Physical security encompasses all the locations where we operate. That includes business offices, data centers and even our laptops. As part of Benevity’s security program, the following is true for each of our physical locations:
- CCTV cameras are in place and footage is stored per our security policies.
- Electronic locks with key cards/fobs, which are assigned according to a strict access management procedure for granting, revoking and changing access.
- Various security zones with restricted access based on job role.
- All access attempts (successful and failed) are logged, with logs stored per our security policies.
- All visitors are registered and escorted, with the registry stored per our security policies.
- A clean desk/clean whiteboard policy.
But the physical security at the data center (where your data is stored and processed) goes above and beyond these standards. Benevity uses Amazon Web Services (AWS), a leader in the cloud hosting space, and its data center controls include:
- Data center access is restricted to AWS employees and contractors.
- Data centers are controlled by professional security personnel.
- Redundant power and network services.
- Fire detection and suppression.
- Climate and temperature are strictly controlled.
- Media are handled per NIST 800-88 guidelines for sanitization.
We subscribe to the AWS shared responsibility model where AWS operates, manages and controls the components from the virtualization layer down to the physical security of the facilities where the services operate. Our responsibilities are up the stack from the guest operating system and include the network configuration, databases and applications. This framework and model are made clear to all Benevity teams involved, including our:
- Site Reliability Engineering team
- Security Operations team
- Governance & Controls team
- Product Development team
To fulfill this responsibility, Benevity follows industry best practices and subscribes to the AWS Well-Architected Framework for the design of all our systems.
Benevity has a dedicated Security Operations team with many years of combined experience in securing enterprise IT environments and security-incident response. We also periodically engage Managed Security Service Providers from reputable, globally recognized companies. This team has developed a security practice that includes:
- DDoS protection.
- File integrity monitoring.
- Intrusion prevention system.
- Security information and event management.
- Continuous web application security scanning and business logic assessments conducted by an independent third party.
- Vulnerability management and patching policy.
- Network penetration testing conducted by an independent third party.
A formal Change Advisory Board enforces Benevity’s controls over changes to production systems, including:
- Maintenance and controlled access to a production environment and several non-production environments (development, test, staging, etc.).
- Ensuring every change to Benevity’s system is appropriately authorized.
- Testing of changes by dedicated in-house Quality Assurance people before production.
- Thousands of automated tests prior to production.
- Segregation of Duties (SoD); progression of changes through different environments.
- Maintaining a system of segregation of incompatible duties.
Logical security involves controlling access to IT systems and making sure people have a valid reason to access, read or modify business information. Benevity maintains a system of role-based access controls, as well as the necessary processes to support:
- Access on a need-to-know and least-privilege basis.
- Documented access requests and approvals.
- Periodic reviews of access to ensure those who have it still need it.
- Authentication controls including strong passwords and multifactor authentication.
At Benevity, we recognize that security risks go beyond IT systems and include a human element. As such, we use significant resources to maintain a high level of security awareness among our people. This helps them understand the security requirements of our clients and the regulations we are subject to, as well as emerging security threats. Everyone at Benevity goes through formal security awareness training and regular phishing simulation testing. And many informal training opportunities are available to our people, including seminars, hands-on activities and question-and-answer sessions with security personnel.
Before a nonprofit can take part in our ecosystem, our dedicated vetting team makes sure they’re in good standing with the authorities in their region. Our vetting process also involves initial and pre-disbursement searches of the organization against a third-party database that aggregates over 1,200 sources for sanctions lists, enforcement actions and adverse media.
Benevity’s team has implemented several fraud detection and prevention measures. These include manual and automated procedures to maintain the integrity of the transactions in our system and minimize abuses.
We all know that bad things sometimes happen to good people, and we spend a fair bit of time thinking about the different kinds of risks that threaten our company and our clients’ good work. Our dedicated Business Continuity Planning committee performs periodic business-impact assessments and oversees Benevity’s Disaster Recovery Plan, and the testing of that plan. Data is replicated across two AWS hosting regions, with each region consisting of multiple “availability zones” (independent data centers) to ensure redundancy and high availability. Our recovery-time objective is four hours.