We consider these controls as foundational for effective information security and privacy.
By understanding the business context, the resources that support critical functions, and the related information security risks, we focus our efforts and resources on properly securing our network and cloud resources. We focus on the following categories:
The Asset Management section of the Information Security Program addresses the data, personnel, devices, systems, and facilities that enable the organization to achieve its business goals and objectives; these assets are identified and managed consistent with their relative importance to our objectives and risk strategy.
We maintain accurate inventories of our information systems and components.
We maintain accurate inventories of our approved operating systems and applications.
We document our data flows by maintaining network diagrams and Data Flow Diagrams (DFDs).
We identify and document information systems and services hosted or maintained by third parties.
We assign assets and resources a classification based on their business value and criticality in accordance with our policies and standards.
We establish and document information security-specific roles and responsibilities for the workforce, including third-party stakeholders.
The Business Environment section of our Information Security Program addresses our mission, objectives, stakeholders, and activities. This information is used to inform information security roles (people and teams) and responsibilities, and to prioritize risk management decisions.
We establish and communicate our mission and objectives to ensure organizational awareness of critical business functions and how that impacts clients.
We identify and document dependencies and critical functions within our business processes that impact the delivery of critical services.
We identify and document resilience requirements to support the delivery of services to clients.
The Governance section of our Information Security Program addresses the policies, standards, procedures, and processes to manage and monitor our statutory, regulatory, and contractual requirements. These external and internal influencers are understood to properly manage information security risk.
We document formal information security policies, standards, and procedures. This information-security-related documentation is clearly made available to our workforce via Atlassian Confluence and Microsoft SharePoint.
We coordinate and align designated information security roles with internal and external stakeholders to ensure all applicable information security and privacy responsibilities are properly addressed.
We adhere to all applicable information security and privacy-related statutory, regulatory, and contractual obligations.
We maintain a documented program to govern information security and privacy risks.
The Risk Assessment section of our Information Security Program addresses the organization’s understanding of information security risk to organizational operations, organizational assets, individuals, and teams.
We identify, document, and remediate vulnerabilities as part of a formal Vulnerability and Patch Management Program.
We receive threat and vulnerability information from information sharing forums and sources via RSS and vendor feeds.
We maintain a process to identify and assess both internal and external threats.
We perform Business Impact Assessments to assess the likelihood and potential impact associated with inherent and residual risk, considering all available risk sources.
We assess threats, vulnerabilities, likelihoods, impacts, and compensating controls to determine overall risk.
We identify and prioritize risk responses via our Compliance Committee.
The Risk Management Strategy section of our Information Security Program addresses the organization’s priorities, constraints, risk tolerances, and assumptions that are established and used to support operational risk decisions.
We maintain an enterprise-wide Risk Management Program to manage risk to an acceptable level.
We determine and document our risk tolerance level.
We determine and document thresholds for incident alerts.
The Supply Chain Risk Management section of our Information Security Program addresses the organization’s priorities, constraints, risk tolerances, and assumptions that are used to support risk decisions associated with managing supply chain risk.
Our supply chain risk management processes are identified, established, assessed, managed, and agreed to by our stakeholders.
Our suppliers and third-party service providers of information systems and services are identified, prioritized, and assessed using a risk assessment process that takes both information security and privacy into consideration.
We contract with our suppliers and third-party service providers to implement appropriate measures designed to meet the objectives of our information security and privacy program.
Our suppliers and third-party service providers are routinely assessed using audits, test results, or other forms of evaluations to confirm those parties are meeting their contractual obligations.