Security

How we protect customer data 

Customer Security

At Nahan, doing our work requires in-depth customer data. That’s why we protect that data in every way, at every turn. The following is a listing of security protocols and their benefits. It’s a long and comprehensive list. For our clients, it’s protection they can rely on.

The Nahan Information Security Program features these benefits: 

  • PCI DSS Level 2 certified (annual third-party QSA audit) 
  • AICPA SSAE18 SOC2 Type 2 + HITRUST CSF compliant (annual report) 
  • HIPAA compliant 
  • S2Score report (biennial third-party full risk assessment with annual updates) 
  • ISO/IEC 27001:2013 and ISO/IEC 27002:2013 international standards-based information security policies 
  • Information Security Awareness Training Program (weekly, monthly, and annual training sessions and modules) 
  • PCI DSS ASV monthly external network vulnerability scanning 
  • Semiannual penetration testing and network segmentation testing 
  • Internal vulnerability scanning and patch management 
  • Co-managed threat detection and response + SIEM with third-party 24/7 Security Operations Center (SOC) 
  • 24/7 Incident Response procedures and incident reporting system 
  • Annual internal risk assessment 
  • Monthly phishing tests 
  • Enterprise anti-virus and anti-malware 
  • Multi-Factor Authentication (MFA), including biometrics and time-based one-time passcodes (TOTP) 
  • Segregation of duties 
  • Physical security (photo identification, access control, video surveillance, etc.) 
  • Ongoing Business Continuity Plan (BCP) and Disaster Recovery Planning (DRP) and exercises
  • Change Management with active Change Advisory Board 
  • Chartered Information Security Leadership Oversight Committee (ISLOC) 

Data Security

Nahan ensures the confidentiality, integrity and availability of customer data though several layers of technical and administrative controls, including:

  • Secure communications via TLS and encrypted email 
  • Secure file transfer processes, including secure transport protocols, Secure FTP (SFTP), and PGP file encryption 
  • Secure Data Processing environment protected by: 
    • Access control and physical segregation 
    • Video surveillance 
    • Multi-Factor Authentication (MFA), including biometrics 
    • Highly trained staff with weekly, monthly, and annual security training sessions and modules 
  • Comprehensive Information Security Program and policies 
  • Secure online industry-standard proofing application 
  • Customer data access protected with ACLs, audit trail logging, and file integrity monitoring (if required) 
  • Data encryption-at-rest and offsite encrypted data backups 
  • Encrypted long-term storage (if required) 
  • Secure data deletion with Certificate of Destruction (if required) 
  • Nahan secure shredding with Certificate of Destruction (if required) 
  • Onsite NAID certified third-party secure shredding with Certificate of Destruction (if required)