HackerRank recognises that the confidentiality, integrity and availability of information and data created, maintained and hosted by us are vital to the success of the business and privacy of our partners.
As a service provider/product, we understand the importance in providing clear information about our security practices, tools, resources and responsibilities within HackerRank so that our customers can feel confident in choosing us as a trusted provider.
This Security Posture highlights high-level details about our steps to identify and mitigate risks, implement best practices, and continuously develop ways to improve.
Founded in 2011
Here are the controls implemented at HackerRank to ensure compliance, as a part of our security program.
Audit Logging
Data Security
We have implemented various controls to ensure the safety and confidentiality of customer data. One of these measures is automatic logout after a period of inactivity, to prevent unauthorized access; the inactivity period can be customized by the account admin. Additionally, we have implemented a custom password policy to ensure that strong and unique passwords are used.
Furthermore, we have a data retention policy that complies with the General Data Protection Regulation (GDPR). This policy ensures that customer data is retained only for as long as necessary and is securely deleted once it is no longer needed. For more detailed information on our data security controls and measures, please refer here.
Team Management
Single Sign On
Service Level Agreement
Role Based Access Controls
Integrations
Access Monitoring
HackerRank uses a combination of best-of-breed tools for performance, exception, and availability monitoring, including AWS CloudTrail, AWS CloudWatch, Honeybadger, OpsGenie, and Uptime. CloudTrail logs and continuously monitors account activity related to actions across our AWS infrastructure, providing event history and delivering logs to our S3 bucket for analysis. CloudWatch monitors all of our AWS cloud resources and applications, giving us system-wide visibility into resource utilization, application performance, and operational health. We use CloudWatch to collect and track metrics, monitor log files, set alarms, and automatically react to changes in our AWS resources.
We also use Honeybadger for exception and uptime monitoring, allowing us to detect and resolve issues quickly. OpsGenie provides alerting and incident management, ensuring that our team is notified of critical events and can respond promptly. Finally, Uptime provides additional performance and availability monitoring for our customers, giving us the ability to track uptime and identify potential issues before they become major problems. Together, these tools enable us to maintain high levels of performance, availability, and security for our customers.
Backups Enabled
We ensure that data is backed up across multiple locations and can be retrieved within our recovery time objective if a failure does occur.
Primary data: term of relationship, logically segregated, 30 days or contract stipulation.
Backup data: 1 year rolling and 30 days or contract stipulation.
Encryption at Rest
HackerRank secures our cloud-based SaaS services and apps with End-to-End Encryption for all customer data.
Encryption at rest: all data in our data store is stored using 256-bit AES encryption. HackerRank uses Amazon RDS as the database service, and RDS supports encryption of data at rest. Amazon RDS encrypted instances use the industry-standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS instance. Once your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently, with minimal impact on performance. The encryption keys are stored in a separate Amazon service, KMS, and only specific users have access to KMS. The encryption keys are not persisted anywhere in the storage layer.
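As an added audit check for the RDS/KMS arrangement described above (example code, not HackerRank's own tooling): it flags RDS instances that are not encrypted at rest with a KMS key, and KMS key-policy statements that let any principal decrypt with the key. The instance list, account id, key id and key policy are constructed placeholders, so the check runs offline.

```python
import json

# Constructed sample: shapes mirror boto3 describe_db_instances / get_key_policy
# responses; no AWS call is made and the ids below are placeholders.
DB_INSTANCES = [
    {"DBInstanceIdentifier": "prod-db", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": False},
]
KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowDBA", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/dba-role"},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
        {"Sid": "TooBroad", "Effect": "Allow", "Principal": "*",
         "Action": "kms:*", "Resource": "*"},
    ],
})
DECRYPT_ACTIONS = {"kms:decrypt", "kms:*"}  # actions that allow reading plaintext


def unencrypted_instances(instances):
    """Identifiers of instances without StorageEncrypted=True and a KMS key."""
    return [i["DBInstanceIdentifier"] for i in instances
            if not i.get("StorageEncrypted") or not i.get("KmsKeyId")]


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def broad_decrypt_statements(policy_json):
    """Sids of Allow statements that let any principal ('*') decrypt with the key."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):          # {"AWS": ...} form
            principal = principal.get("AWS", [])
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if "*" in _as_list(principal) and DECRYPT_ACTIONS & actions:
            findings.append(stmt.get("Sid", "<no sid>"))
    return findings


if __name__ == "__main__":
    print("unencrypted:", unencrypted_instances(DB_INSTANCES))    # ['legacy-db']
    print("broad decrypt:", broad_decrypt_statements(KEY_POLICY))  # ['TooBroad']
```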
Encryption in Transit
Physical Security
Firewall
IDS/IPS
At HackerRank, we take security very seriously, and as part of our defense-in-depth strategy, we have implemented an Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) to detect and respond to potential security threats in real-time.
To achieve this, we leverage a combination of third-party tools and custom-built alerting solutions. Specifically, we use AWS GuardDuty and Google Cloud Security Command Centre as our primary IDS/IPS solutions. These cloud-based services use machine learning algorithms and threat intelligence to monitor network traffic, user behavior, and other activity for signs of potential attacks.
In addition to these third-party tools, we have also developed custom alerting mechanisms that are integrated with our communication platform Slack. These alerting tools are designed to detect anomalous behavior and potential security incidents and immediately notify our security team, who can then investigate and respond accordingly.
Overall, our IDS/IPS solution provides us with a multi-layered approach to security, combining the power of third-party services with our custom-built alerting tools. This helps us to detect and respond to security incidents quickly and efficiently, minimizing the impact of any potential security breaches.
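An added illustration of the severity-based routing that a custom Slack alerting mechanism of this kind needs (example code, not HackerRank's tooling): it turns EventBridge "GuardDuty Finding" events into a Slack webhook payload for findings rated Medium or above and suppresses re-emitted duplicates. The two events are constructed samples with placeholder ids, and nothing is sent to Slack.

```python
# GuardDuty severity bands (per AWS documentation):
# Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0.
SEVERITY_BANDS = [(9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM"), (1.0, "LOW")]
ALERT_THRESHOLD = 4.0   # notify the security channel at Medium and above
_seen_ids = set()       # in-memory dedupe; a real handler would persist this


def severity_label(score):
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "INFO"


def build_slack_alert(event, threshold=ALERT_THRESHOLD):
    """Return a Slack webhook payload for the finding, or None to drop it."""
    if event.get("detail-type") != "GuardDuty Finding":
        return None
    d = event["detail"]
    if d["id"] in _seen_ids:   # GuardDuty re-emits a finding when it updates
        return None
    score = float(d["severity"])
    if score < threshold:
        return None
    _seen_ids.add(d["id"])
    label = severity_label(score)
    text = (f"[{label}] {d['type']} in {d['accountId']}/{d['region']}: "
            f"{d['title']} (finding {d['id']})")
    return {"text": text, "finding_id": d["id"], "label": label}


# Constructed sample events; account id and finding ids are placeholders.
LOW_EVENT = {"detail-type": "GuardDuty Finding", "detail": {
    "id": "finding-low-0001", "severity": 2.0, "accountId": "111122223333",
    "region": "us-east-1", "type": "Recon:EC2/PortProbeUnprotectedPort",
    "title": "Unprotected port on EC2 instance is being probed."}}
HIGH_EVENT = {"detail-type": "GuardDuty Finding", "detail": {
    "id": "finding-high-0002", "severity": 8.0, "accountId": "111122223333",
    "region": "us-east-1", "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
    "title": "API called from a known malicious IP address."}}

if __name__ == "__main__":
    for ev in (LOW_EVENT, HIGH_EVENT, HIGH_EVENT):   # third call is a duplicate
        print(build_slack_alert(ev))
```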
Spoofing Protection
Virtual Private Cloud
As a security measure, HackerRank has implemented an Amazon Web Services (AWS) Virtual Private Cloud (VPC) to host and contain all of its data. The VPC is configured to use AWS Region us-east-1 (N. Virginia) as the primary location and AWS Region us-west-2 (Oregon) as the secondary Disaster Recovery (DR) location.
By using AWS Regions us-east-1 and us-west-2 for our primary and secondary DR locations respectively, we can ensure that our data and resources are protected from potential disasters or outages that may affect a single region. In the event of a regional outage or failure, our secondary DR location can be used to quickly and seamlessly failover our services and maintain business continuity.
Overall, using an AWS VPC and configuring it with multiple regions helps to provide a secure and highly available infrastructure for HackerRank's data and resources. By leveraging AWS's advanced network security features and disaster recovery capabilities, we can ensure that our systems remain protected and available at all times, even in the face of potential disruptions.
Wireless Security
As a remote-first company with most of our employees working from home, HackerRank has implemented robust wireless security measures to protect our confidential information and ensure secure remote access to our internal data.
At our physical office locations, we use strong encryption for our wireless networks to prevent unauthorized access and protect our data from potential security threats. This helps to ensure that only authorized personnel can access our network and sensitive data.
To access our VPC and confidential information on endpoint devices, our employees are required to use our corporate VPN. This provides a secure and encrypted connection to our VPC, ensuring that sensitive data is not exposed to potential security threats on public or unsecured networks.
By storing all of our confidential information and Active Directory (AD) in our VPC, we can ensure that our data is protected by the advanced security measures of the AWS cloud infrastructure. This helps to safeguard our data from unauthorized access and prevent potential data breaches or security incidents.
Overall, HackerRank's wireless security measures and use of corporate VPN for remote access to our VPC help to ensure the highest level of security for our confidential data and resources. By implementing these advanced security measures, we can provide our employees with secure and remote access to our systems while maintaining the integrity and confidentiality of our data.
Bug Bounty
We have implemented a public Responsible Disclosure Policy to receive proactive submissions of security issues from individual white-hat researchers. Find it here.
Code Analysis
Credential Management
Software Development Life Cycle
Vulnerability & Patch Management
Web Application Firewall
Disk Encryption
At HackerRank, we understand the importance of protecting sensitive data from unauthorized access or theft. As part of our endpoint protection strategy, we have implemented full-disk encryption on all employee laptops, using FileVault as our encryption solution.
Full-disk encryption ensures that all data on the laptop's hard drive is encrypted, making it inaccessible to anyone who does not have the encryption key. This means that even if a laptop is lost or stolen, the data on the hard drive remains protected from prying eyes.
FileVault is an encryption solution built into Apple's macOS operating system, which we have chosen for its ease of use and integration with our existing Apple hardware. FileVault uses strong encryption algorithms to secure the data on the hard drive and requires a password or recovery key to access the data.
Mobile Device Management
At HackerRank, we use Mobile Device Management (MDM) to centrally manage all of our corporate devices, ensuring they meet our security and compliance requirements. We have implemented Jamf as our MDM solution, which provides us with a range of controls to manage our devices.
Jamf allows us to enforce controls such as automatic screen lock, strong passwords, and OS updates across all of our devices, helping to ensure that they are secure and up-to-date. This reduces the risk of security breaches resulting from unsecured devices or out-of-date software.
In addition, Jamf enables us to remotely wipe laptops in the event of loss or theft. This ensures that any sensitive data on the device is immediately erased, preventing it from falling into the wrong hands. This feature can also be helpful in the event that an employee leaves the company, as we can remotely wipe their device to ensure that any sensitive data is removed.
Overall, using Jamf as our MDM solution provides us with a centralized way to manage and secure our corporate devices. It enables us to enforce security controls, ensure devices are up-to-date, and remotely wipe devices if necessary, all of which help to minimize the risk of security breaches and protect our sensitive data.
Email Protection
We use GSuite as our email service provider, which provides us with a range of security features to help protect against email-based threats. The secure email gateway within GSuite is designed to filter out spam, phishing emails, and emails containing malware before they reach our employees' inboxes.
In addition to the secure email gateway, we also provide employee training on how to recognize and report suspicious emails. This helps to ensure that our employees are aware of potential threats and are equipped to take action to prevent successful attacks.
Overall, our use of a secure email gateway provides an additional layer of protection to our email communications. It helps to reduce the risk of email-based threats by filtering out suspicious emails before they reach our employees' inboxes, enabling us to focus on legitimate business communication and safeguarding sensitive data.
Employee Training
We recognize that employees play a critical role in maintaining the security of our systems and data. To ensure that all employees have the knowledge and skills necessary to identify and respond to security threats, we provide regular security awareness training.
All new employees are required to complete ISO training during their first month after onboarding. This training covers key concepts and best practices related to information security, including password management, data protection, and incident response. The training is designed to provide employees with a foundational understanding of our security policies and procedures and their roles and responsibilities in maintaining a secure work environment. In addition to the initial training, we require all employees to undergo regular security awareness training via Sprinto. This training is designed to keep employees up-to-date on the latest security threats and best practices and is customized to the specific needs of our organization.
As part of their training and awareness and contractual agreements, all employees are made aware of the information security policy (and associated policies), requirements, their responsibilities, and the implications of not conforming with the ISMS requirements. This helps to ensure that all employees understand their role in maintaining the security of our systems and data and are committed to following established policies and procedures.
Overall, our employee training program is designed to provide employees with the knowledge and skills necessary to identify and respond to security threats, helping to reduce the risk of a security breach and safeguard our sensitive data.
Incident Response
At HackerRank, we recognize that no system is 100% secure and that incidents can happen. To ensure that we are prepared to respond to incidents quickly and effectively, we have a dedicated incident response team and plan in place.
Our incident response team is responsible for managing and responding to any security incidents that may occur. The team is composed of individuals with specialized skills and knowledge in incident response and includes representatives from various departments within our organization.
Our incident response plan outlines the steps that our team will take in the event of an incident. These steps are designed to ensure that incidents are identified and responded to quickly, minimizing any potential damage or disruption to our systems and data.
The following steps are followed when there is any incident:
More information on our incident response plan is available in our Incident Response Policy. By having a dedicated incident response team and plan in place, we can ensure that we are prepared to respond quickly and effectively to any security incidents that may occur, helping to minimize the potential impact on our business and our customers.
Internal Assessments
At our company, we take the security of our infrastructure and applications seriously. To ensure that we are always up to date with the latest security threats and vulnerabilities, our Internal Security team regularly reviews the security of our infrastructure and applications.
During these reviews, our team identifies any vulnerabilities that need to be remediated, and we apply the associated treatment plans or acceptance criteria to mitigate the risks. Ownership of and accountability for all security-related risks ultimately lie with the Head of Information Security and Risk. This includes measurement and management of strategic and operational security risks.
As part of our commitment to security, we make use of a range of third-party suppliers and data sub-processors to deliver services to our customers. However, before onboarding any third-party supplier, we conduct an assessment to determine the level of impact on our organization's information security or continued service. Those suppliers identified as having a significant impact on these elements undergo a formal security review prior to final engagement and integration.
This review process is repeated at least annually thereafter to ensure that our third-party suppliers and data sub-processors continue to meet our high standards for information security. By conducting regular internal assessments and reviewing our third-party suppliers and data sub-processors, we can ensure that our infrastructure and applications are secure and that our customers' data is protected.
Mobile Device Management
As part of our commitment to device management and security, we leverage Jamf Pro to provision, deploy, and manage all of our company computers. Through centralized management, we can ensure that all devices are configured with controls such as automatic screen lock, strong passwords, and regular operating system updates.
To request an application that is not currently available on their device, employees create a support ticket for the IT admin. The admin then has the application's security checked and publishes it in the company-managed app store.
For added security, all HackerRank corporate applications and resources are accessible only through single sign-on (SSO) via Okta. This means that employees can access the resources they need with just one set of credentials, while we can ensure that only authorized personnel can access sensitive company data.
In addition to these measures, we conduct regular assessments of our device management and security protocols to ensure that they remain effective and up to date. By utilizing Jamf Pro for device management and enforcing SSO via Okta for corporate applications and resources, we can maintain a high level of security and protect against unauthorized access or data breaches.
Single Sign On