Security standards for Clio Partners

Clio will abide by the security standards set forth below ("Security Standards"), which detail the various actions taken by Clio that are designed to ensure the security of the Clio Services ("Information Security"). During the Subscription Term, these Security Standards may change without notice, as standards evolve or as additional controls are implemented or existing controls are modified as deemed reasonably necessary by Clio, provided that such changes will not bring the Security Standards below industry standard security measures.

Definitions

Terms not defined herein will have the meanings ascribed to them in the relevant agreement for the Clio Services entered into between the parties.

  • Regular Information Security risk assessments are performed covering Clio facilities and information assets.
  • The risk assessment is conducted using an industry standard methodology to aid in identifying, measuring, and treating known risks.
  • Risk assessment results and risk mitigation suggestions are shared with the executive management team.
  • The risk assessment results will specify proposed changes to systems, processes, policies, or tools, in order to reduce security vulnerabilities and threats, if any.
  • Policies, including those related to data privacy, security, and acceptable use, are assessed and approved by Clio senior management. Policies are documented and published among all relevant personnel.
  • Employees and contracted third parties are required to comply with Clio policies relevant to their scope of work.
  • Information Security policies are stored, maintained, updated, and published in a centralized location accessible to employees and third parties.
  • Clio office space is secured from visitor access except for areas staffed by reception or security personnel.
  • The operation of systems and applications that support the Clio Services is subject to documented operating procedures.
  • The operations team maintains hardened standard server configurations. Systems are deployed and configured in a uniform manner using configuration management systems.
  • Clio maintains change control programs for development, operations, and Information Technology teams.
  • Separate environments are maintained to allow for the testing of changes.
  • All users are required to use a unique ID and SSH key for access to the production environment.
  • Generic accounts are prohibited for user access. Access to the "root" account is restricted to Operations personnel deemed necessary.
  • All access to the back-end servers and network infrastructure requires 2 levels of authentication: SSH access to the bastion host, followed by SSH access to the individual servers or network devices.
  • All access controls are based on "least privilege" and "need to know" principles. Different roles, including limited and administrative access, are used in the environment.
  • Upon notice of termination of Clio personnel, all user access is removed. All critical system access is removed immediately upon notification.
  • Product features are managed through a formalized product management process. Security requirements are discussed and formulated during scoping and design discussions.
  • Clio maintains a sustaining engineering team whose primary responsibility is identifying and remediating bugs found in the Clio Service.
  • Source code repositories are scanned regularly by a static analysis / code quality tool. Any security issues are validated, risk ranked, and placed in a dedicated bug tracking system for remediation.
  • Clio maintains a QA team dedicated to reviewing and testing application functionality and stability.
  • Clio performs third-party security audits using a variety of vendors.
  • Emergency fixes are pushed to production as needed. Change management is performed retrospectively for such fixes.

Last updated on 11 March 2021.