelligence integration for proactive defense
Testing & Assessment
- Annual third-party penetration testing
- Quarterly vulnerability assessments
- Monthly phishing simulations with targeted training
- Annual social engineering assessments
- Regular red team / purple team exercises
Employee Security
Hiring & Background
- Comprehensive background checks for all employees
- Non-disclosure agreements (NDAs) signed before access to systems
- Security-focused onboarding program
- Clear desk and clean screen policies
Training & Awareness
- Security awareness training for all employees annually
- Specialized training for roles with elevated access
- Monthly security bulletins and threat briefings
- Quarterly phishing simulations with remedial training
- Security champions program across departments
Remote Work Security
- VPN required for all remote access
- Company-issued and managed laptops
- Full disk encryption on all endpoints
- Network Access Control (NAC) enforcing device compliance
- Home network security guidance provided
Vendor & Third-Party Risk Management
- Vendor security assessments for all critical suppliers
- SOC 2 Type II reports required from high-risk vendors
- Contracts include comprehensive security requirements
- Limited vendor access with least privilege principles
- Quarterly vendor access reviews and recertification
- Separate network segmentation for vendor access
Business Continuity & Disaster Recovery
Continuity Planning
- Documented Business Continuity Plan (BCP) with defined recovery objectives
- Recovery Time Objective (RTO) of 4 hours for critical systems
- Recovery Point Objective (RPO) of 24 hours for data restoration
- Alternative work locations identified and tested
- Cross-training and succession planning for key roles
Backup & Recovery
- Daily automated backups of all critical systems and data
- Immutable backup copies stored offline (air-gapped)
- 3-2-1 backup strategy (3 copies, 2 media types, 1 offsite)
- Monthly backup restoration testing
- 30-day backup retention with separate encryption keys
Testing & Validation
- Annual full-scale disaster recovery test
- Quarterly tabletop exercises
- Post-test documentation and improvement plans
Compliance & Governance
Governance Structure
- Designated Chief Information Security Officer (CISO)
- Appointed Data Protection Officer for privacy matters
- Quarterly management security reviews
- Board-level reporting on security posture
- Risk management program with formal risk register
Policy Framework
- Comprehensive information security policy suite
- Annual policy reviews and updates
- Employee acknowledgment of policies required
- Documented procedures for key security processes
Audit & Assessment
- Annual SOC 2 Type II audits by independent auditors
- Quarterly internal security assessments
- Regular compliance reviews for HIPAA, GDPR, CCPA
- Continuous control monitoring and evidence collection
Infrastructure Security
Cloud Security
- Cloud Security Posture Management (CSPM) tools deployed
- Infrastructure as Code (IaC) with security scanning
- Cloud Access Security Broker (CASB) monitoring
- Monthly cloud configuration reviews
- Least privilege IAM policies across cloud platforms
Network Security
- Network segmentation with firewall controls
- Intrusion Detection/Prevention Systems (IDS/IPS)
- Web Application Firewall (WAF) for internet-facing applications
- Secure VPN access with MFA for remote connections
- Network traffic analysis and anomaly detection
Reporting a Security Concern
We take security vulnerabilities seriously and appreciate responsible disclosure. If you believe you've discovered a security issue with our systems or services:
Email: [email protected]
PGP Key: Available upon request for encrypted communications
We commit to acknowledging security reports within 24 hours and providing regular updates on remediation efforts.
Questions About Our Security?
We're happy to discuss our security practices in detail with prospective and current clients. Our team can provide additional documentation, including our SOC 2 report, security questionnaire responses, and compliance attestations.
Contact Our Security TeamLast Updated: January 2026 | Version 1.0
This page is reviewed and updated quarterly to reflect our current security posture and certifications.

