At ML6, security is in our blood. Our security program is embedded in all the business processes. Starting from the first sales contact, delivering a proof of concept, up until the delivery of production applications.
To prove our dedication towards information security, our security program is certified against the ISO/IEC 27001:2017 standard. This internationally accepted standard provides requirements for establishing, implementing, maintaining and continually improving information security within an organization.
As a first line of defense against cyber threats, staff receive regular training in information security topics such as phishing, incident reporting, privacy regulation, information classification, information handling etc.
Technical staff receive more extensive training in secure development practices and web application security such as the OWASP Top 10 list. Furthermore technical staff have proven technical skills on Google Cloud in the form of Google Cloud certifications.
Access to systems is provided to staff according to the principle of least privilege.
User authentication to high value systems is protected with two-factor authentication, more specifically with physical security keys. Physical security keys are a phishing resistant second factor in the authentication process.
Where ML6 relies on suppliers for services, ML6 performs a risk assessment to assure that the supplier at least meets the same security standards as ml6 and that the services will be delivered in a reliable manner.
ML6 has implemented a documented incident response procedure to handle security incidents according to industry best practices. The procedure contains the following steps: reporting, classification, analysis, containment, eradication and recovery of the incident.
A post-incident review looks for lessons learned of a security incident to further optimize controls and procedures.
ML6 has implemented a secure development procedure to include security checks in multiple steps of the development process.
Application development includes security and privacy requirements in the design phase, this minimizes security risks but also cost.
Code is automatically scanned using static code analysis tools, flagging common security issues within the code.
Where needed, applications are regularly pen tested by third parties to identify possible unknown vulnerabilities.
ML6 applications and analysis are primarily hosted on Google Cloud. Therefore ML6 uses the same secure-by-design infrastructure, built-in protection, and global network that Google Search Engine, Gmail, YouTube etc. were built upon.
Google Cloud regularly undergoes independent verification of security, privacy, and compliance controls, achieving certification against global standards
Data stored in Google Cloud is encrypted at several layers with AES256 and AES128 to secure data. Google Cloud also uses various methods of encryption, both default and configured by ML6, for data in transit.
Google Cloud infrastructure used at ML6 is configured using the CIS Benchmark.
CIS Benchmarks are configuration baselines and best practices for securely configuring a system. ML6 performs daily scanning on its Google Cloud infrastructure to detect misconfigurations.