Information Security Statement

This statement provides an overview of The Craneware Group’s approach to cyber security.

The Craneware Group’s utmost priority is the reliable protection of customer data. Our promise is to defend against reasonably anticipated threats and hazards, including risks created by unauthorized access, to the security and integrity of sensitive customer information entrusted to The Craneware Group.

Information Security Policy

The Craneware Group maintains a detailed Information Security Program, which aligns with applicable laws and regulations. This program governs how The Craneware Group employees and applications interact with sensitive, protected customer data. The policies and procedures that inform the Information Security Program are reviewed and updated no less than annually and with any significant changes to laws, regulations, infrastructure or company structure.

Organizational Security

Key oversight of the Information Security Program is managed by The Craneware Group’s Security Council and led by the Chief Information Officer. The Council is comprised of expert representatives from the following functional areas: Information Security, Risk & Compliance, Information Technology Infrastructure and Operations, Engineering, and the Governance Committee. The Craneware Group employs a dedicated Information Security Team and contracts with specialist 3rd party services, who assist with monitoring, testing, and improving our security position and technology.

The Craneware Group requires stringent training on information security and data protection for all employees at hire and annually. Confidentiality and nondisclosure agreements are required of all employees as well. The highest ethical standards are foundational to The Craneware Group’s code of conduct.

Data Management

Data and Information System assets include customer data and company resources; these are protected with Data Loss Prevention software and processes. The Craneware Group’s Information Security Program manages those assets that are subject to legislative requirements, i.e., HIPAA and GDPR.

Third Party Audits and Testing

The Craneware Group engages with third party auditors to support effective security practices and compliance with HITRUST, HIPAA and AICPA SOC.

The Craneware Group’s core operations, including the product platforms Trisus and InSight, abide by the HITRUST CSF security controls across 19 domains and other security frameworks, such as HIPAA, AICPA (SOC2), NIST, and ISO27001. Sentinel, Sentrex, and DataNext applications meet AICPA Service Organization Controls (SOC) requirements, completing the SOC1 and SOC2 Type II audits annually.

Full HITRUST CSF assessments are conducted every two years; interim assessments are conducted during the intervening periods.

For HITRUST, our products and corporate infrastructure are evaluated against around 500 controls mapped across 19 domains:

Information Protection Program
Endpoint Protection
Portable Media Security
Mobile Device Security
Wireless Security
Configuration Management
Vulnerability Management
Network Protection
Transmission Protection
Password Management
Access Control
Audit Logging & Monitoring
Education, Training and Awareness
Third Party Assurance
Incident Management
Business Continuity and Disaster Recovery
Risk Management
Physical and Environmental Security
Data Protection and Privacy

The following is a comparison of HITRUST CSF against two other similar frameworks audited in this area

Our portfolio of products regularly undergoes penetration testing by external security testing companies. This testing occurs in conjunction with major product updates, and no less than annually.

The Craneware Group also follows individual US state-based guidance and criteria where appropriate.

Contact

For more information, please contact The Craneware Group Information Security at [email protected].