Security

Last updated on May 12, 2022

Security Overview

Corporate

All LVT employees undergo regular security training to ensure that security is always a central focus. Security training covers topics such as phishing detection, physical security best practices, cybersecurity best practices, and more. Additionally, access to all of our internal systems is controlled by a comprehensive identity and access management system, which utilizes single sign-on and multi-factor authentication (MFA).

Infrastructure

LVT infrastructure is only accessible via a hardened virtual private network (VPN) connection, which requires an active account protected by MFA to authenticate. Access to the LVT cloud environment is restricted by job role and the principle of least privilege and is enforced by a comprehensive identity and access management system. Our state-of-the-art advanced analytics tools detect threats or vulnerabilities to the LVT infrastructure.

Edge

Edge systems are connected to the LVT Platform via a private network with various internet service providers (ISP). The private network connection with the ISPs ensures that communication between the edge unit and the LVT Platform is private and secure.

Platform

The LVT Platform uses role-based access controls to ensure that users only have access to the resources they need. The portal supports SAML and sign-in with Google for organizations wishing to use their own identity provider. All connections to our web portal are encrypted using TLS 1.2.

Security

You can find more information about our vulnerability disclosure practices here.

Last updated on April 25, 2024

Customer Pentesting Policy

Purpose

This policy outlines the procedures and requirements for external customers who wish to conduct penetration testing on LVT's products and services. Our aim is to ensure that all testing is conducted safely, responsibly, and in compliance with legal and operational guidelines.

Scope

This policy is applicable to all external large enterprise customers, seeking to perform penetration tests specifically on our staging servers, avoiding impacts on production environments.

Requirements


1. Non-Disclosure Agreement (NDA)

All tests must be conducted under a signed NDA to protect the confidentiality and integrity of data and findings.

2. Pre-Approval

Requests for penetration testing must be submitted to our security team via email (security@lvt.com) at least 10 business days before the intended start. The request should include:

  • The request must include:
    • Testing dates, times, and time zone
    • Tester's name or company
    • Contact information of the primary tester
    • Source IP addresses for the test
    • Detailed scope of testing (areas of interest, methodology, attack vectors)

3. Tester Training Requirements

All testers must possess relevant certifications (e.g., OSCP, CEH) and/or demonstrate experience in conducting penetration tests. Testers should also undergo regular training to stay updated with the latest security practices and technologies.

4. Communication Plan

Vendors should outline their proposed communication plan, detailing:

  • Preferred channels and frequency of updates during the engagement.
  • The process for immediate reporting of critical vulnerabilities discovered.
  • Protocols for purple team interactions, ensuring seamless coordination during simulated attack scenarios.

5. Testing Restrictions

  • No Social Engineering: Tests targeting our personnel or systems through social engineering are prohibited.
  • No Denial-of-Service (DoS): Tests that could degrade or disrupt services are not allowed.
  • No Destructive Testing: Tests must not intentionally modify or delete data.
  • Staging Environment Only: Tests should be conducted only within designated staging environments.

6. Conducting the Test

Testers must ensure that their activities are responsible and ethical, comply with all laws, and do not disrupt LVT's operational capabilities. Specific guidelines include:

  • User Access Accounts: Testers will use pre-defined user accounts with minimum necessary permissions.
  • Third Party Testing: If using a third-party testing firm, direct communication between LVT and the third party is required to ensure adherence to this policy.

7. Reporting

A full report of the test findings must be submitted to our security team within 10 business days after testing concludes. The report should detail all vulnerabilities found, testing methods used, and any remediation recommendations.

8. Review and Follow-Up

Our security team will review the submitted report, track issues, and escalate them as needed. Customers can expect a preliminary response within 5 business days, followed by detailed discussions if necessary.

9. Scoring and Remediation Strategy

  • Scoring of Findings: Vulnerabilities are scored using the CVSS framework based on severity, impact, and exploitability.
  • Remediation Commitment: We prioritize fixing vulnerabilities based on their severity, with critical issues addressed within 30 days, high issues within 60 days, and medium to low issues within 90 days.

10. Policy Violation

Violations of this policy may lead to revocation of testing permissions, potential legal action, and cessation of services, depending on the violation's severity.

11. Contact Information

For questions or to submit a testing request, please contact: security@lvt.com