Overview


Organizations must adopt a comprehensive approach to ensure high-quality data for successful digital transformation. This approach involves integrating the right people, processes, and tools. Whether the goal is to enhance customer centricity, improve analytics, or comply with regulations, it is crucial to implement an enterprise data security and privacy control program. This program ensures that the data driving various initiatives are consistently trustworthy, high quality, and readily available to those requiring it. 


VIDIZMO is a robust video streaming and management platform that strongly emphasizes security and privacy. Its primary focus is to empower users by facilitating collaboration and enabling access to integrated, high-quality data that is dependable, safeguarded, and consistent. 


This document offers an overview of the security and privacy controls enforced by VIDIZMO, for the application level, on the cloud on Azure's Infrastructure (Commercial and Government), and on-premises in the customer's data center. It illustrates how these controls align with security requirements such as those stated in Section 3 of the NIST FIPS 200 publication. 


Confidence In Security & Privacy Controls: Leveraging Strong Features and Integrated Capabilities  


Comprehensive Encryption 

VIDIZMO provides comprehensive encryption that protects users' media in both "at rest" and "in transit" phases.  


End-to-End Governance  

VIDIZMO enables tight integration with organizational retention policies, access permissions, and network requirements, including:


  • Granular Role-Based Security 

Granular role-based security gives users precise control over creating videos, live events, channels, and categories. They can specify which users can make content public and establish approval workflows for video assets. 


  • Trusted Access Controls 

Trusted access controls provide the ability to define specific permissions for users or groups regarding viewing or editing videos and webcasts. The users can determine if the content is for internal or public consumption.

 

  • Activity Tracking Insights 

User activity tracking enables tracking of any changes made to any video or media within VIDIZMO. It allows users to access detailed information about the specific modifications and identifies the system user responsible for the changes.

 

  • Versatile SSO Integrations  

VIDIZMO offers versatile single sign-on (SSO) integrations support for over 25 different SSO service providers, facilitating seamless authentication across various platforms. Additionally, VIDIZMO allows user import through Active Directory, enabling centralized access management. 


The Foremost Cloud Infrastructure 

VIDIZMO runs on Microsoft Azure and Amazon Web Services, the world's leading cloud infrastructure providers, to ensure the highest availability, security, and scalability levels.


Ensuring Regulatory Compliance

The application offers robust compliance for CJIS, FIPS 140-2, FIPS 200, HIPAA, Schrems II, GDPR, CCPA, ADA Section 508c, WCAG, and more, through a wide range of features. VIDIZMO also offers infrastructure-level compliance with Azure Cloud Environment (for CJIS and other regulations) and with partnerships like ProjectHosts (for FedRAMP). Users can trust the platform to meet stringent regulatory standards and safeguard their data and operations.  


Meeting NIST FIPS 200 Security Requirements: How VIDIZMO Ensures Compliance

Access Control (AC) 

  • VIDIZMO offers Role-Based Access Control (RBAC) to prevent unauthorized access.
  • VIDIZMO allows users to secure the platform by disabling anonymous access. 
  • VIDIZMO allows users to configure Single Sign-On (SSO) to synchronize users' and groups' information. 
  • VIDIZMO allows users to synchronize users' and groups' information with their directory through separate SSO per portal. 
  • VIDIZMO allows users to automate user and group provisioning/de-provisioning through SCIM and define rules to grant permissions based on pre-defined roles. 
  • VIDIZMO allows users to define custom security policies organization-wide or department-specific policies, including restrictions on anonymous access, external sharing, downloads, and delegation of access. 
  • VIDIZMO offers users a password-protected media option, which allows users to control access to media by setting up a password. 
  • VIDIZMO offers an automatic login timeout feature that allows users to set a time frame for inactivity, after which a user is automatically logged out. 
  • VIDIZMO also locks a user out for multiple failed login attempts into the portal.  
  • VIDIZMO offers whitelisting/blacklisting of IP pools to limit access from specific domains or geographic regions. 
  • The VIDIZMO application offers multifactor authentication using email to ensure secure logins to the portal only. 
  • VIDIZMO ensures limited access URLs to portal media are tokenized, providing enhanced security by controlling access based on factors such as expiration, limited view sharing, limited duration sharing, and email sharing with guests. 
  • VIDIZMO logs the reasoning behind access to portal media, providing a clear audit trail and accountability for user activities. 
  • VIDIZMO enables users to configure account lockout after a specified number of unsuccessful login attempts. This feature helps prevent unauthorized access by limiting the number of consecutive failed login attempts. 
  • A user can view their last login activity in the VIDIZMO portal.

Awareness and Training (AT) 

  • VIDIZMO adheres to applicable laws, regulations, and industry standards, ensuring its solutions comply with information security requirements. 
  • VIDIZMO provides comprehensive educational resources to raise awareness of security risks and best practices. Regular internal training sessions and completion certificates further enhance employee cybersecurity awareness. 
  • VIDIZMO offers relevant documentation and conducts 2-hour "train-the-trainer" sessions upon deployment, enabling customers to train additional personnel effectively. 
  • VIDIZMO provides ongoing support, including access to a dedicated support team. They assist users in addressing security concerns, offering guidance on best practices, and resolving security-related issues. 

Audit and Accountability (AU)

  • VIDIZMO maintains comprehensive logs/chain of custody of user activities, system events, and access attempts. These logs enable forensic analysis, monitoring, and compliance audits, ensuring accountability and transparency. 
  • Utilizing the SHA-3 algorithm, VIDIZMO generates hash values to detect tampering and maintain media integrity.
  • VIDIZMO retains audit reports from portal creation until purged, ensuring long-term accountability records.
  • VIDIZMO allows easy exporting of audit reports in PDF or CSV files for further analysis or compliance purposes.
  • VIDIZMO provides activity flagging and notification option. Notifications enable the flagging of specific activities within the portal, enhancing visibility and prompt action. 
  • VIDIZMO implements a content moderation workflow to prevent unauthorized or unwanted publishing of content, ensuring controlled and approved access. 

Certification, Accreditation, and Security Assessments (CA) 

  • VIDIZMO's hosting facility in Microsoft Azure Cloud meets global compliance standards, including ISO 27001, FedRAMP, SAS70, SOC 1, SOC 2, and NIST SP 800-53. For more information, visit: Azure Compliance 
  • VIDIZMO conducts regular assessments of security controls, identifying vulnerabilities and implementing action plans to address them. 
  • VIDIZMO performs various tests, including static and dynamic code tests, functional tests, software composition analysis, and penetration tests, to ensure the effectiveness of security controls. 
  • VIDIZMO has a well-defined security incident response plan in place to address security incidents promptly and effectively. 
  • VIDIZMO has a dedicated team that monitors the facility, systems, and personnel activities to ensure the continued effectiveness of security controls. 
  • VIDIZMO implements factors such as SSO configuration via Azure AD, MFA/OTP, and whitelisted email domains to ensure authorized operations of information systems. 

Configuration Management (CM) 

  • VIDIZMO implements configuration management practices throughout the system development lifecycle. 
  • VIDIZMO has a dedicated team that establishes and maintains baseline configurations and inventories of information systems, including hardware, software, firmware, and documentation. 
  • VIDIZMO enforces security configuration settings for its IT products, ensuring proper configuration and security. These settings encompass network configurations, access controls, encryption, logging, and more. 
  • VIDIZMO collaborates with the organization's Business/Enterprise IT team to configure firewalls for internet access to specific URLs that need to be enabled or whitelisted in the organization's firewall. 

Contingency Planning (CP) 

  • VIDIZMO environments benefit from Azure Defender, which offers real-time activity monitoring and periodic vulnerability assessments. 

  • VIDIZMO conducts independent internal and external penetration tests annually, with network penetration testing performed at least once per quarter. 

  • VIDIZMO has a comprehensive Disaster Recovery Strategy in place. A formal risk assessment determines the requirements, and the strategy covers essential technology elements, systems, and networks aligned with key business activities. The disaster Recovery Plan undergoes periodic testing in a simulated environment to ensure effective implementation during emergencies. The DR lead keeps the Disaster Recovery Strategy document up to date to accommodate changing circumstances. 

Identification and Authentication (IA) 

  •  VIDIZMO supports various authentication methods, including username/password, Single Sign-On (SSO), and social login options.
  •  Integration with industry-standard protocols such as SAML, OAuth, and OpenID Connect ensures secure identification and authentication processes. 
  • VIDIZMO utilizes a "System for Cross-Domain Identity Management" (SCIM) for user provisioning, which ensures users added to the Identity Management System have their accounts automatically created in VIDIZMO and can be configured with several Identity Access Management (IAM) services such as Okta, OneLogin, Ping, Centrify, ForgeRock. 
  •  VIDIZMO offers a SCIM 2.0 REST API, eliminating the pain of working with proprietary user management APIs.

Incident Response (IR) 

  • VIDIZMO Incident Response Center is created for instances of security vulnerability identifications, expected and unexpected downtimes and critical security updates.  

  • VIDIZMO team has predefined SLAs that categorize incidents to different severity levels, each of which has a defined incident response protocol that the VIDIZMO support team follows.  

  • The incident response plan is in place to address potential security incidents and respond to them in a timely and effective manner.  

  • It outlines the procedures and steps that VIDIZMO takes in the event of a security incident, such as a data breach, system compromise, or other security incident. 

  • We review our documented Incident Response Plan on an annual basis. 

  • All incidents are documented and reported for future reference and shared with relevant stakeholders. 

Maintenance (MA) 

  • VIDIZMO team provides end-to-end maintenance or cooperates with the customer's internal teams for the underlying infrastructure, including Windows operating system and SQL server maintenance as part of our managed services. 

  • The team follows the enterprise IT policy to install any patches, updates or upgrades as required by the customer based off their opted Support Plan. 

  • For any hardware and network-related issues in the cloud or customer data centers, the VIDIZMO team coordinates with the service provider to resolve these issues.   

  • At Azure, Microsoft conducts physical security reviews of the facilities periodically to ensure the data centers properly address Azure security requirements.   

Media Protection (MP) 

  • VIDIZMO ensures data protection through encryption during transit with SSL and at rest with the AES-256 encryption cipher. 

  • Secure streaming protocols, such as HTTPS, are employed to safeguard video content during playback. 

  • Communication with various components is secured with Transport Layer Security (TLS) protocol. 

  • Within the VIDIZMO organization, all internal and assigned systems, such as laptops, have their disks encrypted. 

  • Access-protected backup sets are restricted to authorized only. 

  • Backup protection hardening capabilities include snapshots and local accounts, along with MFA for admin access to the console. 

  • VIDIZMO employee inboxes are protected by Office 365 ATP (advanced threat protection) to remove malicious emails. 

  • At the infrastructure level, the VIDIZMO application data on Azure is protected using data segregation, at-rest data protection, in-transit data protection, data redundancy policies and more. Read more at Azure customer data protection.  

  • Microsoft Azure also executes a complete deletion of data on customer request and on contract termination. 

Physical and Environmental Protection (PE) 

  • VIDIZMO ensures there is no unauthorized access to the systems within VIDIZMO's office premises.  

  • The facilities are protected with facial detection and biometric identification.  

  • The systems in the organization are restricted for access with:  

  • VIDIZMO's Azure AD 

  • 2-step authentication 

  • Strong password policies for complex and periodically updated passwords. 

  • VIDIZMO also provides relevant training and awareness to prospects for ensuring the physical security of data and systems when deployed on-premises.  
  • For Azure datacenters, where the VIDIZMO application is hosted, Microsoft designs, builds and operates datacenters in a way that strictly controls physical access to the areas where customer data is stored. For more information, refer to Azure facilities, premises, and physical security. 

Planning (PL) 

  • VIDIZMO has developed and documented numerous SLAs and strategies for the implementation of security controls across the platform and infrastructure, such as our: 

  • Every 6 months, security policies are reviewed and revised if necessary.   

  • Documentation is also periodically updated to meet the requirements of customers and comply with updating industry standards.  

  • Likewise, Azure documents their best practices for security and data protection on their website at Azure security fundamentals documentation. 

Personnel Security (PS) 

  • VIDIZMO conducts thorough background checks of all employed individuals to ensure the security of organizational data.  

  • When an individual is terminated, all accounts are immediately locked to restrain the individual from further accessing VIDIZMO data.   

Risk Assessment (RA) 

  • VIDIZMO performs vulnerability scanning of our external and internal networks and tracks the remediation of critical and high-risk issues.  

  • All VIDIZMO environments are protected by Azure Defender, as our Endpoint Detection & Response platform across all systems, and the team does periodic assessments of vulnerabilities. 

  • Data is encrypted at rest using AES 256 and in transit using HTTPS for both the tenant and within production environments.  

  • Content encryption capabilities are provided within the application upon the request of the customer as an additional feature.  

  • VIDIZMO cloud service relies on VMs, VNET, and Storage accounts, among other services, each of which is deployed and configured based on clearly defined security parameters.  

  • Microsoft Azure, where VIDIZMO is deployed, has their own set of Risk Assessment policies in place. Read further on the Azure Risk Assessment Guide

System and Services Acquisition (SA) 

  • VIDIZMO has adequate resources in a dedicated team to protect and maintain organizational information systems. 

  • Group policies are enforced for departments for software usage restrictions.  

  • To protect interdepartmental unauthorized access, individual teams are restricted from access to confidential and sensitive elements, such as code, that are not relevant to the scope of their responsibilities.  

  • All VIDIZMO infrastructures are built with the latest hardware and are equipped with regularly updated, licensed operating systems and software.   

  • Rules are placed on the organization's firewall to prevent risky downloads or other malicious media from intercepting through the network.  

  • VIDIZMO, as an organization, also does not outsource any services to third-party providers.   

System and Communications Protection (SC) 

  • VIDIZMO has implemented rules on our Microsoft Exchange server that block any emails which can potentially cause organizational loss, such as through data breaches by leaking source code leaks.  
  • VIDIZMO uses Agile methodology over DevOps for our software development techniques. 
  • The development process incorporates Continuous Integration and Continuous Delivery (CI/CD) within our software development practices, in which incremental code changes are made frequently and reliably.   
  • MS Teams is used for internal communications, which is end-to-end encrypted. 

System and Information Integrity (SI) 

  • VIDIZMO Team identifies issues and proactively acts for the integrity of systems and information contained. Some of the measures taken by the team include:
  • Constant monitoring and checks of systems 

  • Running diagnostics to identify issues and performance bottlenecks 

  • Blocking of unwanted downloads 

  • Implementation of multiple layers of security, including firewalls, intrusion detection and prevention systems, and anti-malware software.  

  • Use of industry-standard anti-malware solutions that are regularly updated to ensure protection against the latest threats.  

  • Security controls are in place for protecting PII (Personally Identifiable Information), such as "Have I Been Pwned" (HIBP), to alert of: 

  • leaked credentials 

  • encryption keys 

  • session tokens 

  • sensitive data 

  • VIDIZMO uses Azure Security Center, which provides 24-hour monitoring and alerting of critical events. This includes service uptime notifications and security alerts, allowing the team to proactively take appropriate actions in standard response time. Customers can view the live status of services at https://vidizmo.com/service-status/