Monitoring

Change Management
Software Change Testing
Software changes are tested prior to being deployed into production.
Segregation of Environments
Development, staging, and production environments are segregated.
Production Data Use is Restricted
Production data is not used in the development and testing environments, unless required for debugging customer issues.
Secure Development Lifecycle
A software development life cycle (SDLC) is utilized to designate milestones that must be achieved throughout the development and testing process. Policies and procedures govern the testing, evaluation, and authorization of system components before implementation.
Change Management Controls
Policies and procedures govern the documenting, tracking, testing, and approving of changes. A ticket or change management form is completed and properly approved before core changes are made to production application code. Change management software is used to manage and log all application changes.
System Configuration Controls
Policies and procedures are in place to ensure that design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system security policies.
Availability
Business Continuity and Disaster Recovery Plan
A current Disaster Recovery Plan and Business Continuity Plan are maintained. These plans are periodically tested and help ensure that disruptive incidents are responded to quickly and effectively.
Backup Policy and Data Protection
A backup policy is in place. Backups of production systems and data are completed in a timely manner, and the retention period for backup data has been defined by management.
Business Continuity and Disaster Recovery Testing
The Business Continuity and Disaster Recovery Plans are periodically tested. Management uses test results to evaluate and update the plans as necessary.
Uptime and Availability Monitoring
Third-party enterprise monitoring tools monitor system uptime, downtime, and critical performance metrics. Alerts are triggered when predefined thresholds are exceeded.
Organizational Management
Internal Control Policies
Internal control policies identify how a system of controls should be maintained to safeguard assets, promote operational efficiency, and encourage adherence to prescribed managerial policies.
Information Security Standards and Conduct
The importance of information security is communicated through ongoing training for employees, documented information security policies, and frequent discussion of individual responsibilities for data and systems security. Employees are required to read and sign acknowledgement of security policies and procedures annually.
Background Checks
Comprehensive background checks are performed by an independent third party for both employees and contract workers (1099) as part of the hiring process.
New Hire Screening
Hiring managers screen new hires or internal transfers to assess their qualifications, experience, and competency to fulfill their responsibilities. New hires sign confidentiality agreements or equivalents upon hire.
Performance Reviews
Internal personnel are evaluated via a formal performance review at least annually. A formal evaluation is prepared and maintained in the employee's HR file.
Information Security Program Review
Security policies are reviewed at least annually by senior management for consistency with the organization's risk mitigation strategy, and updated as necessary when that strategy changes.
Internal Control Monitoring
A continuous monitoring solution monitors internal controls used in the achievement of service commitments and system requirements.
Roles and Responsibilities
Information security roles and responsibilities are outlined for personnel responsible for the security, availability, and confidentiality of the system.
Management Oversight of Security
Operational meetings are held on a regular basis to discuss internal control responsibilities and performance measurement. Senior management oversees risk management and accountability and participates in the risk identification process. A formal annual risk assessment is performed and documented.
Personnel Accountability
A policy is in place to assign responsibility and accountability for developing and maintaining the entity's security policies, and changes and updates to those policies, to appropriate personnel.
Organizational Chart
Management maintains a formal organizational chart to clearly identify positions of authority and the lines of communication, and publishes the organizational chart to internal personnel.
Information Security Policies
Documented information security policies establish security requirements for maintaining the security, confidentiality, integrity, and availability of applications, systems, infrastructure, and data. These policies are reviewed annually and communicated to all relevant personnel.
Confidentiality
Data Classification Policy
A Data Classification Policy details the security and handling protocols for sensitive data.
Disposal of Customer Data
Upon customer request, data that is no longer needed is removed from databases and other file stores in accordance with agreed-upon customer requirements.
Data Retention and Disposal Policy
A Data Retention and Disposal Policy specifies how customer data is to be retained and disposed of based on compliance requirements and contractual obligations.
Vulnerability Management
Vulnerability and Patch Management Policy
A Vulnerability Management and Patch Management Policy outlines the processes for responding to identified vulnerabilities in a timely manner.
Incident Response
Incident Response Plan
An Incident Response Plan outlines the process of identifying, prioritizing, communicating, assigning and tracking confirmed incidents through to resolution.
Risk Assessment
Risk Register
A risk register is maintained, which records the risk mitigation strategies for identified risks, and the development or modification of controls consistent with the risk mitigation strategy.
Vendor Risk Management Policy
A Vendor Risk Management Policy defines a framework for the onboarding and management of the vendor relationship lifecycle.
Risk Assessment
Formal risk assessments are performed, which include the identification of relevant internal and external threats related to security, availability, confidentiality, and fraud, and an analysis of the risks associated with those threats.
Risk Assessment and Treatment Policy
A Risk Assessment and Treatment Policy governs the process for conducting risk assessments to account for threats, vulnerabilities, likelihood, and impact with respect to assets, team members, customers, vendors, suppliers, and partners. Risk tolerance and strategies are also defined in the policy.
Network Security
Network Security Policy
A Network Security Policy identifies the requirements for protecting information and systems within and across networks.
Automated Alerting for Security Events
Alerting software is used to notify impacted teams of potential security events.
Access Security
Asset Inventory
A list of system assets, components, and their respective owners is maintained and reviewed at least annually.
Access Control and Termination Policy
An Access Control and Termination Policy governs authentication and access to applicable systems, data, and networks.
Access to Product is Restricted
Non-console access to production infrastructure is restricted to users with a unique SSH key or access key.
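One check a practitioner would pair with this control, added here as an example and not the company's own tooling: verify that an OpenSSH server configuration actually permits only key-based, per-user logins. The two sample configuration files are constructed for the example; the check assumes plain "Keyword value" syntax and no Match blocks.

```shell
#!/bin/sh
# Added example (not part of this control listing): check that an OpenSSH
# server configuration permits only key-based, per-user logins, which is what
# "unique SSH key" access depends on. Sample configs below are constructed.
# Assumptions: plain "Keyword value" syntax (not "Keyword=value") and no
# Match blocks; on a live host, `sshd -T` prints the effective configuration
# and is the authoritative source.

# Print the first value of keyword $2 in config file $1, lower-cased.
# sshd honours the first occurrence of a keyword, so later duplicates are ignored.
sshd_value() {
  grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print tolower($2)}'
}

# Return 0 if the config enforces key-only, non-root logins; otherwise print
# each failing setting and return 1. Fallback values are OpenSSH's defaults
# for when a keyword is absent.
check_sshd() {
  cfg="$1"
  rc=0
  pw=$(sshd_value "$cfg" PasswordAuthentication)
  pub=$(sshd_value "$cfg" PubkeyAuthentication)
  root=$(sshd_value "$cfg" PermitRootLogin)
  empty=$(sshd_value "$cfg" PermitEmptyPasswords)
  # Keyboard-interactive auth can still prompt for a password via PAM.
  # Newer OpenSSH calls it KbdInteractiveAuthentication, older releases
  # ChallengeResponseAuthentication.
  kbd=$(sshd_value "$cfg" KbdInteractiveAuthentication)
  [ -n "$kbd" ] || kbd=$(sshd_value "$cfg" ChallengeResponseAuthentication)

  [ "${pw:-yes}" = no ]   || { echo "FAIL: PasswordAuthentication ${pw:-yes}, expected no"; rc=1; }
  [ "${kbd:-yes}" = no ]  || { echo "FAIL: KbdInteractiveAuthentication ${kbd:-yes}, expected no"; rc=1; }
  [ "${pub:-yes}" = yes ] || { echo "FAIL: PubkeyAuthentication ${pub:-yes}, expected yes"; rc=1; }
  [ "${root:-prohibit-password}" = no ] || { echo "FAIL: PermitRootLogin ${root:-prohibit-password}, expected no"; rc=1; }
  [ "${empty:-no}" = no ] || { echo "FAIL: PermitEmptyPasswords ${empty:-no}, expected no"; rc=1; }
  return "$rc"
}

# Constructed sample configs: one that still allows shared-secret logins and
# one that meets the control.
WEAK_CFG=$(mktemp)
HARDENED_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT

cat > "$WEAK_CFG" <<'EOF'
Port 22
PasswordAuthentication yes
PermitRootLogin yes
EOF

cat > "$HARDENED_CFG" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
# Later duplicate: ignored by sshd, and by the check above.
PasswordAuthentication yes
EOF

check_sshd "$WEAK_CFG" || echo "weak config: rejected"
check_sshd "$HARDENED_CFG" && echo "hardened config: accepted"
```

The check only proves that the daemon will refuse password and keyboard-interactive logins and will not accept a shared root session; that each remaining key belongs to exactly one person is an authorized_keys and offboarding question (see Removal of Access below), not an sshd_config one.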
Encryption-in-Transit
Service data transmitted over the internet is encrypted in transit.
Encryption and Key Management Policy
An Encryption and Key Management Policy supports the secure encryption and decryption of app secrets, and governs the use of cryptographic controls.
Removal of Access
Upon termination or when internal personnel no longer require access, system access is removed, as applicable.
Physical Security
Physical Access Restrictions
Processes are in place to create, modify, or remove physical access to facilities such as data centers, office spaces, and work areas based on each individual's needs.
Physical Security Policy
A Physical Security Policy that details physical security requirements for the company facilities is in place.
Communications
Security Issue Reporting
Policies and procedures guide personnel in resolving complaints and requests relating to security issues. Management has implemented processes to handle security concerns raised by both internal personnel and external parties.
Communication of Security Commitments
Security commitments and expectations are communicated to both internal personnel and external users via the company's website.
Privacy Policy
A Privacy Policy is communicated to both external users and internal personnel. This policy details the company's privacy commitments.
Communication of Critical Information
Critical information is communicated to external parties, as applicable.