Security Overview
At SupportPay, we are committed to the safety and privacy of your data. We take a proactive approach to protecting sensitive information across all systems and operations, and we have built a security framework that integrates risk management, compliance, and current security technologies to safeguard against unauthorized access, data breaches, and evolving threats.
Our security measures are designed to preserve the confidentiality, integrity, and availability of your data, whether it is being transmitted, stored, or processed. By adhering to industry standards and regulatory requirements, we maintain a secure environment that fosters trust and reliability.
The following sections outline the security policies and practices we have in place to protect your information, including encryption, access control, network security, incident management, and more. Each control is annotated with its current maturity or implementation status so that the state of our program is stated plainly.
At SupportPay, your security is our priority.
A.1 Risk Governance Plan:
- We have a formalized risk governance plan that defines the requirements for our Enterprise Risk Management program.
- Risk Assessment: Conducted by AWS as part of the AWS Accelerate program. Based on these assessments, we have rated risks and prioritized fixes.
- Maturity: 3 – Partially in place with plans to enhance.
A.1.1 Risk Management Policies and Procedures:
- Our risk governance plan includes well-defined risk management policies, procedures, and internal controls.
- Risk Assessment: AWS assists in prioritizing and addressing risks.
- Maturity: 3 – Partially in place with plans to enhance.
A.1.2 Asset Coverage:
- The plan covers a broad range of assets: people, processes, data, and technology.
- Maturity: 3 – Partially in place with plans to enhance.
A.3 Formal Risk Assessment Process:
- We have a formal Risk Assessment Process that identifies, quantifies, and prioritizes risks according to acceptable levels.
- Maturity: 3 – Partially in place with plans to enhance.
A.3.8 Risk Response and Treatment:
- We have established processes to manage risk responses and treatments.
- Maturity: 3 – Partially in place with plans to enhance.
A.5 Third-Party Subcontractor Access:
- Subcontractor Access: Our subcontractors, such as backup vendors and service providers, have scoped access to relevant systems and data. Only necessary personnel have access, with restrictions for the Founder, Sheri Atwood.
- Maturity: 4 – In place with exclusions.
A.5.1 Third-Party Risk Management:
- A documented risk management program is in place for subcontractors, covering selection, oversight, and risk assessment.
- Maturity: 5 – In place with no exclusions.
A.5.2 Contracts with Subcontractors:
- All subcontractors requiring assessment are bound by contracts.
- Maturity: 4 – In place with exclusions.
A.5.2.1 Non-Disclosure/Confidentiality Agreements:
- Contracts with subcontractors include Non-Disclosure/Confidentiality Agreements (NDAs).
- Maturity: 5 – In place with no exclusions.
A.5.2.2 Intellectual Property:
- Contracts include clauses regarding ownership of information, trade secrets, and intellectual property.
- Maturity: 5 – In place with no exclusions.
A.5.2.4 Confidential Information Use:
- Contracts include limitations on the permitted use of confidential information.
- Maturity: 5 – In place with no exclusions.
A.5.2.5 Data Breach Notification:
- Contracts include data breach notification provisions.
- Maturity: 4 – In place with exclusions.
A.5.2.9 Indemnification/Liability:
- Contracts include indemnification and liability clauses.
- Maturity: 5 – In place with no exclusions.
A.5.2.18 Termination/Exit Clauses:
- Contracts include termination/exit clauses.
- Maturity: 5 – In place with no exclusions.
A.5.2.11 Breach of Agreement Terms:
- Contracts address breach of agreement terms.
- Maturity: 5 – In place with no exclusions.
A.5.3 Third-Party Risk Tracking:
- The third-party risk management program includes an assigned individual or group responsible for maintaining and tracking subcontractor security, privacy, or related issues.
- Maturity: 5 – In place with no exclusions.
A.5.1.15.5 Confidentiality Agreements:
- The third-party risk management program requires Confidentiality and/or Non-Disclosure Agreements (NDAs) from all subcontractors.
- Maturity: 5 – In place with no exclusions.
A.5.1.15.6 Subcontractor Change Notifications:
- Subcontractors are required to notify us of changes affecting services rendered.
- Maturity: 5 – In place with no exclusions.
A.5.1.15.7 Background Checks for Subcontractors:
- Background checks are required for service provider contractors and subcontractors.
- Maturity: 4 – In place with exclusions.
A.5.3.4.3 Remediation Reporting:
- We maintain a process for logging and identifying subcontractor information security, privacy, and data breach issues.
- Maturity: 5 – In place with no exclusions.
Information Security Policies:
We maintain a comprehensive set of information security policies that have been formally approved by management. These policies are published and communicated to all relevant parties within the organization.
Maturity: 3 – Partially in place with plans to enhance.
- B.1.5 Policy Ownership:
Every security policy is assigned to a specific owner who is responsible for conducting regular reviews and securing periodic approvals from relevant stakeholders.
Maturity: 5 – In place with no exclusions.
- B.1.6 Policy Review:
All information security policies and standards are subject to review at least once within a 12-month period to ensure they remain current and effective.
Maturity: 5 – In place with no exclusions.
C.1 Responsibilities for Asset Protection:
Responsibilities for asset protection and specific information security processes are clearly defined and communicated to the relevant parties within the organization.
Additional Information: Due to the current size of the organization, these responsibilities fall under the scope of Sheri Atwood, CEO.
Maturity: 3 – Partially in place with plans to enhance.
- C.4 Information Security Personnel:
Information security personnel, whether internal or outsourced, are responsible for the implementation and management of information security processes.
Maturity: 3 – Partially in place with plans to enhance.
- C.4.2 Policy Creation and Review:
Information security personnel are tasked with the creation and review of information security policies, ensuring that they remain relevant and effective.
Maturity: 3 – Partially in place with plans to enhance.
- C.4.6 Incident Monitoring:
Personnel are responsible for the review and monitoring of information security incidents and events, enabling quick responses and resolution.
Maturity: 3 – Partially in place with plans to enhance.
- C.6 Information Security Assessments for Projects:
All projects that involve scoped systems and data undergo information security assessments to evaluate and mitigate potential risks.
Maturity: 3 – Partially in place with plans to enhance.
Asset Management Program:
We have an asset management program that has been approved by management, communicated to all relevant constituents, and assigned an owner responsible for maintenance and regular review.
Maturity: 4 – In place with exclusions.
- D.1.1 Asset Inventory List:
An asset inventory list or Configuration Management Database (CMDB) is maintained to track all assets within the organization.
Maturity: 4 – In place with exclusions.
- D.2 Acceptable Use Policy:
A formal acceptable use policy governs the use of information and associated assets. This policy is approved by management, communicated to appropriate constituents, and assigned an owner for ongoing maintenance and periodic reviews.
Maturity: 4 – In place with exclusions.
- D.3 Asset Return Process:
We have a well-defined process to verify the return of constituent assets (e.g., computers, cell phones, access cards) upon termination or role change.
Maturity: 5 – In place with no exclusions.
- D.5 Information Classification:
Information is classified according to legal and regulatory requirements, business value, and the sensitivity to unauthorized disclosure or modification.
Maturity: 3 – Partially in place with plans to enhance.
- D.5.3 Information Asset Ownership:
Each information asset is assigned an owner responsible for its oversight and maintenance.
Maturity: 4 – In place with exclusions.
- D.5.3.2 Periodic Access Review:
Asset owners are responsible for approving and periodically reviewing access to information assets to ensure proper control.
Maturity: 5 – In place with no exclusions.
- D.5.4 Information Handling Policy:
We have a policy for information handling, covering storage, processing, and communication. This policy is approved by management, communicated to all relevant constituents, and assigned an owner for maintenance.
Maturity: 4 – In place with exclusions.
- D.5.4.2 Encryption Requirements:
The information handling policy includes encryption requirements for data during storage and transmission.
Maturity: 5 – In place with no exclusions.
- D.5.4.3 Storage Requirements:
Storage requirements, including the authorized use of Public Cloud storage, are clearly defined.
Maturity: 5 – In place with no exclusions.
- D.5.4.4 Electronic Transmission Security:
The policy includes security requirements for electronic transmission, such as email, web, and file transfer services.
Maturity: 5 – In place with no exclusions.
- D.5.4.5 Removable Media Requirements:
Requirements for handling removable media (e.g., thumb drives, DVDs) are outlined in the policy.
Maturity: 4 – In place with exclusions.
- D.5.5 Data Retention and Destruction:
We have a data retention and destruction policy, covering live media, backup/archived media, and data managed by subcontractors.
Maturity: 5 – In place with no exclusions.
- D.6 Scoped Data via Physical Media:
Scoped data is occasionally sent or received via physical media when required.
Maturity: 5 – In place with no exclusions.
- D.7 Scoped Data via Electronic Means:
Scoped data is primarily sent or received electronically.
Maturity: 5 – In place with no exclusions.
- D.7.2 Encryption of Electronic Data:
All scoped data sent or received electronically is encrypted in transit while outside the network.
Maturity: 5 – In place with no exclusions.
- D.7.6 Protection Against Malicious Code:
Data sent or received electronically is protected by virus scanning at the endpoint and by network-level virus inspection.
Maturity: 5 – In place with no exclusions.
- D.7.7 Phishing Prevention:
Incoming and outgoing emails undergo phishing prevention scans to mitigate potential threats.
Maturity: 5 – In place with no exclusions.
- D.7.9 Cloud-Based Public Sharing:
We take necessary precautions when storing or transferring data via cloud-based public sharing solutions.
Maturity: 5 – In place with no exclusions.
- D.8 Confidential Scoped Data Storage:
Confidential and regulated scoped data is stored electronically following security protocols.
Maturity: 5 – In place with no exclusions.
Human Resource Policies:
Human Resource policies are approved by management, communicated to all constituents, and assigned an owner for ongoing maintenance and review.
Maturity: 5 – In place with no exclusions.
- E.1.1 Constituent Background Screening:
HR policies include background screening criteria for all constituents.
- E.1.1.1 Criminal Screening:
Background screening criteria also include criminal screening for relevant positions.
Maturity: 5 – In place with no exclusions.
- E.1.3 Security Awareness Training:
All constituents are required to participate in security awareness training programs that educate them on the company’s security protocols and procedures.
- E.1.3.3 Security Roles and Responsibilities:
The training program includes a detailed explanation of each constituent’s security roles and responsibilities within the organization.
- E.1.3.5 New Hire and Annual Participation:
Security awareness training is mandatory for all new hires and is conducted annually for all existing employees to ensure continued compliance.
Maturity: 5 – In place with no exclusions.
- E.1.4 Disciplinary Process for Non-Compliance:
A disciplinary process is in place for any non-compliance with security policies, ensuring that all constituents adhere to security protocols.
Maturity: 5 – In place with no exclusions.
- E.1.6 Termination and Change of Status Processes:
The HR policy includes procedures for termination and change of status to ensure appropriate access revocation and role adjustments.
Maturity: 5 – In place with no exclusions.
- E.2 Electronic Access Removal:
Electronic access to systems containing scoped data is removed within 24 hours for terminated constituents, ensuring no unauthorized access after departure.
Maturity: 5 – In place with no exclusions.
Physical and Environmental Security
1. Physical Security Program
- Management Approved Program: Our physical security program is formally approved by management. It is communicated to all relevant parties, and a designated owner is responsible for its ongoing maintenance and review.
- Status: Fully implemented with no exclusions.
2. Physical Security Controls
Secured Facilities: We have implemented robust physical security controls for all our secured facilities, including data centers and office buildings.
- Status: Fully implemented with no exclusions.
Electronic Access Controls: Our physical security controls feature an electronic access system, such as key cards, tokens, fobs, or biometric readers.
- Status: Fully implemented with no exclusions.
Entry and Exit Monitoring: All entry and exit doors are equipped with alarms for forced entry and propped-open scenarios, and are monitored by security personnel.
- Status: Fully implemented with no exclusions.
Access Restrictions and Logs: Access to our facilities is restricted to authorized personnel only, and we maintain detailed logs of all access activities.
- Status: Fully implemented with no exclusions.
Documentation of Procedures: Our procedures for physical access controls are thoroughly documented to ensure clarity and consistency.
- Status: Fully implemented with no exclusions.
Reporting of Lost or Stolen Access: We require immediate reporting of any lost or stolen access cards or keys to maintain security integrity.
- Status: Fully implemented with no exclusions.
3. Environmental Controls
- Protective Measures: We have established environmental controls within our secured facilities to protect computers and other physical assets. This includes comprehensive fire detection and suppression systems.
- Status: Fully implemented with no exclusions.
4. Visitor Access
- Visitor Policy: We have a clear policy regarding visitor access to our facilities to ensure security is maintained at all times.
- Status: Fully implemented with no exclusions.
5. Data Center
- Data Center Location: Our scoped systems and data are securely housed within a dedicated data center, ensuring optimal security and reliability.
- Status: Fully implemented with no exclusions.
Operational and Change Management
1. Operating Procedures
- Management Approved Procedures: We utilize operating procedures that are formally approved by management. These procedures are consistently followed across our organization.
- Status: Fully implemented with no exclusions.
2. Change Management/Control
Change Management Policy: Our Change Management/Change Control policy is documented, approved by management, and communicated to all relevant stakeholders. A designated owner is responsible for maintaining and reviewing the policy.
- Status: Fully implemented with no exclusions.
Change Control Process: All changes to the production environment, including network configurations, system updates, application modifications, and code changes, are subject to our Change Control process.
- Status: Fully implemented with no exclusions.
Client Notification: Our Change Control process includes a formal procedure to notify clients in advance of any changes that may impact their services.
- Status: Fully implemented with no exclusions.
Scheduled Maintenance: Our Change Control process includes a scheduled maintenance window to manage updates and changes efficiently.
- Status: Fully implemented with no exclusions.
Maintenance Impact: Work performed during a scheduled maintenance window may result in client downtime; scheduling and advance notification ensure that any such disruption is managed proactively.
- Status: Fully implemented with no exclusions.
3. Information Security for New Systems
Security Requirements: Information Security requirements are specified and implemented for new, upgraded, or enhanced systems based on the sensitivity of the data involved.
- Status: In place with some exclusions.
Sensitivity-Based Security: New or enhanced systems are assessed for security requirements in accordance with the sensitivity of the data they handle.
- Status: In place with some exclusions.
4. Time Synchronization
- Common Time Synchronization: All systems and network devices use a common time synchronization service to ensure consistency and accuracy across our operations.
- Status: Fully implemented with no exclusions.
Access Control and Password Policies
1. Access Control Program
- Management Approved Access Control Program: Our access control program is approved by management and communicated to all relevant stakeholders. A dedicated owner is responsible for maintaining and reviewing the program.
- Status: Fully implemented with no exclusions.
2. Data Access
Constituent Access: Authorized constituents are able to access Scoped data as required.
- Status: Fully implemented with no exclusions.
Client Access Management: Clients are given the ability to manage access to their own system data, ensuring greater control and security.
- Status: Fully implemented with no exclusions.
3. ID Creation and Assignment
Rules for ID Creation: We enforce a strict set of rules governing the creation and assignment of unique IDs for access.
- Status: Fully implemented with no exclusions.
Unique Authentication IDs: Unique IDs are required for accessing applications, operating systems, databases, and network devices.
- Status: Fully implemented with no exclusions.
4. Access Request and Approval
Access Approval Process: A formal process is in place to request and approve access to systems that transmit, process, or store Scoped data.
- Status: Fully implemented with no exclusions.
Least Privilege Principle: Access to applications, operating systems, databases, and network devices is granted according to the principle of least privilege.
- Status: Fully implemented with no exclusions.
Segregation of Duties: There is clear segregation of duties for granting and approving access to Scoped systems and data.
- Status: Fully implemented with no exclusions.
Access Implementation: Duties for approving and implementing access requests are also segregated to maintain security and accountability.
- Status: Fully implemented with no exclusions.
5. Limited Access
- Scoped Data Access: Access to systems that store or process Scoped data is strictly limited to authorized personnel.
- Status: Fully implemented with no exclusions.
6. Password Management
Password Policy: A comprehensive password policy, approved by management, governs systems that transmit, process, or store Scoped data.
- Status: Fully implemented with no exclusions.
Complexity and Length Requirements: The policy requires passwords to be at least eight characters long and to include a combination of upper and lower-case letters, numbers, and special characters.
- Status: Fully implemented with no exclusions.
Password Confidentiality: The policy prohibits sharing passwords and storing them in an unencrypted format.
- Status: Fully implemented with no exclusions.
Encrypted Passwords: All passwords are required to be encrypted both in transit and at rest.
- Status: Fully implemented with no exclusions.
Password Reset Requirements: Passwords must be changed upon initial login, and reset processes are limited to authorized personnel or automated tools.
- Status: Fully implemented with no exclusions.
Periodic Changes: Passwords must be changed regularly, and users are required to change them if a compromise is suspected.
- Status: Fully implemented with no exclusions.
Multi-Factor Authentication (MFA): MFA is deployed for enhanced security across our systems.
- Status: Fully implemented with no exclusions.
7. Session Management
- Session Termination: System policies require active sessions to be terminated or secured when finished, including logging off from terminals, PCs, and servers.
- Status: Fully implemented with no exclusions.
8. Access Review Process
Periodic Reviews: User and privileged access rights are reviewed periodically to ensure continued appropriateness.
- Status: Fully implemented with no exclusions.
Role Change Reviews: Access rights are reviewed when a constituent’s role changes to maintain appropriate levels of access.
- Status: Fully implemented with no exclusions.
Inactive User IDs: Constituent user IDs that remain inactive for a defined period are disabled and deleted to prevent unauthorized access.
- Status: Fully implemented with no exclusions.
Application and Web Security Controls
1. Applications Handling Scoped Data
Applications Involved in Data Processing: Applications used within our environment transmit, process, and store Scoped data.
- Status: Fully implemented with no exclusions.
Vendor/Service Account Monitoring: System, vendor, and service accounts are disallowed for normal operations and monitored for any usage.
- Status: Fully implemented with no exclusions.
Web Application Security: All web applications follow best practices and security guidelines, such as OWASP standards.
- Status: Fully implemented with no exclusions.
Input Validation: Data input into applications is validated to prevent security issues.
- Status: Fully implemented with no exclusions.
Test/Development Environments: Scoped systems and data are not used in test, development, or QA environments to ensure production integrity.
- Status: Fully implemented with no exclusions.
Outside Development Resources: External development resources are occasionally utilized for development purposes.
- Status: Fully implemented with no exclusions.
2. Software Development Life Cycle (SDLC)
Application Development: Application development is performed in-house as per business needs.
- Status: Fully implemented with no exclusions.
Formal SDLC Process: A formal Software Development Life Cycle (SDLC) process is in place.
- Status: Fully implemented with no exclusions.
Secure Development Policy: A secure SDLC policy, approved by management, has been implemented and communicated to all relevant parties.
- Status: Fully implemented with no exclusions.
Application Change Management: A documented change management process for applications handling Scoped data is in place.
- Status: Fully implemented with no exclusions.
Production Environment Changes: All changes to the production environment undergo a formal change control procedure.
- Status: Fully implemented with no exclusions.
Testing Before Deployment: The change control process includes rigorous testing of changes prior to deployment.
- Status: Fully implemented with no exclusions.
Stakeholder Communication: The change control process ensures stakeholder communication and necessary approvals for changes.
- Status: Fully implemented with no exclusions.
Documentation of Changes: All system changes are thoroughly documented as part of the change management process.
- Status: Fully implemented with no exclusions.
Version Control: Version control mechanisms are in place for all software.
- Status: Fully implemented with no exclusions.
Change Request Logging: All Change Requests are logged for audit and accountability purposes.
- Status: Fully implemented with no exclusions.
Security Evaluations: Applications are evaluated from a security perspective before they are promoted to the production environment.
- Status: Fully implemented with no exclusions.
Regular Secure Code Reviews: Secure Code Reviews are performed regularly to identify potential vulnerabilities.
- Status: Fully implemented with no exclusions.
Vulnerability Analysis: Code reviews include an analysis of vulnerability to recent attacks.
- Status: Fully implemented with no exclusions.
Vulnerability Remediation: Identified security vulnerabilities are remediated before promotion to production.
- Status: Fully implemented with no exclusions.
Un-remediated Vulnerabilities: Any known un-remediated vulnerabilities are communicated to the Security Monitoring and Response group for ongoing awareness and monitoring.
- Status: Fully implemented with no exclusions.
Open-Source Software: Open-source software and libraries are used for Scoped data only when vetted for security.
- Status: Fully implemented with no exclusions.
3. Web Applications and Servers
Web Server Segregation: Web, application, and database components are logically or physically segregated to ensure secure operations.
- Status: Fully implemented with no exclusions.
Web Server Usage: Web servers are used for transmitting, processing, and storing Scoped data.
- Status: Fully implemented with no exclusions.
Compliance Reviews: Regular reviews are conducted to validate compliance with documented web server software security standards.
- Status: Fully implemented with no exclusions.
HTTPS Enforcement: HTTPS is enabled for all web pages to ensure secure data transmission.
- Status: Fully implemented with no exclusions.
Removal of Sample Scripts: Sample applications and scripts are removed from web servers to reduce the attack surface.
- Status: Fully implemented with no exclusions.
Security Patches: High-risk web server software security patches are applied and verified at least monthly.
- Status: Fully implemented with no exclusions.
Incident Investigation Logs: Web server and application logs include sufficient detail for investigating incidents, including failed and successful login attempts and changes to sensitive settings.
- Status: Fully implemented with no exclusions.
API Availability: An Application Programming Interface (API) is available to clients for interaction with Scoped data.
- Status: Fully implemented with no exclusions.
Prohibited Software Versions: Web server software versions that no longer receive security patches are prohibited from use.
- Status: Fully implemented with no exclusions.
4. Mobile Applications
Mobile Application Development: Mobile applications that access Scoped systems and data are developed internally.
- Status: Fully implemented with no exclusions.
Mobile App Actions: All actions performed by mobile applications to access, process, transmit, or locally store Scoped data are conducted securely following best practices.
- Status: Fully implemented with no exclusions.
Incident Event & Communication Management
1. Incident Management Program
- Established Program: There is an Incident Management Program in place, which has been approved by management, communicated to all relevant parties, and is actively maintained and reviewed by an appointed owner.
- Status: Fully implemented with no exclusions.
2. Formal Incident Response Plan
Incident Response Plan: A formal Incident Response Plan exists to ensure the organization is prepared to handle incidents.
- Status: Fully implemented with no exclusions.
Escalation Procedures: The Incident Response Plan includes a clear escalation procedure to guide the response team on how to handle critical situations.
- Status: Fully implemented with no exclusions.
Actions for Security Events: The plan outlines specific actions to be taken in response to an information security event, ensuring a structured and effective approach.
- Status: Fully implemented with no exclusions.
5. Event Monitoring and Investigation
Regular Event Reviews: Events on scoped systems or systems containing scoped data are regularly reviewed using a specific methodology to detect and investigate potential incidents.
- Status: Fully implemented with no exclusions.
Security Monitoring Alerts: The organization’s regular security monitoring includes alerts for malware activity, such as uncleaned infections and suspicious activity, to detect potential security breaches.
- Status: Fully implemented with no exclusions.
Business Resiliency
1. Business Resiliency Program
- Established Program: The organization has a Business Resiliency Program in place that has been approved by management, communicated to relevant parties, and maintained with an assigned owner responsible for its review.
- Status: Fully implemented with no exclusions.
5. Business Continuity Procedures
- Documented Continuity Procedures: Formal business continuity procedures have been developed and documented to ensure critical operations can continue during disruptive events.
- Status: Fully implemented with no exclusions.
6. Senior Management Responsibility
- Assigned Responsibility: Senior management has assigned responsibility for managing critical response and recovery efforts.
- Status: Fully implemented with no exclusions.
7. Periodic Review
- Annual Review: The business resiliency procedures are reviewed at least annually to ensure they remain effective and up to date.
- Status: Fully implemented with no exclusions.
8. Critical Third-Party Dependencies
- Third-Party Dependencies: There are dependencies on critical third-party service providers, which are taken into account in the resiliency planning.
- Status: Fully implemented with no exclusions.
10. IT Disaster Recovery
- Documented IT Disaster Recovery Program: A formal, documented IT disaster recovery exercise and testing program is in place to ensure readiness in the event of an IT disruption.
- Status: Fully implemented with no exclusions.
19. Backups of Scoped Systems and Data
Backup Process: Backups of scoped systems and data are regularly performed to ensure data integrity.
- Status: Fully implemented with no exclusions.
Backup Policy: There is a formal policy or process for backing up production data.
- Status: Fully implemented with no exclusions.
Backup Integrity Testing: Backup integrity and restoration procedures are tested at least annually to ensure they function as intended.
- Status: Fully implemented with no exclusions.
Backup Error Review: Backup and replication errors are reviewed and resolved as required to ensure data availability and integrity.
- Status: Fully implemented with no exclusions.
Offsite Backup Storage: Scoped data is backed up and stored offsite to mitigate the risk of data loss in case of a disaster.
- Status: Fully implemented with no exclusions.
Backup Security: Backups containing scoped data are stored in an environment with security controls equivalent to those of the production environment, ensuring the data is protected.
- Status: Fully implemented with no exclusions.
Compliance
1. Policies and Procedures for Compliance
- Compliance Policies: The organization has policies and procedures in place to ensure compliance with applicable legislative, regulatory, and contractual requirements.
- Status: Fully implemented with no exclusions.
1.1. Regulatory Change Process
- Process for Regulatory Changes: A documented process exists to identify and assess regulatory changes that could significantly impact product and service delivery.
- Status: Fully implemented with no exclusions.
3. Internal Audit/Risk Management
Internal Oversight Unit: The organization has an internal audit, risk management, or compliance department responsible for assessing, identifying, and tracking the resolution of outstanding regulatory issues.
- Status: Fully implemented with no exclusions.
3.1. Audit Independence: The audit function operates independently from the lines of business.
- Status: Fully implemented with no exclusions.
3.3. Compliance Audits: Audits are regularly performed to ensure compliance with statutory, regulatory, contractual, or industry requirements.
- Status: Fully implemented with no exclusions.
4. Records Management and Reporting
Records and Reporting: A set of policies and procedures exists for managing required records and ensuring compliance with reporting obligations.
- Status: Fully implemented with no exclusions.
4.2. Reporting Compliance: Internal management and external reporting to government agencies are maintained in accordance with applicable law.
- Status: Fully implemented with no exclusions.
11.3. Employee Training
- Annual Compliance Training: Employees undergo annual training on non-disclosure of insider information, code of conduct, conflicts of interest, and compliance and ethics responsibilities.
- Status: Fully implemented with no exclusions.
14. Call Center Services
- Call Center Involvement: The engagement will include call center-related services.
- Status: Fully implemented with no exclusions.
16. Marketing Activities
- Marketing to Client’s Customers: Marketing or selling activities are conducted directly to the client’s customers.
- Status: Fully implemented with no exclusions.
17. Collections Activities
- Collections Services: Collections activities are conducted directly with the client’s customers.
- Status: Fully implemented with no exclusions.
18.2. Terms of Sale Online
- Online Sale Procedures: Procedures for the terms of sale, dispute resolution, and returns are available online.
- Status: Fully implemented with no exclusions.
19. Client Interactions
- Direct Client Interactions: There are direct interactions with the client’s customers.
- Status: Fully implemented with no exclusions.
20. Cybersecurity Obligations
- Cybersecurity Policies: Documented policies and procedures enforce applicable legal, regulatory, and contractual cybersecurity obligations.
- Status: Fully implemented with no exclusions.
23. Client Audits and Assessments
Client Audits: Client audits and/or risk assessments are permitted.
- Status: Fully implemented with no exclusions.
23.4. Evidence of Internal Controls: Internal controls are available during client assessments.
- Status: Fully implemented with no exclusions.
23.5. Control Validation: Controls are validated by independent, third-party auditors or information security professionals.
- Status: Fully implemented with no exclusions.
25. Fraud Detection and Prevention
- Fraud Compliance Program: A compliance program with policies and procedures exists to address internal and external fraud detection and prevention.
- Status: Fully implemented with no exclusions.
32. Account Activity and Transactions
Account Maintenance: Accounts are opened, financial transactions are initiated, and account maintenance activities are conducted through electronic, telephonic, written, or in-person requests.
- Status: Fully implemented with no exclusions.
32.1. Payment Compliance: Policies and procedures are in place to address payments compliance in delivering products or services as required by regulation.
- Status: Fully implemented with no exclusions.
32.3. E-Commerce Systems: Electronic commerce websites or applications are used to transmit, process, or store scoped systems and data.
- Status: Fully implemented with no exclusions.
32.3.2. Transaction Data Protection: All transaction details, including payment card info and parties involved in transactions, are prohibited from being stored in the Internet-facing DMZ.
- Status: Fully implemented with no exclusions.
34. Sanctioned Country Restrictions
Restricted Activities: Policies and procedures are in place to restrict activities or transactions involving sanctioned countries (e.g., country blocking).
- Status: Fully implemented with no exclusions.
34.10. Sanctions Compliance Checks: Compliance and sanctions checks (e.g., Office of Foreign Assets Control – OFAC) are performed on customers, suppliers, and third parties.
- Status: Fully implemented with no exclusions.
34.11. Sanctions Compliance Program: A sanctions compliance program with policies and procedures exists to meet obligations related to Office of Foreign Assets Control (OFAC) requirements.
- Status: Fully implemented with no exclusions.
END USER DEVICE SECURITY
End User Devices (Desktops, Laptops, Tablets, Smartphones) Usage
Scoped Data on End User Devices:
Are end-user devices used to transmit, process, or store scoped data?
Status: Yes if employees use these devices for work that involves sensitive data.
1.1. Security Configuration Standards
Security Configuration Documentation:
Are there documented security configuration standards for end-user devices?
Status: Yes if there are policies in place, such as encryption, password complexity, etc.
1.16. Activity Alerts for Infections and Suspicious Activity
Review of Alerts:
Are alerts reviewed and actioned at least weekly for uncleaned infections and suspicious activity?
Status: Yes if regular monitoring or antivirus solutions are implemented.
1.17. Anti-virus System Checks
Anti-virus Procedures:
Are there defined procedures to identify and correct systems without antivirus?
Status: Yes if the organization uses tools to regularly verify antivirus installations.
1.22. Mobile Device Usage
Mobile Device Use:
Are employees allowed to use mobile devices in your environment?
Status: Yes if employees can access company networks or apps on mobile.
1.22.5. Access to Corporate Email on Mobile Devices
Corporate Email Access:
Can employees access corporate email on mobile devices?
Status: Yes if email is accessible via smartphones or tablets.
1.23. Mobile Device Management Program
Mobile Device Management:
Is there a formal mobile device management program in place?
Status: Yes if the company uses tools like MDM (Mobile Device Management) software.
Personal Computers (PCs) Usage
PCs and Scoped Data:
Are personal computers (PCs) used to handle scoped data?
Status: Yes if PCs are used for tasks involving sensitive data.
2.3. Non-Company Managed PCs
External PCs Accessing Company Network:
Are non-company PCs allowed to connect to the company network?
Status: No if this is prohibited for security reasons.
NETWORK SECURITY
1.1. Approval Process for Network Devices
- Network Device Approval:
Is there an approval process prior to installing a network device?
Status: Yes if devices are approved before being added to the network.
Security and Hardening Standards
- Network Device Standards:
Are there security and hardening standards for network devices, including Firewalls, Switches, Routers, and Wireless Access Points (baseline configuration, patching, passwords, Access control)?
Status: Yes if standards are defined and followed.
2.1. Administrative Interfaces
- Interface Configuration:
Are all network device administrative interfaces configured to require authentication and encryption?
Status: Yes if these interfaces are secured with authentication and encryption.
2.2. Default Passwords
- Default Password Handling:
Are default passwords changed or disabled prior to placing network devices into production?
Status: Yes if default passwords are managed properly.
Network Device Logs
- Log Detail:
Is there sufficient detail contained in network device logs to support incident investigation?
Status: Yes if logs contain adequate information for investigations.
Security Patches
- Patch Application:
Are all available high-risk security patches applied and verified on network devices?
Status: Yes if high-risk patches are consistently applied.
Network Segmentation
- Network Segmentation:
Are network technologies used to isolate critical and sensitive systems into network segments separate from those with less sensitive systems?
Status: Yes if segmentation is in place.
5.11. External Network Connections
- Firewall Termination:
Is every connection to an external network terminated at a firewall (e.g., the Internet, partner networks)?
Status: Yes if all external connections are secured by firewalls.
6.1. Access Control
- Default Access Denial:
Do network devices deny all access by default?
Status: Yes if default access is restricted.
6.2. Firewall Rules
- Firewall Rules:
Do the firewalls have any rules that permit ‘any’ network, subnetwork, host, protocol, or port on any of the firewalls (internal or external)?
Status: No if firewall rules are restrictive and specific.
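The two questions above (deny by default, no 'any' rules) are the ones an assessor checks by reading the rulebase rather than the policy. The following is an added example of such a review, not SupportPay's own tooling or any vendor's export format: it assumes rules have already been extracted into a simple record with source, destination, protocol and port, flags every allow rule that wildcards any of those fields, and confirms that the rulebase ends with an explicit deny-all. The rules in the sample are constructed for illustration.

```python
"""Review a firewall rulebase for 'any' allow rules and a trailing default deny.

Added example. The Rule layout is an assumption for illustration; real exports
(iptables, ASA, security groups) must first be normalised into this shape.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Spellings that mean "match everything" in common firewall exports.
WILDCARDS = {"any", "*", "0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # CIDR, host, or a wildcard
    dst: str
    proto: str    # "tcp", "udp", "icmp", or a wildcard
    port: str     # "443", "1024-65535", or a wildcard


def is_any(value: str) -> bool:
    """True if the field matches everything, including a /0 prefix written as a CIDR."""
    v = value.strip().lower()
    if v in WILDCARDS:
        return True
    try:
        return ipaddress.ip_network(v, strict=False).prefixlen == 0
    except ValueError:  # ports, protocol names, hostnames: not a network
        return False


def permissive_fields(rule: Rule) -> list[str]:
    """Fields of an allow rule that are wildcarded (empty list for deny rules)."""
    if rule.action.lower() != "allow":
        return []
    return [f for f in ("src", "dst", "proto", "port") if is_any(getattr(rule, f))]


def has_default_deny(rules: list[Rule]) -> bool:
    """The last rule must deny traffic on every field so unmatched traffic is dropped."""
    if not rules:
        return False
    last = rules[-1]
    return last.action.lower() == "deny" and all(
        is_any(getattr(last, f)) for f in ("src", "dst", "proto", "port")
    )


def audit_rules(rules: list[Rule]) -> dict:
    """Return the 'any' findings (rule name, wildcarded fields) and the default-deny result."""
    findings = [(r.name, permissive_fields(r)) for r in rules if permissive_fields(r)]
    return {"permissive": findings, "default_deny": has_default_deny(rules)}


# Constructed sample rulebase (not real SupportPay configuration).
SAMPLE_RULES = [
    Rule("web-to-app", "allow", "10.0.1.0/24", "10.0.2.10", "tcp", "443"),
    Rule("ssh-from-anywhere", "allow", "0.0.0.0/0", "10.0.2.20", "tcp", "22"),
    Rule("mgmt-egress", "allow", "10.0.9.5", "any", "any", "any"),
    Rule("cleanup", "deny", "any", "any", "any", "any"),
]

if __name__ == "__main__":
    result = audit_rules(SAMPLE_RULES)
    for name, fields in result["permissive"]:
        print(f"FINDING: rule {name!r} permits 'any' on {', '.join(fields)}")
    print("default deny present:", result["default_deny"])
```

The check deliberately treats a wildcard on a single field as a finding, matching the wording of the question, so an egress rule that is meant to allow outbound HTTPS to the Internet shows up and has to be narrowed to the protocol and port it actually needs. A rulebase with no trailing deny-all is reported separately, because on many platforms the implicit default is permissive.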
Remote Access Policy
- Remote Access Policy:
Is there a policy that defines the requirement for remote access from external networks to networks containing scoped systems and data that has been approved by management and communicated to constituents?
Status: Yes if a policy for remote access exists and is communicated.
7.3. Encrypted Communications for Remote Access
- Encryption Requirement:
Are encrypted communications required for all remote network connections from external networks to networks containing scoped systems and data?
Status: Yes if encryption is mandated for remote connections.
Remote Administration
- Remote Administration Security:
Is remote administration of organizational assets approved, logged, and performed in a manner that prevents unauthorized access?
Status: Yes if remote administration is controlled and logged.
9.2. Encryption for Remote System Access
- Encryption Requirement:
Are encrypted communications required for all remote system access?
Status: Yes if encryption is required.
Baseboard Management Controllers (BMCs)
- BMC Usage:
Are Baseboard Management Controllers (BMCs) enabled on any servers or other devices?
Status: No if BMCs are not enabled.
Network Intrusion Detection
- Intrusion Detection Capabilities:
Are Network Intrusion Detection capabilities employed?
Status: Yes if intrusion detection systems are in use.
DMZ Environment
- DMZ Environment:
Is there a DMZ environment within the network that transmits, processes, or stores scoped systems and data?
Status: Yes if a DMZ is in place for handling scoped data.
Network Security Policy
- Network Security Policy:
Is there a policy that defines network security requirements that is approved by management, communicated to constituents, and has an owner to maintain and review?
Status: Yes if such a policy exists and is properly managed.
Wireless Networking Devices
- Wireless Devices in Network:
Are wireless networking devices connected to networks containing scoped systems and data?
Status: No if wireless devices are not connected to sensitive networks.
Software, Firmware, and BIOS Updates
- Automatic Updates Delivery:
Do you deliver software, firmware, and/or BIOS updates to clients through automatic downloads (e.g., Windows Update, LiveUpdate)?
Status: Yes if updates are delivered through automatic mechanisms.
THREAT MANAGEMENT (P)
Windows Servers Usage
- Scoped Services:
Are Windows servers used as part of the Scoped Services?
Status: Yes if Windows servers are part of the scoped services.
Vulnerability Management Policy
- Vulnerability Management Policy:
Is there a Vulnerability Management Policy or Program that has been approved by management, communicated to appropriate constituents, and has an owner assigned to maintain and review the policy?
Status: Yes if a formal policy or program is in place.
2.4. Internal Network Vulnerability Scans
- Internal Scans:
Are network vulnerability scans performed against internal networks and systems?
Status: Yes if regular scans are conducted for internal networks.
2.5. Internet-Facing Network Vulnerability Scans
- Internet-Facing Scans:
Are network vulnerability scans performed against internet-facing networks and systems?
Status: Yes if scans are conducted for internet-facing networks.
2.5.1. Frequency of Vulnerability Scans
- Scan Frequency:
Do network vulnerability scans occur at least monthly?
Status: Yes if scans are performed on a monthly basis.
SERVER SECURITY
Servers Handling Scoped Data
- Scoped Data Usage:
Are servers used for transmitting, processing, or storing scoped data?
Status: Yes if servers are involved with handling scoped data.
1.1. Server Security Configuration Standards
- Documentation and Guidance:
Are server security configuration standards documented and based on external industry or vendor guidance?
Status: Yes if standards are documented and follow industry or vendor guidelines.
1.1.2. Security Configuration Reviews
- Regular Reviews:
Are server security configuration reviews performed regularly to validate compliance with documented standards?
Status: Yes if reviews are conducted on a regular basis.
1.2. Server Build Process
- Configuration During Build:
Are all servers configured according to security standards as part of the build process?
Status: Yes if servers are set up following security standards during the build phase.
1.2.1. Unnecessary Services
- Service Management:
Are all unnecessary/unused services uninstalled or disabled on all servers?
Status: Yes if unused services are managed appropriately.
1.2.5. Vendor Default Passwords
- Default Passwords:
Are vendor default passwords removed, disabled, or changed prior to placing any device or system into production?
Status: Yes if default passwords are handled before production use.
1.3. Logging for Incident Investigation
- Log Detail:
Is sufficient detail contained in operating system and application logs to support security incident investigations (at minimum, successful and failed login attempts, and changes to sensitive configuration settings and files)?
Status: Yes if logs contain necessary details for investigations.
1.5. Regular Patching
- System and Application Patching:
Are all systems and applications patched regularly?
Status: Yes if regular patching is performed.
1.5.8. Outdated Operating System Versions
- No Longer Supported OS:
Are there any Operating System versions in use within the Scoped Services that no longer have patches released? If yes, please describe in the Additional Information section.
Status: No if all OS versions in use are still supported with patches.
1.6. Unix or Linux Usage
- Unix/Linux Use:
Is Unix or Linux used as part of the scoped services?
Status: Yes if Unix or Linux systems are part of the services.
1.6.1. Root Access
- Root Access Requirements:
Are users required to ‘su’ or ‘sudo’ into root?
Status: Yes if root access requires these commands.
1.7. AS/400 Usage
- AS/400 Systems:
Are AS/400s used as part of the scoped services?
Status: No if AS/400 systems are not used.
1.8. Mainframes Usage
- Mainframes:
Are Mainframes used as part of the scoped services?
Status: No if Mainframes are not used.
1.9. Hypervisors Usage
- Hypervisors:
Are Hypervisors used to manage systems used to transmit, process, or store scoped data?
Status: Yes if Hypervisors are utilized for managing these systems.
1.10. Containers Usage
- Containers:
Are Containers used to process or store scoped data (e.g., Docker, Kubernetes, OpenShift)?
Status: Yes if Containers are employed for handling scoped data.
CLOUD HOSTING
Cloud Hosting Services
- IaaS Provision:
Are Cloud Hosting services (IaaS) provided?
Status: Yes if Infrastructure as a Service (IaaS) is part of the offerings.
Subcontracting of Cloud Services
- Subcontracting:
Are Cloud Hosting services subcontracted?
Status: No if these services are not subcontracted.
Backup Image Snapshots
- Authorization for Snapshots:
Is there a management-approved process to ensure that backup image snapshots containing scoped data are authorized by the outsourcer prior to being snapped?
Status: Yes if there is a formal process in place for authorization.
3.1. Backup Storage Security
- Security Controls for Backup:
Are backup image snapshots containing scoped data stored in an environment where the security controls protecting them are commensurate with the production environment?
Status: Yes if backups are stored with equivalent security controls as production.
Hardened Virtual Images
- Base Virtual Images:
Are default hardened base virtual images applied to virtualized operating systems?
Status: Yes if hardened images are used to ensure security.
Independent Audit Reports
- Audit Reports:
Does the Cloud Hosting Provider provide independent audit reports for their cloud hosting services (e.g., System and Organization Controls – SOC reports)?
Status: Yes if SOC or similar audit reports are provided.
6.2. Certification by Third Parties
- Compliance Certification:
Is the Cloud Service Provider certified by an independent third party for compliance with domestic or international control standards (e.g., National Institute of Standards and Technology – NIST, International Organization for Standardization – ISO)?
Status: Yes if the provider has relevant certifications.