Grants Security, Privacy, & Operations
Effective Date: Feb 5, 2026
Euna Grants Hosting Services
Euna Grants provides customers with a cost-efficient enterprise grant management solution by offering a multi-tenant SaaS subscription model and leveraging the capabilities of the Microsoft Azure cloud. Microsoft Azure provides a cloud environment specifically designed to meet strict security and compliance requirements. Hosting on the Microsoft Azure cloud provides Euna Grants with high availability, scalability, and compliance, as well as a secure platform-as-a-service environment.
To provide customers with the highest level of security and compliance, Euna Grants uses regional data centers: Microsoft Azure U.S. data centers for customers based in the U.S., Microsoft Azure U.S. Government data centers for U.S. Public Sector customers, and Microsoft Azure Canadian data centers for Canadian customers.
Environment Overview
Euna Grants uses multiple environments to ensure proper release management, provide segmented access control, and provide production failover capabilities. Environments include Development, QA, UAT, Stage, Production, and Production Failover.
Data Centers
To provide customers with the highest level of security and compliance, Euna Grants uses regional data centers: Microsoft Azure U.S. data centers for customers based in the U.S., Microsoft Azure U.S. Government data centers for U.S. Public Sector customers, and Microsoft Azure Canadian data centers for Canadian customers.
Data Ownership
Euna Grants customers own all data, information, and other materials submitted to Euna Grants by their authorized users as defined in the customer’s Master Subscription Agreement (“MSA”) with Euna Grants.
Information Security Program
Euna Grants maintains an organization-wide information security program and has policies and procedures in place to ensure the availability, security, confidentiality, and privacy of Euna Grants systems and client data stored and managed within Euna Grants. Key policies include:
- Information Security
- Software Development Lifecycle
- Availability
- Information, System, and Software Backup
- Disaster Recovery
- Access Control
- Encryption
- Change Management
- Privacy
All Euna Grants employees are required to follow all documented policies and procedures. The Information Security program is provided to employees during onboarding and all employees undergo annual security and privacy training.
Compliance
Euna Grants is SOC 2 compliant for the AICPA 2017 Trust Services Criteria of Security, Availability, Confidentiality, Processing Integrity, and Privacy. A copy of the most recent Euna Grants report is available upon request from your Account Manager.
Euna Grants is hosted in the Microsoft Azure cloud, which is regularly audited and maintains a number of certifications related to security and control environment, including SOC 1, SOC 2, SOC 3, ISO 27001, FERPA, HIPAA, CSA STAR, and FedRAMP.
Privacy
Euna Grants has a published Privacy Policy that is reviewed annually and is available at: https://www.eunasolutions.com/privacy-policy/
External Security Audits
Euna Grants contracts with external security firms to perform annual audits of the Euna Grants hosting environment and the Euna Grants corporate infrastructure. Audits include penetration testing and vulnerability scanning.
Network Security
Euna Grants takes advantage of several key Azure services to provide a highly secure customer hosting environment.
Azure provides distributed denial of service (DDoS) protection through always-on traffic monitoring and real-time mitigation.
All web interfaces are protected by Azure Application Gateways and Web Application Firewalls. The Application Gateway provides secure load balancing and application monitoring for multiple web applications. Web Application Firewalls provide centralized protection of Euna Grants web applications from common exploits and vulnerabilities, such as SQL injection and cross-site scripting. The Web Application Firewall is based on the Core Rule Set (CRS) 3.0 from the Open Web Application Security Project (OWASP) and is automatically updated to include protection against new vulnerabilities.
For all databases, Euna Grants uses Azure SQL Server Advanced Data Security and Advanced Threat Protection to monitor for vulnerabilities and anomalies and protect against malicious activity. Euna Grants also uses Azure SQL Server Firewall services to restrict access to only approved IP addresses.
Encryption
Euna Grants encrypts all data in transit and at rest. Data in transit is encrypted via HTTPS/SSL using SHA-256 encryption. Euna Grants requires HTTPS for all connections. TLS 1.0 and TLS 1.1 are disabled on all Euna Grants servers. File data (at rest) is encrypted via Azure Storage Service Encryption using AES-256 encryption. All Euna Grants Azure SQL databases use Transparent Data Encryption (TDE) to encrypt databases, log files, and backups, in real time, using AES-256 encryption. Both SHA-256 and AES-256 are FIPS 140-2 compliant.
Access Control
All Euna Grants staff undergo background checks and are required to sign a nondisclosure agreement. All staff are sufficiently trained and may only access data and systems for which they have clearance.
Only approved Euna Grants technical employees have access to the Euna Grants Azure environment. Two-factor authentication (2FA) is required for administrative access to the Euna Grants Azure environment. Euna Grants uses multiple Azure roles to differentiate employees who can make platform changes from those who can deploy and manage releases. Activity within the Azure environment is logged. Only Euna Grants DevOps employees have access to the Production environment.
Only approved Euna Grants Customer Support and Technical Support employees have access to the customer’s Euna Grants implementation and data. Euna Grants Customer Support and Technical Support employees may access the QA, UAT, Stage, or Production environments for the purposes of defect validation, troubleshooting, general support activity, or training. Activity within the Euna Grants environment is logged.
Application Security
Euna Grants is a secure application that requires all users, whether grantors, grantees, or staff, to log in with a unique user ID and password before being able to access the system. Euna Grants customers can define a password policy, including minimum password length; complexity requirements such as special characters, numbers, and capital letters; and password aging, reuse, and lockout.
Euna Grants can be configured to use an external authentication provider (via SAML, OAuth, or WS-Federation services) and directory.
Euna Grants utilizes role-based security and a granular security model to provide user access to modules, features, and records within the system. System roles are pre-defined. Users can be granted elevated permissions at various spots within the application by setting permissions at the object level. A user, for example, can be added to a grant as a grant manager, which elevates the user permissions for that particular grant.
Development
All Euna Grants development and QA processes follow the Euna Grants Software Development Lifecycle Policy and the Euna Grants Development Process guide. The purpose of the Euna Grants Software Development Lifecycle Policy is to ensure a well-defined, secure, and consistent process for managing the entire lifecycle of Euna Grants development and includes the following phases:
- Requirements Analysis
- Architecture and Design
- Testing
- Deployment/Implementation
- Operations/Maintenance
The policy also defines requirements for secure development with specific patterns and best practices designed to mitigate the OWASP top 10 web vulnerabilities.
The Euna Grants Development Process guide defines the operational procedures that guide the day-to-day activities of the Product, Development, QA, and Infrastructure teams. Euna Grants uses an Agile methodology for all product development.
The Euna Grants Development, QA, and Infrastructure teams perform ongoing application testing. The Euna Grants QA Team is responsible for testing and certifying all application enhancements and patches. The Development Team performs unit testing and code review activities. The QA Team is responsible for all integration, regression, functionality, usability, HTML validation, and compatibility testing for all releases. The Euna Grants Infrastructure Team performs regular vulnerability scans, load testing, and failover testing.
Maintenance
As a SaaS solution, Euna Grants is continually updated to add new features and functionality to streamline the grants management processes for our clients, facilitate best practices, and to ensure compliance with Federal regulations.
Euna Grants maintains a maintenance window of 10-11pm ET daily Monday through Friday. During this window, the platform may be updated with new feature releases and patches for all Euna Grants clients. All platform updates are made available to all Euna Grants clients who have the ability to utilize the upgrades as they see fit.
Availability
Euna Grants is available 24 x 7 x 365 and maintains a maintenance window of 10-11pm ET, Monday through Friday. Euna Grants provides a 99.9% application uptime guarantee exclusive of the scheduled maintenance window and makes every effort to minimize the impact of maintenance performed during this time.
Redundancy and Disaster Recovery
The Euna Grants environment is designed on the concept of disaster avoidance. The platform is built to be resilient and maintain availability in the wake of foreseeable disruption.
Within the Microsoft Azure cloud, Euna Grants utilizes multiple geographically redundant data centers. Disaster recovery is built into the platform, with data replicated in real-time across data centers. Euna Grants maintains a primary production environment and a secondary hot site. In the event of a disaster scenario, Euna Grants can failover individual services or the entire platform from the production environment to the secondary hot site.
The Euna Grants Disaster Recovery and Business Continuity plan is reviewed annually, and all procedures are tested semi-annually.
Data Backup
The Euna Grants team manages all data backups, data restores, and disaster recovery services. Euna Grants has a standard data backup schedule.
Differential database backups are run every few hours and transaction log backups run every 5-10 minutes to create Point-in-Time backups. Point-in-Time backups are continually run and are retained for 21 days. Point-in-Time Restore is supported for any restore point within 21 days. Full database backups occur monthly and are retained for 12 months. Full file system backups are run daily.
Euna Grants file system backups run between 3-4am ET daily. Database backups for point-in-time restore run continually throughout the day and do not impact system performance.
Restore from geo-replicated backups has an estimated recovery time objective (RTO) of under 12 hours with a recovery point objective (RPO) of under one hour.
Change Management
Euna Grants has a Change Management Policy as part of its information security program. All infrastructure changes must be approved by the CTO and may only be implemented by authorized Euna Grants infrastructure team members during the Euna Grants maintenance window. All changes are documented in the Euna Grants internal tracking system. Changes to Azure infrastructure configurations are also logged in the Azure Activity Log.
Only authorized Euna Grants infrastructure team members have access to the Azure Activity Log. Access to the Euna Grants product and specific data elements within Euna Grants is tracked via the Euna Grants Activity Log. The Euna Grants team and customer administrators can access the Euna Grants Activity Log within the product to view user level activity logs that show data for logins, logouts, object access, and other key activities.
Logging and Monitoring
Euna Grants monitors the performance and availability of the platform using various tools including Azure Monitor, Azure Insights, and Azure Security Center. These tools track compliance and performance of the key components of the platform (databases, storage, web apps, network) as well as the responsiveness of the specific web apps (request rates, response times, exceptions).
Access to specific data elements within Euna Grants is tracked via the Euna Grants Activity Log. The Euna Grants team and customer administrators can access the Euna Grants Activity Log within the product to view user level activity logs that show data for logins, logouts, object access, and other key activities.
Incident Response
Euna Grants maintains an Incident Response Policy as part of the full policy suite included in the Euna Grants Information Security Program.
A key objective of the Euna Grants Information Security Program is to focus on detecting information security weaknesses and vulnerabilities so that incidents and breaches can be prevented wherever possible. Euna Grants is committed to protecting its employees, customers, and partners from illegal or damaging actions taken by others, either knowingly or unknowingly. Despite this, incidents and data breaches are likely to happen; when they do, Euna Grants is committed to rapidly responding to them, which may include identifying, containing, investigating, resolving, and communicating information related to the breach.
The Euna Grants Incident Response Policy mandates that if a security incident is identified, it must be investigated within a set period of time based on its severity. If an incident is confirmed as a breach, a set procedure must be followed to contain, investigate, resolve, and communicate information to employees, customers, partners, and other stakeholders.
In addition, Euna Grants will notify customer contacts at all impacted customers and provide the relevant details, including: a description of the incident, customer information involved, individuals and entities that may have accessed customer information, steps involved in investigating the incident, and steps involved in mitigating issues related to the incident.
Contact information
You may contact us at [email protected] to exercise any of your rights or ask for more information about your Personal Information and our privacy practices.
For more information about our services, please refer to our website: https://eunasolutions.com/solutions/