Regarding Rubica’s Internal Security

Security is our number one priority and is on our minds in everything we do, from how we maintain the Rubica system to how we run our internal operations. Transparency is key and we want our customers to know how we handle their data. If we wouldn’t use Rubica ourselves and didn’t trust the security, we wouldn’t expect others to use it either. We’ve built Rubica from the ground up, with security controls that will help you (and us) sleep at night knowing that all data and systems are as secure as possible.

Ops Security

All Rubica employees undergo extensive background investigations and we have a strict offboarding process that ensures access to systems and customer data is removed immediately when an employee leaves or is terminated.

Physical Security

We utilize data centers that have been thoroughly vetted and have strict physical security controls (e.g. RFID badges, biometrics, barbed wire fences, video surveillance, motion detection, and access logging) to ensure the data centers are secure. The data centers limit access for entry and utilize the principle of least privilege for access. Additionally, we utilize SSAE 16 SOC 2 Type 2 audited/compliant data centers in each geographic location whenever our data center providers make them available.

Data Security

Information about our data security can be found at https://rubica.com/data-security-policy/

Network Security

Our Internal Network is protected by an enterprise-grade firewall/IDS/IPS system and we utilize Network segmentation to keep the Network secure.  Our Network is protected against DDoS attacks, as well as other well-known Network attacks.  We routinely scan our Internal Network for vulnerabilities and document remediations.

Device Security

All company devices are hardened, adhering to the highest security standards, utilize full-disk encryption, and have MDM software that allows for remote wiping if the device is ever lost.

Insider Threat Program

Rubica has created a custom Insider Threat Program to protect the company, intellectual property, and customer data from being compromised.

Cyber Security Awareness

Whenever someone joins Rubica, they complete a mandatory Cyber Security Training to bring them up to speed with cyber security principles and best practices.  Topics covered include:

  • Passwords & Multi-Factor best practices
  • Attack vectors (e.g. phishing, social engineering, malware)
  • Device security and how devices can be properly secured and hardened
  • Digital footprint (e.g. PII and how it can be easily accessed online, social media best practices)

We’ve built a custom management learning system to help further educate employees on cyber security best practices.

All Rubica staff complete ongoing training related to cyber security and emerging threats to ensure staff are well trained and informed about potential security threats.  Additionally, mandatory quarterly Cyber Security Awareness trainings are completed by all employees.

Internal PenTesting

Rubica Internal Networks and devices are pentested to determine vulnerabilities.  If vulnerabilities are discovered, they are immediately remedied and documented.  Additionally, all employees are randomly tested with various simulations (e.g. phishing, social engineering) to identify any weak points in cyber security awareness.  If an employee fails an internal pentest simulation, they are coached on how to better handle future “attacks.”  The goal of these internal simulations is to ensure all employees have a firm grasp on utilizing strong cyber hygiene and how to safely use devices and systems at work and at home.

Vetting

Any cloud app/service Rubica uses (e.g. e-mail, collaboration software, messaging apps, etc.) has been thoroughly vetted to ensure it adheres to our strict security requirements.  If we can’t recommend it to a customer, we won’t use it.  Further, if we determine that an app/service we are using is no longer secure, we will immediately stop using it and switch to a secure alternative.  All vetting is documented and outlines the security controls and weaknesses, along with a final synopsis on any risks with using the app/service.