
Technical and Organizational Measures

The Cain Travel Group of Boulder, Inc. (“Cain Travel”) takes its security seriously.  This document describes the Technical and Organizational Measures that Cain Travel implements and maintains to ensure it processes and protects personal data in a responsible way, considering the types of data that Cain Travel processes, industry standards, the interests and rights of our customers, and the reasonable cost of implementation.

At a minimum, Cain Travel has implemented the technical and organizational measures as follows:

Confidentiality of Processing Systems

  • Identity and Access Management
    • Predefined security groups are utilized to assign role-based access privileges and segregate access to data in our production systems.
    • Administrator access to our production systems is granted on a limited basis to job-based roles and responsibilities and is limited to authorized personnel.
  • Audit Assurance: Compliance, Governance and Risk Management
    • Cain Travel performs annual security risk assessments of production applications and Results from these assessments are documented and treated based on risk level.
    • Cain Travel performs security reviews annually of third-party vendors whose services will store, process or transmit data on behalf of Cain Travel.
    • Cain Travel performs continuous risk-based control monitoring throughout the Testing results are documented and reviewed by management, including remediation plans for identified risks.
    • Control documents (Information Security Policies) are reviewed and approved by management and communicated to all relevant employees at the time of hire and annually.
  • Human Resources
    • Cain Travel employees complete security awareness training upon hire, and annually thereafter.  The training includes relevant Cain Travel security policies, instructions for reporting security-based events, phishing/malware training and general industry best practices.
    • All Cain Travel employees are required to pass a background check as a condition of their employment.

Integrity of Processing Systems

  • Application & Infrastructure Security
    • Information management and configuration management tools are used for security hardening and to ensure baseline configuration standards have been established for servers and for our cloud infrastructure.
    • Network traffic to and from untrusted networks passes through a policy enforcement point; firewall rules are configured to prevent unauthorized access.
    • An issue tracking system is in place to centrally maintain, manage, and monitor application and infrastructure changes from development to implementation.
  • Threat and Vulnerability Management
    • Cain Travel conducts vulnerability scans against our production environment on a quarterly basis to identify threats and assess their potential impact to the system. Results are evaluated and remediated. Reports are available if requested.
    • Monitoring tools are used to continuously monitor security events, latency, network performance and virtual server performance.
    • Incident response procedures are in place (Information Security Policies) that outline the response procedures to security events and include lessons learned to evaluate the effectiveness of the procedures.

Availability of Systems

  • A business continuity plan is in place to guide personnel in procedures to protect against disruptions caused by an unexpected event. What-if scenarios are completed on an annual basis.

Additional Considerations

  • Cain Travel provides processes to allow customers to delete their own personal information when it is no longer needed for travel services use.
  • Microsoft (Azure E5) is responsible for implementing controls to manage physical and logical access to the servers and supporting cloud infrastructure in place at Cain Travel.