Security you can verify, not just trust.
We operate Fortune 500 and critical-infrastructure environments where failure isn't an option. This is where we show our work — the certifications, controls, policies, and operational posture behind every BlackHawk managed engagement.
Independently validated. Continuously evidenced.
Our control environment is built to recognized frameworks and verified by third parties. Sensitive reports and letters are released to clients and qualified prospects under a mutual NDA through the document request workflow below.
SOC 2 Type II
ISO/IEC 27001:2022
HIPAA
Penetration Testing
Who owns what — in writing.
Clear ownership eliminates the gaps attackers exploit. This matrix shows a representative allocation across the managed environment; the authoritative allocation for any engagement is the RACI in the applicable Statement of Work.
| Control Domain | BlackHawk | Shared | Client |
|---|---|---|---|
| Physical / Datacenter Security | |||
| Infrastructure Monitoring & Alerting | |||
| Patch & Vulnerability Management | |||
| Threat Detection & 24x7 SOC Response | |||
| Endpoint Protection (EDR) Operations | |||
| Backup, Replication & DR Execution | |||
| Identity & Access Management (managed systems) | |||
| Encryption Key Management | |||
| User Provisioning Approvals | |||
| Incident Notification & Coordinated Response | |||
| Compliance Evidence & Audit Support | |||
| Security Awareness of Client Staff | |||
| Application Code & Origin Infrastructure | |||
| Data Classification & Ownership | |||
| Regulatory Reporting to Authorities | |||
The playbooks behind the SLA.
Summaries of the governing policies that direct how we protect, respond, and recover. Full policy documents are available to active and prospective clients under NDA.
Incident Response Plan
A documented, tested process governs detection, triage, containment, eradication, and recovery for any confirmed security event. Severity drives response, and client notification is contractually time-bound — specific timeframes are defined in the applicable MSA / DPA.
| Severity | Description | Target Response | Client Notification |
|---|---|---|---|
| SEV-1 | Confirmed breach / major business impact | Rapid (high-severity) | Per agreement |
| SEV-2 | High user impact, minor business impact | Prioritized | Per agreement |
| SEV-3 | Minor impact to business and users | Scheduled | Per agreement |
| SEV-4 | No business impact | Routine | Next business day |
- Defined incident commander roles and 24x7x365 US-based SOC escalation paths.
- Containment runbooks per attack class, with chain-of-custody and forensic preservation.
- Post-incident review with root-cause analysis and corrective-action tracking.
Security Operations, Monitoring & Detection
Continuous monitoring and timely detection are central to our assume-breach posture. Security-relevant events are collected centrally, correlated through SIEM analytics, and triaged against documented severity criteria, 24x7x365.
| Metric | Representative Objective |
|---|---|
| Monitoring coverage | 24×7×365 |
| Mean time to detect (MTTD) | < 60 minutes for high-severity |
| Mean time to respond / contain | < 4 hours for high-severity |
| Critical vulnerability remediation | Within 3 days |
| Log retention | 12 months online / 60 months archived |
- Centralized logging of authentication, administrative, endpoint, and network events.
- Detections informed by threat intelligence and mapped to MITRE ATT&CK.
- EDR telemetry and containment at the host level, complemented by network and identity signals.
Business Continuity & Disaster Recovery
Recovery objectives are engineered to each client's tier and validated through scheduled testing — not assumed. The targets below are representative managed commitments; committed RTO/RPO per system are defined in the relevant agreement.
| Objective | Essentials | Advantage | Complete |
|---|---|---|---|
| Backup Frequency | Daily | Every 4 hrs | Near-continuous |
| Recovery Point (RPO) | ≤ 24 hrs | ≤ 4 hrs | ≤ 1 hr |
| Recovery Time (RTO) | ≤ 24 hrs | ≤ 8 hrs | ≤ 4 hrs |
| DR Test Cadence | Annual | Semi-annual | Quarterly |
- Geographically separated replication with immutable, ransomware-resilient backups.
- Documented failover runbooks and periodically exercised recovery procedures.
- Restore validation and reporting through the OneVision platform.
Information Security Policy
Access is governed by least-privilege and need-to-know. Data is handled according to a four-tier classification model that dictates encryption, retention, and access controls.
| Classification | Examples | Handling |
|---|---|---|
| Restricted | Client credentials, ePHI, keys | Encrypted, MFA + vaulted, audited access |
| Confidential | Client configs, contracts | Role-based access, encrypted at rest/in transit |
| Internal | Runbooks, internal docs | Authenticated employee access only |
| Public | Marketing, this page | No restriction |
- Role-based access control (RBAC) with mandatory MFA on all administrative and client systems.
- Encryption in transit (TLS 1.2+) and at rest (AES-256) across managed systems.
- Quarterly access reviews and automated deprovisioning on role change or offboarding.
Organized around the standards your assessors already use.
Our program is structured to the outcomes of NIST CSF 2.0 and ISO/IEC 27001:2022, and cross-walks to the SOC 2 Trust Services Criteria and CIS Controls v8 — so a single control area reconciles against whichever framework you assess against. Framework alignment indicates the program is organized around recognized control objectives; it is distinct from formal certification, which is identified explicitly above.
NIST CSF 2.0
Six functions provide an outcome-based view of cybersecurity risk management.
ISO/IEC 27001:2022
ISMS management clauses 4–10 plus all 93 Annex A controls across four themes.
Cross-walked
Each control domain maps cleanly to the frameworks your team already runs.
Trust is operational, not just documented.
The people, vendors, and systems behind the service are governed with the same rigor as the technology itself.
Personnel Security
Every team member is vetted before touching a client environment, and kept current after.
- Pre-employment background & reference checks
- Signed confidentiality & acceptable-use agreements
- Security awareness training at hire + annually
- Simulated phishing & role-based security upskilling
Vendor & Supply-Chain Risk
Our supply chain is your supply chain. Downstream providers are assessed and monitored.
- Security review before onboarding any subprocessor
- Review of vendor SOC 2 / ISO reports & DPAs
- Tiered risk ratings with periodic reassessment
- Tier III+ datacenter facilities for hosted services
System Status
Real-time visibility into the core platforms that deliver your managed service.
- Continuous uptime monitoring of OneVision & NOC/SOC tooling
- 90-day rolling availability published below
- Proactive maintenance notifications
- Incident history available to clients on request
Availability, in the open.
A representative operational snapshot across the platforms that power BlackHawk managed services. Client-specific environment dashboards are delivered privately through OneVision.
Need our security package for review?
Procurement, security, and compliance teams can request our full document set — SOC 2 status letter, ISO 27001 control mapping, HIPAA attestation, Information Security Program Overview, and pen-test executive summary — in one step, released under NDA.