We hold ourselves to the highest documented standards in the industry, including FedRAMP and ISO 27001
Modus invests heavily in the protection of client information entrusted to us for eDiscovery and Information Governance services. Our team has decades of experience building and sustaining the technologies and management controls necessary to provide the highest possible levels of protection. It is literally our policy never to assume that controls are in place; continuing third-party audits and certifications validate that we are keeping pace with the ever-changing threat vectors.
Regardless of the validation form, Modus has been awarded the highest levels of information security validation. These awards require ongoing audits to validate that the controls at Modus remain in place, are effective, and keep pace with the threats to our environment.
BEWARE of service firms with only associations to certified services.
Information Security is a team sport at Modus. The entire leadership team, representing executive management, Operations, Finance, Human Resources, Sales, Marketing and, of course, Information Technology, is included in the oversight of security. This is our Information Security Management System (ISMS) Committee, which provides the resources, communication, and collaboration necessary to protect our environment.
To ensure this is effective throughout the company, all employees and contractors are trained and tested in our information security processes. Our ISO 27001-certified ISMS provides the foundation for the information security culture at Modus.
Modus Information Security policies, procedures and related controls encompass a broad spectrum of operational areas with detailed requirements within each. These control requirements are defined by the Federal Risk and Authorization Management Program (FedRAMP) and the International Organization for Standardization (ISO) to validate that Modus’ operations are sustaining the highest levels of security. The status of all controls and security metrics is reported to the Modus ISMS Committee on a quarterly basis. Control areas include:
Assessing and addressing risks is an ongoing process at Modus. Our risk assessment and treatment process is inventory-based, including hardware, software, people, third-party providers, and partner firms. In addition, risk updates are reported quarterly to the Modus leadership with a full reconciliation annually.
The leadership team reviews the security objectives and metrics on a quarterly basis and reconciles all resources necessary to address any issues. Having the entire executive team in the oversight of security ensures that resources are well coordinated and communicated.
Our service acquisition process requires that all software and partners sustain adequate levels of certifications to be included in our service portfolio. We assess this annually to validate that all partner services remain well controlled.
Modus sustains an ISO 27001 certification and the FedRAMP Moderate authorization to qualify our service to current and potential clients. These awards give Modus instant credibility in managing information security.
Background checks, performance management, training, and formal onboarding and offboarding are only a few of the measures Modus takes in managing the people side of information security.
Most of our “Physical” controls are delegated to Amazon Web Services, which invests over $50 billion annually in securing and evolving its services. Its security standards meet or exceed the highly stringent FedRAMP standards.
Modus plans for contingencies ranging from minor outages to pandemics. Our service level agreements have been attained throughout the pandemic. All contingency and disaster plans are fully tested with training on an annual basis. Our Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are 24 hours.
Modus has “System Hardening Standards” that cover both commercial and government businesses. These include compliance with NIST Security Technical Information Guides (STIGs) to meet government standards. We also deploy automated configuration management services using AWS and Microsoft tools.
We have Tenable vulnerability scans running and reporting daily. Modus reserves the third Saturday of each month for all remediation maintenance activities and plans the updates in the two weeks leading up to this event. Interim maintenance is performed for priority issues as they arise.
Modus has deployed CrowdStrike as the next generation of malware and abnormal behavior protection. We also run Agile Blue as a SIEM for further protection against data loss and for intrusion monitoring. It’s not sufficient to only check for malicious files. We need to monitor memory (RAM) for any suspicious activity in our environment. Both are monitored 7x24x365.
Modus uses FIPS 140-2 validated encryption for our data managed through removable media. We provide FIPS 140-2 validated FTP services and AWS Snowball media as alternatives for data transfers. Our management of physical media has proven solid for the chain of custody of evidence.
Incident identification and response at Modus combines a Security Information and Event Management (SIEM) service monitored 7x24x365 with manual incident management based on collaboration across all employees. Modus Data Protector (powered by Agile Blue) provides Artificial Intelligence and Machine Learning to identify and respond to incidents.
Both our government and commercial businesses require an ongoing training and communication process focused on information security. Our employees are part of a fully collaborative process to evolve and sustain the protection required by our clients.
Modus requires multi-factor authentication for all services and uses Okta as the gateway for our identification and authentication. The standards are based on FedRAMP Moderate requirements. Access to all critical services is managed through SAML 2.0.
Modus access allocation is role-based and administered according to FedRAMP and ISO 27001 controls. All services and data are assigned an “Owner” who reviews and affirms access quarterly. Onboarding and offboarding ensure that access is established and terminated in a timely manner.
All data at rest and in transit is encrypted. Our government environment mandates that all encryption be based on FIPS 140-2 validated technologies. Even the communication between servers internal to the environment sustains this level of encryption.