Security

Our Highest Priority

Your application and data security are our highest priorities.

Security First

We tackle each project from a security-first perspective to ensure that our team is up to speed on industry best practices.

Accountable

Multiple developers vet code for a project before it enters the production pipeline. All code is reviewed by peers using a “pull request” so that it has multiple checks before merges.

Confidentiality

Developers do not save or transfer passwords or sensitive key strings in plaintext. Our team leverages a secure password application for all password management.

Integrity

Each Mediacurrent team member is given access only to the systems they need to perform their specific role on a project.

Resilient

Backups provide data resiliency. Our team recommends hosting partners that have sound, well-documented archiving and disaster recovery processes in place.

Available

Mediacurrent configures project-specific chatops channels to respond to development events so that unexpected activity does not go unnoticed.

Expert

Medicurrent has an internal team leading security-related efforts with experience in site-hardening, developing security policies and responding to breaches.

Our Security Tools

The Mediacurrent team leverages the following tools on all developer pull requests:

An open-source OWASP tool for proactive penetration scans of the application
Drush pm: security which uses Composer to check for Drupal security updates
Grumphp security checker for static analysis
The Security Review module which looks for common configuration problems that make a Drupal site insecure.

Our Security Contribution

Our developers also manage the Drupal.org Guardr security distribution, which is integrated on every new project. Guardr offers several security enhancements and configuration for Drupal applications.

Visit Guardr

Security Methods

Mediacurrent highly recommends CDNs like Cloudflare that can offer additional security against DDOS and other malicious attacks. See Cloudflare Security Services for more information.

Securing Development

Development environments are secured through the following methods:

HTTP authentication: Development sites are password protected at the root level in their server configuration.
IP Whitelisting: IP Whitelisting used when required to ensure only allowed IPs can access staging/development sites.

IT Security

Our IT team deploys a variety of tools to secure our team’s machines including the following:

JAMF for policy enforcement, remote data wipe, and machine lock
Trend Micro enterprise security
Third-party password management for secure password sharing
Google Security Apps for spam and phishing attacks

Web Hosting

Mediacurrent partners with hosting companies that have established themselves as leaders in hosting security. These companies offer a variety of security measures including firewalls, threat monitoring, 24/7 coverage and high availability SLA’s:

Pantheon - https://pantheon.io/security
Acquia - https://docs.acquia.com/acquia-cloud/arch/security

HIPAA Compliance

Mediacurrent follows industry best practices to comply with the Administrative Safeguards of HIPAA Privacy, to secure and maintain the confidentiality of Protected Health Information, maintain sensitive organizational information at Mediacurrent and prevent and detect inappropriate and illegal uses and disclosures. This is done via training provided to employees involved with projects that may have potential exposure to PHI.

Workstation Security

Mediacurrent also has specific policies we enforce via our System Management software JAMF to ensure the requirements of the HIPAA Security Rule “Workstation Security” Standard 164.310(c) are met.

Mediacurrent - HIPAA IT Security Workstation Policy
Mediacurrent - HIPAA Privacy Policy
Mediacurrent - PHI Risk Management Plan
Mediacurrent - Security Incident Response Form
Mediacurrent - HIPAA Audit Compliance Plan

Incident Response

Mediacurrent follows industry best practices by adhering to a formal incident response process. Our team emphasizes open and transparent communication between Mediacurrent personnel, clients, and related hosting partners.

The key components of this process are outlined below. Further detail can be supplied to clients or prospects upon request:

Preparation
Detection and Identification
Containment
Eradication
Recovery
Lessons Learned

Drupal.org Security Advisories

Each week Drupal's security team will post advisories of vulnerabilities identified in core and contributed modules by the community. Mediacurrent's internal security team tracks these advisories, assesses their impact in the context of each Drupal application, and notifies affected clients. If required, a mitigation plan such as a config change or hotfix release is put into place.