AGI is fully committed to taking all appropriate measures to combat malicious activity on or with our software. We believe our employee education process, along with our network and development processes and our partnerships with relevant U.S. Government (USG) agencies and law enforcement, strengthen our software’s security to the highest possible standard.
Protecting our source code
Securing AGI source code against malicious attacks and injection is of the highest priority. Our software development network, which is the only computing network where our source code resides, is compartmentalized. Code development is entirely isolated in our development network environment since it does not have direct access to other networks or the Internet.
In addition to this network isolation, AGI’s pre-release software build and testing process provides another layer of security. Our process includes steps that will detect security vulnerabilities, injections, viruses, spyware and trojans, these steps include:
- Peer code reviews
- Configuration and change control management with SSL-secured communications
- Daily automated regression testing to detect unintentional changes, thus combatting the threat of injection
- Continual static code analysis for all daily builds using Coverity along with FxCop and PREfast for specialized analysis
- Virus scanning of all customer deliverables
Scanned media is never replicated, and unscanned media never enters the development network and requires approval from an empowered development security officer.
AGI network security policy is designed to focus on the most common and damaging threat types. AGI’s overall corporate network topology is designed to reduce the exposure to transport layer vulnerabilities and to be resistant to lateral movement from machine to machine. Our network security policy is designed to focus on the most common and damaging threat types. Modeled on best practices of top networking vendors, the security strategy follows the industry standard of defense in depth.
The number of network egresses is limited to allow for the highest visibility into inbound and outbound Internet traffic. By maintaining a hub and spoke design, remote office locations get the same security advantages as the primary facility. This centralized approach allows focused efforts for data flow capture, monitoring and analysis which speeds anomaly detection and mitigation.
AGI uses leading vendor solutions to provide layer-7 controls and defense in depth. Zoning and isolation are integral parts of the network design to limit lateral movement. Intrusion detection systems (IDS) and deep packet inspection are used at the network egress to detect reconnaissance and defend against attacks.
AGI utilizes a variety of tools for cyber security monitoring, including Security Incident and Event Incident Management (SIEM) tools to log security data and analyze security alerts. AGI maintains an ongoing contract with a leading cyber-security consulting company and security operations center, to help AGI personnel monitor and respond to network attacks.
All AGI employees are subject to background checks upon hire and sign confidentiality and non-disclosure agreements to ensure that our IP and your data is protected. All employees receive tools and training for handling sensitive data, export control policy, and DoD and intel security practices where applicable. Annual online training for “Foreign Corrupt Practices Act”, “Code of Conduct (FAR)”, and “U.S. Export Controls” is required for all employees along “Global-Anti-Corruption” training for applicable employees.
AGI also has a written Network Security Policy (NSP) specific to our isolated development network that standardizes access, usage, monitoring, auditing, reporting and enforcement processes. All employees working in the isolated development security (DevSec) environment must acknowledge, agree to abide and sign the policy with full accountability.
AGI software is subject to the export control laws of the United States, with most offerings falling under control of the Export Administration Regulations (EAR) as administered by the U.S. Commerce Department, and some under the International Traffic in Arms Regulations (ITAR) as administered by the U.S. State Department. As a matter of the highest priority, it is AGI’s policy to comply with the spirit and letter of the United States export regulations, which control the export, re-export, resale or transfer of products, services and related technical data without proper authorization.
Export policy is re-affirmed to all existing employees in annual mandatory export control training and in the annual Chief Executive Officer’s (CEO’s) Directive. The export control training is delivered to all new employees prior to assuming any duties at AGI. AGI also maintains a formal Internal Control Plan (ICP), along with an export control handbook reference guide for all employees, that sets forth the roles, responsibilities and processes which comprise our export control program.
In addition to the list of U.S. denied countries, and as a result of AGI’s industry research and sensitivity to its customer base, the company imposes sales restrictions on more than 70 countries including Russia and China.
All of AGI external prospects and contacts are automatically checked against the U.S. Consolidated Screening List. All customer-facing AGI personnel are trained to be aware of export compliance “red flags” when interacting with all contacts.
All customer data and contact information (CRM data) is stored with at least dual redundancy and physical separation. Critical internal data is encrypted at rest and backed up off-site. Some of our infrastructure or application data resides within data centers designed and operated by third parties such as Amazon Web Services (AWS) or SalesForce. These data centers typically feature state of the art environmental security controls to safeguard against fires, power loss, and adverse weather conditions – it is essential to their service. In addition, physical access to these facilities is highly restricted.
AGI maintains a off-site secondary location at a top tier carrier’s colocation facility. Key systems are run in an active standby mode at this location. The option to restore off-site backups to this location would be leveraged in a Disaster Recovery (DR) scenario.
Our offices are equipped with 24/7 access control, alarms, and exterior and interior video surveillance systems. All entrances to AGI headquarters require badge access that requires two factor authentication after working hours. All entries are logged. All employees are required to wear their badges while in the building, and all visitors are required to sign-in and wear a visitor badge. Foreign nationals and non-US persons must be escorted at all times. Specific areas of the facility such as the IT and server rooms and the ComSpOC operations floor require additional levels of access controlled by AGI security.
In the event of electrical failure, the entire AGI facility is safeguarded against extended downtime by a 1 Megawatt (1000 kW) generator with key systems protected by an 80 kW Universal Power Supply (UPS) to assure zero downtime due to power loss.
Partnering with government
To help counter cyber threats and maintain the best possible security stance, AGI proactively collaborates with government agencies and reports any suspicious behavior by actively collaborating with appropriate agencies and law enforcement – such as the FBI, Department of Homeland Security, U.S. Commerce Department, U.S. State Department, and several intelligence agencies.