Table of Contents
- Security Management Policy
- Access Management
- Performance and Reliability
- Business Continuity
- Data Processing and Storage
- Harmful Code and Patches
- Support and Maintenance
- Event Monitoring
- Incident Response
- Network and Transport Security
- Physical Security
- Human Resources Security
- Remote Access
Host Connect is an integrated communications platform that connects employees, no matter where they are, via a robust mobile experience. Employees can curate and engage with the content that matters most to them, and business leaders can send targeted messages via push notification to deliver critical information. This document identifies the security policies and standards that CBRE maintains to protect the data and systems served by the Host Connect service, which comprises both cloud and mobile components.
As part of its adherence to ISO 27001:2013, CBRE has implemented a formal Information Security Management System (ISMS). This plan defines the overall information security (IS) policy, inclusive of planning, risk management, competence, training, operation, performance evaluation, continuous improvement, and governance.
The core Host Connect architecture follows industry best practices that include ISO 27001:2013 and ISO 27002:2013 certification, leveraging ISO 27001 certified vendors, and a reinforcement program based on NIST SP 800 framework guidelines. Host Connect’s cloud hosting provider carries SOC 1 (formerly SSAE 16/ISAE 3402) and SOC 2 certification. CBRE’s most recent certifications can be provided under NDA.
Access to servers and services (mobile app, backend portal, analytics dashboards, etc.) requires multi-factor authentication and SSO, with extensive access monitoring and audit logs. Two-way (mutual) TLS is supported. CBRE issues a unique JSON Web Token (JWT) for every user session. Anonymous access to Host Connect is prohibited.
5.1. The platform operates in a logically segmented, multi-tenant environment in the cloud.
5.2. Automatic performance optimizations include:
5.2.1. Caching at edge level for content that does not update frequently.
5.2.2. Caching at the API backend level, with a suitable time-to-live (TTL) defined, for content that updates often.
5.2.3. All CBRE backend servers run as containerized workloads. The virtual machines (VMs) hosting these containers are spread across multiple availability zones, with traffic balanced by a load balancer.
5.2.4. CBRE datastores are managed services, which are encrypted and replicated multiple times.
5.2.5. Policies are in place to scale up when the workload reaches a defined threshold.
5.3. The platform is deployed across multiple availability zones and regions in the cloud, and resource-manager-governed (Kubernetes) auto-scaling has been configured to elasticize the IaaS and PaaS layers (vertical and horizontal scaling) based on changing user and usage patterns, throughput, and response-time expectations.
6.1. As a CBRE Tier 1 application, there is a Recovery Time Objective (RTO) of four hours.
6.2. As a CBRE Tier 1 application, there is a Recovery Point Objective (RPO) of one hour.
6.3. For backups, CBRE maintains an eager copy in memory (for performance reasons) as well as a combination of incremental online (point-in-time) and offline (history) snapshots. The in-memory copy is transient, while the online and offline copies are archived on a configurable cadence so that they are available should a restore be needed.
6.4. All data and metadata essential to the platform operation are backed up hourly. The backups taken include everything needed to completely re-instantiate a customer environment and data.
6.5. Backups are performed hourly by an automated process and monitored by an operations team. The backups are incremental – they utilize block storage snapshotting and copy-on-write, which optimizes efficiency and speed – with three primary goals:
6.5.1. ability to recover and rollback from customer error
6.5.2. ability to recover and rollback due to a platform error
6.5.3. ability to recover following a larger scale disaster (full cloud-provider outage)
6.6. Data restore fidelity: upon a request with a timestamp, the associated data and metadata can be restored to:
6.6.1. the nearest hourly backup if the request timestamp is within the last 24 hours
6.6.2. the nearest daily backup if the request timestamp is within the prior 7 days
6.6.3. the nearest weekly backup if the request timestamp is within the prior 3 weeks
6.6.4. the nearest monthly backup if the request timestamp is within the prior 2 months
6.7. The same backup process is used for restoring data. As such, the full backup-restore process is tested on a regular basis.
6.8. All backups are encrypted and there is a unique key per backup.
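Section 6.6 defines a tiered restore: a request carrying a timestamp is served from the hourly, daily, weekly or monthly backup depending on how far back the timestamp reaches. The Python below is an added illustration of that selection logic, written for this page; it is not CBRE's code. It assumes an in-memory catalogue of backup entries, treats "2 months" as 61 days, and spaces the constructed monthly snapshots 30 days apart.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

# Retention tiers taken from section 6.6: each tier applies to request
# timestamps no older than its horizon, checked from most to least granular.
# "2 months" is approximated as 61 days (assumption).
RETENTION_TIERS = (
    ("hourly", timedelta(hours=24)),
    ("daily", timedelta(days=7)),
    ("weekly", timedelta(weeks=3)),
    ("monthly", timedelta(days=61)),
)

# Fixed "current time" for the constructed scenarios below.
SAMPLE_NOW = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Backup:
    """One catalogue entry: the tier it belongs to and when it was taken."""
    tier: str
    taken_at: datetime


def select_tier(request_ts: datetime, now: datetime) -> Optional[str]:
    """Return the tier that serves a restore request, or None when the
    timestamp is older than every tier (outside the retention window)."""
    age = now - request_ts
    if age < timedelta(0):
        raise ValueError("request timestamp is in the future")
    for name, horizon in RETENTION_TIERS:
        if age <= horizon:
            return name
    return None


def nearest_backup(backups: Iterable[Backup], request_ts: datetime,
                   now: datetime) -> Optional[Backup]:
    """Pick the backup of the applicable tier whose timestamp is closest to the
    requested point in time; ties resolve to the earlier backup."""
    tier = select_tier(request_ts, now)
    if tier is None:
        return None
    candidates = [b for b in backups if b.tier == tier]
    if not candidates:
        return None
    return min(candidates, key=lambda b: (abs(b.taken_at - request_ts), b.taken_at))


def build_sample_catalog(now: datetime) -> List[Backup]:
    """Constructed sample catalogue (not real data): hourly snapshots for the
    last 48 hours, daily for 30 days, weekly for 8 weeks and monthly (30-day
    spacing, an assumption) for 6 months, all aligned to `now`."""
    catalog = [Backup("hourly", now - timedelta(hours=h)) for h in range(48)]
    catalog += [Backup("daily", now - timedelta(days=d)) for d in range(31)]
    catalog += [Backup("weekly", now - timedelta(weeks=w)) for w in range(9)]
    catalog += [Backup("monthly", now - timedelta(days=30 * m)) for m in range(7)]
    return catalog


def run_scenarios() -> List[tuple]:
    """Exercise the selection on the constructed catalogue. Each result is
    (request age in hours, tier chosen, hours between `now` and the chosen backup)."""
    catalog = build_sample_catalog(SAMPLE_NOW)
    results = []
    for age in (timedelta(hours=5, minutes=20), timedelta(days=3, hours=5),
                timedelta(days=10), timedelta(days=40), timedelta(days=100)):
        hit = nearest_backup(catalog, SAMPLE_NOW - age, SAMPLE_NOW)
        results.append((
            age.total_seconds() / 3600,
            hit.tier if hit else None,
            (SAMPLE_NOW - hit.taken_at).total_seconds() / 3600 if hit else None,
        ))
    return results


def future_request_is_rejected() -> bool:
    """True if a request dated after `now` is refused rather than silently served."""
    try:
        select_tier(SAMPLE_NOW + timedelta(minutes=1), SAMPLE_NOW)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for age_hours, tier, offset in run_scenarios():
        print(f"{age_hours:7.2f} h ago -> {tier or 'outside retention window'}"
              + (f" backup taken {offset:.0f} h ago" if tier else ""))
```

Note that "nearest" is taken literally, as the policy words it: a request 3 days and 5 hours back is served from the daily snapshot 3 days old, not the one 4 days old, even though the newer one may contain changes made after the requested point. A deployment that must never restore past the requested time would filter candidates to `taken_at <= request_ts` before taking the minimum.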
7.1. All data is protected at rest via AES symmetric key encryption with a key length of at least 256 bits. Only authorized users are able to access data, enforced through role-based access control (RBAC).
7.2. The platform ensures client data is logically and physically segmented. Segregation of duties and RBAC, as well as service principals, are used to ensure the right individuals have access to the right parts of the data.
7.3. CBRE’s data strategy includes periodic privacy data assessments as well as privacy-by-design principles.
7.4. CBRE follows industry best practices and complies with applicable data protection requirements.
7.5. CBRE has established a Data Privacy Office to adhere to legal requirements and follow industry best practices around data privacy and protection.
7.6. CBRE maintains a clear view of data controllers and processors, along with their responsibilities with respect to data protection. CBRE also verifies that all vendors adequately and contractually address the security, privacy and confidentiality of customer data.
7.7. For clients without global deployments, data is stored within the region corresponding to the location of the user, i.e. in the US, EMEA or APAC region. If the customer is US-based, data will be stored only in a data center located in the United States. For clients with global deployments, client data is replicated across the applicable global regions and is available wherever a user goes. CBRE uses an eventual-consistency model for this replication.
7.8. Data encryption:
7.8.1. Standard secure and encrypted protocols (TLS v1.2) using certificates with 2048-bit keys.
7.8.2. CBRE manages rotation of symmetric encryption keys that protect data at rest by leveraging a combination of an internally-developed solution in conjunction with a third-party secrets management and data protection provider.
8.1. CBRE’s automated delivery pipelines incorporate both security and open-source vulnerability assessments into each execution.
8.2. CBRE-sanctioned third-party penetration testing (“pen tests”) is performed annually to ensure network and application vulnerabilities are identified and addressed in a timely fashion. CBRE’s most-recent pen test results can be reviewed under NDA and via screenshare.
8.3. Secrets lifecycle management (token/secret generation, lease/unlease, revocation, etc.) and cryptography (encryption/decryption) are provided by managed services (currently HashiCorp Vault) that CBRE subscribes to.
8.4. CBRE subscribes to security alerts for all software dependencies, and necessary preventative measures are applied based on the risk profile specified in an alert.
9.1. The development team conducts code vulnerability screening, leveraging third-party tools integrated with GitHub, on every pull request (PR) commit. Source code reviews are done regularly and validated within GitHub.
9.2. CBRE operates on a 0/30/60/90-day patch policy. Blue-Green and Canary patterns are employed to support rolling maintenance and patching with little to no downtime. With Active-Active deployment configured in the cloud, Recovery Time Objective (RTO) and Recovery Point Objective (RPO) generally fall below one (1) hour each.
9.3. CBRE has established a product management and engineering practice aligned with industry best practices: releases and their contents are reviewed on a cadence, data and analytics are leveraged to understand inefficiencies across the System Development Lifecycle (SDLC), work is run in scrum for incremental delivery, and releases are assessed for quality and performance before they reach our customer/partner base.
9.4. Patches will be non-breaking changes, i.e. bug fixes, some performance improvements and fixes for security/loss vulnerabilities, released on a monthly cadence.
9.5. Minor releases will entail new non-breaking feature requests, performance improvements and custom client needs, and will be delivered to customers on a quarterly basis.
9.6. Major releases will entail potentially breaking changes (for example a new UX or changes to existing flows; we will try our best to remain backward compatible), new feature requests, performance improvements, infrastructure and PaaS changes, and resiliency enhancements, and will be applied on a bi-annual or annual basis.
10.1. CBRE offers email support as a standard with 24-hour turnaround.
10.2. Telephone support is offered 24/7 at an extra cost via premium support, with coverage as follows: USA 6am-9pm CST; Brisbane 9pm-2am CST; London 2am-6am CST.
10.3. Teams currently support English; telephone support in additional languages will be onboarded over time.
10.4. Support escalation flows through four levels:
10.4.1. Level 1: there are two options:
10.4.1.1. the user can email, or directly call the support number (if premium support is selected), to reach the service desk, or
10.4.1.2. the user can engage with an on-premises experience specialist to help debug and escalate to the service desk if needed. If escalated to the service desk, its members will troubleshoot the issue; if the issue still persists, it will be escalated to Level 2 support. If needed, further escalation is to Levels 3 and 4, which are the CBRE and Vendor Engineering teams (the latter if the issue requires vendor resolution). Sales and Transitions (and Management) are part of the client care/engagement team, so they are involved in the support/escalation from the outset.
10.4.2. Level 2: if escalated to service desk, those agents will troubleshoot the issue further.
10.4.3. Level 3: deeper issues get escalated from the service desk to CBRE engineering and development teams.
10.4.4. Level 4: issues requiring relevant vendor support are escalated accordingly directly from the Level 3 development teams. Further troubleshooting and research involving end user participation are handled by CBRE teams.
CBRE operates a 24/7 dedicated network operations center (NOC) powered by a Security Information and Event Management (SIEM) platform. Any notable events are raised to the CBRE Cyber Security team for further investigation. Incident management policies and procedures are in place to notify the proper business and data owners and SMEs in the event of an incident. Relevant portions of CBRE’s Incident Management documentation can be viewed via screenshare session if necessary and under NDA.
CBRE has implemented a complete incident response policy and procedure, documented in the above-mentioned ISO-certified policies and procedures. Once reported, an incident is classified and a response is formulated according to a set of standards.
13.1. Host Connect features accessed over the internet are protected by standard secure and encrypted protocols (TLS v1.2) using certificates with 2048-bit keys. The platform supports the encryption of data both in motion and at rest.
13.2. Only TLS 1.2, AES-256 and FQDN-based certificates are used (no wildcard certificates), as well as CA-signed certificates with an expiration of less than two years.
13.3. Network details, including any applicable IP addresses and port details, can be shared once the full technology stack has been provisioned and the environment is prepared.
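Sections 13.1 and 13.2 fix the transport and certificate requirements: TLS 1.2 only, AES-256, 2048-bit keys, and CA-signed, FQDN-based certificates with no wildcards and a lifetime under two years. The Python below is an added example of how a deployer might check those requirements before rolling a certificate out and pin a client to the same transport settings; it is written for this page and is not CBRE's tooling. The certificate fields are supplied as a plain summary rather than parsed from X.509, the hostnames are constructed placeholders, and the 730-day limit and the OpenSSL cipher string are assumptions about how the policy maps onto concrete values.

```python
import ssl
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# "Less than two years" is taken as a validity period under 730 days (assumption).
MAX_VALIDITY = timedelta(days=730)
MIN_KEY_BITS = 2048


@dataclass(frozen=True)
class CertSummary:
    """The certificate fields the policy cares about. In a real deployment these
    come from parsing the X.509 certificate; here they are supplied directly."""
    subject_cn: str
    san_dns_names: List[str]
    public_key_bits: int
    self_signed: bool
    not_before: datetime
    not_after: datetime


def is_fqdn(name: str) -> bool:
    """A fully qualified DNS name: at least two labels, letters/digits/hyphens only,
    no label starting or ending with a hyphen, and no wildcard label."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2:
        return False
    for label in labels:
        if not label or label.startswith("-") or label.endswith("-"):
            return False
        if not all(ch.isalnum() or ch == "-" for ch in label):
            return False
    return True


def check_certificate(cert: CertSummary) -> List[str]:
    """Return the policy violations for one certificate (empty means compliant)."""
    findings = []
    # Deduplicate while keeping order, so a CN repeated in the SAN list is reported once.
    names = list(dict.fromkeys([cert.subject_cn, *cert.san_dns_names]))
    for name in names:
        if "*" in name:
            findings.append(f"wildcard name not allowed: {name}")
        elif not is_fqdn(name):
            findings.append(f"name is not a fully qualified domain name: {name}")
    if cert.public_key_bits < MIN_KEY_BITS:
        findings.append(f"public key of {cert.public_key_bits} bits is below {MIN_KEY_BITS}")
    if cert.self_signed:
        findings.append("certificate is self-signed; a CA-signed certificate is required")
    validity = cert.not_after - cert.not_before
    if validity >= MAX_VALIDITY:
        findings.append(f"validity period of {validity.days} days is not under two years")
    return findings


def build_tls_context() -> ssl.SSLContext:
    """Client-side context pinned to TLS 1.2 with AES-256 cipher suites only.
    set_ciphers() governs TLS 1.2 suites, which is sufficient because the
    maximum version is capped at 1.2. The cipher string is an assumption;
    adjust it to the organisation's approved list."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AES256:!aNULL:!MD5")
    return ctx


def tls_version_range(ctx: ssl.SSLContext) -> Tuple[str, str]:
    """Names of the lowest and highest protocol versions the context will negotiate."""
    return ctx.minimum_version.name, ctx.maximum_version.name


# Constructed sample certificates (hostnames are placeholders, not real endpoints).
COMPLIANT_CERT = CertSummary(
    subject_cn="hostconnect.example.com",
    san_dns_names=["hostconnect.example.com", "api.hostconnect.example.com"],
    public_key_bits=2048,
    self_signed=False,
    not_before=datetime(2024, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2025, 1, 1, tzinfo=timezone.utc),
)

NONCOMPLIANT_CERT = CertSummary(
    subject_cn="*.example.com",
    san_dns_names=["*.example.com", "localhost"],
    public_key_bits=1024,
    self_signed=True,
    not_before=datetime(2024, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2027, 1, 1, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    for label, cert in (("compliant", COMPLIANT_CERT), ("non-compliant", NONCOMPLIANT_CERT)):
        print(label, check_certificate(cert) or ["ok"])
    print("negotiable TLS versions:", tls_version_range(build_tls_context()))
```

In practice the `CertSummary` would be filled from the parsed certificate (for example the `subject`, `subjectAltName`, `notBefore` and `notAfter` entries that `ssl.SSLSocket.getpeercert()` returns for a connected peer), and the same check can be run in the delivery pipeline described in 8.1 so that a non-conforming certificate is caught before it reaches the load balancer.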
14.1. Data Loss Prevention (DLP) is in place for all physical devices that could process client data.
14.2. No data is stored on PCs, laptops, mobile devices, or removable media (USB drives, portable hard drives, etc.).
15.1. Where allowed by law, employees are subject to drug screening and background checks, including legal history, education and past employment, and – where applicable – financial/credit information.
15.2. Access to customer data and production services is restricted to authorized personnel only. All access is limited, logged, and tracked for auditing. All employees are trained on information security and privacy procedures.
15.3. Vendors are subject to a vendor security review, which includes a detailed questionnaire, follow-up and a two-level internal review; any residual risks identified in the review must be approved and accepted by the CBRE cyber security team.
16.1. All access to cloud resources, regardless of the type of device, is controlled via SSO and multi-factor authentication (MFA) with extensive monitoring and audit logs.
16.2. Remote access may be performed only on a CBRE device leveraging CBRE VPN.