Security, Risk & Compliance
Domain | Specification | Details |
|---|---|---|
| ||
Application Security | Applications and programming interfaces (APIs) shall be designed, developed, deployed, and tested in accordance with leading industry standards and adhere to applicable legal, statutory, or regulatory compliance obligations. | Industry standards are used to build in security for our Systems/Software Development Lifecycle (SDLC). |
Automated source code analysis tool is used to detect security defects in code prior to production. | ||
Manual source-code analysis is used to detect security defects in code prior to production. | ||
We verify that all of our third party software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security. | ||
We review our applications for security vulnerabilities and address any issues prior to deployment to production. | ||
Customer Access Requirements | Prior to granting customers access to data, assets, and information systems, identified security, contractual, and regulatory requirements for customer access shall be addressed. | All identified security, contractual, and regulatory requirements for customer access are contractually addressed and remediated prior to granting customers access to data, assets, and information systems. |
All requirements and trust levels for customers’ access are defined and documented. | ||
Data Integrity | Data input and output integrity routines (i.e., reconciliation and edit checks) must be implemented for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse. | Data input and output integrity routines are implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data.
|
Data Security / Integrity | Policies and procedures must be established and maintained in support of data security to include (confidentiality, integrity, and availability) across multiple system interfaces, jurisdictions, and business functions to prevent improper disclosure, alternation, or destruction. | Our Data Security Architecture is designed using an industry standard. Procedures exist to protect against unauthorized access to system resources. |
2. Audit Assurance & Compliance | ||
Audit Planning | Audit plans must be developed and maintained to address business process disruptions. Auditing plans shall focus on reviewing the effectiveness of the implementation of security operations. All audit activities must be agreed upon prior to executing any audits. | The system security is periodically reviewed and compared with the defined system security policies. There is a process to identify and address potential impairments to the system’s ongoing ability to achieve its objectives in accordance with its defined system security policies. |
Independent Audits | Independent reviews and assessments must be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations. | ISO 27001 certification is on-going. |
Network penetration tests of our cloud service infrastructure are conducted regularly as prescribed by industry best practices. | ||
Application penetration tests of our cloud infrastructure are conducted regularly as prescribed by industry best practices. | ||
Internal audits are conducted regularly as prescribed by industry best practices. | ||
External audits are conducted regularly as prescribed by industry best practices. | ||
The results of the penetration tests are available to tenants at their request. | ||
The results of internal and external audits available to tenants at their request. | ||
An internal audit program is available that allows for cross-functional audit of assessments. | ||
Information System Regulatory Mapping | Organizations must create and maintain a control framework which captures standards, regulatory, legal, and statutory requirements relevant for their business needs. The control framework shall be reviewed at least annually to ensure changes that could affect the business processes are reflected. | The ability is available to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data. |
We have the capability to recover data for a specific customer in the case of a failure or data loss. | ||
We have the capability to restrict the storage of customer data to specific countries or geographic locations. | ||
We have a program in place that includes the ability to monitor changes to the regulatory requirements in relevant jurisdictions, adjust our security program for changes to legal requirements, and ensure compliance with relevant regulatory requirements. | ||
3. Business Continuity Management & Operational Resilience | ||
Business Continuity Planning | A consistent unified framework for business continuity planning and plan development must be established, documented, and adopted to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements. | Tenants are provided with geographically resilient hosting options. |
Business Continuity Testing | Business continuity and security incident response plans must be subject to testing at planned intervals or upon significant organizational or environmental changes. Incident response plans shall involve impacted customers (tenant) and other business relationships that represent critical intra-supply chain business process dependencies. | Business continuity plans are subject to testing at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness. |
Power & Telecommunications | Data center utilities services and environmental conditions (e.g., water, power, temperature and humidity controls, telecommunications, and internet connectivity) shall be secured, monitored, maintained, and tested for continual effectiveness at planned intervals to ensure protection from unauthorized interception or damage, and designed with automated fail-over or other redundancies in the event of planned or unplanned disruptions. | Tenants are provided with documentation showing the transport route of their data between our systems. |
Tenants cannot define how their data is transported. | ||
Documentation | Information system documentation (e.g., administrator and user guides, and architecture diagrams) shall be made available to authorized personnel to ensure the following:
| Information system documents (e.g., administrator and user guides, architecture diagrams, etc.) are made available to authorized personnel to ensure configuration, installation and operation of the information system. |
Environmental Risks | Physical protection against damage from natural causes and disasters, as well as deliberate attacks, including fire, flood, atmospheric electrical discharge, solar induced geomagnetic storm, wind, earthquake, tsunami, explosion, nuclear accident, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, and other forms of natural or man-made disaster shall be anticipated, designed, and have countermeasures applied. | Physical protection against damage (e.g., natural causes, natural disasters, deliberate attacks) is anticipated and designed with countermeasures applied. |
Equipment Location | To reduce the risks from environmental threats, hazards, and opportunities for unauthorized access, equipment shall be kept away from locations subject to high probability environmental risks and supplemented by redundant equipment located at a reasonable distance. | Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. |
Equipment Maintenance | Policies and procedures shall be established, and supporting business processes and technical measures implemented, for equipment maintenance ensuring continuity and availability of operations and support personnel. | When using virtual infrastructure, our cloud solutions include independent hardware restore and recovery capabilities. |
Tenants are not provided with a capability to restore a Virtual Machine to a previous state in time. | ||
We do not allow virtual machine images to be downloaded and ported to a new cloud provider. | ||
Machine images are not made available to the customer in a way that would allow the customer to replicate those images in their own off-site storage location. | ||
Our cloud solutions do not include software/provider independent restore and recovery capabilities. | ||
Equipment Power Failures | Protection measures must be put into place to react to natural and man-made threats based upon a geographically-specific business impact assessment. | Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. |
Impact Analysis | There must be a defined and documented method for determining the impact of any disruption to the organization (cloud provider, cloud consumer) that must incorporate the following:
| We provide tenants with ongoing visibility and reporting of our operational Service Level Agreement (SLA) performance. |
We currently do not make standards-based information security metrics (CSA, CAMM, etc.) available to our tenants. | ||
Policy | Policies and procedures must be established, and supporting business processes and technical measures implemented, for appropriate IT governance and service management to ensure appropriate planning, delivery and support of the organization's IT capabilities supporting business functions, workforce, and/or customers based on industry acceptable standards (i.e., ITIL v4 and COBIT 5). Additionally, policies and procedures shall include defined roles and responsibilities supported by regular workforce training. | We have technical control capabilities to enforce tenant data retention policies. |
We currently do not have a documented procedure for responding to requests for tenant data from governments or third parties. | ||
We have implemented backup or redundancy mechanisms to ensure compliance with regulatory, statutory, contractual or business requirements. | ||
We test our backup or redundancy mechanisms at least annually. | ||
4. Change Control & Configuration Management | ||
New Development & Acquisition | Policies and procedures must be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network and systems components, or any corporate, operations and/or data center facilities have been pre-authorized by the organization's business leadership or other accountable business role or function. | Policies and procedures are established for management authorization for development or acquisition of new applications, systems, databases, infrastructure, services, operations and facilities. |
Documentation is available that describes the installation, configuration, and use of products/services/features. | ||
Outsourced Development | External business partners must adhere to the same policies and procedures for change management, release, and testing as internal developers within the organization (e.g., ITIL service management processes). | We have controls in place to ensure that standards of quality are being met for all software development. |
We have controls in place to detect source code security defects for any outsourced software development activities. | ||
Management Quality Testing | Organizations must follow a defined quality change control and testing process (e.g., ITIL Service Management) with established baselines, testing, and release standards which focus on system availability, confidentiality, and integrity of systems and services. | We provide our tenants with documentation that describes our quality assurance process. |
Documentation describing known issues with certain products/services is available. | ||
Policies and procedures are in place to triage and remedy reported bugs and security vulnerabilities for product and service offerings. | ||
Mechanisms are in place to ensure that all debugging and test code elements are removed from released software versions. | ||
Unauthorized Software Installations | Policies and procedures must be established, and supporting business processes and technical measures implemented, to restrict the installation of unauthorized software on organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components. | Controls are in place to restrict and monitor the installation of unauthorized software onto our systems. |
Production Changes | Policies and procedures shall be established for managing the risks associated with applying changes to:
Technical measures shall be implemented to provide assurance that all changes directly correspond to a registered change request, business-critical or customer (tenant), and/or authorization by, the customer (tenant) as per agreement (SLA) prior to deployment. | We provide tenants with documentation that describes our production change management procedures and their roles/rights/responsibilities within it. |
5. Data Security & Information Lifecycle Management | ||
Classification | Data and objects containing data must be assigned a classification by the data owner based on data type, value, sensitivity, and criticality to the organization. | The capability is available to identify virtual machines via policy tags/metadata. |
The physical location/geography of storage of a tenant’s data can be provided upon request. | ||
The physical location/geography of storage of a tenant's data can be provided in advance. | ||
We currently do not allow tenants to define acceptable geographical locations for data routing or resource instantiation. | ||
Data Inventory / Flows | Policies and procedures must be established, and supporting business processes and technical measures implemented, to inventory, document, and maintain data flows for data that is resident (permanently or temporarily) within the service's geographically distributed (physical and virtual) applications and infrastructure network and systems components and/or shared with other third parties to ascertain any regulatory, statutory, or supply chain agreement (SLA) compliance impact, and to address any other business risks associated with the data. Upon request, provider shall inform customer (tenant) of compliance impact and risk, especially if customer data is used as part of the services. | We inventory, document, and maintain data flows for data that is resident (permanent or temporary) within the services' applications and infrastructure network and systems. |
Microsoft ensures that data does not migrate beyond a defined geographical residency (based on Azure region). | ||
Handling / Labeling / Security Policy | Policies and procedures must be established for labeling, handling, and the security of data and objects which contain data. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data. | Policies and procedures are established for labeling, handling and the security of data and objects that contain data. |
No mechanisms for label inheritance are implemented for objects that act as aggregate containers for data. | ||
Non-production Data | Production data must not be replicated or used in non-production environments. Any use of customer data in non-production environments requires explicit, documented approval from all customers whose data is affected, and must comply with all legal and regulatory requirements for scrubbing of sensitive data elements. | We have procedures in place to ensure production data shall not be replicated or used in non-production environments. |
Ownership / Stewardship | All data shall be designated with stewardship, with assigned responsibilities defined, documented, and communicated. | The responsibilities regarding data stewardship are defined, assigned, documented, and communicated. |
Secure Disposal | Policies and procedures must be established with supporting business processes and technical measures implemented for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means. | We support secure deletion of archived and backed-up data as determined by the tenant. |
We can provide a published procedure for exiting the service arrangement, including assurance to sanitize all computing resources of tenant data once a customer has exited our environment. | ||
6. Datacenter Security | ||
Asset Management | Assets must be classified in terms of business criticality, service-level expectations, and operational continuity requirements. A complete inventory of business-critical assets located at all sites and/or geographical locations and their usage over time shall be maintained and updated regularly, and assigned ownership by defined roles and responsibilities. | Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. A complete inventory of critical assets that includes ownership of the asset, is maintained by Microsoft. |
Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. A complete inventory of critical supplier relationships, is maintained by Microsoft. | ||
Controlled Access Points | Physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) shall be implemented to safeguard sensitive data and information systems. | Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. Physical security perimeters are implemented and maintained by Microsoft. |
Equipment Identification | Automated equipment identification shall be used as a method of connection authentication. Location-aware technologies may be used to validate connection authentication integrity based on known equipment location. | Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. Automated equipment identification is handled by Microsoft. |
Offsite Authorization | Authorization must be obtained prior to relocation or transfer of hardware, software, or data to an offsite premises. | Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. Authorizations for the relocation or transfer of hardware, software, or data to an offsite premises, are the responsibility of Microsoft. |
Offsite Equipment | Policies and procedures must be established for the secure disposal of equipment (by asset type) used outside the organization's premise. This shall include a wiping solution or destruction process that renders recovery of information impossible. The erasure shall consist of a full write of the drive to ensure that the erased drive is released to inventory for reuse and deployment or securely stored until it can be destroyed. | Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. Evidence documenting policies and procedures governing asset management and repurposing of equipment, can be requested at Microsoft. |
Policy | Policies and procedures must be established, and supporting business processes implemented, for maintaining a safe and secure working environment in offices, rooms, facilities, and secure areas storing sensitive information. | Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. Evidence regarding established policies, standards, and procedures for maintaining a safe and secure working environment in offices, rooms, facilities and secure areas, can be requested at Microsoft. |
Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. Evidence regarding personnel and involved third parties having been trained regarding documented policies, standards and procedures, can be requested at Microsoft. | ||
Secure Area Authorization | Ingress and egress to secure areas must be constrained and monitored by physical access control mechanisms to ensure that only authorized personnel are allowed access. | Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. Physical access control mechanisms to the Azure data centers are managed by Microsoft. |
Unauthorized Persons Entry | Ingress and egress points such as service areas and other points where unauthorized personnel may enter the premises shall be monitored, controlled and, if possible, isolated from data storage and processing facilities to prevent unauthorized data corruption, compromise, and loss. | Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. Physical access control mechanisms to service areas and other points are managed by Microsoft. |
User Access | Physical access to information assets and functions by users and support personnel must be restricted. | Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. Restriction of physical access to information assets and functions, is managed by Microsoft. |
7. Encryption & Key Management | ||
Entitlement | Keys must have identifiable owners (binding keys to identities) and there shall be key management policies. | Key management policies binding keys to identifiable owners are in place. |
Key Generation | Policies and procedures must be established for the management of cryptographic keys in the service's cryptosystem (e.g., lifecycle management from key generation to revocation and replacement, public key infrastructure, cryptographic protocol design and algorithms used, access controls in place for secure key generation, and exchange and storage including segregation of keys used for encrypted data or sessions). Upon request, provider shall inform the customer (tenant) of changes within the cryptosystem, especially if the customer (tenant) data is used as part of the service, and/or the customer (tenant) has some shared responsibility over implementation of the control. | We have the capability to allow creation of unique encryption keys per tenant. |
We have the capability to manage encryption keys on behalf of tenants. | ||
We maintain key management procedures. | ||
We have documented ownership for each stage of the lifecycle of encryption keys. | ||
We use third party/open source/proprietary frameworks to manage encryption keys. | ||
Encryption | Policies and procedures must be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging) as per applicable legal, statutory, and regulatory compliance obligations. | Tenant data at rest (on disk/storage) is encrypted within our environment. |
We do leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances. | ||
We do support tenant-generated encryption keys or permit tenants to encrypt data to an identity without access to a public key certificate (e.g., identity-based encryption). | ||
We have documentation establishing and defining our encryption management policies, procedures, and guidelines. | ||
Storage and Access | Platform and data appropriate encryption (e.g., AES-256) in open/validated formats and standard algorithms is required. Keys shall not be stored in the cloud (i.e. at the cloud provider in question), but maintained by the cloud consumer or trusted key management provider. Key management and key usage shall be separated duties. | We have platform and data appropriate encryption that uses open/validated formats and standard algorithms. |
Our encryption keys are maintained by a trusted key management provider. | ||
Encryption keys are not stored in the cloud. | ||
We have separate key management and key usage duties. | ||
8. Governance and Risk Management | ||
Baseline Requirements | Baseline security requirements must be established for developed or acquired, organizationally-owned or managed, physical or virtual, applications and infrastructure system, and network components that comply with applicable legal, statutory, and regulatory compliance obligations. Deviations from standard baseline configurations must be authorized following change management policies and procedures prior to deployment, provisioning, or use. Compliance with security baseline requirements must be reassessed at least annually unless an alternate frequency has been established and authorized based on business needs. | We have documented information security baselines for every component of your infrastructure. |
We have the capability to continuously monitor and report the compliance of our infrastructure against your information security baselines. | ||
We do not allow our clients to provide their own trusted virtual machine images. | ||
Risk Assessments | Risk assessments associated with data governance requirements must be conducted at planned intervals and shall consider the following: | We currently do not provide security control health data in order to allow tenants to implement industry standard Continuous Monitoring. |
We conduct risk assessments associated with data governance requirements at least once a year. | ||
Management Oversight | Managers are responsible for maintaining awareness of, and complying with, security policies, procedures, and standards that are relevant to their area of responsibility. | Our technical, business, and executive managers are responsible for maintaining awareness of and compliance with security policies, procedures, and standards for both themselves and their employees as they pertain to the manager and employees' area of responsibility. |
Management Program | An Information Security Management Program (ISMP) must be developed, documented, approved, and implemented that includes administrative, technical, and physical safeguards to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The security program shall include, but not be limited to, the following areas insofar as they relate to the characteristics of the business: | We will provide tenants with documentation describing our Information Security Management Program (ISMP), as soon as it is available (part of on-going ISO27001 certification). |
Our Information Security Management Program (ISMP) will be reviewed at least once a year, as required by ISO27001. | ||
Management Support / Involvement | Executive and line management must take formal action to support information security through clearly-documented direction and commitment, and shall ensure the action has been assigned. | We ensure our providers adhere to our information security and privacy policies. |
Policy | Information security policies and procedures must be established and made readily available for review by all impacted personnel and external business relationships. Information security policies must be authorized by the organization's business leadership (or other accountable business role or function) and supported by a strategic business plan and an information security management program inclusive of defined information security roles and responsibilities for business leadership. | Our information security and privacy policies will be aligned with ISO-27001. |
Agreements will be made to ensure our providers adhere to our information security and privacy policies. | ||
Evidence of due diligence mapping of our controls, architecture, and processes to regulations and/or standards, can be provided after our ISO-27001 certification. | ||
Policy Enforcement | A formal disciplinary or sanction policy must be established for employees who have violated security policies and procedures. Employees shall be made aware of what action might be taken in the event of a violation, and disciplinary measures must be stated in the policies and procedures. | A formal disciplinary or sanction policy is established for employees who have violated security policies and procedures. |
Employees are made aware of what actions could be taken in the event of a violation via their policies and procedures. | ||
Business / Policy Change Impacts | Risk assessment results must include updates to security policies, procedures, standards, and controls to ensure that they remain relevant and effective. | Risk assessment results include updates to security policies, procedures, standards, and controls to ensure they remain relevant and effective. |
Policy Reviews | The organization's business leadership (or other accountable business role or function) must review the information security policy at planned intervals or as a result of changes to the organization to ensure its continuing alignment with the security strategy, effectiveness, accuracy, relevance, and applicability to legal, statutory, or regulatory compliance obligations. | We notify our tenants when we make material changes to your information security and/or privacy policies. |
We perform, at minimum, annual reviews to our privacy and security policies. | ||
Assessments | Aligned with the enterprise-wide framework, formal risk assessments must be performed at least annually or at planned intervals, (and in conjunction with any changes to information systems) to determine the likelihood and impact of all identified risks using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk shall be determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance). | Formal risk assessments are aligned with the enterprise-wide framework and performed at least annually, or at planned intervals, determining the likelihood and impact of all identified risks, using qualitative and quantitative methods. |
The likelihood and impact associated with inherent and residual risk is determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance). | ||
Program | Risks must be mitigated to an acceptable level. Acceptance levels based on risk criteria shall be established and documented in accordance with reasonable resolution time frames and stakeholder approval. | We have a documented, organization-wide program in place to manage risk. |
We not make documentation available of our organization-wide risk management program. | ||