Security & Compliance

The ability to deploy application changes to production environments is restricted to authorized personnel.

The company designs and implements controls to mitigate risks identified during the risk assessment process.

The company's Privacy Policy is available online to visitors and customers, and outlines the receipt, sharing, use, and disposal of visitor and subscriber data.

The company communicates system changes to its users and customers through an established channel and procedure.

The company's software development process includes frequent team meetings which facilitate the communication and evaluation of objectives between team members. These touch points include Scrum meetings, sprint planning, and sprint retrospective meetings.

Employees have access to an internal support channel that can be used to report incidents, concerns, and complaints.

The company's Master Services Agreement with its customers communicates the responsibilities of both parties relative to internal controls impacting Security, Availability, Processing Integrity and Confidentiality.

The company maintains a customer-accessible technical documentation site containing high-level overviews and detailed information about the company's products and services, including security-oriented articles and guides.

The company has cyber insurance to mitigate the risk of financial impact from security incidents.

Control activities over the technology infrastructure and technology access control are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.

External users are provided with a support channel for reporting systems failures, incidents, concerns, and other complaints to appropriate personnel.

The company develops and maintains formal policies that govern information security within the company. The policies are formally reviewed and approved at least once a year, and are communicated to all employees.

A disaster recovery test with predefined RTO goals is performed annually, assuming a full outage of our primary cloud region.

The company maintains a Business Continuity Policy and Plan which outlines the requirements and a process to recover from prolonged disruptions of business operations.

The company assesses the potential for fraud from internal or external stakeholders as part of its Risk Assessment process.

Control owners take corrective actions when issues and nonconformities with their controls are identified.

The company's Terms of Use are available online to visitors and customers, and outline the requirements and commitments of both parties relative to security and confidentiality.

The company has a Status Page that provides information about the company's status, including outages, incidents, and other relevant information.

The company has a Trust Center that provides information about the company's security practices, policies, and procedures.

Customer data is automatically backed up according to a backup configuration scheduled described in the Backup Policy.

The company maintains a Cumulative Risk Register storing control deficiencies identified as part of ongoing system reviews, and reviews the register as part of the company's regular Risk Assessment process.

Backups are encrypted, stored in geographically independent regions, and have equivalent access control to the original system.

The company maintains a risk management program to identify, prioritize, and mitigate risk to acceptable levels.

Incidents are recorded and tracked, and all applicable evidence and documentation is reviewed in post-mortem meetings.

The Security Incident Management Program outlines the requirements and process for declaring and responding to security incidents, including the roles and responsibilities, and the internal and external communication necessary to take the issue to resolution.

The company holds an official legal document confirming its registration in the relevant jurisdiction.

The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.

Information security shall be integrated into project management.

The company maintains a host hardening policy for VMs and containers that describes the baseline security standard for hosts. The policy is expressed as code and playbooks, and all new hosts are built using it.

Third-party vendors are used to perform penetration tests against the production system on an annual basis. Identified Critical and High issues are promptly resolved and the rest are prioritized as appropriate.

Firewalls are configured to restrict network traffic to the minimum required for the system to function.

OS patches and docker image updates are applied at least weekly.

Vulnerability scanning tools are utilized to proactively identify CVEs across OS and applications, and issues found are resolved promptly based on severity.

Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization’s information security requirements.

The company leadership conducts formal reviews of the company's internal performance results with the Board of Directors.

Termination checklists are executed upon separation with an employee or contractor to ensure asset return, and prompt and complete access revocation.

The company has documented disciplinary policies that define the consequences for employees who violate the Acceptable Use Policy, Code of Conduct, and Information Security policies and procedures.

The company has established a formal review process that includes semi-annual employee self-reviews and immediate manager reviews. Reviews include performance assessments, goal setting, and an evaluation of resources required for the next review period.

The company has an appropriate organizational structure based on functional departments, with an executive leader heading each department.

The company has a Human Resources Policy that outlines the requirements and responsibilities of the Human Resources department.

A Board of Directors exercises independent oversight of the company's strategic direction, operational performance, and internal control.

Organizational values and behavioral standards are communicated to all personnel through an Employee Handbook, which outlines the company's policy regarding Standards of Conduct and Code of Business Ethics.

Company employees are required to sign and attest their adherence to applicable company policies and procedures.

Management and the Board of Directors consider requirements relevant to security, availability, processing integrity, and confidentiality. These considerations are documented in the company's Information Security Policy, which specifically delegates the overall responsibility of security to the Security Officer.

Security awareness training is provided to new employees, and to all employees on a recurring annual basis, to promote strong security practices for the whole company.

All employees and contractors must sign a confidentiality agreement with the company prior to gaining access to any sensitive information.

Roles and responsibilities of company employees are communicated through documented job descriptions.

Background checks are performed on newly hired employees where permitted by law.

The organization shall: a) determine the necessary competence of person(s) doing work under its control that affects its information security performance; b) ensure that these persons are competent on the basis of appropriate education, training, or experience; c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and d) retain appropriate documented information as evidence of competence.

Persons doing work under the organization’s control shall be aware of: a) the information security policy; b) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and c) the implications of not conforming with the information security management system requirements.

Information security roles and responsibilities shall be defined and allocated according to the organization needs.

Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

The employment contractual agreements shall state the personnel’s and the organization’s responsibilities for information security.

A disciplinary process shall be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation

Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties.

Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.

The company monitors the IT infrastructure devices for compliance with the Asset Management Policy and checks for requirements such as hard drive encryption, user authentication requirements, and security patching.

The company maintains an inventory of all information systems, services, and assets, and classifies them based on the data they store. Inventory is reviewed as part of an annual Risk Assessment.

The company maintains an inventory of IT infrastructure devices.

The company has an architecture diagram that shows the physical and logical network topology, including all systems, connections, and security controls.

The Acceptable Use Policy outlines the acceptable use of computer equipment and systems at the company.

The company maintains a System Description document that outlines the system's purpose, scope, and the data it processes.

The organization shall determine the boundaries and applicability of the information security management system to establish its scope. When determining this scope, the organization shall consider: a) the external and internal issues referred to in 4.1; b) the requirements referred to in 4.2; c) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations. The scope shall be available as documented information.

Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements.

Equipment shall be maintained correctly to ensure availability, integrity and confidentiality of information.

The company uses a version control system to manage source code and documentation, and to implement and run change management functions. The version control software is only accessible by authorized personnel.

A static code analysis tool is configured to scan the source code for vulnerabilities.

The company maintains documented guidance on the selection and configuration of appropriate cryptographic methods.

The company leverages SSO authentication for sensitive systems, wherever available.

All users with privileged access to sensitive systems are required to use a password management solution.

Access to sensitive systems and resources is granted based on the principle of least privilege.

Password configuration settings are managed in compliance with the company's Password Policy.

A quarterly review of users with access to Customer Confidential systems is performed to ensure that access is restricted to appropriate personnel.

Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.

The full life cycle of identities shall be managed.

The allocation and use of privileged access rights shall be restricted and managed.

Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.

Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.

The use of utility programs that can be capable of overriding system and application controls shall be restricted and tightly controlled.

The company maintains an inventory of its vendors and classification of the data they store or process.

Vendors are evaluated on a periodic basis, by reviewing their audit reports or other means, in order to track and determine the impact of any changes in their security posture.

As part of the risk management process, vendors storing data classified as Customer Sensitive undergo due diligence and risk assessment.

Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.

The organization shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.

The organization shall direct, monitor and review the activities related to outsourced system development.

Security events are triaged and reviewed for unauthorized and malicious activity. High priority findings are treated as potential security incidents.

Security tools are deployed and system components are configured to monitor for security-related events.

Applications and system logs are pushed to a central logging repository where possible. Access control to the central repository is enforced based on the Access Control policy. Logs are retained in compliance with applicable legal, regulatory, customer, and operational requirements.

Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.

Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.

Customer data is securely disposed of after its retention period passes, and any retained data is sanitized and anonymized.

An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.

Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.

Data masking shall be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.

Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.

Data stores are configured to enable encryption at rest.

Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.

Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.

Third-party cloud filestores such as S3 and GCS are configured with a minimum server-side encryption using the vendor's key.

Retention periods for customer data are specified in the company's Data Retention Procedure and adhere to compliance, regulatory, contractual, and organizational requirements.

All company and customer data is classified as per the data classification policy.

The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.

The organization shall determine: a) interested parties that are relevant to the information security management system; b) the relevant requirements of these interested parties; c) which of these requirements will be addressed through the information security management system.

The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of ISO 27001.

Top management shall demonstrate leadership and commitment with respect to the information security management system by: a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization; b) ensuring the integration of the information security management system requirements into the organization’s processes; c) ensuring that the resources needed for the information security management system are available; d) communicating the importance of effective information security management and of conforming to the information security management system requirements; e) ensuring that the information security management system achieves its intended outcome(s); f) directing and supporting persons to contribute to the effectiveness of the information security management system; g) promoting continual improvement; and h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

Top management shall establish an information security policy that: a) is appropriate to the purpose of the organization; b) includes information security objectives (see 6.2) or provides the framework for setting information security objectives; c) includes a commitment to satisfy applicable requirements related to information security; d) includes a commitment to continual improvement of the information security management system. The information security policy shall: e) be available as documented information; f) be communicated within the organization; g) be available to interested parties, as appropriate.

Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organization. Top management shall assign the responsibility and authority for: a) ensuring that the information security management system conforms to the requirements of this document; b) reporting on the performance of the information security management system to top management.

The organization shall establish information security objectives at relevant functions and levels. The information security objectives shall: a) be consistent with the information security policy; b) be measurable (if practicable); c) take into account applicable information security requirements, and results from risk assessment and risk treatment; d) be monitored; e) be communicated; f) be updated as appropriate; g) be available as documented information. The organization shall retain documented information on the information security objectives. When planning how to achieve its information security objectives, the organization shall determine: h) what will be done; i) what resources will be required; j) who will be responsible; k) when it will be completed; and l) how the results will be evaluated.

The organization shall determine the need for internal and external communications relevant to the information security management system including: a) on what to communicate; b) when to communicate; c) with whom to communicate; d) how to communicate.

The organization’s information security management system shall include: a) documented information required by this document; and  b) documented information determined by the organization as being necessary for the effectiveness of the information security management system.

When creating and updating documented information the organization shall ensure appropriate: a) identification and description (e.g. a title, date, author, or reference number); b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and c) review and approval for suitability and adequacy.

Documented information required by the information security management system and by this document shall be controlled to ensure: a) it is available and suitable for use, where and when it is needed; and b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity). For the control of documented information, the organization shall address the following activities, as applicable: c) distribution, access, retrieval and use; d) storage and preservation, including the preservation of legibility; e) control of changes (e.g. version control); and f) retention and disposition. Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled.

The organization shall determine: a) what needs to be monitored and measured, including information security processes and controls; b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results. The methods selected should produce comparable and reproducible results to be considered valid; c) when the monitoring and measuring shall be performed; d) who shall monitor and measure; e) when the results from monitoring and measurement shall be analyzed and evaluated; f) who shall analyze and evaluate these results. Documented information shall be available as evidence of the results. The organization shall evaluate the information security performance and the effectiveness of the information security management system.

Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.

The management review shall include consideration of: a) the status of actions from previous management reviews; b) changes in external and internal issues that are relevant to the information security management system; c) changes in needs and expectations of interested parties that are relevant to the information security management system; d) feedback on the information security performance, including trends in: 1) nonconformities and corrective actions; 2) monitoring and measurement results; 3) audit results; 4) fulfilment of information security objectives; e) feedback from interested parties; f) results of risk assessment and status of risk treatment plan; g) opportunities for continual improvement.

The results of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. Documented information shall be available as evidence of the results of management reviews.

The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system.

Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.

Management shall require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization.

The organization shall establish and maintain contact with relevant authorities.

The organization shall establish and maintain contact with special interest groups or other specialist security forums and professional associations.

Operating procedures for information processing facilities shall be documented and made available to personnel who need them.

When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: a) ensure the information security management system can achieve its intended outcome(s); b) prevent, or reduce, undesired effects; c) achieve continual improvement. The organization shall plan: d) actions to address these risks and opportunities; and e) how to 1) integrate and implement the actions into its information security management system processes; and 2) evaluate the effectiveness of these actions

The organization shall define and apply an information security risk assessment process that: a) establishes and maintains information security risk criteria that include: 1) the risk acceptance criteria; and 2) criteria for performing information security risk assessments; b) ensures that repeated information security risk assessments produce consistent, valid and comparable results; c) identifies the information security risks: 1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and 2) identify the risk owners; d) analyses the information security risks: 1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize; 2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and 3) determine the levels of risk; e) evaluates the information security risks: 1) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and 2) prioritize the analysed risks for risk treatment. The organization shall retain documented information about the information security risk assessment process.

The organization shall define and apply an information security risk treatment process to: a) select appropriate information security risk treatment options, taking account of the risk assessment results; b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen; c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted; d) produce a Statement of Applicability that contains: — the necessary controls (see 6.1.3 b) and c)); — justification for their inclusion; — whether the necessary controls are implemented or not; and — the justification for excluding any of the Annex A controls. e) formulate an information security risk treatment plan; and f) obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks. The organization shall retain documented information about the information security risk treatment process.

The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a). The organization shall retain documented information of the results of the information security risk assessments.

The organization shall retain documented information of the results of the information security risk treatment.

When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.

Procedures and measures shall be implemented to securely manage software installation on operational systems.

The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, by: — establishing criteria for the processes; — implementing control of the processes in accordance with the criteria. Documented information shall be available to the extent necessary to have confidence that the processes have been carried out as planned.  The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. The organization shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled.

The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system: a) conforms to 1) the organization’s own requirements for its information security management system;  2) the requirements of this document; b) is effectively implemented and maintained.

The organization shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. When establishing the internal audit programme(s), the organization shall consider the importance of the processes concerned and the results of previous audits. The organization shall: a) define the audit criteria and scope for each audit; b) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process; c) ensure that the results of the audits are reported to relevant management; Documented information shall be available as evidence of the implementation of the audit programme(s) and the audit results.

When a Nonconformity occurs, the organization shall: a) React to the nonconformity, and as applicable: 1) take action to control and correct it; 2) deal with the consequences b) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by; 1) reviewing the nonconformity; 2) determining the causes of the nonconformity; and 3) determining if similar nonconformities exist, or could potentially occur c) implement any action needed; d) review the effectiveness of any corrective action taken; and e) make changes to the information security management system, if necessary. Corrective actions shall be appropriate to the effects of the nonconformities encountered. Documented information shall be available as evidence of: f) The nature of the nonconformities and any subsequent actions taken, g) the results of any corrective action.

Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements shall be identified, documented and kept up to date.

The organization’s approach to managing information security and its implementation including people, processes and technologies shall be reviewed independently at planned intervals, or when significant changes occur.

Compliance with the organization’s information security policy, topic-specific policies, rules and standards shall be regularly reviewed.

Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and appropriate management.

Information relating to information security threats shall be collected and analyzed to produce threat intelligence.

Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship.

The organization shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.

The organization shall assess information security events and decide if they are to be categorized as information security incidents.

Information security incidents shall be responded to in accordance with the documented procedures.

Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls.

The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.

The organization shall plan how to maintain information security at an appropriate level during disruption.

The organization shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.

ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.

Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.

Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.

Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function.

Secure areas shall be protected by appropriate entry controls and access points.

Physical security for offices, rooms and facilities shall be designed and implemented.

Premises shall be continuously monitored for unauthorized physical access.

Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure shall be designed and implemented.

Security measures for working in secure areas shall be designed and implemented.

Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities shall be defined and appropriately enforced.

Equipment shall be sited securely and protected.

The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.

Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken.

Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.

The clocks of information processing systems used by the organization shall be synchronized to approved time sources.

Rules for the secure development of software and systems shall be established and applied.

Information security requirements shall be identified, specified and approved when developing or acquiring applications.

Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities.

Secure coding principles shall be applied to software development.

Security testing processes shall be defined and implemented in the development life cycle.

Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.

Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored.

Groups of information services, users and information systems shall be segregated in the organization’s networks.

Access to external websites shall be managed to reduce exposure to malicious content.