
Security at Viant

Our comprehensive information security program covers all aspects of cyber security to protect and preserve the confidentiality, integrity and availability of our data and systems. Viant’s dedicated security team maintains and implements our information security program to protect the data of our customers, partners and employees.

We strive to meet and exceed industry standards to protect our data, systems, and client information. For example, as a public company, Viant adheres to regulatory requirements laid out by the Sarbanes-Oxley Act, or SOX, and follows financial record-keeping and reporting requirements to protect investors. Our compliance efforts consist of regular audits, continuous monitoring, and the implementation of best practices in data privacy.

In addition, we comply with all applicable laws, including applicable privacy laws (e.g., California Consumer Privacy Act, or CCPA). For more information on data privacy, please refer to our privacy center.

Physical Security

At Viant, physical security isn’t overlooked and is an important part of our information security program. Company physical resources and equipment are protected from unauthorized access and tampering. By implementing these physical security measures, we protect our infrastructure from physical threats, ensuring the integrity and availability of our data and services.

Security in our Offices

Access to company facilities, including secure areas within company facilities, is controlled and monitored using badge readers. All critical information systems are stored in secure areas. Access to these areas is strictly limited to employees with a direct need to access the equipment. Applications used to control physical access are implemented with appropriate access controls. Furthermore, logging is configured to monitor all activities. Access badges are deactivated by the company and building management, and collected immediately upon employee termination or when the employees’ job responsibilities no longer require such access.

Surveillance and Monitoring

Security cameras are placed at entry points and server rooms, providing 24/7 surveillance. Camera footage is retained for review as needed. The movement of server equipment into, out of, and within a facility is monitored. Such movement is permissible only with appropriate management authorization.

Endpoint Security

Malware

We prioritize the security of our computers by employing antivirus software and host-based firewalls across all our endpoints, providing continuous real-time protection, regular scanning, and automatic updates to safeguard against the latest threats. These tools are configured to scan periodically and update regularly, and cannot be disabled by the end user.

Endpoint Management

Viant leverages endpoint management software for the security and efficient management of our devices. These controls allow us to enforce security policies, manage device configurations, and automate software updates, ensuring that all endpoints remain compliant with our security standards.

Phishing

Phishing attacks can cause immense damage to a company by compromising the trust of users. Advanced anti-phishing tools are deployed at Viant. Email content and sender information are analyzed for signs of malicious activities in order to quarantine suspicious emails before they reach our employees' inboxes.

Patch Management

We prioritize the continuous improvement and security of our systems through a rigorous patch management process on a quarterly basis. This involves regularly identifying, acquiring, testing, and applying software updates, or patches, to our infrastructure. Verifications are conducted on all patches prior to deployment. After deployment, systems are continuously monitored for performance and availability.

Backup and Recovery

Viant implements backup and recovery processes to ensure the integrity and availability of the company’s information systems while also minimizing the risk of losing assets, sensitive and confidential data, operational capacity, and applications due to unforeseen disruptions. This is done in accordance with our recovery time objectives (RTO) and recovery point objectives (RPO). Full backups are performed regularly for critical systems. Backups are tested routinely to confirm data can be accurately and completely recovered to a functional state.

Backup Management

Data is retained in a manner that provides sufficient capability to restore it to its original form, and with sufficient information to reasonably validate its integrity. This also includes authenticating the date archived and the source of the archived data. Backup media is rotated offsite or mirrored to an off-site location on a regular basis. Backup media is stored and physically secured in accordance with our policies. Backup and data processing jobs are monitored on a regular basis to ensure successful completion. Disruptions are logged, investigated, resolved and stored with supporting documentation.

Network Security

Our Network Infrastructure

The network infrastructure that supports mission-critical applications and systems has built-in redundancies, such as a mirrored site capable of handling diverted traffic, in case of a failure. Our policies lay out our authentication settings on software or hardware utilized for network management. Critical networking equipment is stored in secure areas. Networking equipment is also configured for logging and monitoring.

Network Management Devices

Network management devices, which are utilized in providing access to the environment, are configured to prevent unauthorized access. Equipment is uniquely identified, with information documented regarding its physical location, hardware configuration, firmware version, operating system version, and patch levels. Only authorized network administrators, with a direct need to access network management devices, have access to these devices. Network management devices are maintained and monitored to detect unauthorized intrusions. Configuration, firmware updates and patches to network management devices are tested and approved prior to implementation.

Internal and External Networks

All internal and external network connections are reviewed, tested and approved prior to activation. All communication with external networks is controlled by a firewall or gateway devices. Networks are logically separated from one another. All devices are configured to deny access unless specifically approved. Approved access is documented, tracked and reviewed on an annual basis.

Network Security at our Offices and Remote Work

All Viant office wireless networks are protected using strong encryption, multi-factor authentication, and 802.1X for authentication and authorization. External connections to Viant-owned resources are not allowed unless documented, approved, and reviewed. Employees outside of our offices use a virtual private network, or VPN. Access to company resources via VPN is controlled in accordance with our policies.

Denial of Service

Viant implements a multi-layered strategy to protect against Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. This includes deploying advanced firewalls and utilizing rate limiting to control the number of incoming requests, preventing our servers from being overwhelmed. Additionally, we employ Content Delivery Networks (CDNs) and load balancers to distribute traffic efficiently, enabling availability even under heavy load. Our monitoring tools continuously analyze network traffic for unusual patterns, allowing for real-time detection and mitigation of potential threats.

Logging and Monitoring

Viant follows a logging and monitoring policy to aid in the identification and resolution of faults, errors, and unauthorized access and activity that could affect the integrity of critical systems and data. Logged events include but are not limited to: application faults, data access, failed account logins, attempts to gain unauthorized access, vulnerability exploits, denial-of-service attacks, distributed denial-of-service attacks, and changes to application code, libraries or configurations. Specialized alerts are created for privileged Viant groups and accounts.

Logs Management

Logs relating to system security and program/application changes are reviewed periodically to identify and resolve critical items. Appropriate segregation of duties is in place for logs of high-risk activities. Furthermore, logs are protected from any alterations by end users. Passwords and sensitive personal information are never logged. Logs are aggregated into a SIEM to monitor for anomalous and suspicious activities.

Operational Security

We implement stringent procedures to safeguard our operational processes and sensitive information from potential threats. This involves control of access to data, enabling only authorized personnel to access critical systems and information. We conduct regular security audits to identify and mitigate risks. Additionally, our team follows best practices in change management to ensure that all system updates and modifications are thoroughly tested and documented.

Confidentiality Agreements

Viant recognizes its confidentiality needs and requirements, and those of its clients, vendors and partners. Confidentiality and nondisclosure agreements are used to protect company data by specifying employee, contractor, and third-party information security responsibilities.

External Parties

While internal controls are vital in protecting company information, Viant places equal emphasis on maintaining the security of company information when it is accessed, processed, or managed by external parties. Risk assessments are conducted to examine security implications whenever there is a need to allow external parties to access company information and assets. Agreements are established between the company and external parties which identify the security controls that must be applied before external parties are able to access company data.

User Authentication and Identification

All user access to systems and applications is controlled through the approved authentication mechanism, which consists of a combination of a user ID and a password. User IDs are unique and directly mapped to individual users. Multi-factor authentication (MFA) is required to access all IT services and systems.

User Access Review

User access reviews are performed regularly for all critical systems, applications, databases, and infrastructure. System owners or business information owners review user access privileges on a periodic basis for both regular users and privileged users. The results of these reviews are documented and retained for a minimum of one year.

Change Management

Viant defines the requirements to ensure that all changes implemented into production environments are authorized and appropriate, to minimize unanticipated system and application failures. Changes are reviewed and approved to ensure that the modifications adhere to our policies and standards and to verify that the changes appropriately satisfy intended business objectives. Changes are communicated to affected users in advance of implementation. All changes are logged and documented.

New Hires

Viant conducts criminal background screening of all new hires. In addition, we require new hires to sign a code of ethics and a Proprietary Rights, Data Use, Privacy and Confidentiality Agreement. Viant enforces the use of a user acceptance policy on all employees.

Security Awareness Training

Making sure our employees receive adequate and effective training around security is a top priority. Upon hire, employees are required to undergo security awareness training. Topics include social engineering, phishing, password best practices, office hygiene, and application security. New content is reviewed and pushed to employees bi-monthly. In addition, the security team sends out monthly newsletters to all employees covering various security topics that are pertinent to the business and hot topics in cybersecurity.

Incident Response

Viant has a documented incident response strategy to effectively manage and mitigate incidents in a timely manner. The strategy includes guidelines on how to test our plan and how to notify clients in the event of a breach, and it defines roles for incident response teams. Our incident response team is trained to quickly identify, assess, and respond to potential threats, ensuring minimal disruption to our operations. We follow a structured approach that includes preparation, detection, containment, eradication, recovery, and post-incident analysis.

Our Process

Problems and information security incidents are promptly communicated to the appropriate individuals. In the event of an incident, we promptly isolate affected systems to prevent further damage and work to eliminate the threat. Our recovery procedures aim to restore normal operations as soon as possible while maintaining data integrity. We conduct a thorough analysis to understand the root cause and improve our defenses, ensuring enhanced resilience against future attacks. All reported problems are logged and tracked. Events are periodically reviewed to determine whether there were any unreasonable delays in addressing and resolving the issue.

Escalation

Problems that cannot be resolved by first-level support are escalated following escalation procedures. A list of contacts for each application and each core infrastructure system is maintained. The list includes first-level contacts, as well as second-level and third-level escalation contacts. Viant maintains an active agreement with third-party teams for incident response and digital forensics support.

Business Continuity Plan and Disaster Recovery

Viant has a documented business continuity and disaster recovery program to ensure the resilience and reliability of our operations. Our business continuity plan, or BCP, is designed to identify critical business functions and implement strategies to maintain essential operations during disruptive events. Complementing BCP, our disaster recovery process focuses on restoration of IT systems and data following a disaster. Our approach aims to ensure that we can quickly adapt to and recover from unforeseen disruptions and maintain continuity of service.

Insurance

One key component of our information security program is maintaining insurance in amounts we reasonably believe are necessary to protect against major risks in the context of our size and operations. Our policies are designed to cover a broad range of expenses and are issued by institutions we believe to be financially sound.

Data Security

Viant protects your data. We follow best practices to ensure the confidentiality, integrity, and availability of data across our systems. Our data security measures are complemented by audits and adherence to industry standards and regulations.

Data in Transit

We ensure that data transferred between our systems and networks is encrypted using advanced protocols such as TLS, or Transport Layer Security, to prevent interception and unauthorized access. This encryption safeguards sensitive information as it moves across internal networks, public networks, and the internet.

Data at Rest

Protecting data at rest is critical. Data at rest refers to all data stored on physical or virtual storage devices, including databases, file systems, and backup media. To safeguard this data, we implement encryption protocols that securely encrypt sensitive information when stored.

Data Classification

Classification is fundamental to data security. We categorize data based on its sensitivity and importance, ensuring appropriate levels of protection for different types of information. This process involves identifying and labeling data into distinct classes based on predefined criteria. By classifying data, we can implement tailored security controls to safeguard sensitive information and manage risks effectively. Our data classification policies are regularly reviewed and updated.

Application Security

Viant’s development team follows software development best practices to protect our systems against malicious attacks and data breaches. Our program encompasses the entire software development lifecycle, integrating security practices from design through deployment. Applications get deployed in different environments and testing is done in development and staging environments.

Passwords

A password policy is followed for all accounts. Passwords have a minimum length and are stored salted and hashed according to industry best practices. Security tools are in place to check for exposed secrets in source code.

Secret Management

Application and system secrets are stored and encrypted in a secret storage system. A technical process is in place to rotate secrets in a controlled and safe manner. Access to secrets is restricted based on the need-to-know and least-privilege security principles. The secret storage system logs all use, storage and transmission of secrets.

Vulnerability Management

Viant uses several different services and tools to run security scans on a recurring basis. This includes scanning live environments and checking for usage of vulnerable third-party code. These web application scans and internal pentests are conducted on a regular basis. These scans are reviewed and checked for vulnerabilities.

Contact Us

Viant is dedicated to maintaining rigorous security standards to protect the interests of our clients, partners and employees. For further information regarding our security policies and practices, or if you suspect your account has been compromised, reach out to your account representative or contact us at https://www.viantinc.com/contact/.