Citadelo follows strong ethical principles to maintain the trust of our clients. Trust and integrity are our most valuable assets and form the core of our operation. To remain consistent, we follow strict rules and principles developed over the years.
We repeatedly claim to have a zero-tolerance policy for any breach of our basic principles. Ethical hacking is constantly evolving and that places high demands on continuous adherence to our principles and regular reviews to ensure that we continue to do the best we can to maximize the legitimacy of our service and company.
It is no big secret that the human element is one of the most significant risks in cybersecurity. The human part is always a key factor, and it is critical to have protocols in place to safeguard our values.
We introduced the following five approaches to protect our internal values:
1. Background checks
As a part of our HR onboarding screening process, we perform comprehensive background checks on new on-boarded employees, partners, and external suppliers. This process is typically done by a dedicated external partner, who can ensure an independent review.
2. Internal ethics awareness program
We perform internal training sessions and workshops on ethics within our team. We communicate internally and openly if we believe someone is crossing the line. We also evaluate projects regularly. Even if those may appear to be minor factors, internal awareness programs are here to maintain the difference between white hat and black hat.
3. Legal framework
We sign a non-disclosure agreement (NDA) with all our partners, suppliers, and employees to ensure all data remains confidential. On top of this, we review contracts on a regular basis, to ensure that standards are being applied consistently. We are also implementing ISMS based on ISO 27002.
4. Log activity
When we perform a penetration test, we keep a record of our activities. This is mainly for historical reasons and to provide proof of records from a technical point of view. For safety reasons, we archive those records for a limited time only and protect them using encryption.
5. Responsible disclosure program
Our responsible disclosure approach obliges us to be transparent to the customer and notify the third party when a vulnerability is found in their system, even if we have no contract with them. The program also consists of guides describing steps on how to proceed in such situations. Our company does not engage in any activity that can potentially or actually cause harm to others.
While internal freedom to perform duties is a key value of our company, we safeguard our ethical principles very strongly and have zero tolerance when it comes to breaching our ethos. If we discover a partner, supplier, or employee not meeting our standards, we immediately start an internal evaluation of the situation. In case our standards are not met, we discontinue the relationship immediately. Beyond this, we would also consider filing a lawsuit, depending on the severity level, of course.
The fact that we have never had to file a lawsuit against an employee or third-party supplier is a testament to our values of trust and integrity. It also shows that our vetting process and internal security protocols work. However, we did discontinue partnerships in the past for different reasons.
For example, an event that we discovered last year made us discontinue a relationship with an external third-party supplier. In this case, the third-party supplier performed an unauthorized penetration in 2018/2019, in their own free time, using their personal hardware, and outside of our scope of work. Even if it was not connected to one of our projects or clients, we consider this action unacceptable and a reason for terminating a relationship.
We can’t afford to let our guard down in the current threat landscape. Whenever mistakes occur, what matters is how we respond to them. As such, the field of cybersecurity demands strict adherence to best practices, continuous and transparent communication (of principles), and much more.
Our principles and best practices remain robust and fluid as we evolve with the threat level. This approach helps us better ensure security and compliance in a rapidly changing environment and at scale. As such, we continue to take a proactive approach to cybersecurity and revisit our protocols regularly to keep both our clients and us secure and compliant consistently.
