Category / Section
Security Questions
Published:
29 mins read
| Human Resources Security | ||
QUESTIONS: | SHORT ANSWER: Y/N | LONG ANSWER: |
| 1. Do you train your employees regarding their specific role and the information security controls they must fulfill? | Yes | The organization utilizes the "Tugboat Logic Platform" to manage InfoSec policies, provide security awareness training, implement and document security controls, and track compliance with customers, third party vendors, independent auditors and regulatory agencies. |
| 2. Are all employees required to formally agree to apply information security in accordance with the established policies and procedures of the organization? | Yes | Yes, Information security roles and responsibilities of employees, contractors, and our organization are stated in contractual agree |
| 3. Pursuant to local laws, regulations, ethics, and contractual constraints, are all employment candidates, contractors, and involved third parties subject to background verification? | Yes | New employees and contractors in our organization are subjected to a background and reference checks prior to joining the organization. |
| 4. Are all employees required to take recurring security awareness education and training, as relevant for their job function? | Yes | Yes, employees and contractors are required to complete an information security and privacy awareness training as part of the onboarding process and annually after that. |
| 5. Are employees subjected to disciplinary action in the event of non-compliance to security policies and procedures? | Yes | Syncfusion investigates all concerns and takes appropriate action depending on the facts. |
| 6. Are contractors monitored and managed by an employee at your organization to ensure compliance with company policies and procedures? | N/A | N/A |
| 7. Are all personnel required to adhere to a Confidentiality Agreement or an Acceptable Use Policy to protect customer information? | Yes | Yes. |
| 8. Are documented policies, procedures, and guidelines in place to govern change in employment and/or termination including timely revocation of access and return of assets? | Yes | Our organization has a formalized process and procedure to manage user access requests, change account permissions and revoke access when no longer needed. User access rights are reviewed on a quarterly basis and are based on least-privilege principle. |
| Compliance and Privacy | ||
| 1. Do all practices that involve the creation, modification, or storage of data comply with all legal, regulatory, and contractual obligations? | Yes | Our organization determines, documents and complies with the relevant lawful basis for the processing of personal data for the identified purposes in accordance with applicable privacy obligations. |
| 2. Are there procedures to ensure compliance of intellectual property with all legislative, regulatory, and contractual requirements? | Yes | We have scans andchecks in place to ensure we comply with all legislative, regulatory, and contractual requirements. |
| 3. Are there procedures in place regarding records retention to ensure records are protected from loss, destruction, falsification, unauthorized access, and unauthorized release in accordance with legislative, regulatory, and contractual requirements? | Yes | The organization has implemented the following control: |
| Formal data retention and disposal policy and procedure are in place to guide the secure retention and disposal of information. | ||
| 4. The organization has developed and maintained an approved and published external privacy notice. | Yes, management has designated both a security and a privacy official to oversee the development and implementation of security and privacy policies and procedures. | |
| 5. Do you notify your tenants when you make material changes to your information security and/or privacy policies? | Yes | The organization utilizes the "Tugboat Logic Platform" to manage InfoSec policies, provide security awareness training, implement and document security controls, and track compliance with customers, third party vendors, independent auditors and regulatory agencies. |
| 6. Does your organization conduct regular privacy impact / maturity assessments? | Yes | Our organization utilizes Tugboat Logic to document internal controls and continuously monitor its effectiveness. An assessment over the effectiveness and efficiency of the internal controls, processes and policies is reviewed by management on at least an annual basis and identified deficiencies are remediated in a timely manner. |
| 7. Do you perform, at a minimum, annual reviews to your privacy policies? | Yes | This is reviewed at least yearly. |
| 8. Does your organization have Cyber Insurance (technical or professional errors & omissions insurance)? | We have errors and omissions insurance. | |
| 9. Do you have independent reviews and assessments performed at least annually, for example by Internal Audit or third party providers, to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations? | Yes | We have independent third-party auditors review and assess the controls. |
| Identity & Access Management | ||
| 1. Is there a documented user access process that dictates requirements for requesting, approving, reviewing and removing access rights for all user types to all systems and services? | Yes | We have internal permission requests and permission processes. |
| 2. Are access rights established and limited based on specific business requirements? (principle of least privilege) .User access rights are reviewed on a quarterly basis and are based on least-privilege principle. | Yes | Our organization has a formalized process and procedure to manage user access requests, change account permissions, and revoke access when no longer needed. |
| 3. Are access rights for all users reviewed at regular intervals? | Yes | User access rights are reviewed on a quarterly basis and are based on least-privilege principle. |
| 4. Are processes or controls put in place to ensure no single individual can access, modify, or use critical assets without authorization or detection (i.e. a single individual should not able to both authorize and then initiate an event that affects critical data)? | Yes | We have multiple checks and balances in place to ensure no one person can change critical infrastructure. |
| 5. Do you manage and store the identity of all personnel who have access to IT infrastructure, including their level of access? | Yes | We have manual and automated checks to ensure everyone who has access is authorized. |
| 6. Where required by access control policy, are access to systems and applications password protected? | Yes | All application passwords are at least 8 characters long and use upper case, and lower case characters, digits and special characters. The passwords are anonymized and not in clear text. |
| 7. Are passwords compliant with access management policies governing password complexity and password handling? | Yes | All application passwords are at least 8 characters long and use upper case, lower case characters, digits and special characters. The passwords are anonymized and not in clear text. |
| 8. Are controls in place to lockout users after a defined number of unsuccessful attempts to access their account? | Yes | |
| 9. Do you require multi-factor authentication (MFA) for all users? | Yes | |
| 10. Do all users have a unique ID to perform system functions? If shared IDs are used, please describe. | Yes | Unique user IDs and strong passwords are required in order to gain access to the application production environment. |
| 11. Are inactive accounts disabled and/or removed after a set period of time? (e.g. 90 days) | Yes | Our organization's log management is enabled to monitor administrative activities, logon attempts, and data deletions at the application and infrastructure level. IT management is notified, logs reviewed, and issues identified are resolved in a timely manner |
| 12. For users that are authorized to access systems and data remotely, are access credentials required (VPN, MFA) to authenticate to the system? | Yes | The organization provides a protected, interconnected computing environment through the use of securely configured network devices to meet organizational missions, goals, and initiatives. |
| Asset Management & Data Protection | ||
| 1. Do you maintain a complete inventory of all of your assets that includes ownership of the asset and asset details? | Yes | Our organization maintains an inventory of information assets including the details on ownership, classification and location. The asset inventory is reviewed and updated on an as- needed basis. |
| 2. Is the asset inventory updated on a periodic basis for the addition and removal of assets? | Yes | Our organization maintains an inventory of information assets including the details on ownership, classification and location. The asset inventory is reviewed and updated on an as- needed basis. |
| 3. Do you have a formal information classification policy? | Yes | Yes. Syncfusion maintains an inventory list of servers used. of production information assets including details on asset ownership, data classification and location. The asset inventory listing is reviewed and updated by management on an as-needed basis. |
| 4. Are there appropriate procedures in place to ensure all data is correctly labeled and handled in accordance with its classification level and corresponding policy guidelines? | Yes | The organization has formalized data classification policies and procedures to identify confidential information in the system and to define instructions for handling and labeling confidential information. |
| 5. Do you store data from multiple clients on properly segregated databases, networks, and/or other storage capacities? | Yes | Yes, system components are configured such that our organization and customers' access is appropriately segmented from other tenant users. |
| 6. Will all devices and removable media storing or processing client data have full encryption? | Yes | A media handling policy and procedure have been established and implemented that governs any media movement |
| 7. Do you encrypt client data in transit? | Yes | The organization utilizes the latest commercially accepted encryption protocols. |
| 8. Do you encrypt client data at rest? | Yes | The organization utilizes the latest commercially accepted encryption protocols. |
| 9. Do you have a key management policy within your organization that addresses management and monitoring of keys? | Yes | Yes, a policy on the use of cryptographic controls and key management to protect electronic information is in place and in use. |
| 10. Is a key management system used to store the keys, and is use of the keys by personnel logged? | Yes | Yes, a policy on the use of cryptographic controls and key management to protect electronic information is in place and in use. |
| 11. Do you prohibit the use of removable media in your organization? | Yes | Yes |
| 12. (If Applicable) If you allow the use of removable media, do you have a policy governing the permissible use of removable media? | N/A | N/a |
| 13. Do you prevent client data from being accessed, modified, or stored on remote desktops or laptops? | Yes | |
| 14. Do you have a documented data disposal process in place (record management and retention policy)? | Yes | Yes, a data disposal policy is in place to guide the secure disposal of data |
| 15. Are all items of equipment containing storage media verified to ensure that any sensitive data and/or licensed software has been removed or securely overwritten prior to disposal or reuse? | Yes | Yes, a data disposal policy is in place to guide the secure disposal of data or media containing data, including guidelines on media sanitization before reuse. |
| Logging & Monitoring | ||
| 1. Do you log data such as access, exceptions, faults, security events, etc.? | Yes | Yes, logging is enabled to record administrative activities, access logon attempts, security events and it is monitored on a regular basis. Automated alerts are configured to notify IT management of any security issues to follow up and resolve in a timely manner through the incident management process. |
| 2. Are audit logs protected against modification, deletion and/or inappropriate access? (including system administrators and operators)? | Yes | Our organization uses the a centralized log and event management system to make sure that access to change the log configuration and access to modify logs is restricted. |
| 3. Do you employ monitoring solutions on the audit logs with alerting capabilities for suspicious activity? | Yes | Our organization maintains a formal data retention and disposal procedure for ensuring secure retention and disposal of information. |
| 4. Are audit logs maintained per retention policies? | Yes | Our organization mIntrusion detection or prevention systems are used to provide continuous monitoring of the company's network and to protect potential security breaches.aintains a formal data retention and disposal procedure for ensuring secure retention and disposal of information. |
| 5. Do you employ Intrusion Detection tools to facilitate timely detection, investigation, and response to security incidents? | Yes | Intrusion detection or prevention systems are used to provide continuous monitoring of the company's network and to protect potential security breaches. |
| 6. Do you monitor the network, including firewall and IDS/IPS, for security events on a 24x7x365 basis? | Yes | Yes, system firewalls are configured on the application gateway and production network to limit unnecessary ports, protocols, and services. Firewall rules are reviewed on an annual basis by IT management. |
| 7. Do you have a staffed SOC 24x7x365, or have an on-call process that supplements staffed coverage for full 24x7x365 coverage? | No | |
| 8. Do you have a defined incident response and management process/plan to manage and respond to information privacy and security incidents within agreed timeliness? | Yes | Incidents related to security and privacy are logged, tracked and communicated to affected parties. Incidents are resolved in a timely manner in accordance with the formal incident management process. |
| 9. Do you test your Incident Response Program at least annually? | Yes | |
| 10. Do you have a defined process and plan to notify relevant clients in the event of information breaches and/or incidents? | Yes | Yes, a formal incident management process has been established, which requires incidents (breaches) to be tracked, recorded, and resolved in a timely manner in accordance with the breach notification rule. The process document is reviewed and updated by management on an annual basis. |
| 11. Do you attest that your organization has not experienced an information security breach in the past three years? | Yes | |
| 12. In the event of an incident, do you have processes and procedures for forensic analysis and chain of custody? | Yes | |
| Physical & Environmental Security | ||
| 1. Does your organization have a formal documented physical and environmental security policy that is periodically reviewed and updated? | Yes | Our organization follows a physical security policy and controls are implemented to secure offices, rooms and facilities from unauthorized access. All entrances are guarded by key access and card systems and security surveillance cameras.Areas containing sensitive information are physically restricted and physical access is monitored. |
| 2. Are all physical premises and/or processing facilities protected to ensure that only authorized personnel are allowed access? | Yes | Our organization follows a physical security policy and controls are implemented to secure offices, rooms and facilities from unauthorized access. All entrances are guarded by key access and card systems and security surveillance cameras.Areas containing sensitive information are physically restricted and physical access is monitored. |
| 3. Do your physical premises and/or processing facilities have environmental controls to protect client data? | Yes | Environmental protections have been installed including the following and receive maintenance on at least an annual basis. - Cooling systems - UPS - Redundant communication lines - Smoke detectors and sprinklers. |
| 4. Do you have a documented visitor policy that ensures that visitors are escorted at all times? | Yes | Visitors are required to register at the entrance providing information such as their name, contact information, purpose of visit, host's name. Our organization uses visitor management software to log this information. They are provided identification badges for the duration of their visit. |
| Threats & Vulnerabilities | ||
| 1. Do you have anti-malware programs installed on all of your IT infrastructure network and system components? | Yes | Syncfusion maintains anti-virus and anti-spam software on all its servers running production services. It is configured to perform file-level scans during any read/write operations and to force updates to definitions on a periodic basis |
| 2. Do you have anti-virus (AV) or host based intrusion prevention systems (HIPS) in all resources that will be storing or processing client data? | Yes | Syncfusion maintains anti-virus and anti-spam software on all its servers running production services. It is configured to perform file-level scans during any read/write operations and to force updates to definitions on a periodic basis |
| 3. Do you regularly scan your external / internal infrastructure for vulnerabilities? | Yes | Yes, our organization uses code scanning tools to search for, identify and patch vulnerabilities. |
| 4. Do you have an established process to patch vulnerabilities across all of your computing devices, applications, and systems in a timely matter? | Yes | Our organization follows Patch Management Policy. All workstations have all critical security updates and patches installed in a timely manner. The organization uses patch management software to manage and deploy patches. |
| 5. Do you employ a risk-based prioritization approach to patching all servers, databases, and applications? (e.g.; critical within 7 days, high within 10 days) | Yes | Our organization follows Patch Management Policy. All workstations have all critical security updates and patches installed in a timely manner. The organization uses patch management software to manage and deploy patches. |
| 6. Do you utilize system hardening configurations to ensure only necessary features and services are provided? | Yes | |
| 7. Are there restrictions on the installation of software on operational systems? | Yes | |
| 8. Does the organization have a threat intelligence program and/or use external resources to stay up to date and monitor threats to your environment? | Yes | |
| 9. Do you conduct network and application penetration tests of your environment on at least an annual basis? | Yes | Yes. An external penetration test is performed on an annual basis to identify security exploits. Issues identified are classified according to risk, analyzed and remediated in a timely manner. |
| Development Security & Change Management | ||
| 1. Are there documented Change Management and Software Development Life Cycle Management policies and procedures in place? | Yes | Yes, our organization has a defined change management process that guides the changes to applications and supporting infrastructure. IT management reviews the process document on an annual basis and it is updated as needed. |
| 2. Are the development, testing, and operational environments separate to reduce the risks of unauthorized access or changes to the operational environment? | Yes | |
| 3. Are changes to information systems, operating platforms, and applications made during development appropriately reviewed and tested to ensure there is no adverse impact on the organization's operations or security? | Yes | |
| 4. Do you prevent the use of production data in lower environments? | Yes | Access to production data used outside of the production environment is restricted based on job needs and requires the same level of authorization as in production. |
| 5. Do you have a process in place to detect security defects in code prior to deployment through mechanisms like DAST and SAST? | N/A | N/A |
| 6. Are changes approved prior to migration to production through appropriate IT Owners and/or a Change Control Board? | Yes | Yes, our organization has an access request and approval process for provisioning new access and changes made to roles status/permissions. |
| Network Security | ||
| 1. Are all networks being used to transfer information formally identified and documented by IT? | Yes | Yes, a formal network diagram outlining boundary protection mechanisms (e.g. firewalls, IDS, etc.) is maintained for all network connections and reviewed annually by IT management. |
| 2. Are messaging system (including email, instant messaging, chat services, etc.) appropriately protected to the confidentiality and integrity of information is protected in transit? | Yes | Encryption technologies are used by our organization to protect communication and transmission of data over public networks and between systems. |
| 3. Is sensitive information passing over public networks protected from fraudulent activity, contract dispute, unauthorized disclosure and modification, mis-routing, and incomplete transmission? | Yes | Encryption technologies are used to protect communication and transmission of data over public networks. |
| 4. Are firewall rules reviewed and updated on a frequent basis? | Yes | Yes, system firewalls are configured on the application gateway and production network to limit unnecessary ports, protocols, and services. Firewall rules are reviewed on an annual basis by IT management. |
| 5. Does the organization maintain system and network topology and architecture diagrams that are reviewed and updated when changes occur? | Yes | Yes, a formal network diagram outlining boundary protection mechanisms (e.g. firewalls, IDS, etc.) is maintained for all network connections and reviewed annually by IT management. |
| 6. Are system and network environments protected by a firewall or virtual firewall to ensure business and customer security requirements? | Yes | System firewalls are configured on the application gateway and production network to limit unnecessary ports, protocols and services. Firewall rules are reviewed on an annual basis by IT management. |
| Business Continuity & Disaster Recovery | ||
| 1. Does your organization have a defined and implemented Business Continuity / Disaster Recovery Policy or an equivalent document for the continuity of offered services? | Yes | Yes, the organization has established a formal Business Impact Analysis process to assess the relative criticality of PHI applications and data to drive business continuity requirements. |
| 2. Do you test your Business Continuity/Disaster Recovery plan periodically, with critical business functions tested at least annually? | Yes | Business continuity plans have been developed and tested annually. Test results are reviewed and consequently, contingency plans are updated. |
| 3. Are there frequent backups of information, software, and system images in compliance with data management policy? | Yes | Data backups are performed regularly in accordance with an approved backup policy. Backups are monitored for failure using an automated system, and appropriate corrective actions are taken. |
| 4. Do you have an offsite backup storage facility or provider? | Yes | Yes, formal procedures that outline the data backup and restoration process are documented. The procedures are reviewed by IT management annually or in case of significant changes. |
| 5. Do you encrypt your backups? | Yes | |
| Third-Party Risk | ||
| 1. Has your organization defined and implemented a formal process (which includes due diligence) for managing any third parties that may require access to client information? | Yes | We do not allow third-parties access to our information. |
| 2. Does your organization have defined contractual agreements with third parties that process customer information? | Yes | |
| 3. Do you perform information security reviews and/or audits of your third party providers to ensure that all agreed upon security requirements are met on a periodic basis based on risk? | Yes | |
| 4. Do you ensure that services or products that are being provided to the end client are not sub-contracted out to a fourth party without client notification? | Yes | |
