
Routty - Security, Risk & Compliance V1.3

Domain

Details

1. Application & Interface Security

Application Security

Industry standards are used to build in security for our Systems/Software Development Lifecycle (SDLC).

An automated source code analysis tool is used to detect security defects in code prior to production.

Manual source-code analysis is used to detect security defects in code prior to production.

We verify that all of our third party software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security.

We review our applications for security vulnerabilities and address any issues prior to deployment to production.

Customer Access Requirements

All identified security, contractual, and regulatory requirements for customer access are contractually addressed and remediated prior to granting customers access to data, assets, and information systems.

All requirements and trust levels for customers’ access are defined and documented.

Data Integrity

Data input and output integrity routines are implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data.

  • The procedures related to completeness, accuracy, timeliness, and authorization of inputs are consistent with the documented system processing integrity policies.

  • The procedures related to completeness, accuracy, timeliness, and authorization of system processing, including error correction and database management, are consistent with documented system processing integrity policies.

  • The procedures related to completeness, accuracy, timeliness, and authorization of outputs are consistent with the documented system processing integrity policies.

  • There are procedures to enable tracing of information inputs from their source to their final disposition and vice versa.

Data Security / Integrity

Our Data Security Architecture is designed using an industry standard. Procedures exist to protect against unauthorized access to system resources.

2. Audit Assurance & Compliance

Audit Planning

The system security is periodically reviewed and compared with the defined system security policies.

There is a process to identify and address potential impairments to the system’s ongoing ability to achieve its objectives in accordance with its defined system security policies.

Independent Audits

ISO 27001 certification is on-going.

Network penetration tests of our cloud service infrastructure are conducted regularly as prescribed by industry best practices.

Application penetration tests of our cloud infrastructure are conducted regularly as prescribed by industry best practices.

Internal audits are conducted regularly as prescribed by industry best practices.

External audits are conducted regularly as prescribed by industry best practices.

The results of the penetration tests are available to tenants at their request.

The results of internal and external audits are available to tenants at their request.

An internal audit program is available that allows for cross-functional audit of assessments.

Information System Regulatory Mapping

The ability is available to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data.

We have the capability to recover data for a specific customer in the case of a failure or data loss.

We have the capability to restrict the storage of customer data to specific countries or geographic locations.

We have a program in place that includes the ability to monitor changes to the regulatory requirements in relevant jurisdictions, adjust our security program for changes to legal requirements, and ensure compliance with relevant regulatory requirements.

3. Business Continuity Management & Operational Resilience

Business Continuity Planning

Tenants are provided with geographically resilient hosting options.

Business Continuity Testing

Business continuity plans are subject to testing at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness.

Power & Telecommunications

Tenants are provided with documentation showing the transport route of their data between our systems.

Tenants cannot define how their data is transported.

Documentation

Information system documents (e.g., administrator and user guides, architecture diagrams, etc.) are made available to authorized personnel to ensure configuration, installation and operation of the information system.

Environmental Risks

Physical protection against damage (e.g., natural causes, natural disasters, deliberate attacks) is anticipated and designed with countermeasures applied.

Equipment Location

Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft.

Equipment Maintenance

When using virtual infrastructure, our cloud solutions include independent hardware restore and recovery capabilities.

Tenants are not provided with a capability to restore a Virtual Machine to a previous state in time.

We do not allow virtual machine images to be downloaded and ported to a new cloud provider.

Machine images are not made available to the customer in a way that would allow the customer to replicate those images in their own off-site storage location.

Our cloud solutions do not include software/provider independent restore and recovery capabilities.

Equipment Power Failures

Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft.

Impact Analysis

We provide tenants with ongoing visibility and reporting of our operational Service Level Agreement (SLA) performance.

We currently do not make standards-based information security metrics (CSA, CAMM, etc.) available to our tenants.

Policy

We have technical control capabilities to enforce tenant data retention policies.

We currently do not have a documented procedure for responding to requests for tenant data from governments or third parties.

We have implemented backup or redundancy mechanisms to ensure compliance with regulatory, statutory, contractual or business requirements.

We test our backup or redundancy mechanisms at least annually.

4. Change Control & Configuration Management

New Development & Acquisition

Policies and procedures are established for management authorization for development or acquisition of new applications, systems, databases, infrastructure, services, operations and facilities.

Documentation is available that describes the installation, configuration, and use of products/services/features.

Outsourced Development

We have controls in place to ensure that standards of quality are being met for all software development.

We have controls in place to detect source code security defects for any outsourced software development activities.

Management Quality Testing

We provide our tenants with documentation that describes our quality assurance process.

Documentation describing known issues with certain products/services is available.

Policies and procedures are in place to triage and remedy reported bugs and security vulnerabilities for product and service offerings.

Mechanisms are in place to ensure that all debugging and test code elements are removed from released software versions.

Unauthorized Software Installations

Controls are in place to restrict and monitor the installation of unauthorized software onto our systems.

Production Changes

We provide tenants with documentation that describes our production change management procedures and their roles/rights/responsibilities within it.

5. Data Security & Information Lifecycle Management

Classification

The capability is available to identify virtual machines via policy tags/metadata.

The physical location/geography of storage of a tenant’s data can be provided upon request.

The physical location/geography of storage of a tenant's data can be provided in advance.

We currently do not allow tenants to define acceptable geographical locations for data routing or resource instantiation.

Data Inventory / Flows

We inventory, document, and maintain data flows for data that is resident (permanent or temporary) within the services' applications and infrastructure network and systems.

Microsoft ensures that data does not migrate beyond a defined geographical residency (based on Azure region).

Handling / Labeling / Security Policy

Policies and procedures are established for labeling, handling and the security of data and objects that contain data.

No mechanisms for label inheritance are implemented for objects that act as aggregate containers for data.

Non-production Data

We have procedures in place to ensure production data shall not be replicated or used in non-production environments.

Ownership / Stewardship

The responsibilities regarding data stewardship are defined, assigned, documented, and communicated.

Secure Disposal

We support secure deletion of archived and backed-up data as determined by the tenant.

We can provide a published procedure for exiting the service arrangement, including assurance to sanitize all computing resources of tenant data once a customer has exited our environment.

6. Datacenter Security

Asset Management

Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. A complete inventory of critical assets, including ownership of each asset, is maintained by Microsoft.

Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. A complete inventory of critical supplier relationships is maintained by Microsoft.

Controlled Access Points

Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. Physical security perimeters are implemented and maintained by Microsoft.

Equipment Identification

Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. Automated equipment identification is handled by Microsoft.

Offsite Authorization

Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. Authorizations for the relocation or transfer of hardware, software, or data to offsite premises are the responsibility of Microsoft.

Offsite Equipment

Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. Evidence documenting policies and procedures governing asset management and repurposing of equipment can be requested from Microsoft.

Policy

Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. Evidence regarding established policies, standards, and procedures for maintaining a safe and secure working environment in offices, rooms, facilities and secure areas can be requested from Microsoft.

Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. Evidence that personnel and involved third parties have been trained on documented policies, standards and procedures can be requested from Microsoft.

Secure Area Authorization

Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. Physical access control mechanisms to the Azure data centers are managed by Microsoft.

Unauthorized Persons Entry

Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. Physical access control mechanisms to service areas and other points are managed by Microsoft.

User Access

Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. Restriction of physical access to information assets and functions is managed by Microsoft.

7. Encryption & Key Management

Entitlement

Key management policies binding keys to identifiable owners are in place.

Key Generation

We have the capability to allow creation of unique encryption keys per tenant.

We have the capability to manage encryption keys on behalf of tenants.

We maintain key management procedures.

We have documented ownership for each stage of the lifecycle of encryption keys.

We use third party/open source/proprietary frameworks to manage encryption keys.

Encryption

Tenant data at rest (on disk/storage) is encrypted within our environment.

We leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances.

We support tenant-generated encryption keys or permit tenants to encrypt data to an identity without access to a public key certificate (e.g., identity-based encryption).

We have documentation establishing and defining our encryption management policies, procedures, and guidelines.

Storage and Access

We have platform and data appropriate encryption that uses open/validated formats and standard algorithms.

Our encryption keys are maintained by a trusted key management provider.

Encryption keys are not stored in the cloud.

We have separate key management and key usage duties.

8. Governance and Risk Management

Baseline Requirements

We have documented information security baselines for every component of our infrastructure.

We have the capability to continuously monitor and report the compliance of our infrastructure against our information security baselines.

We do not allow our clients to provide their own trusted virtual machine images.

Risk Assessments

We currently do not provide security control health data in order to allow tenants to implement industry standard Continuous Monitoring.

We conduct risk assessments associated with data governance requirements at least once a year.

Management Oversight

Our technical, business, and executive managers are responsible for maintaining awareness of and compliance with security policies, procedures, and standards for both themselves and their employees as they pertain to the manager and employees' area of responsibility.

Management Program

We will provide tenants with documentation describing our Information Security Management Program (ISMP), as soon as it is available (part of on-going ISO27001 certification).

Our Information Security Management Program (ISMP) will be reviewed at least once a year, as required by ISO27001.

Management Support / Involvement

We ensure our providers adhere to our information security and privacy policies.

Policy

Our information security and privacy policies will be aligned with ISO-27001.

Agreements will be made to ensure our providers adhere to our information security and privacy policies.

Evidence of due diligence mapping of our controls, architecture, and processes to regulations and/or standards can be provided after our ISO-27001 certification.

Policy Enforcement

A formal disciplinary or sanction policy is established for employees who have violated security policies and procedures.

Employees are made aware of what actions could be taken in the event of a violation via their policies and procedures.

Business / Policy Change Impacts

Risk assessment results include updates to security policies, procedures, standards, and controls to ensure they remain relevant and effective.

Policy Reviews

We notify our tenants when we make material changes to our information security and/or privacy policies.

We perform, at minimum, annual reviews of our privacy and security policies.

Assessments

Formal risk assessments are aligned with the enterprise-wide framework and performed at least annually, or at planned intervals, determining the likelihood and impact of all identified risks, using qualitative and quantitative methods.

The likelihood and impact associated with inherent and residual risk are determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance).

Program

We have a documented, organization-wide program in place to manage risk.

We do not make documentation of our organization-wide risk management program available.
