A-Team Systems prioritizes the security and privacy of our customers. We maintain a formal security program with documented policies, technical controls, and operating procedures designed to safeguard systems we manage and protect the confidentiality and integrity of customer data we may have access to.

Executive Summary

  • NIST CSF 2.0 alignment: Our security program is structured around Identify, Protect, Detect, Respond, and Recover.
  • Independent attestation: Our security posture is evaluated and attested by an independent third party.
  • Access controls: Least privilege access with enforced multi-factor authentication (MFA) for administrative access.
  • Monitoring and logging: Centralized security logging with 12+ months retention and continuous monitoring for suspicious activity.
  • Vulnerability management: Weekly patch deployment under normal conditions; accelerated handling for critical or actively exploited issues; authenticated vulnerability scanning at least monthly.
  • Endpoint security: Managed EDR on all end-user devices with access to internal or customer infrastructure, with continuous 24×7 SOC monitoring and response.
  • Resilience: Immutable off-site backups with quarterly restoration testing; documented business continuity and disaster recovery planning.

NIST CSF 2.0 / Cybersecurity Framework

A-Team Systems aligns its security program with the NIST Cybersecurity Framework (CSF) 2.0. Our policies, technical controls, and operational procedures are structured around the five core functions of the framework:

  • Identify: Risk assessment, governance oversight, asset management, and third-party monitoring.
  • Protect: Access controls, encryption, configuration management, patch management, and endpoint security.
  • Detect: Continuous monitoring, centralized logging and correlation, endpoint telemetry, and vulnerability scanning.
  • Respond: Documented incident response procedures, SOC-backed monitoring, containment, and customer notification processes.
  • Recover: Immutable off-site backups, restoration procedures, and post-incident review and improvement.

This alignment ensures our security program is structured, measurable, and continuously improved rather than ad hoc.

Independent Attestation

Our security posture is evaluated and attested by an independent third party, including oversight of our NIST CSF 2.0 alignment and overall organizational security practices.

Governance and Risk Management

Security Program Governance

We maintain a documented security program governing how we protect systems, data, and client interests. Security governance reviews occur regularly to evaluate risk posture, vulnerability findings, threat intelligence, and improvement initiatives.

Risk Management

We follow a structured risk management process to identify, evaluate, and respond to risks affecting our operations and customer data. Risks and control improvements are reviewed by leadership and tracked to completion.

Third-Party and Supply Chain Risk (In Progress)

We evaluate third-party service providers with access to sensitive systems for security posture and monitor for ongoing risk. As part of continued alignment with NIST CSF 2.0, we are expanding our formalized cyber supply chain risk management process, including documented critical vendor reviews and risk tracking.

Operational Security

Access and Zero Trust

Engineer access to internal and customer infrastructure is tightly controlled and restricted behind multiple security layers, including network segmentation, controlled jump points, and enforced multi-factor authentication (MFA). Administrative access is granted based on least privilege principles and limited to necessary systems.

Encryption In Transit

Strong TLS encryption is enforced for remote administrative access and any transmission of sensitive data over public networks. Clear-text administrative access is not permitted.

Credential Security and Auditing

Customer credentials and sensitive operational secrets are stored in an enterprise-grade password vault with encryption at rest, role-based access controls (RBAC), and full access auditing. Access is restricted by role and reviewed regularly to ensure least privilege.

Configuration and Change Management

We use formal processes and tooling to manage system configurations, reduce vulnerabilities, and ensure consistency. Baseline configurations and approved changes are tracked and reviewed.

Internally developed tools are maintained in version control with documented change approval workflows. Changes are tested in a designated testing environment prior to production use, and change records are retained.

Vulnerability and Patch Management

A-Team Systems maintains its internal infrastructure using the same operational standards applied to customer production environments. Operating systems and supporting software are reviewed for updates on a continual basis, with formal review occurring at least weekly.

Security patches are deployed on a weekly cadence under normal conditions. Critical or actively exploited vulnerabilities are evaluated immediately and, where applicable, their patches are deployed on an accelerated timeline based on severity, exploitability, and operational impact.

Authenticated internal vulnerability scans are conducted at least monthly. Findings are documented, prioritized, remediated, and verified.

Security Monitoring, Logging, and Testing

Continuous Monitoring and Endpoint Security

All end-user devices with access to internal or customer infrastructure are protected by a managed Endpoint Detection and Response (EDR) platform with continuous 24×7 Security Operations Center (SOC) monitoring and response capabilities.

Centralized Logging and Retention

Security-relevant logs are centrally collected and stored remotely in a tamper-resistant manner for forensic and audit purposes. Log retention is maintained for at least 12 months.

Independent Testing

In addition to internal scanning, we engage an independent third party to perform quarterly external network penetration testing of our Internet-facing infrastructure. Findings are formally documented, reviewed by leadership, and tracked through remediation and verification.

Data Protection

Confidential by Default

We treat customer and internal operational data as confidential by default. Access is restricted to authorized personnel based on least privilege and business need, and controls are designed to reduce unnecessary exposure of sensitive information.

Data Protection Mechanisms

We have implemented controls to protect data at rest and in transit, including encryption, access restrictions, and monitoring. These safeguards are designed to preserve confidentiality and integrity.

Backups and Restoration Testing

We perform regular backups of internal infrastructure with immutable, off-site storage. Backup restoration procedures are tested at least quarterly across all servers to validate recoverability.

Sensitive credential stores are backed up in encrypted form, with decryption keys stored separately from backup data to reduce the risk of unauthorized decryption.

Business Continuity and Disaster Recovery

A-Team Systems maintains a documented Business Continuity and Disaster Recovery (BCP/DR) plan covering critical operational systems and dependencies. Systems are classified by criticality with defined recovery objectives, and the plan is reviewed at least annually and after continuity events.

Personnel Security

Employees with elevated access undergo criminal background screening as part of pre-employment checks. Team members are bound by confidentiality obligations and are required to follow internal security, device, and data handling policies.

Workstation and device security requirements include full-disk encryption, enforced authentication controls, and required security tooling on devices used to access internal or customer systems.

Threat Awareness

Technical staff receive ongoing security awareness training and routinely review threat intelligence and industry security updates. Threat trends and security events are reviewed during governance meetings and used to inform continuous improvement.

Incident Response

A-Team Systems maintains a documented Incident Response process aligned with the Respond and Recover functions of the NIST Cybersecurity Framework (CSF) 2.0. Security events are triaged based on severity and potential impact.

Confirmed incidents are documented, contained, eradicated, and followed by a structured post-incident review to identify root cause and corrective actions. Where applicable, customers are notified of confirmed security incidents affecting their infrastructure in accordance with contractual and legal obligations.