Arize Trust Center

Asset management is a systematic approach to the governance and realization of assets a group is responsible for over its life cycle. 

At Arize, our Access Management practices include:

• Kandji MDM

• Cloud provider native inventories

• On/offboarding monitoring

• Monitoring with Vanta

• Slack and emails notifications for missing assets

Identity Management is a framework used to ensure that users have the appropriate access to technology resources at all times. 

At Arize, Identity Management practices include:

• GSSO for sign-on for employees

• Maintaining SSO capabilities within our product

• SSO support as a security cornerstone: single pair of credentials, enhanced UX, regulatory & compliance requirements, and service integrations

.

.

Governance is the overall policies and processes which determine how organizations identify, mitigate, and respond to cyber incidents. 

At Arize, Governance includes: 

• A holistic understanding of various compliance standards 
• Executive and board oversight
• Regular compliance audits

Change management encompasses all approaches to prepare, support, and help teams make organizational change.

At Arize, our Change Management system is broken down into a few phases:

• Planning: Design implementation, scheduling, communication plans, test plans, and rollback plans

• Evaluation: Understanding the risk of change to determine the change type and process

• Review: Overview of the change plan within teams

• Approval: Change approval by management and/or other appropriate change authorities

• Communication: Ensure communication with the appropriate parties and informed stakeholders

• Implementation: Implement the change

• Documentation: Document the change and any review and approval information

• Post-change review: Review the change for future improvements

Patch management is the process of distributing and applying updates to software. 

Patch Management at Arize includes:

• Kandji for user endpoints
• Dependabot for dependencies updates
• Grype for Docker images

Network security includes the policies and practices adopted to prevent, detect and monitor unauthorized access to a computer network and resources.

At Arize, Network Security practices include: 

• Proper deployment stack configurations
• Access control policies and procedures
• Active detection and mitigation plans
• Routine network security reviews
• Key metrics for security efficacy

Endpoint security is the process of protecting devices such as desktops, laptops, mobile phones, and tablets from malicious attacks:

At Arize, Endpoint security procedures include:

• Mobile Devise Management System using Kandji
• Anti-malware system using Bitdefender
• Proper logging, monitoring, and auditing with Vanta and GCP trails

Risk management is the identification and evaluation of risks to minimize, monitor, and control the probability and impact of malicious attacks. 

At Arize, Risk Management practices include:

• Annual risk assessments
• Organizational risk identification with executive management
• Specific risk management procedures

Threat management is a framework used to manage a threat in an effort to identify and respond to an incident in the quickest and most effective way possible.

At Arize, Threat Management practices include: 

• A comprehensive incident response plan with constant testing & updating
• Monitoring and alerting internal systems 
• Accurate filtering using automation & severity triggers
• Dedicated risk workflows in case of an incident

Penetration Testing is an authorized simulated cyberattack on a computer system to evaluate the security of a system 

At Arize, Penetration Testing includes: 

• Annual testing with Cobalt.io
• Github tracking for findings and remediations
• Prompt retest upon fix implimentation

Vulnerability Management is the cyclical practice of identifying, prioritizing, remediating, and mitigating software vulnerabilities.

At Arize, our Vulnerability Management includes: 

• Clear vulnerability management policy and procedures
• Vulnerability classifications
• A log of remediation time stamps 
• Risk scores using CVSS and Environment Score Metrics
• Vulnerability scans: pentests, intruder, dependabot
• CVE monitoring

Application security introduces a secure software development life cycle practice to engineering teams. This helps teams find, fix, and prevent security issues at the start.

At Arize, Application Security includes: 

• Secure software development policies
• Secure coding training and on boarding
• Dependabot
• Peer code reviews
• Bug bounties

Privacy Regulations encompass the proper handling of data concerning consent, notice, sensitivity, and regulatory concerns.

At Arize, Privacy Regulation practices include:

• Properly trained DPO
• All customer data is treated as private/confidential using appropriate safeguards, proper access control, encryption at rest and in-flight, detailed logging, monitoring, alerts, and auditing, and prompt action on high ranked alerts
• Effective routing and actions for the right to remove requests 
• Documented “DLP” safeguards
• The use of the Fair Information Practices guideline

Configuration management is a process for establishing and maintaining consistencies of a product’s performance, functional, and physical attributes with its requirements, design, and operational information throughout its life.

At Arize, our Configuration Management practices include: 

• Infrastructure as code using Terraform and Bazel
• Clear lineage tracing in Git with Git approval workflows
• Drift measurements when configurations change externally

A security operations center is a centralized unit whose primary responsibility involves security issues at an organizational and technical level.

At Arize, our Security Operations Center includes:

•  A Back Office Portal which includes a status page, access management, and cross-referencing and monitoring compliance requirements

Threat detection is the practice of analyzing the entirety of a security ecosystem to identify any malicious activity that could compromise the security of our platform. 

At Arize, our Detection and Response practices include: 

• Cloud Provider intrusion detection services
• User endpoint protections

Third-party risk management focuses on identifying and reducing risks relating to the use of third parties. 

At Arize, our Third-party Risk Management practices include:

• TPSP policies and procedures such as the due-diligence processes, TPSP monitoring, Upguard, etc. 
• Inventory and risk ranking of TPSP
• In-depth understanding of the shared responsibility matrix
• Comprehensive impact analysis of TPSP in BCP and contingency planning

Compliance involves meeting various controls used to protect the confidentiality, security, and availability of data.

At Arize, our Compliance practices include:

• Implementation of policies and procedures such as standards documentation, clear and rigorous compliance policies, and exceeding compliance certification requirements
• Proactive risk mitigation plans
• Clear security controls
• Thorough systems monitoring set forth by compliance standards
• Key metrics for measuring compliance standards and the efficacy of the ISMS 
• Annual third-party certification audits