Routty - Security, Risk & Compliance V1.3
| Domain | Details |
|---|---|
| Application Security | Industry standards are used to build security into our Systems/Software Development Lifecycle (SDLC). |
| | An automated source code analysis tool is used to detect security defects in code prior to production. |
| | Manual source code analysis is used to detect security defects in code prior to production. |
| | We verify that all of our third-party software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security. |
| | We review our applications for security vulnerabilities and address any issues prior to deployment to production. |
| Customer Access Requirements | All identified security, contractual, and regulatory requirements for customer access are contractually addressed and remediated prior to granting customers access to data, assets, and information systems. |
| | All requirements and trust levels for customers' access are defined and documented. |
| Data Integrity | Data input and output integrity routines are implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data. |
| Data Security / Integrity | Our Data Security Architecture is designed using an industry standard. Procedures exist to protect against unauthorized access to system resources. |
| 2. Audit Assurance & Compliance | |
| Audit Planning | The system security is periodically reviewed and compared with the defined system security policies. There is a process to identify and address potential impairments to the system's ongoing ability to achieve its objectives in accordance with its defined system security policies. |
| Independent Audits | ISO 27001 certification is ongoing. |
| | Network penetration tests of our cloud service infrastructure are conducted regularly as prescribed by industry best practices. |
| | Application penetration tests of our cloud infrastructure are conducted regularly as prescribed by industry best practices. |
| | Internal audits are conducted regularly as prescribed by industry best practices. |
| | External audits are conducted regularly as prescribed by industry best practices. |
| | The results of the penetration tests are available to tenants at their request. |
| | The results of internal and external audits are available to tenants at their request. |
| | An internal audit program is available that allows for cross-functional audit of assessments. |
| Information System Regulatory Mapping | The ability is available to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data. |
| | We have the capability to recover data for a specific customer in the case of a failure or data loss. |
| | We have the capability to restrict the storage of customer data to specific countries or geographic locations. |
| | We have a program in place that includes the ability to monitor changes to the regulatory requirements in relevant jurisdictions, adjust our security program for changes to legal requirements, and ensure compliance with relevant regulatory requirements. |
| 3. Business Continuity Management & Operational Resilience | |
| Business Continuity Planning | Tenants are provided with geographically resilient hosting options. |
| Business Continuity Testing | Business continuity plans are subject to testing at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness. |
| Power & Telecommunications | Tenants are provided with documentation showing the transport route of their data between our systems. |
| | Tenants cannot define how their data is transported. |
| Documentation | Information system documents (e.g., administrator and user guides, architecture diagrams, etc.) are made available to authorized personnel to ensure configuration, installation and operation of the information system. |
| Environmental Risks | Physical protection against damage (e.g., natural causes, natural disasters, deliberate attacks) is anticipated and designed with countermeasures applied. |
| Equipment Location | Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. |
| Equipment Maintenance | When using virtual infrastructure, our cloud solutions include independent hardware restore and recovery capabilities. |
| | Tenants are not provided with a capability to restore a Virtual Machine to a previous state in time. |
| | We do not allow virtual machine images to be downloaded and ported to a new cloud provider. |
| | Machine images are not made available to the customer in a way that would allow the customer to replicate those images in their own off-site storage location. |
| | Our cloud solutions do not include software/provider independent restore and recovery capabilities. |
| Equipment Power Failures | Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. |
| Impact Analysis | We provide tenants with ongoing visibility and reporting of our operational Service Level Agreement (SLA) performance. |
| | We currently do not make standards-based information security metrics (CSA, CAMM, etc.) available to our tenants. |
| Policy | We have technical control capabilities to enforce tenant data retention policies. |
| | We currently do not have a documented procedure for responding to requests for tenant data from governments or third parties. |
| | We have implemented backup or redundancy mechanisms to ensure compliance with regulatory, statutory, contractual or business requirements. |
| | We test our backup or redundancy mechanisms at least annually. |
| 4. Change Control & Configuration Management | |
| New Development & Acquisition | Policies and procedures are established for management authorization for development or acquisition of new applications, systems, databases, infrastructure, services, operations and facilities. |
| | Documentation is available that describes the installation, configuration, and use of products/services/features. |
| Outsourced Development | We have controls in place to ensure that standards of quality are being met for all software development. |
| | We have controls in place to detect source code security defects for any outsourced software development activities. |
| Management Quality Testing | We provide our tenants with documentation that describes our quality assurance process. |
| | Documentation describing known issues with certain products/services is available. |
| | Policies and procedures are in place to triage and remedy reported bugs and security vulnerabilities for product and service offerings. |
| | Mechanisms are in place to ensure that all debugging and test code elements are removed from released software versions. |
| Unauthorized Software Installations | Controls are in place to restrict and monitor the installation of unauthorized software onto our systems. |
| Production Changes | We provide tenants with documentation that describes our production change management procedures and their roles/rights/responsibilities within it. |
| 5. Data Security & Information Lifecycle Management | |
| Classification | The capability is available to identify virtual machines via policy tags/metadata. |
| | The physical location/geography of storage of a tenant's data can be provided upon request. |
| | The physical location/geography of storage of a tenant's data can be provided in advance. |
| | We currently do not allow tenants to define acceptable geographical locations for data routing or resource instantiation. |
| Data Inventory / Flows | We inventory, document, and maintain data flows for data that is resident (permanent or temporary) within the services' applications and infrastructure network and systems. |
| | Microsoft ensures that data does not migrate beyond a defined geographical residency (based on Azure region). |
| Handling / Labeling / Security Policy | Policies and procedures are established for labeling, handling and the security of data and objects that contain data. |
| | No mechanisms for label inheritance are implemented for objects that act as aggregate containers for data. |
| Non-production Data | We have procedures in place to ensure production data shall not be replicated or used in non-production environments. |
| Ownership / Stewardship | The responsibilities regarding data stewardship are defined, assigned, documented, and communicated. |
| Secure Disposal | We support secure deletion of archived and backed-up data as determined by the tenant. |
| | We can provide a published procedure for exiting the service arrangement, including assurance to sanitize all computing resources of tenant data once a customer has exited our environment. |
| 6. Datacenter Security | |
| Asset Management | Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. A complete inventory of critical assets, including ownership of each asset, is maintained by Microsoft. |
| | Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. A complete inventory of critical supplier relationships is maintained by Microsoft. |
| Controlled Access Points | Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. Physical security perimeters are implemented and maintained by Microsoft. |
| Equipment Identification | Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. Automated equipment identification is handled by Microsoft. |
| Offsite Authorization | Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. Authorizations for the relocation or transfer of hardware, software, or data to an offsite premises are the responsibility of Microsoft. |
| Offsite Equipment | Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. Evidence documenting policies and procedures governing asset management and repurposing of equipment can be requested from Microsoft. |
| Policy | Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. Evidence regarding established policies, standards, and procedures for maintaining a safe and secure working environment in offices, rooms, facilities and secure areas can be requested from Microsoft. |
| | Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. Evidence that personnel and involved third parties have been trained on documented policies, standards and procedures can be requested from Microsoft. |
| Secure Area Authorization | Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. Physical access control mechanisms to the Azure data centers are managed by Microsoft. |
| Unauthorized Persons Entry | Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. Physical access control mechanisms to service areas and other points are managed by Microsoft. |
| User Access | Our cloud solutions are built upon MS Azure and the data centers are managed by Microsoft. Restriction of physical access to information assets and functions is managed by Microsoft. |
| 7. Encryption & Key Management | |
| Entitlement | Key management policies binding keys to identifiable owners are in place. |
| Key Generation | We have the capability to allow creation of unique encryption keys per tenant. |
| | We have the capability to manage encryption keys on behalf of tenants. |
| | We maintain key management procedures. |
| | We have documented ownership for each stage of the lifecycle of encryption keys. |
| | We use third party/open source/proprietary frameworks to manage encryption keys. |
| Encryption | Tenant data at rest (on disk/storage) is encrypted within our environment. |
| | We do leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances. |
| | We do support tenant-generated encryption keys or permit tenants to encrypt data to an identity without access to a public key certificate (e.g., identity-based encryption). |
| | We have documentation establishing and defining our encryption management policies, procedures, and guidelines. |
| Storage and Access | We have platform and data appropriate encryption that uses open/validated formats and standard algorithms. |
| | Our encryption keys are maintained by a trusted key management provider. |
| | Encryption keys are not stored in the cloud. |
| | We have separate key management and key usage duties. |
| 8. Governance and Risk Management | |
| Baseline Requirements | We have documented information security baselines for every component of our infrastructure. |
| | We have the capability to continuously monitor and report the compliance of our infrastructure against our information security baselines. |
| | We do not allow our clients to provide their own trusted virtual machine images. |
| Risk Assessments | We currently do not provide security control health data in order to allow tenants to implement industry standard Continuous Monitoring. |
| | We conduct risk assessments associated with data governance requirements at least once a year. |
| Management Oversight | Our technical, business, and executive managers are responsible for maintaining awareness of and compliance with security policies, procedures, and standards for both themselves and their employees as they pertain to the manager's and employees' area of responsibility. |
| Management Program | We will provide tenants with documentation describing our Information Security Management Program (ISMP) as soon as it is available (part of our ongoing ISO 27001 certification). |
| | Our Information Security Management Program (ISMP) will be reviewed at least once a year, as required by ISO 27001. |
| Management Support / Involvement | We ensure our providers adhere to our information security and privacy policies. |
| Policy | Our information security and privacy policies will be aligned with ISO 27001. |
| | Agreements will be made to ensure our providers adhere to our information security and privacy policies. |
| | Evidence of due diligence mapping of our controls, architecture, and processes to regulations and/or standards can be provided after our ISO 27001 certification. |
| Policy Enforcement | A formal disciplinary or sanction policy is established for employees who have violated security policies and procedures. |
| | Employees are made aware of what actions could be taken in the event of a violation via their policies and procedures. |
| Business / Policy Change Impacts | Risk assessment results include updates to security policies, procedures, standards, and controls to ensure they remain relevant and effective. |
| Policy Reviews | We notify our tenants when we make material changes to our information security and/or privacy policies. |
| | We perform, at minimum, annual reviews of our privacy and security policies. |
| Assessments | Formal risk assessments are aligned with the enterprise-wide framework and performed at least annually, or at planned intervals, determining the likelihood and impact of all identified risks, using qualitative and quantitative methods. |
| | The likelihood and impact associated with inherent and residual risk is determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance). |
| Program | We have a documented, organization-wide program in place to manage risk. |
| | We do not make documentation of our organization-wide risk management program available. |