Overview


Organizations must adopt a comprehensive approach to ensure high-quality data for successful digital transformation. This approach involves integrating the right people, processes, and tools. Whether the goal is to enhance customer centricity, improve analytics, or comply with regulations, it is crucial to implement an enterprise data security and privacy control program. This program ensures that the data driving various initiatives are consistently trustworthy, high quality, and readily available to those requiring it. 


VIDIZMO is a robust video streaming and management platform that strongly emphasizes security and privacy. Its primary focus is to empower users by facilitating collaboration and enabling access to integrated, high-quality data that is dependable, safeguarded, and consistent. 


This document offers an overview of the security and privacy controls enforced by VIDIZMO at the application level, in the cloud on Azure infrastructure (Commercial and Government), and on-premises in the customer's data center. It illustrates how these controls align with security requirements such as those stated in Section 3 of the NIST FIPS 200 publication.


Confidence In Security & Privacy Controls: Leveraging Strong Features and Integrated Capabilities  


Comprehensive Encryption 

VIDIZMO provides comprehensive encryption that protects users' media in both "at rest" and "in transit" phases.  


End-to-End Governance  

VIDIZMO enables tight integration with organizational retention policies, access permissions, and network requirements, including:


Granular Role-Based Security 

Granular role-based security gives users precise control over creating videos, live events, channels, and categories. They can specify which users can make content public and establish approval workflows for video assets. 


Trusted Access Controls 

Trusted access controls provide the ability to define specific permissions for users or groups regarding viewing or editing videos and webcasts. The users can determine if the content is for internal or public consumption.

 

Activity Tracking Insights 

User activity tracking enables tracking of any changes made to any video or media within VIDIZMO. It allows users to access detailed information about the specific modifications and identifies the system user responsible for the changes.

 

Versatile SSO Integrations  

VIDIZMO supports single sign-on (SSO) integration with over 25 different SSO service providers, facilitating seamless authentication across various platforms. Additionally, VIDIZMO allows user import through Active Directory, enabling centralized access management.


The Foremost Cloud Infrastructure 

VIDIZMO runs on Microsoft Azure and Amazon Web Services, the world's leading cloud infrastructure providers, to ensure the highest availability, security, and scalability levels. 


Ensuring Regulatory Compliance

The application offers robust compliance for CJIS, FIPS 140-2, FIPS 200, HIPAA, Schrems II, GDPR, CCPA, ADA Section 508c, WCAG, and more, through a wide range of features. VIDIZMO also offers infrastructure-level compliance with Azure Cloud Environment (for CJIS and other regulations) and with partnerships like ProjectHosts (for FedRAMP). Users can trust the platform to meet stringent regulatory standards and safeguard their data and operations.  


Meeting NIST FIPS 200 Security Requirements: How VIDIZMO Ensures Compliance

Access Control (AC) 

  • VIDIZMO offers Role-Based Access Control (RBAC) to prevent unauthorized access.
  • VIDIZMO allows users to secure the platform by disabling anonymous access. 
  • VIDIZMO allows users to configure Single Sign-On (SSO) to synchronize users' and groups' information. 
  • VIDIZMO allows users to synchronize users' and groups' information with their directory through separate SSO per portal. 
  • VIDIZMO allows users to automate user and group provisioning/de-provisioning through SCIM and define rules to grant permissions based on pre-defined roles. 
  • VIDIZMO allows users to define custom security policies organization-wide or per department, including restrictions on anonymous access, external sharing, downloads, and delegation of access.
  • VIDIZMO offers users a password-protected media option, which allows users to control access to media by setting up a password. 
  • VIDIZMO offers an automatic login timeout feature that allows users to set a time frame for inactivity, after which a user is automatically logged out. 
  • VIDIZMO also locks a user out after multiple failed login attempts to the portal.
  • VIDIZMO offers whitelisting/blacklisting of IP pools to limit access from specific domains or geographic regions. 
  • The VIDIZMO application offers email-based multifactor authentication to ensure that only authorized users can log in to the portal.
  • Limited-access URLs to portal media are tokenized, so that access can be controlled by factors such as expiration, a limited number of views, a limited sharing duration, and email sharing with guests.
  • VIDIZMO logs the reasoning behind access to portal media, providing a clear audit trail and accountability for user activities. 
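The following is an added illustration of how a tokenized, limited-access media URL of the kind listed above can be enforced: an HMAC-signed token carrying the media id, an expiry time and a maximum view count, verified server-side before each playback. It is example code written for this document, not VIDIZMO's implementation; the secret key, claim names and in-memory view counter are assumptions.

```python
# Expiring, view-limited media access token (illustrative design, not VIDIZMO's code).
import base64
import binascii
import hashlib
import hmac
import json

SECRET_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: a server-side secret


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(media_id: str, expires_at: int, max_views: int, key: bytes = SECRET_KEY) -> str:
    """Build 'payload.signature' where the signature is HMAC-SHA256 over the payload."""
    claims = {"m": media_id, "exp": expires_at, "v": max_views}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


# Constructed in-memory view counter; a real deployment would keep this in a shared store.
_view_counts: dict[str, int] = {}


def check_token(token: str, media_id: str, now: int, key: bytes = SECRET_KEY) -> tuple[bool, str]:
    """Verify signature, media binding, expiry and view quota; count the view if allowed."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return False, "malformed"
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False, "bad signature"
    claims = json.loads(payload)
    if claims["m"] != media_id:
        return False, "wrong media"
    if now >= claims["exp"]:
        return False, "expired"
    used = _view_counts.get(token, 0)
    if used >= claims["v"]:
        return False, "view limit reached"
    _view_counts[token] = used + 1
    return True, "ok"
```

Every denial reason is returned explicitly so that it can be written to the access audit trail alongside the allowed views.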

Awareness and Training (AT) 

  • VIDIZMO adheres to applicable laws, regulations, and industry standards, ensuring its solutions comply with information security requirements. 
  • VIDIZMO provides comprehensive educational resources to raise awareness of security risks and best practices. Regular internal training sessions and completion certificates further enhance employee cybersecurity awareness. 
  • VIDIZMO offers relevant documentation and conducts 2-hour "train-the-trainer" sessions upon deployment, enabling customers to train additional personnel effectively. 
  • VIDIZMO provides ongoing support, including access to a dedicated support team. They assist users in addressing security concerns, offering guidance on best practices, and resolving security-related issues. 

Audit and Accountability (AU)

  • VIDIZMO maintains comprehensive logs/chain of custody of user activities, system events, and access attempts. These logs enable forensic analysis, monitoring, and compliance audits, ensuring accountability and transparency. 
  • Utilizing the SHA-3 algorithm, VIDIZMO generates hash values to detect tampering and maintain media integrity.
  • VIDIZMO retains audit reports from portal creation until purged, ensuring long-term accountability records.
  • VIDIZMO allows easy exporting of audit reports in PDF or CSV files for further analysis or compliance purposes.
  • VIDIZMO provides an activity flagging and notification option. Notifications enable the flagging of specific activities within the portal, enhancing visibility and prompting action.
  • VIDIZMO implements a content moderation workflow to prevent unauthorized or unwanted publishing of content, ensuring controlled and approved access. 

Certification, Accreditation, and Security Assessments (CA) 

  • VIDIZMO's hosting facility in Microsoft Azure Cloud meets global compliance standards, including ISO 27001, FedRAMP, SAS70, SOC 1, SOC 2, and NIST SP 800-53. For more information, visit: Azure Compliance 
  • VIDIZMO conducts regular assessments of security controls, identifying vulnerabilities and implementing action plans to address them. 
  • VIDIZMO performs various tests, including static and dynamic code tests, functional tests, software composition analysis, and penetration tests, to ensure the effectiveness of security controls. 
  • VIDIZMO has a well-defined security incident response plan in place to address security incidents promptly and effectively. 
  • VIDIZMO has a dedicated team that monitors the facility, systems, and personnel activities to ensure the continued effectiveness of security controls. 
  • VIDIZMO implements factors such as SSO configuration via Azure AD, MFA/OTP, and whitelisted email domains to ensure authorized operations of information systems. 

Configuration Management (CM) 

  • VIDIZMO implements configuration management practices throughout the system development lifecycle. 
  • VIDIZMO has a dedicated team that establishes and maintains baseline configurations and inventories of information systems, including hardware, software, firmware, and documentation. 
  • VIDIZMO enforces security configuration settings for its IT products, ensuring proper configuration and security. These settings encompass network configurations, access controls, encryption, logging, and more. 
  • VIDIZMO collaborates with the organization's Business/Enterprise IT team to configure firewalls for internet access to specific URLs that need to be enabled or whitelisted in the organization's firewall. 

Contingency Planning (CP) 

  • VIDIZMO environments benefit from Azure Defender, which offers real-time activity monitoring and periodic vulnerability assessments. 

  • VIDIZMO conducts independent internal and external penetration tests annually, with network penetration testing performed at least once per quarter. 

  • VIDIZMO has a comprehensive Disaster Recovery Strategy in place. A formal risk assessment determines the requirements, and the strategy covers essential technology elements, systems, and networks aligned with key business activities. The Disaster Recovery Plan undergoes periodic testing in a simulated environment to ensure effective implementation during emergencies. The DR lead keeps the Disaster Recovery Strategy document up to date to accommodate changing circumstances.

Identification and Authentication (IA) 

  • VIDIZMO supports various authentication methods, including username/password, Single Sign-On (SSO), and social login options.
  • Integration with industry-standard protocols such as SAML, OAuth, and OpenID Connect ensures secure identification and authentication processes.
  • VIDIZMO uses the System for Cross-Domain Identity Management (SCIM) for user provisioning, so that users added to the identity management system have their accounts created automatically in VIDIZMO. SCIM provisioning can be configured with several Identity and Access Management (IAM) services such as Okta, OneLogin, Ping, Centrify, and ForgeRock.
  • VIDIZMO offers a SCIM 2.0 REST API, eliminating the pain of working with proprietary user management APIs.

Incident Response (IR) 

  • The VIDIZMO Incident Response Center handles identified security vulnerabilities, expected and unexpected downtimes, and critical security updates.

  • VIDIZMO team has predefined SLAs that categorize incidents to different severity levels, each of which has a defined incident response protocol that the VIDIZMO support team follows.  

  • The incident response plan is in place to address potential security incidents and respond to them in a timely and effective manner.  

  • It outlines the procedures and steps that VIDIZMO takes in the event of a security incident, such as a data breach, system compromise, or other security incident. 

  • We review our documented Incident Response Plan on an annual basis. 

  • All incidents are documented and reported for future reference and shared with relevant stakeholders. 

Maintenance (MA) 

  • The VIDIZMO team provides end-to-end maintenance, or cooperates with the customer's internal teams, for the underlying infrastructure, including Windows operating system and SQL Server maintenance as part of our managed services.

  • The team follows the enterprise IT policy to install any patches, updates, or upgrades as required by the customer, based on their chosen Support Plan.

  • For any hardware and network-related issues in the cloud or customer data centers, the VIDIZMO team coordinates with the service provider to resolve these issues.   

  • At Azure, Microsoft conducts physical security reviews of the facilities periodically to ensure the data centers properly address Azure security requirements.   

Media Protection (MP) 

  • VIDIZMO ensures data protection through encryption during transit with SSL and at rest with the AES-256 encryption cipher. 

  • Secure streaming protocols, such as HTTPS, are employed to safeguard video content during playback. 

  • Communication with various components is secured with Transport Layer Security (TLS) protocol. 

  • Within the VIDIZMO organization, all internal and assigned systems, such as laptops, have their disks encrypted. 

  • Access-protected backup sets are restricted to authorized personnel only.

  • Backup protection hardening capabilities include snapshots and local accounts, along with MFA for admin access to the console. 

  • VIDIZMO employee inboxes are protected by Office 365 ATP (advanced threat protection) to remove malicious emails. 

  • At the infrastructure level, the VIDIZMO application data on Azure is protected using data segregation, at-rest data protection, in-transit data protection, data redundancy policies and more. Read more at Azure customer data protection.  

  • Microsoft Azure also executes a complete deletion of data on customer request and on contract termination. 

Physical and Environmental Protection (PE) 

  • VIDIZMO ensures there is no unauthorized access to the systems within VIDIZMO's office premises.  

  • The facilities are protected with facial detection and biometric identification.  

  • The systems in the organization are restricted for access with:
      • VIDIZMO's Azure AD
      • 2-step authentication
      • Strong password policies for complex and periodically updated passwords.

  • VIDIZMO also provides relevant training and awareness to prospects for ensuring the physical security of data and systems when deployed on-premises.  
  • For Azure datacenters, where the VIDIZMO application is hosted, Microsoft designs, builds and operates datacenters in a way that strictly controls physical access to the areas where customer data is stored. For more information, refer to Azure facilities, premises, and physical security. 

Planning (PL) 

  • VIDIZMO has developed and documented numerous SLAs and strategies for the implementation of security controls across the platform and infrastructure, such as our: 

  • Every 6 months, security policies are reviewed and revised if necessary.   

  • Documentation is also periodically updated to meet the requirements of customers and comply with updating industry standards.  

  • Likewise, Azure documents their best practices for security and data protection on their website at Azure security fundamentals documentation. 

Personnel Security (PS) 

  • VIDIZMO conducts thorough background checks of all employed individuals to ensure the security of organizational data.  

  • When an individual is terminated, all accounts are immediately locked to restrain the individual from further accessing VIDIZMO data.   

Risk Assessment (RA) 

  • VIDIZMO performs vulnerability scanning of our external and internal networks and tracks the remediation of critical and high-risk issues.  

  • All VIDIZMO environments are protected by Azure Defender, as our Endpoint Detection & Response platform across all systems, and the team does periodic assessments of vulnerabilities. 

  • Data is encrypted at rest using AES 256 and in transit using HTTPS for both the tenant and within production environments.  

  • Content encryption capabilities are provided within the application upon the request of the customer as an additional feature.  

  • VIDIZMO cloud service relies on VMs, VNET, and Storage accounts, among other services, each of which is deployed and configured based on clearly defined security parameters.  

  • Microsoft Azure, where VIDIZMO is deployed, has its own set of Risk Assessment policies in place. Read further in the Azure Risk Assessment Guide.

System and Services Acquisition (SA) 

  • VIDIZMO has adequate resources in a dedicated team to protect and maintain organizational information systems. 

  • Group policies are enforced for departments for software usage restrictions.  

  • To protect interdepartmental unauthorized access, individual teams are restricted from access to confidential and sensitive elements, such as code, that are not relevant to the scope of their responsibilities.  

  • All VIDIZMO infrastructures are built with the latest hardware and are equipped with regularly updated, licensed operating systems and software.   

  • Rules are placed on the organization's firewall to prevent risky downloads or other malicious media from entering the network.

  • VIDIZMO, as an organization, also does not outsource any services to third-party providers.   

System and Communications Protection (SC) 

  • VIDIZMO has implemented rules on our Microsoft Exchange server that block any emails which could potentially cause organizational loss, such as data breaches through source code leaks.
  • VIDIZMO uses Agile methodology over DevOps for our software development techniques. 
  • The development process incorporates Continuous Integration and Continuous Delivery (CI/CD) within our software development practices, in which incremental code changes are made frequently and reliably.   
  • MS Teams, which is end-to-end encrypted, is used for internal communications.

System and Information Integrity (SI) 

  • The VIDIZMO team identifies issues and acts proactively to preserve the integrity of systems and the information they contain. Some of the measures taken by the team include:
      • Constant monitoring and checks of systems
      • Running diagnostics to identify issues and performance bottlenecks
      • Blocking of unwanted downloads
      • Implementation of multiple layers of security, including firewalls, intrusion detection and prevention systems, and anti-malware software.
      • Use of industry-standard anti-malware solutions that are regularly updated to ensure protection against the latest threats.
  • Security controls are in place for protecting PII (Personally Identifiable Information), such as "Have I Been Pwned" (HIBP), to alert on:
      • leaked credentials
      • encryption keys
      • session tokens
      • sensitive data

  • VIDIZMO uses Azure Security Center, which provides 24-hour monitoring and alerting of critical events. This includes service uptime notifications and security alerts, allowing the team to proactively take appropriate actions in standard response time. Customers can view the live status of services at https://vidizmo.com/service-status/