Our service agreements provide for the confidential treatment of confidential customer information, including customer data. We also require all our employees, contractors and vendors to sign confidentiality agreements to ensure the protection of confidential information.
(Principle of Least Privilege)
Utility2030 follows the principle of "least privilege" in governing employee access to our systems. Access to our customers' data is limited to legitimate business needs, including activities needed to support our customers’ use of our services. We map network accounts directly to our employees using a unique identifier; generic administrative accounts are not used. We periodically review employee access to internal systems to ensure that employees’ access rights and patterns are commensurate with their current positions. A formal employee termination notification process exists, which is initiated by our Human Resources ("HR") department. Upon notification by HR, all physical and system access is promptly revoked.
We train all new employees about their confidentiality, privacy and information security obligations as part of their onboarding training. A compulsory annual security and privacy training ensures employees refresh their knowledge and understanding. Engineering teams receive further training related to their work duties and access.
Our employee workstations are automatically locked after a pre-determined period of non-use via the MDM system we have implemented.
All employee workstations are encrypted and are wiped at the time of decommissioning using DoD standards.
Utility2030 employees are required to provide specific documents verifying identity and undergo federal and state criminal background checks prior to being hired.
Utility2030 has implemented appropriate controls to restrict physical access to its offices. Our cloud service providers have implemented robust security measures to control physical access to the data processing facilities we use.
We have an independent, third-party security vendor conducting manual penetration testing of our internal and external infrastructure and services on an annual basis. This manual testing is complemented by automated testing on a more frequent, regular basis using a variety of commercially available testing tools.
Utility2030 uses a number of automated scanning tools to scan for cloud, network and application security vulnerabilities on a frequent basis.