OurCrowd Information Security
Security Mission Statement
OurCrowd is committed to safeguarding investors, partners, and employees' assets, interests, and personal data. We take a proactive approach to information security, always striving to provide the most reliable and secure environment for our clients and employees to conduct business in a safe, secure, and responsive Information Security environment.
Our security strategy is centered around our digital information assets and their nature, location, and criticality, considering the required Confidentiality, Integrity, and Availability necessary to support the business.
Security Team and Operations
We maintain an involved and engaged cyberculture. The Information Security team, headed by the company CISO, is based on top recruits from Israel's civilian and military security ecosystem and is fully integrated with the business.
OurCrowd augments its security team's capabilities by engaging top cyber services and specialists, including a 24/7 Security Operations Center (SOC). These collaborations involve architectural reviews, audits, technical appraisals, and rigorous testing.
Employees and Security
Before recruitment, candidates are subjected to background checks or similar measures (if permitted or as mandated by local laws and customs). Our evaluation of candidates is based on their qualifications and alignment with our corporate culture.
We cultivate a security-centric culture, with periodic security training and targeted sessions with specific departments and functionaries. We believe in empowering all, regardless of role, to make responsible, secure choices while safeguarding our customers, partners, and corporate assets.
OurCrowd Information Security Fundamentals
We are a native cloud company, and in alignment with the above, we strive to use only cloud-based solutions. We utilize a risk-based approach to security, reflecting the current threat landscape. We align our security vision with OurCrowd's core values of integrity, innovation, stewardship, entrepreneurship, accountability, and connectedness.
We strictly abide by the principles of need-to-know, segregation of duties, and least privileges and adhere to security best practices. We believe in Defense-In-Depth (DID), deploying multiple layers of monitoring and security controls based on the premise that disparate systems are less likely to have the same vulnerabilities while keeping to agile, nimble, and highly responsive architecture and solutions.
We emphasize a shift-left approach; security is part of the process, not an afterthought. We keep to a Secure Software Development Life Cycle (SSDLC) to govern our coding and CICD processes. OurCrowd adheres to well-defined security patching protocols. Single Sign-On (SSO) and Multi-Factor Authentication (MFA) are the mandatory norms, while Zero-Trust architecture adds another layer of security.
We maintain a redundant, robust cloud infrastructure with well-formulated backup and Disaster Recovery processes. We regularly exercise our Disaster Recovery plans, which are highly automated and ready to spring into action.
We meticulously monitor our infrastructure, systems, and applications by collecting signals and sending them to a central repository (SIEM) monitored 24/7 by our Security Operations Center (SOC). Anomalies raise alerts and cause the execution of a response playbook to ensure quick prevention, mitigation, and remediation.
OurCrowd maintains and exercises its Incident Response Management Plan (IRP). Events of a magnitude that could significantly disrupt our service and business will trigger the activation of this plan. OurCrowd IRP is designed to assess the situation, recruit resources, initiate a quick response, and then contain, eradicate, and recover, followed by post-incident activities. OurCrowd IRP is part of the company BCP (Business Continuity Policy).
Responsible Disclosure Reward Policy
OurCrowd's Responsible Disclosure Policy governs the submission and reward for ethically reporting vulnerabilities, i.e., bug-bounty rewards. Before submitting any bugs, please contact bugbounty@ourcrowd.com to receive the policy. Only after you accept the conditions of the policy and present the submissions as the policy dictates, will they be considered for a reward.
How to Contact Us
Members of the OurCrowd investor community who have any security questions or concerns may contact their investment representative or visit our Contact Us page.