TeleSign’s web services are colocated in Tier IV data centers located in the US and EU. All our data centers are SSAE 16 SOC 2 Type II compliant. Each data center is designed to be capable of handling 100 percent of our forecasted traffic for the year and is highly available on its own, including fully redundant Internet access using disparate access providers. All data centers are inter-connected for replication purposes.
Customer traffic is distributed via geo-load balancing among these active data centers. All data centers are externally monitored by a third-party on a 24x7x365 basis. In the event of a disaster impacting one or more active data centers, TeleSign will shift traffic away from the impacted data centers within minutes as part of our Disaster Recovery (DR) process.
TeleSign regularly shifts traffic in conjunction with scheduled activities, including deployment of new releases, hot fixes, applying security patches, controlled performance testing, and operational events that impact a subset of active data centers. In other words, this DR process is regularly tested and exercised.
TELESIGN INFORMATION SECURITY
Global Information Security Policy (GISP)
TeleSign has an internal Global Information Security Policy (GISP) based on the ISO 27002:2013 standard for information security management. The GISP is reviewed and approved at least annually—based on the results of the annual Enterprise Risk Assessment (ERA), see the “Compliance” section below—and is enforced by TeleSign’s Privacy and Security Office (PSO). All employees must consent annually to receiving, reading and complying with the GISP. In addition, the GISP applies to all vendors, subcontractors and relevant external parties via legal contracts with those entities. The GISP covers violations (including a formal disciplinary process up to and including termination of employment or contract) and exceptions. The GISP also includes a Mobile Device Policy and a Remote Access Policy.
The security and privacy of your data is of paramount importance here at TeleSign.
Information Security Organization
Human Resource Security
TeleSign maintains an inventory of all technology assets and physically protects them from theft or loss. Unauthorized hardware is prohibited from the network, and this prohibition is enforced using a Network Access Control (NAC) system. Procedures are in place for asset decommissioning, including secure destruction of data on electronic media. The use of removable media (e.g. USB drives) is prohibited and enforced by technical means.
An Acceptable Use Policy governs usage of all assets and includes a clean desk policy, a PIN requirement and lock-screen timeout for mobile devices, and screensaver locks for workstations.
TeleSign has a Mobile Device Policy that addresses BYOD. Personally owned devices are not allowed on the secure network, and this is enforced by the NAC. TeleSign has an information classification policy, which categorizes data into three categories: Sensitive, Confidential and Public. This categorization takes into account the value, sensitivity and criticality of the data. Procedures are in place to address best practices for handling the storage and transmission of each of the three categories of data (e.g. Sensitive/Confidential data must be encrypted when transmitted over the Internet). Guidelines are also available for the labeling of Sensitive/Confidential data.
Communications & Operations Security
System Acquisition, Development And Maintenance
TeleSign engages various independent third parties to perform an ISO 27002-based Enterprise Risk Assessment (ERA) across the entire network on an annual basis, measuring our compliance with both the ISO-based standard and the GISP. The results of the ERA are used to build a Security Roadmap of security projects tied to each of the ERA’s findings as part of the remediation process. High-level details of the roadmap can be shared upon request.