Data Security Addendum
Data Security Requirements
Asserts maintains a comprehensive, written information security program that contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of Asserts’s business; (b) the type of information that Asserts will store; and (c) the need for security and confidentiality of such information.
Asserts’s security program includes:
Security Awareness and Training. A mandatory security awareness and training program for all members of Asserts’s workforce (including management), which includes:
Training on how to implement and comply with its Information Security Program; and
Promoting a culture of security awareness through periodic communications from senior management to employees.
Access Controls. Policies, procedures, and logical controls:
To limit access to its information systems and the facility or facilities in which they are housed to properly authorized persons;
To prevent those workforce members and others who should not have access from obtaining access; and
To remove access in a timely basis in the event of a change in job responsibilities or job status.
Physical and Environmental Security. Controls that provide reasonable assurance that access to physical servers at the production data center, if applicable, is limited to properly authorized individuals and that environmental controls are established to detect, prevent and control destruction due to environmental extremes. These controls are implemented by Amazon Web Services (AWS) and are listed here: https://aws.amazon.com/compliance/data-center/controls/. Those that apply to the environment hosting Asserts include:
Logging and monitoring of unauthorized access attempts to the data center by the data center security personnel;
Camera surveillance systems at critical internal and external entry points to the data center, with retention of data per legal or compliance requirements;
Systems that monitor and control the air temperature and humidity at appropriate levels for the computing equipment; and
Redundant power supply modules and backup generators that provide backup power in the event of an electrical failure, 24 hours a day.
Security Incident Procedures. A security incident response plan that includes procedures to be followed in the event of any Security Breach. Such procedures include:
Roles and responsibilities: formation of an internal incident response team with a response leader;
Investigation: assessing the risk the incident poses and determining who may be affected;
Communication: internal reporting as well as a notification process in the event of unauthorized disclosure of Customer Data;
Recordkeeping: keeping a record of what was done and by whom to help in later analysis and possible legal action; and
Audit: conducting and documenting root cause analysis and remediation plan.
Contingency Planning. Policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, pandemic flu, and natural disaster) that could damage Customer Data or production systems that contain Customer Data. Such procedures include:
Data Backups: A policy for performing periodic backups of production data sources, as applicable, according to a defined schedule;
Disaster Recovery: A formal disaster recovery plan for the production data center;
Business Continuity Plan: A formal framework for managing an unplanned event so as to minimize the loss of vital resources.
Audit Controls. Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information.
Data Integrity. Policies and procedures to ensure the confidentiality, integrity, and availability of Customer Data and protect it from disclosure, improper alteration, or destruction.
Storage and Transmission Security. Security measures to guard against unauthorized access to Customer Data that is being transmitted over a public electronic communications network or stored electronically. Such measures include requiring encryption of any Customer Data stored on desktops, laptops or other removable storage devices.
Secure Disposal. Policies and procedures regarding the secure disposal of tangible property containing Customer Data, taking into account available technology so that Customer Data cannot be practicably read or reconstructed.
Assigned Security Responsibility. Assigning responsibility for the development, implementation, and maintenance of Asserts’s security program, including:
Designating a security official with overall responsibility;
Defining security roles and responsibilities for individuals with security responsibilities; and
Designating a Security Council consisting of cross-functional management representatives to meet on a regular basis.
Testing. Regularly testing the key controls, systems and procedures of its information security program to validate that they are properly implemented and effective in addressing the threats and risks identified.
Monitoring. Monitoring of networks and systems, including server error logs, disk status and security events, for any potential problems. Such monitoring includes:
Reviewing changes affecting systems handling authentication, authorization, and auditing;
Reviewing privileged access to Asserts production systems; and
Engaging third parties to perform network vulnerability assessments and penetration testing on a regular basis.
Change and Configuration Management. Maintaining policies and procedures for managing changes Asserts makes to production systems, applications, and databases. Such policies and procedures include:
A process for documenting, testing and approving the patching and maintenance of the Asserts Product;
A security patching process that requires patching systems in a timely manner based on a risk analysis; and
A process for Asserts to utilize a third party to conduct application level security assessments. These assessments generally include testing, where applicable, for:
Cross-site request forgery
Services scanning
Improper input handling (e.g. cross-site scripting, SQL injection, XML injection, cross-site flashing)
XML and SOAP attacks
Weak session management
Data validation flaws and data model constraint inconsistencies
Insufficient authentication
Insufficient authorization
Program Adjustments. Monitoring, evaluating, and adjusting, as appropriate, the security program in light of:
Any relevant changes in technology and any internal or external threats to Asserts or the Customer Data;
Security and data privacy regulations applicable to Asserts; and
Asserts’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.
Devices. Ensuring that all laptop and desktop computing devices utilized by Asserts and any subcontractors when accessing Customer Data:
will be equipped with full-disk encryption using a minimum of AES-128;
will have up to date virus and malware detection and prevention software installed with virus definitions updated on a regular basis; and
will maintain virus and malware detection and prevention software so as to remain on a supported release. This will include, but not be limited to, promptly implementing any applicable security-related enhancement or fix made available by the supplier of such software.