Security Policy

Protecting your data with enterprise-grade security practices and rigorous compliance standards

Our Commitment to Security

At Triden Group, security isn't just what we do for our clients—it's how we operate. As a leading cybersecurity consulting firm serving healthcare, financial services, and government organizations, we hold ourselves to the highest standards of data protection, operational security, and compliance.

We understand that when you trust us with your sensitive information, you need confidence that we've implemented the same rigorous controls we recommend to our clients. This page outlines our security program, certifications, and commitment to protecting your data.

Certifications & Standards

SOC 2 Type II Certified
ISO 27001 Aligned
NIST CSF 2.0 Compliant
GDPR / CCPA Compliant
HIPAA Compliant
PCI DSS Aligned

SOC 2 Type II Report Available: We maintain continuous SOC 2 Type II certification and can provide our latest report to qualified prospective clients under NDA. Contact us at [email protected]

Security Framework

Our comprehensive security program addresses all five SOC 2 Trust Services Criteria and follows industry best practices:

🔒 Security

Multi-layered security controls including:

  • Multi-factor authentication (MFA) required for all system access
  • Role-based access control (RBAC) with least privilege
  • Annual penetration testing by certified third parties
  • 24/7 security monitoring with SIEM
  • Endpoint detection and response (EDR) on all devices

Availability

Enterprise-grade infrastructure ensuring business continuity:

  • 99.9% uptime SLA on critical systems
  • Cloud-based infrastructure with redundancy
  • Daily automated backups with immutable copies
  • Documented business continuity and disaster recovery plans
  • Annual DR testing and validation

🎯 Processing Integrity

Quality controls ensuring accurate service delivery:

  • Formal change management with approval workflows
  • Peer review process for all client deliverables
  • Segregated development, test, and production environments
  • Quality assurance checklists and validation procedures

🔐 Confidentiality

Protecting sensitive information throughout its lifecycle:

  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Data classification and handling procedures
  • Client data segregation and access controls
  • Secure data disposal and retention policies
  • Background checks for all employees

👤 Privacy

Comprehensive privacy program protecting personal data:

  • Compliance with GDPR, CCPA, and HIPAA requirements
  • Data processing agreements with all clients
  • Privacy impact assessments for new initiatives
  • Data subject rights request procedures
  • Appointed Data Protection Officer

🛡️ Incident Response

Prepared to detect, respond, and recover from security incidents:

  • 24/7 security operations center monitoring
  • Documented incident response procedures
  • Quarterly tabletop exercises and testing
  • Cyber insurance coverage
  • Client notification protocols

Data Protection & Encryption

Encryption Standards

  • Data at Rest: AES-256 encryption for all stored data
  • Data in Transit: TLS 1.3 for all network communications
  • Email Communications: Encrypted email gateway for sensitive communications
  • Backup Encryption: All backups encrypted with separate key management

Data Handling

  • Client data segregated by logical boundaries with restricted access
  • Data Loss Prevention (DLP) tools monitor for unauthorized data movement
  • Secure file sharing portal for client deliverables
  • Documented data retention and secure disposal procedures
  • Regular data inventory and classification reviews

Access Control & Identity Management

Authentication & Authorization

  • Multi-factor authentication (MFA) required for all users
  • Single sign-on (SSO) implementation reducing password sprawl
  • Role-based access control (RBAC) with least privilege principles
  • Privileged Access Management (PAM) for administrative accounts
  • Just-in-time (JIT) access provisioning for elevated permissions

Access Reviews & Monitoring

  • Quarterly access reviews by system owners
  • Monthly access log reviews for critical systems
  • Automated alerting for suspicious access patterns
  • Immediate access revocation upon employee termination
  • Session recording for privileged administrative access

Security Operations

Continuous Monitoring

  • Security Information and Event Management (SIEM) with 24/7 monitoring
  • Endpoint Detection and Response (EDR) on all company devices
  • Vulnerability scanning on weekly cadence
  • Automated security alerting with defined escalation procedures
  • Threat intelligence integration for proactive defense

Testing & Assessment

  • Annual third-party penetration testing
  • Quarterly vulnerability assessments
  • Monthly phishing simulations with targeted training
  • Annual social engineering assessments
  • Regular red team / purple team exercises

Employee Security

Hiring & Background

  • Comprehensive background checks for all employees
  • Non-disclosure agreements (NDAs) signed before access to systems
  • Security-focused onboarding program
  • Clear desk and clean screen policies

Training & Awareness

  • Security awareness training for all employees annually
  • Specialized training for roles with elevated access
  • Monthly security bulletins and threat briefings
  • Quarterly phishing simulations with remedial training
  • Security champions program across departments

Remote Work Security

  • VPN required for all remote access
  • Company-issued and managed laptops
  • Full disk encryption on all endpoints
  • Network Access Control (NAC) enforcing device compliance
  • Home network security guidance provided

Vendor & Third-Party Risk Management

  • Vendor security assessments for all critical suppliers
  • SOC 2 Type II reports required from high-risk vendors
  • Contracts include comprehensive security requirements
  • Limited vendor access with least privilege principles
  • Quarterly vendor access reviews and recertification
  • Separate network segmentation for vendor access

Business Continuity & Disaster Recovery

Continuity Planning

  • Documented Business Continuity Plan (BCP) with defined recovery objectives
  • Recovery Time Objective (RTO) of 4 hours for critical systems
  • Recovery Point Objective (RPO) of 24 hours for data restoration
  • Alternative work locations identified and tested
  • Cross-training and succession planning for key roles

Backup & Recovery

  • Daily automated backups of all critical systems and data
  • Immutable backup copies stored offline (air-gapped)
  • 3-2-1 backup strategy (3 copies, 2 media types, 1 offsite)
  • Monthly backup restoration testing
  • 30-day backup retention with separate encryption keys

Testing & Validation

  • Annual full-scale disaster recovery test
  • Quarterly tabletop exercises
  • Post-test documentation and improvement plans

Compliance & Governance

Governance Structure

  • Designated Chief Information Security Officer (CISO)
  • Appointed Data Protection Officer for privacy matters
  • Quarterly management security reviews
  • Board-level reporting on security posture
  • Risk management program with formal risk register

Policy Framework

  • Comprehensive information security policy suite
  • Annual policy reviews and updates
  • Employee acknowledgment of policies required
  • Documented procedures for key security processes

Audit & Assessment

  • Annual SOC 2 Type II audits by independent auditors
  • Quarterly internal security assessments
  • Regular compliance reviews for HIPAA, GDPR, CCPA
  • Continuous control monitoring and evidence collection

Infrastructure Security

Cloud Security

  • Cloud Security Posture Management (CSPM) tools deployed
  • Infrastructure as Code (IaC) with security scanning
  • Cloud Access Security Broker (CASB) monitoring
  • Monthly cloud configuration reviews
  • Least privilege IAM policies across cloud platforms

Network Security

  • Network segmentation with firewall controls
  • Intrusion Detection/Prevention Systems (IDS/IPS)
  • Web Application Firewall (WAF) for internet-facing applications
  • Secure VPN access with MFA for remote connections
  • Network traffic analysis and anomaly detection

Reporting a Security Concern

We take security vulnerabilities seriously and appreciate responsible disclosure. If you believe you've discovered a security issue with our systems or services:

Email: [email protected]

PGP Key: Available upon request for encrypted communications

We commit to acknowledging security reports within 24 hours and providing regular updates on remediation efforts.

Questions About Our Security?

We're happy to discuss our security practices in detail with prospective and current clients. Our team can provide additional documentation, including our SOC 2 report, security questionnaire responses, and compliance attestations.

Contact Our Security Team

Last Updated: January 2026 | Version 1.0

This page is reviewed and updated quarterly to reflect our current security posture and certifications.