BSG Security Practices

Version 1.0 – Effective January 10, 2026

Security First

As a cybersecurity consulting firm, we hold ourselves to the highest security standards. This page transparently discloses the security practices we follow internally to protect our systems, our data, and most importantly—your data.

We practice what we preach. Every security control we recommend to clients, we implement ourselves.

1. Encryption

All BSG shared resources involved in client engagements and internal operations are protected by strong, proven end-to-end encryption.

Full Disk Encryption

Every BSG laptop and workstation has Full Disk Encryption (FDE) enabled. All data at rest is encrypted using industry-standard AES-256 encryption. In the event of device theft or loss, your data remains protected.

Encrypted File Sharing

We use Keybase for all client file sharing and internal document collaboration. Keybase provides end-to-end encryption for all files—meaning only authorized team members with the correct cryptographic keys can decrypt and read shared documents.

Unlike cloud storage services that hold the encryption keys themselves, Keybase uses a zero-knowledge architecture: the service never has the keys needed to decrypt user data.

Secure Communication

Keybase is our team messenger (not Slack, Teams, or another server-based tool). All team communications are end-to-end encrypted by default.

For client communication, we prefer and recommend Signal group chats, which provide end-to-end encrypted messaging and voice calls. While we can communicate in your chosen applications, we always recommend the most secure option available.

Data in Transit

All data transmitted over the network is encrypted using TLS 1.2 or higher. This includes HTTPS for all web services, SSH for server access, and encrypted VPN connections for remote work.

2. Multi-Factor Authentication

BSG network resources and applications are protected by multi-factor authentication (MFA) at every access point. Single-factor authentication (passwords alone) is never sufficient.

SSH Public Key Authentication

Access to all BSG servers and virtual machines requires an authorized SSH public key. Password-based SSH authentication is disabled across all infrastructure. This prevents brute-force attacks and credential stuffing.
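One way to verify the key-only SSH policy above on a host is to check the effective configuration that `sshd -T` prints. The checker below is an added example, not BSG's own tooling; the sample output is constructed. It also catches a common gap the policy wording alone does not: keyboard-interactive authentication must be off as well, or PAM can still prompt for a password.

```python
"""Audit `sshd -T` output for the key-only SSH policy. Added example, not BSG tooling."""

# Required effective values; `sshd -T` prints keywords in lower case.
# Keyboard-interactive auth (challengeresponseauthentication on older
# OpenSSH) must be off too: with PAM enabled it can still prompt for a
# password even when passwordauthentication is "no".
REQUIRED = {
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
}
KBD_KEYS = ("kbdinteractiveauthentication", "challengeresponseauthentication")


def parse_sshd_t(output: str) -> dict:
    """Parse `sshd -T` lines into {keyword: value}; first value wins on repeats."""
    config = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        config.setdefault(key.lower(), value.strip().lower())
    return config


def audit_sshd(output: str) -> list:
    """Return human-readable findings; an empty list means compliant."""
    cfg = parse_sshd_t(output)
    findings = []
    for key, expected in REQUIRED.items():
        actual = cfg.get(key)
        if actual != expected:
            findings.append(f"{key} is {actual!r}, expected {expected!r}")
    kbd = [cfg[k] for k in KBD_KEYS if k in cfg]
    if not kbd:
        findings.append("keyboard-interactive setting missing; cannot prove it is off")
    elif any(v != "no" for v in kbd):
        findings.append("keyboard-interactive authentication is enabled")
    return findings


# Constructed sample: passwords disabled, but PAM's keyboard-interactive
# path left open.
SAMPLE = """\
port 22
passwordauthentication no
pubkeyauthentication yes
permitemptypasswords no
kbdinteractiveauthentication yes
"""
```

Run it against real output with `audit_sshd(subprocess.check_output(["sshd", "-T"], text=True))` on each host.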

TOTP-Based MFA

All BSG tools and services, including self-developed applications, require a software (virtual) token such as Google Authenticator or Authy. Time-based one-time passwords (TOTP) provide strong second-factor authentication resistant to phishing.

Hardware Security Keys

Critical applications—including email, encrypted file shares, and project management tools—require an approved YubiKey hardware token for authentication. YubiKeys provide phishing-resistant authentication based on the FIDO2/WebAuthn standard.

Hardware tokens are mandatory for all senior engineers and anyone with administrative access to client systems.

3. Password Practices

Using password managers and randomly generated passwords of 20 characters or longer is our corporate standard.

Password Managers

Every BSG team member is required to use a password manager (such as 1Password, Bitwarden, or KeePassXC). Password managers enable:

  • unique, randomly generated passwords for every service
  • secure storage of credentials with master password and 2FA
  • secure password sharing for shared accounts
  • automatic password rotation policies

Password Requirements

BSG enforces the following password policies:

  • Minimum 20 characters for all business-critical systems
  • randomly generated (no dictionary words, names, or patterns)
  • unique per service (no password reuse)
  • stored only in approved password managers

Password Rotation

Passwords are rotated on a risk-based schedule:

  • critical systems: every 90 days
  • service accounts: immediately after team member departure
  • shared credentials: immediately if compromise is suspected

4. Software Security

We keep our systems up to date and regularly scan them for known vulnerabilities.

Patch Management

All workstations, servers, and network devices receive security updates within 48 hours of release for critical vulnerabilities (CVSS 9.0+).

Operating systems, applications, and dependencies are automatically monitored for available updates. Critical patches are applied immediately; routine updates follow a weekly maintenance schedule.

Vulnerability Scanning

We perform regular vulnerability scans of our infrastructure using industry-standard tools. Any identified vulnerabilities are triaged and remediated based on severity:

  • Critical (CVSS 9.0-10.0): 24 hours
  • High (CVSS 7.0-8.9): 7 days
  • Medium (CVSS 4.0-6.9): 30 days
  • Low (CVSS 0.1-3.9): Risk accepted or 90 days

Code Security

For software we develop ourselves (internal tools, client deliverables, open-source projects), we regularly run:

  • static application security testing (SAST) for code vulnerabilities
  • dependency scanning for known vulnerabilities in third-party libraries
  • manual security code reviews by senior engineers
  • dynamic testing in staging environments before production deployment

Cloud Infrastructure Security

We deploy our infrastructure on Amazon Web Services (AWS) following AWS security best practices and the Well-Architected Framework.

We regularly run ScoutSuite (a multi-cloud security auditing tool) to identify misconfigurations, overly permissive IAM policies, and compliance violations. ScoutSuite findings are remediated within the SLA timelines above.

5. Access Control

We follow the principle of least privilege for all system access. Users and service accounts receive only the minimum permissions necessary to perform their role.

Role-Based Access Control

Access to client data, internal systems, and administrative functions is controlled through role-based access control (RBAC):

  • Consultants: Access to assigned client projects only
  • Project Leads: Access to project data and team coordination tools
  • Administrators: Full system access with audit logging

Periodic Access Reviews

Access permissions are reviewed quarterly to ensure they remain appropriate. Access is immediately revoked upon:

  • project completion (for project-specific access)
  • role change (for elevated privileges)
  • termination or resignation

Audit Logging

All administrative actions, privileged access, and sensitive operations are logged with:

  • timestamp and user identity
  • action performed and affected resources
  • source IP address and geolocation

Audit logs are retained for 12 months and reviewed monthly for anomalies.
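A monthly anomaly review over logs with exactly these fields can be automated. The script below is an added example, not BSG's tooling: it assumes JSON-lines entries with the field names `ts`, `user`, `action`, `resource`, `src_ip` and `geo`, and flags a privileged action performed from a source the user has never used before. The log lines are constructed.

```python
"""Flag privileged audit-log actions from a never-seen source. Added example."""
import json
from collections import defaultdict

# Assumed action names for privileged operations.
PRIVILEGED = {"iam.policy.update", "ssh.sudo", "workspace.export"}

# Constructed sample log (JSON lines, one event per line).
SAMPLE_LOG = """\
{"ts":"2026-01-03T09:12:01Z","user":"alice","action":"ssh.sudo","resource":"vm-12","src_ip":"203.0.113.10","geo":"UA"}
{"ts":"2026-01-05T10:40:22Z","user":"alice","action":"workspace.read","resource":"eng-42","src_ip":"203.0.113.10","geo":"UA"}
{"ts":"2026-01-07T14:03:55Z","user":"bob","action":"iam.policy.update","resource":"role/admin","src_ip":"198.51.100.7","geo":"PL"}
{"ts":"2026-01-21T02:17:09Z","user":"alice","action":"workspace.export","resource":"eng-42","src_ip":"192.0.2.44","geo":"BR"}
{"ts":"2026-01-22T11:30:00Z","user":"bob","action":"ssh.sudo","resource":"vm-12","src_ip":"198.51.100.7","geo":"PL"}
"""


def parse_log(text: str) -> list:
    """Parse JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_anomalies(events: list) -> list:
    """Walk events in time order. A privileged action is anomalous when its
    (src_ip, geo) pair was never seen for that user in earlier events; a
    user's very first event only seeds the baseline and is not flagged."""
    seen = defaultdict(set)
    anomalies = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        origin = (ev["src_ip"], ev["geo"])
        known = seen[ev["user"]]
        if ev["action"] in PRIVILEGED and known and origin not in known:
            anomalies.append(ev)
        known.add(origin)
    return anomalies


if __name__ == "__main__":
    for ev in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{ev['ts']} {ev['user']} {ev['action']} from {ev['src_ip']} ({ev['geo']})")
```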

6. Client Data Protection

During security assessments and consulting engagements, we handle client data with the highest level of care and confidentiality.

Data Handling Principles

When conducting security assessments, we follow strict data handling protocols:

  • Minimal data collection: We collect only the minimum data necessary to validate security findings
  • No sensitive data extraction: We do not exfiltrate production databases, customer PII, or financial records
  • Evidence sanitization: Screenshots and proof-of-concept artifacts are sanitized to remove sensitive information
  • Secure transmission: All client data is transmitted via encrypted channels (SFTP, SCP, encrypted email)

Data Retention

Client engagement data is retained according to the following schedule:

  • Assessment artifacts (logs, screenshots): 90 days post-engagement
  • Final reports: 3 years (contractual requirement for re-test support)
  • Communication records: Duration of engagement + 1 year

All client data is securely deleted upon expiration using secure wipe methods that prevent data recovery.

Data Isolation

Client data is logically isolated from other clients and from BSG internal systems. Each engagement is assigned a dedicated encrypted workspace with access restricted to:

  • assigned project team members
  • project lead and quality reviewer
  • BSG management (with audit logging)

7. Incident Response

We maintain a documented security incident response plan to ensure rapid and effective response to security events.

Incident Classification

Security incidents are classified by severity:

  • Critical: Active compromise, data breach, or service outage
  • High: Confirmed vulnerability exploitation or unauthorized access attempt
  • Medium: Suspicious activity or policy violation
  • Low: Informational security event

Response Timeline

Incidents are responded to within the following timelines:

  • Critical incidents: Immediate response (within 1 hour)
  • High incidents: 4 hours
  • Medium incidents: 24 hours
  • Low incidents: 72 hours

Client Notification

In the event of a security incident affecting client data, we will notify affected clients within 72 hours of discovery, in accordance with GDPR Article 33 and other applicable data breach notification laws.

8. Vulnerability Disclosure

We believe in transparency and responsible disclosure. If you discover a security vulnerability in any BSG system or service, we want to hear from you.

How to Report

Our vulnerability disclosure policy is published at:
https://bsg.tech/.well-known/security.txt

You can report security issues to security@bsg.tech.

Coordinated Disclosure

We follow a 90-day coordinated disclosure timeline:

  • Day 0: Vulnerability reported and acknowledged
  • Day 1-30: Investigation, validation, and patch development
  • Day 30-60: Patch deployment and testing
  • Day 60-90: Public disclosure preparation
  • Day 90: Public disclosure (or earlier if mutually agreed)

Safe Harbor

We will not pursue legal action against security researchers who:

  • report vulnerabilities responsibly to security@bsg.tech
  • do not access, modify, or delete client data
  • do not disrupt BSG services or systems
  • follow coordinated disclosure timelines

9. Compliance and Certifications

BSG's security practices align with industry-standard frameworks and regulatory requirements:

Security Frameworks

  • NIST Cybersecurity Framework: Core security controls and risk management
  • ISO/IEC 27001: Information security management system (ISMS) controls
  • OWASP ASVS: Application security verification standard
  • CIS Controls: Center for Internet Security benchmarks

Regulatory Compliance

  • GDPR: EU General Data Protection Regulation (data processing agreements available)
  • CCPA/CPRA: California Consumer Privacy Act compliance
  • NIS2 Directive: Network and Information Security directive (EU)

Team Certifications

BSG team members hold industry-leading security certifications:

  • Offensive Security Certified Professional (OSCP)
  • (ISC)² Certified Information Systems Security Professional (CISSP)
  • ISACA Certified Information Systems Auditor (CISA)
  • eLearnSecurity certifications (eWPTX, eMAPT, eCPPT, eJPT)
  • EC-Council Certified Ethical Hacker (CEH)

10. Continuous Improvement

Security is not a one-time effort—it's a continuous process. We regularly review and update our security practices to address emerging threats and evolving best practices.

Threat Intelligence

Our team actively monitors security advisories, vulnerability disclosures, and threat intelligence feeds to stay ahead of emerging threats. We participate in:

  • Bug bounty programs (continuous skill development)
  • OWASP community (industry contribution and learning)
  • Security conferences (NoNameCon organizers, speaker participation)

Internal Security Reviews

We conduct internal security assessments quarterly, including:

  • infrastructure penetration testing
  • application security assessment of internal tools
  • social engineering simulations (phishing tests)
  • security policy review and updates

Security Training

All BSG team members complete annual security awareness training covering:

  • phishing and social engineering awareness
  • password and credential security
  • data handling and classification
  • incident reporting procedures

11. Updates to This Document

This security practices document is reviewed and updated annually or when significant changes are made to our security controls.

Updates will be posted on this page with a new version number and effective date. We encourage clients and partners to review this page periodically.

12. Contact Us

Security inquiries:
Email: security@bsg.tech
Vulnerability disclosure: security.txt

Privacy inquiries:
Email: privacy@bsg.tech
Privacy Policy: bsg.tech/privacy-policy-bsg

General contact:
Email: hello@bsg.tech
Website: bsg.tech