SIG Compliance

Risk Governance Plan

  • Is there a formalized risk governance plan approved by management that defines the Enterprise Risk Management program requirements?
  • Answer: Yes.

  • Does the risk governance plan include risk management policies, procedures, and internal controls?
  • Answer: Yes.

Fourth-Nth Party Management

  • Do fourth parties (e.g., backup vendors, service providers, subcontractors, equipment support maintenance, software maintenance vendors, data recovery vendors, hosting providers, etc.) have access to scoped systems and data or processing facilities?
  • Answer: Yes. Only the primary service provider (Inap) and Backup Vendor (Amazon S3) have access.

  • Is there a documented third party risk management program in place for the selection, oversight and risk assessment of fourth parties (e.g., subcontractors, suppliers, service providers, dependent service providers, sub-processors) in scope for the services?
  • Answer: Yes.

  • For all organizational entities (e.g., vendor’s vendors, subcontractors, fourth parties, Nth parties), is there a contractual relationship that extends obligations to each entity?
  • Answer: Yes. (No enterprise contracts. Only Vendor relationships.)

  • Does the third party risk management program include an assigned individual or group responsible for capturing, maintaining, and tracking Information Security, Privacy, or other issues?
  • Answer: Yes.

  • Do fourth parties (e.g., subcontractors, sub-processors, sub-service organizations) have access to, receive, or process client scoped data?
  • Answer: Yes. Only the primary hosting provider and primary backup provider.

Information Security Program

  • Is there a set of information security policies that have been approved by management, published and communicated to constituents?
  • Answer: Yes.

  • Do the information security policies and procedures establish requirements for the protection of information that is processed, stored or transmitted on external systems?
  • Answer: Yes.

  • Have all information security policies and standards been reviewed in the last 12 months?
  • Answer: Yes.

Security Organization

  • Are responsibilities for asset protection and for carrying out specific information security processes clearly identified and communicated to the relevant parties?
  • Answer: Yes.

  • Are information security personnel (internal or outsourced) responsible for information security processes?
  • Answer: Yes.

Security Oversight

  • Do all projects involving scoped systems and data go through some form of information security assessment?
  • Answer: Yes.

Asset Inventory

  • Is there an asset management program approved by management, communicated to constituents, and assigned an owner to maintain and review it?
  • Answer: N/A (Yes, when applicable.)

  • Is there an asset inventory list or configuration management database (CMDB)?
  • Answer: N/A (Yes, when applicable.)

Acceptable Use

  • Is there an acceptable use policy for information and associated assets that has been approved by management, communicated to appropriate constituents, and assigned an owner to maintain and periodically review the policy?
  • Answer: N/A (Yes, it’s just an informal one: don’t mess up websites, don’t share data/source, etc.)

Asset Recovery

  • Is there a process to verify return of constituent assets (computers, cell phones, access cards, tokens, smart cards, keys, etc.) upon termination?
  • Answer: N/A (Active3D does not issue personal work devices. All access controls to facility are digitally controlled. No physical keys or cards are issued.)

Information Classifications

  • Is information classified according to legal or regulatory requirements, business value, and sensitivity to unauthorized disclosure or modification?
  • Answer: Yes

Information Handling

  • Is there a policy or procedure for information handling consistent with its classification that has been approved by management, communicated to appropriate constituents and assigned an owner to maintain and periodically review (e.g., authorized parties, encryption, public cloud storage, removable media, classification labeling, etc.)?
  • Answer: Yes.

  • Is there a data retention/destruction requirement that includes information on live media, backup/archived media, and information managed by fourth parties?
  • Answer: Yes.

Physical Media Transport

  • Is scoped data sent or received via physical media?
  • Answer: No, unless specifically requested.

Data Transmission

  • Is scoped data sent or received electronically?
  • Answer: Yes.

Encryption

  • Is regulated or confidential scoped data stored electronically with data protection safeguards e.g., full-disk encryption, databases, files, encryption keys, etc.?
  • Answer: Yes.

Human Resource Policy

  • Are Human Resource policies and/or procedures approved by management, communicated to constituents, and assigned an owner to maintain and review them?
  • Answer: Yes.

Termination or Change in Employment

  • Is there a process to remove access to systems containing scoped data within 24 hours for terminated constituents?
  • Answer: Yes.

Physical Security Program

  • Is there a physical security program approved by management, communicated to constituents, and has an owner been assigned to maintain and review?
  • Answer: Yes.

Environmental Controls

  • Are assessments of physical and environmental hazards conducted prior to establishing the location or site of a facility where systems reside?
  • Answer: Yes.

Visitor Management

  • Are visitors permitted in the facility?
  • Answer: No.

Change Management

  • Is there an operational Change Management/Change Control policy or program that has been documented, approved by management, communicated to appropriate constituents and assigned an owner to maintain and review the policy?
  • Answer: Yes.

System Acceptance Criteria

  • Are Information Security requirements specified and implemented when new systems are introduced, upgraded, or enhanced?
  • Answer: Yes.

Password Controls

  • Is there an access control program that has been approved by management, communicated to constituents, and assigned an owner to maintain and review the program?
  • Answer: Yes.

  • Are constituents able to access scoped data?
  • Answer: Yes.

  • Is password reset authority restricted to authorized persons and/or an automated password reset tool?
  • Answer: Yes.

  • Does the password policy require changing passwords at regular intervals?
  • Answer: Yes.

  • Does the password policy require keeping passwords confidential?
  • Answer: Yes.

  • Are user IDs and passwords communicated/distributed via separate media (e.g., e-mail and phone)?
  • Answer: No. (Active3D does not use email or phone to communicate passwords for internal systems.)

  • Does the password policy require changing passwords when there is an indication of possible system or password compromise?
  • Answer: Yes.

  • Are vendor default passwords removed, disabled or changed prior to placing any device or system into production?
  • Answer: Yes.

Access Provisioning

  • Are unique IDs required for authentication to applications, operating systems, databases and network devices?
  • Answer: Yes

Authentication

  • Is there a password policy for systems that transmit, process or store scoped systems and data that has been approved by management, communicated to constituents, and enforced on all platforms and network devices? If no, please explain in the Additional Information field.
  • Answer: Yes

Multi-factor Authentication

  • Is Multi-factor Authentication deployed?
  • Answer: No (Eric – Yes, this is super broad. For internal systems or by request.)

User Awareness of Remote Sessions

  • Does system policy require terminating or securing active sessions when finished e.g., end user devices or systems?
  • Answer: Yes

Monitoring of System Access Rights

  • Is there a process for reviewing access e.g., periodical review, role changes etc.?
  • Answer: Yes

Controls for Unattended Systems

  • Are inactive constituent user IDs disabled and deleted after defined periods of inactivity?
  • Answer: Yes

Application Security

  • Are applications used to transmit, process or store scoped data?
  • Answer: Yes

Secure Architectural Design Standards

  • Are development, test, and staging environments separate from the production environment?
  • Answer: Yes, when applicable.

Access Control

  • Are scoped systems and data used in the test, development, or QA environments?
  • Answer: No. Generic random data is used unless a specific test case needs to be verified; in those situations, minimal scoped data is used. Scoped systems will be used if integration is required and no dev version of the system is available.

SDLC

  • Is application development performed?
  • Answer: Yes.

  • Is there a secure software development lifecycle policy that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?
  • Answer: Yes.

  • Are applications evaluated from a security perspective prior to promotion to production?
  • Answer: Yes.

  • Are identified security vulnerabilities remediated prior to promotion to production?
  • Answer: Yes.

Web Server Security

  • Is a web site or web application supported, hosted or maintained that processes scoped systems and data?
  • Answer: Yes.

  • Are security configuration standards documented for web server software?
  • Answer: Yes.

API Security

  • Is an Application Programming Interface (API) available to clients?
  • Answer: No.

  • Is there a formal security program established to include API security reviews?
  • Answer: N/A.

  • Is scoped data encrypted in transit within the API for both request and response?
  • Answer: N/A.

Cybersecurity Governance

  • Is there an established Cybersecurity Incident Management Program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the program?
  • Answer: Yes.

Cybersecurity Incident Management

  • Is there a formal Incident Response Plan that includes an escalation procedure?
  • Answer: Yes.

IS/IT Incident Management - Detection

  • Is there a staffed form of communications (e.g., e-mail, web form, phone, etc.) available to customers/clients 24/7/365 to report security incidents?
  • Answer: Yes.

  • Does regular security monitoring include malware activity alerts such as uncleaned infections and suspicious activity?
  • Answer: Yes.

Resilience Program Governance

  • Is there an established Business Resilience Program that has been approved by management, communicated to appropriate constituents, and an owner to maintain and review the program?
  • Answer: Yes.

Business Continuity Management

  • Do the products and/or services specified in the scope of this assessment fall within the scope of the business resilience program?
  • Answer: Yes.

  • Has the organization established processes and formal agreements for third party service providers to provide immediate notification in the event of a disruption that impacts delivery of the products and/or services they provide?
  • Answer: Yes.

  • Is there a policy or process for the backup of production data?
  • Answer: Yes.

  • Is there a formal process focused on identifying and addressing risks of disruptive events to business operations?
  • Answer: Yes.

  • Are formal business continuity procedures developed and documented?
  • Answer: Yes.

  • Is scoped data backed up and stored offsite?
  • Answer: Yes.

  • Is there a data retention policy or process with a retention schedule for scoped data?
  • Answer: Yes.

Disaster Recovery Management

  • Is there a formal, documented information technology disaster recovery exercise and testing program in place?
  • Answer: Yes.

  • Are there any dependencies on critical third party service providers?
  • Answer: No.

Pandemic and Infectious Disease Risk Management

  • Is there a pandemic/infectious disease outbreak plan?
  • Answer: Yes.

  • Does the pandemic plan include a preventive program to reduce the likelihood that an organization’s operations will be significantly affected by a pandemic event?
  • Answer: Yes.

Crisis Management

  • Has senior management assigned the responsibility for overall management of business disruption events, critical response and recovery efforts?
  • Answer: Yes.

Compromised Data Recovery Management

  • Is there a plan for managing a data recovery effort in the aftermath of a successful data compromising cyberattack e.g., ransomware, data-wipe malware?
  • Answer: Yes.

Corporate Governance

  • Are there policies and procedures to ensure compliance with applicable legislative, regulatory and contractual requirements?
  • Answer: Yes.

  • Is there an internal audit, risk management, or compliance department, or similar management oversight function with responsibility for tracking resolution of outstanding regulatory or compliance issues?
  • Answer: Yes.

  • Is there a records retention policy and retention schedule covering paper and electronic records, including email, in support of applicable regulations, standards and contractual requirements?
  • Answer: Yes.

Environmental, Social, and Corporate Governance (ESG)

  • Does the organization have a formalized Environmental, Social, and Corporate Governance (ESG) program or set of policies and procedures approved by management?
  • Answer: Yes.

  • Is there a documented policy or set of procedures for Ethical Sourcing?
  • Answer: Yes.

  • Are there documented policies and procedures that address prevention of modern slavery and human trafficking?
  • Answer: Yes.

  • Is there a compliance program and procedures that address health and safety risks?
  • Answer: Yes.

Trade, Marketing and Sales Compliance

  • Is a web site(s) maintained or hosted for the purpose of advertising, offering, managing, or servicing accounts, products or services to clients’ customers?
  • Answer: No.

Business Ethics and Corporate Compliance

  • Is there a compliance program or set of policies and procedures in place to restrict activities or transactions for sanctioned countries (e.g., country blocking)?
  • Answer: Yes.

  • Is there a compliance program or set of policies and procedures to address bribery, corruption, prohibition of providing monetary offers, incentives, or improper actions that create unfair advantage in business practices?
  • Answer: Yes.

  • Is there a compliance program or set of policies and procedures that address Anti-Trust and Anti-Competitive Business Practices?
  • Answer: Yes.

  • Is there a documented internal compliance and ethics program?
  • Answer: Yes.

  • Is there a compliance program or set of policies and procedures that address internal and external Fraud Detection and Fraud Prevention?
  • Answer: Yes.

Cybersecurity Regulatory Compliance

  • Are documented policies and procedures maintained to enforce applicable legal, regulatory or contractual cybersecurity compliance obligations?
  • Answer: Yes.

End User Device Security

  • Are End User Devices (desktops, laptops, tablets, smartphones) used for transmitting, processing or storing Scoped data?
  • Answer: Yes.

Security Configuration Standards

  • Are there end user device security configuration standards?
  • Answer: No.

Malware Protection

  • Are defined procedures in place to identify and correct systems without anti-virus at least weekly for all end user devices?
  • Answer: N/A

Mobile Device Management

  • Are constituents allowed to utilize mobile devices within your environment?
  • Answer: No.

  • Is there a mobile device management program in place that has been approved by management and communicated to appropriate constituents?
  • Answer: Yes.

  • Can constituents access corporate e-mail using mobile devices?
  • Answer: Yes.

BYOD

  • Are non-company managed computing devices used to connect to the company network?
  • Answer: No.

  • Are any mobile devices with access to scoped data constituent owned (BYOD)?
  • Answer: No.

Collaborative Computing

  • Are collaborative computing devices and applications (e.g., networked white boards, cameras, and microphones) used for accessing, transmitting, processing, or storing scoped data?
  • Answer: Yes, only by client request.

  • Does the organization maintain policies and procedures for the access to and the usage of collaborative computing devices or applications (e.g., networked white boards, cameras, and microphones)?
  • Answer: Yes.

Network Security Program

  • Is there a policy that defines network security requirements that is approved by management, communicated to constituents and has an owner to maintain and review?
  • Answer: Yes.

Hardening Standards

  • Are there security and hardening standards for network devices, including firewalls, switches, routers and wireless access points (baseline configuration, patching, passwords, access control)?
  • Answer: Yes.

  • Are default passwords changed or disabled prior to placing network devices into production?
  • Answer: Yes.

Patch Management

  • Does network device patch management include testing of patches, service packs, and hot fixes prior to installation?
  • Answer: Yes.

  • Are all systems and applications patched regularly?
  • Answer: Yes.

  • Are there any Operating System versions in use within the Scoped Services that no longer have patches released? If yes, please describe in the Additional Information section.
  • Answer: No.

Network Segregation and Segmentation

  • Is every connection to an external network terminated at a firewall (e.g., the Internet, partner networks)?
  • Answer: Yes.

  • Are network or security technologies used to establish and enforce security requirements and block unauthorized traffic between segregated systems and other networks and systems?
  • Answer: Yes.

ACL Management

  • Are all firewall and other network Access Control List (ACL) rules reviewed and updated at least quarterly and include identification and removal of networks, sub networks, hosts, protocols or ports no longer in use?
  • Answer: Yes.

Remote Network Access

  • Is there a policy that defines the requirements for remote access from external networks to networks containing scoped systems and data that has been approved by management and communicated to constituents?
  • Answer: Yes.

  • Are encrypted communications required for all remote network connections from external networks to networks containing scoped systems and data?
  • Answer: Yes.

Intrusion Detection and Prevention Systems - (IDS-IPS)

  • Are Network Intrusion Detection capabilities employed e.g., appliance, software, etc.?
  • Answer: Yes.

DMZ Security

  • Is there a DMZ environment within the network that transmits, processes or stores Scoped systems and data e.g., web servers, DNS, directory services, remote access, etc.?
  • Answer: No.

Wireless Security

  • Is there a wireless policy or program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?
  • Answer: Yes.

Data Privacy Program

  • Is there collection, access, processing, disclosure, or retention of any classification of personal information or personal data of individuals on behalf of the client?
  • Answer: Yes.

  • Has the organization developed and maintained a formal privacy program for the protection of personal information collected, accessed, transmitted, processed, disclosed, or retained on behalf of the client?
  • Answer: Yes.

Financial Services Privacy

  • Is client scoped data collected, accessed, transmitted, processed, disclosed, or retained that can be classified as personally identifiable financial information under the Gramm-Leach-Bliley Act (GLBA)?
  • Answer: No. (Active3D does not gather or provide loan, financial, insurance, or investment advice.)

  • Is client scoped data collected, accessed, processed, disclosed, or retained that can be classified as consumer report information or derived from a consumer report under the Fair and Accurate Credit Reporting Act (FACTA)?
  • Answer: No. (Active3D does not gather or provide credit reporting information.)

Healthcare Privacy

  • Is client scoped data collected, accessed, transmitted, processed, disclosed, or retained that can be classified as Protected Health Information (PHI) or other higher healthcare classifications of privacy data under the U.S. Health Insurance Portability and Accountability Act (HIPAA)?
  • Answer: No.

  • Are there documented policies and procedures to detect and report unauthorized acquisition, use, or disclosure of PHI client scoped data?
  • Answer: N/A

U.S. Privacy and Data Protection

  • Is client scoped data collected, accessed, transmitted, processed, or retained that can be classified under U.S. State Privacy Regulations (e.g., CA, MA, NY, NV, VA, WA, CO etc.)?
  • Answer: No.

European Privacy and Data Protection

  • Is client scoped data collected, accessed, transmitted, processed, disclosed, or retained that can be classified as European Union Personal Data or Sensitive Personal Data (e.g., racial or ethnic origin, genetic data, biometric data, health data, sexual orientation, criminal history)?
  • Answer: No.

Canadian Privacy and Data Protection

  • Is client scoped data collected, transmitted, processed, disclosed, or retained that can be classified as Personal Information as defined by Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) or Canadian Provincial Privacy Regulations?
  • Answer: Yes.

International Privacy and Data Protection

  • Is client scoped data collected, accessed, transmitted, processed, or retained that can be classified under any other international privacy jurisdictions? If Yes, list the applicable international location in the Additional Information field.
  • Answer: N/A. (Active3D primarily operates in the United States of America and Canada. International privacy and data policy compliance is available upon request.)

Data Governance

  • Is documentation of data flows and/or data inventories maintained for client scoped data based on data classification?
  • Answer: N/A (Documentation can be delivered upon request.)

Privacy Awareness Training

  • Is there a training and awareness program that addresses data privacy and data protection obligations based on role?
  • Answer: Yes.

Privacy Incident Management

  • Are documented policies and procedures maintained to detect and report unauthorized acquisition, use, or disclosure of client scoped data?
  • Answer: Yes.

Privacy Notice

  • Does the organization have or maintain internet-facing website(s), mobile applications, or other digital services or applications that collect, use, disclose, or retain client-scoped data and are accessed directly by individuals?
  • Answer: Yes.

Choice and Consent

  • Is personal information collected directly from an individual by the organization on behalf of the client?
  • Answer: Yes.

Data Collection

  • Is personal information provided to the organization directly by the client?
  • Answer: Yes.

  • Are there documented policies and procedures regarding limiting the personal information collected and used to the minimum necessary?
  • Answer: Yes.

Use, Retention, and Disposal

  • Are there documented policies and procedures in place to ensure that the access, transmission, processing, disclosure, and retention of client scoped data is limited, and in compliance with applicable law?
  • Answer: Yes

Disclosure of Personal Information

  • Are policies and procedures in place to address third party privacy obligations including limitations on disclosure and use of client scoped data?
  • Answer: Yes

Data Protection Safeguards

  • Is there a Third Party Risk Management Program (including ongoing monitoring) in place to address data protection safeguards (administrative, technical, and physical safeguards for the security of the client scoped data)?
  • Answer: Yes

Accuracy and Completeness of Personal Information

  • Is there a documented policy or process to maintain accurate, complete, timely and relevant records of client scoped data?
  • Answer: Yes

Monitoring and Enforcement

  • Are there enforcement mechanisms in place to address privacy inquiries, complaints, disputes and recourse for violations of privacy compliance?
  • Answer: Yes

Vulnerability Management Program

  • Is there a Vulnerability Management Policy or Program that has been approved by management, communicated to appropriate constituents and an owner assigned to maintain and review the policy?
  • Answer: Yes

Cyber Supply Chain Risk Management

  • Does the organization maintain policies, standards and procedures for identifying and managing cyber supply chain risks (i.e. ensuring software and hardware components used as part of delivering a service or product do not present a risk)?
  • Answer: Yes

Server Security Management Program

  • Are Servers used for transmitting, processing or storing scoped data?
  • Answer: Yes

Configuration Standards

  • Are server security standards reviewed and/or updated at least annually to account for any changes in environment, available security features and/or leading practices?
  • Answer: Yes.

  • Are all unnecessary/unused services uninstalled or disabled on all servers?
  • Answer: Yes.

Anti-malware Protection Program

  • Are Windows servers used to process or store scoped data, or otherwise used for scoped services?
  • Answer: No.

  • Is there an anti-malware policy or program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?
  • Answer: Yes.

Unix/Linux Security

  • Is Unix or Linux used to process or store scoped data, or otherwise used for scoped services?
  • Answer: Yes.

AS/400 Security

  • Are AS/400s used to process or store scoped data, or otherwise used for scoped services?
  • Answer: No.

Mainframe Security

  • Are mainframes used to process or store scoped data, or otherwise used for scoped services?
  • Answer: No.

Hypervisor and Virtualization Security

  • Are Hypervisors used to manage systems used to transmit, process or store Scoped data?
  • Answer: No.

Internet of Things (IoT) Security

  • Do asset inventory and management processes include all physical objects with network connectivity (IoT Devices)?
  • Answer: N/A (Active3D does not integrate IoT devices in its environment.)

Service and Deployment Models

  • Are Cloud Hosting services provided?
  • Answer: No

Configuration Management

  • Is there a management approved process to ensure that backup image snapshots containing Scoped data are authorized by Outsourcer prior to being snapped?
  • Answer: Yes.

Independent Oversight

  • Does the Cloud Hosting Provider provide independent audit reports for their cloud hosting services (e.g., Service Operational Control – SOC)?
  • Answer: Yes.