Our security framework is built on leading information security standards and delivered by an in-house team of experts in cloud, application and information security. This Security Overview page lays out the measures, defined in our Information Security Program, that we take to identify and protect against emerging threats.
Norstella maintains an information security program designed to protect the confidentiality, integrity, and availability of data. The program is regularly tested, monitored and evaluated for applicability and effectiveness, including security incident response procedures. Our program includes, but is not limited to, the following components:
Our staff are subject to our code of conduct encompassing our company’s values and mission. They are made aware of their responsibilities including adhering to ethical guidelines, maintaining professionalism, and reporting any violations, to foster a respectful and compliant workplace environment. Our policies and standards are regularly reviewed by our Information Security team to establish best practices relating to data security.
In accordance with relevant laws and regulations, adequate background verification checks are performed when recruiting an individual as permanent staff, to confirm the individual's identity and credentials and to reduce the possibility of a threat to critical information assets.
Our staff are bound by obligations of confidentiality and understand the consequences for failing to adhere to our policies and their responsibilities.
An employee off-boarding process is followed at Norstella which involves revocation of system permissions/access rights and return of company assets in a timely manner.
Norstella has a well-defined process for granting access to its information assets. Privileges and access rights are granted to employees on a "need-to-know" basis and according to the Principle of Least Privilege (PoLP), to protect information assets against unauthorized access and disclosure. Norstella's password policy is enforced across the board on information assets; it sets minimum length, complexity, password expiry and password history requirements, and requires account lockout after repeated failed login attempts.
Norstella maintains information security policies, standards, and guidelines designed to protect the confidentiality, integrity, and availability of sensitive data hosted in the Services, which includes the following:
Norstella maintains a dedicated privacy function to oversee our privacy program and monitor compliance with all applicable privacy and data protection laws. Our privacy notices are available here.
Our privacy program dictates a governance structure whereby we:
Where Norstella uses any third party to process personal information on our behalf (for example, cloud hosting, research services, etc.), we enter into applicable agreements and conduct appropriate due diligence to ensure that they (as well as Norstella) meet and understand their/our data protection obligations.
Norstella has a suite of policies and procedures that govern privacy and data protection. These include without limitation, documentation relating to privacy, data retention, data subjects’ rights, personal data breaches and privacy and data protection impact assessments.
With regard to privacy by default and privacy by design, Norstella products, and systems which support them, are developed in collaboration with the privacy team. Any processing of personal data in Norstella is vetted by the privacy team to ensure the processing is lawful and in line with applicable obligations.
Norstella takes steps to ensure that personal data transfers when customers use our products are conducted in accordance with applicable privacy and data protection laws. Any internal transfers of personal data within the Norstella group are coordinated by the privacy team through appropriate safeguards and intra-group data sharing agreements.
We conduct mandatory information security training on an ongoing basis and provide supplemental training to specific target groups and individuals as required. For example:
Our services are offered through public and private networks. Communications are protected against eavesdropping by secure channels, and industry standard encryption for data in motion and at rest. Norstella has secured its perimeter with industry leading remote access solutions as well as intrusion detection systems (IDS) / intrusion prevention systems (IPS), and application / network-based firewalls.
Tiered controls, including network segmentation, are in place to provide the appropriate level of protection for systems and data. Data Loss Prevention controls are also deployed for email security.
In line with our policies, all Norstella owned and supported operating systems hosted in our data center, or deployed in cloud environments are required to be configured with industry standard Endpoint Detection and Response (EDR) solutions.
We gather, review, and integrate security threat intelligence from our internal vulnerability management tools, vendors and third-party security organizations into our patch management process. Our patch management standard provides appropriate patching practices to our technology teams. At times, additional security controls may be implemented to provide mitigation against known threats.
Centralized security logging and monitoring of the Norstella enterprise environment is continuous through our Security Operations Center (SOC) for real-time awareness, event correlation and incident response.
An enterprise incident response process is in place to address incidents as they are identified. Incidents are managed by our incident response team which follows documented procedures for mitigation and communications. The plan is implemented according to various recognized standards and industry best practices such as: 1) NIST Computer Security Incident Handling Guide, 2) VERIS Community Database (VCDB) and 3) Verizon Data Breach Investigations Report (DBIR).
Norstella’s Incident Response process requires incidents to be effectively reported, investigated, and monitored to ensure that corrective action is taken to control and remediate security incidents in a timely manner.
Device management is an important aspect of Norstella's asset management program. Norstella ensures compute instances are properly configured, monitored, and maintained to prevent unauthorized access and data breaches. This involves implementing robust security policies, such as enforcing strong passwords, enabling encryption (at rest and in transit), and regularly updating software to protect against vulnerabilities. Additionally, our IT team ensures Norstella devices are compliant with industry standards and regulations.

Operations Security
Changes to Norstella's operating information systems environment, including changes to servers, network equipment, cloud assets, and software, are subject to documented change management processes.
Norstella maintains backup copies of information and software for data recovery in case of events such as system malfunctions or any accidental deletion of information.
Monitoring of systems, services and operations is implemented to ensure the health of our operating environments. Management tools are implemented to monitor and maintain an appropriately scaled and highly available environment.
Our Information Security Team leads a vulnerability scanning and policy compliance capability that product and technology teams reference for internal and external vulnerability and configuration remediation. Internet-facing sites on our global network are periodically scanned as part of our vulnerability management program.
Our product and technology teams engage information security subject matter experts regularly to provide risk assessment services. Architecture reviews, external vulnerability scans, application security testing and technical compliance reviews are several of the services performed during risk assessment activities.
Following risk assessment activities our Information Security Risk Management team consults with product and technology teams to develop remediation plans and roadmaps to address gaps in compliance, or areas of identified risk.
Additionally, our Governance, Risk and Compliance (GRC) team performs scheduled audits against policies, standards and regulatory requirements, and registers findings for review and remediation initiatives within the business.
We leverage a number of third-party service providers at Norstella to support the development of our product as well as internal operations. We maintain a vendor management program to ensure that appropriate security and privacy controls are in place. The program includes inventorying, tracking, and reviewing the security programs of the vendors who support Norstella.
Appropriate safeguards are assessed relative to the service being provided and the type of data being exchanged. Ongoing compliance with expected protections is managed as part of our contractual relationship with them. Our Information Security, Privacy, Legal, and Compliance teams coordinate with our business stakeholders as part of the vendor management review process.
A variety of secure methods are used to control access to our facilities, ensuring that physical access is gained only in a controlled way and on an operationally necessary basis. Depending on the sensitivity of the facility, these methods may include some or all of the following: security staff, ID cards, electronic access control incorporating proximity card readers, physical locks and PINs.