How ShortPoint Classifies and Encrypts Data

At ShortPoint, protecting data is at the heart of everything we do. We believe that keeping data secure isn't just about having the right technology. It's also about maintaining trust through consistent, reliable security practices that work together to safeguard what matters most to you and your business.


Our security approach is built on three key principles: understanding the data, ensuring it stays safe, and making sure it's kept for the right amount of time. We continuously monitor our systems and review our security settings every year to make sure we're meeting the highest standards. Independent experts regularly assess our security measures to verify they're working as intended. The controls we have implemented have been independently assessed for design and operating effectiveness.


Note: ShortPoint does not access, store, or process customer content or data from your SharePoint environment. The data classification, encryption, and retention practices described in this article refer only to ShortPoint’s own internal corporate data and not customer SharePoint content.


Data Classification and Encryption



Understanding Your Data: How We Classify Information


Imagine you're organizing your home. You'd probably want to keep your valuables like gadgets or jewelry in a safe, but keep magazines or books on a coffee table. The same thinking applies when it comes to data classification in ShortPoint.


Understanding and classifying the kind of data we have helps us determine the right level of protection for each type. This allows us to apply the appropriate access control and user permissions. No single ShortPoint employee has full control of your data. Every data type can only be accessed by authorized users.


By managing security through careful classification and encryption, we prevent unauthorized sharing and data leaks, ensuring data integrity. Here's how we break it down:


Types of Data


Restricted/Confidential Data


This is classified as the most sensitive information. It's the type of data that could cause serious problems if it fell into the wrong hands. It might include highly sensitive data or business information about ShortPoint. Unauthorized disclosure, alteration, or destruction of confidential data could cause a serious or significant level of risk to ShortPoint or its customers.


We treat this data with the highest level of security. To protect it, we create explicit permissions guidelines, limiting access to only those specific employees who absolutely need it to do their jobs. We think of it like a vault with only a few trusted keyholders, ensuring access control and preventing unauthorized users from gaining access.


Internal Use Data


This category covers information that isn't necessarily secret, but shouldn't be publicly available either. Data is classified as Internal Use when its unauthorized compromise could result in a moderate level of risk to ShortPoint or its customers.


We assign permissions carefully to protect this data from unauthorized access. It is only shared with employees who have a legitimate business reason to see it. Any data that is not assigned as restricted or public is automatically treated as Internal Use data. By applying strict access control and sharing settings, ShortPoint ensures compliance standards and prevents any data breaches.


Public Data


This is information that's already public or wouldn't cause harm if it became public. Data classified under this type results in little or no risk to the company or its customers. While we don't worry as much about keeping it confidential, we still make sure it can't be tampered with or deleted without authorization by implementing strict access control and permissions. Even if these types of content may have no potential risks, we are still committed to maintaining security and following security best practices.


Encryption: Data's Security Blanket


ShortPoint ensures that data is protected using appropriate cryptographic controls consistent with its security policies, classification requirements, and compliance standards. To put it simply, we use super-strong encryption to protect sensitive information. Whether it's stored within our systems or traveling across the internet, we keep data safe and protected.


The encryption process is like a security blanket for information. It blocks access to unauthorized users and ensures that only those with the right permissions have access to decrypt and open data. By implementing these security features, we help prevent unauthorized sharing and maintain the data integrity of content throughout its lifecycle.


When Data Is Stored (Data At Rest)


All production data stored on our systems is encrypted, no exceptions. This includes databases, file systems, and sensitive information. We manage the encryption keys ourselves and keep them under strict security controls, accessible only to specially authorized accounts. This robust encryption practice is a crucial part of securing and maintaining data integrity.


When Data Is Moving (Data In Transit)


Anytime data moves between systems, we use strong end-to-end encryption. This security measure applies to communications with cloud infrastructure, third-party vendors, and applications. This creates a secure tunnel that keeps your information safe from prying eyes and helps in preventing unauthorized sharing and data leaks.


We make sure that both internal and external communications are encrypted and authenticated by strong protocols, ensuring user authentication is robust and compliant with security settings. If we need to send particularly sensitive information through email or messaging, we require end-to-end encryption to be fully enabled first. Otherwise, transmission of restricted or sensitive data over electronic end-user messaging channels is prohibited, in line with our compliance standards and regulatory requirements.


Keeping Data for the Right Amount of Time


We follow a simple philosophy when it comes to data retention policies: keep what we need, for as long as we need it, and no longer. This approach is guided by three principles: fairness, necessity, and security. By implementing clear retention policies within our security framework, we ensure compliance with regulatory requirements. These policies help us limit access to sensitive data over time, reducing risk and supporting data integrity throughout the lifecycle of your information.


How Long Do We Keep Data


We only hold onto data as long as there's a legitimate reason to do so, adhering strictly to our security and data retention policies. This might be because:


  • Legal regulations require it, ensuring compliance with regulatory requirements.
  • Our contract with you specifies it.
  • It's necessary to provide the services you've requested.


For customer data, we follow the retention periods outlined in your product terms and service agreements. Throughout this time, we store your data in secure systems with full audit trails to ensure it stays protected, leveraging security features like access control and continuous monitoring.


What Happens When It's Time to Let Go


When data reaches the end of its retention period, we don't just hit delete and call it a day. We have specific procedures to ensure information is destroyed securely and completely, in line with our data loss prevention policies and compliance standards. These procedures include documented evidence of disposal actions, noting the date and method used, helping us maintain full audit trails and meet regulatory requirements.


  • For digital data, we use secure wiping methods that make recovery impossible, supporting our commitment to securing content and protecting sensitive information.
  • Physical documents are shredded to ensure they can't be reconstructed, following strict access control measures.
  • For physical assets that store content or other critical data, we carefully review retention policies and properly wipe the drives according to best practices in data lifecycle management.


And when employees leave the company, they return all company equipment. If they used personal devices for work, we ensure all business information is transferred to us and securely erased from their equipment. This process is part of our broader strategy to manage security and prevent users from unintentionally exposing sensitive data.


Our Commitment to You


ShortPoint doesn't see data security as a one-time achievement. We see it as an ongoing commitment that requires continuous vigilance and adaptation. By combining thoughtful data classification, robust encryption, and careful data retention policies, we ensure all information is protected throughout its entire journey. These practices align with industry compliance standards and are supported by advanced security features. They have also been independently assessed for design and operating effectiveness based on the AICPA's Trust Services Criteria for security.


If there's one thing we want you to remember, it is that our commitment extends beyond policies on paper. At its core, the whole ShortPoint team stands behind data integrity. Your trust matters to us, and we work hard to earn it through actions, not just words.


Frequently Asked Questions

How does ShortPoint classify data?


ShortPoint classifies data into three categories: Restricted/Confidential Data (highly sensitive information with limited access), Internal Use Data (information accessible within the organization but not public, shared only with authorized users and security groups), and Public Data (information safe for public viewing). This classification helps determine appropriate access control and security settings to ensure proper restriction of access and prevent unauthorized sharing.


How is data encrypted in ShortPoint?


Data is encrypted both at rest and in transit using strong cryptographic controls. Encryption keys are tightly managed and accessible only to authorized accounts. This ensures that sensitive data remains protected whether stored on servers or moving across networks, complying with regulatory requirements and maintaining data integrity. These encryption practices align with data lifecycle management policies and help prevent unauthorized sharing or data leaks involving external users.


What are data retention policies in ShortPoint?


Data retention policies define how long data is kept based on legal, contractual, or operational requirements. At ShortPoint, we strictly adhere to these policies and related compliance frameworks to ensure proper management of your data. ShortPoint retains data only as long as necessary, securely disposing of it afterward using documented procedures that maintain data integrity, support compliance standards, and prevent unauthorized access or data leaks.


How does ShortPoint prevent unauthorized sharing and data leaks?


By implementing strict access control, user permissions, multi-factor authentication, continuous monitoring, and robust encryption, ShortPoint ensures that sensitive data is accessed only by authorized users, minimizing the risk of unauthorized sharing or data leaks. These comprehensive security settings help prevent unauthorized users from gaining access, while also supporting compliance with regulatory requirements.


What happens to data when an employee leaves the company?


When employees depart, all company data on their devices is securely transferred back and erased from personal or company equipment, ensuring sensitive information is not left exposed. This process is part of a comprehensive insider risk management strategy that helps prevent data leaks and unauthorized access.


How often are SharePoint security settings reviewed?


Security settings are reviewed annually and continuously monitored to maintain compliance with industry standards and to ensure the highest level of protection. This ongoing process includes managing access requests to promptly address any security concerns.


How does ShortPoint ensure compliance with regulatory requirements?


ShortPoint follows strict data classification, encryption, retention, and disposal policies aligned with regulatory requirements and industry compliance standards. These practices are independently assessed and continuously monitored through advanced security settings and access control mechanisms.


Can content be accessed by unauthorized users?


No, the data handled by ShortPoint is protected through robust access control and user permissions that restrict access only to authorized users, preventing unauthorized access.

