Information Security Management Standards

To what standards does RiskSpan manage its information security program?

RiskSpan manages its information security program to ISO Standards 27001 and 27002.

Where are RiskSpan's commercial cloud analytics products hosted?

On secure Amazon Web Services (AWS). RiskSpan's client-facing data and analytics solutions have been hosted on Amazon Web Services for almost a decade.

Where does RiskSpan manage its internal productivity applications and data?

On secure Microsoft Azure data centers. RiskSpan's day-to-day productivity applications and data (including access control and encryption) are hosted and backed up by Microsoft Azure data centers and Microsoft Office 365.


IT Security Risk Assessment Program

Does your organization have an IT Security Risk Assessment Program?

Yes.

IT Security Governing Documents

Are there formally documented information security policies, standards and procedures that are approved by senior management, published and available for reference and application?

Yes.

Has a review of security policies, standards, procedures, and/or guidelines been performed within the last 12 months for your organization and any subcontractors (including hosting or cloud provider(s))?

Yes. These are reviewed on an annual basis and as part of our BCP/DR exercises.

Do you have a documented privacy policy or statement supported by a Written Information Security Program (WISP), or an Information Security Management Program (ISMP), a comprehensive written program detailing the intended administrative, technical and physical safeguards for the protection of information?

Yes.

Are new hires required to sign any agreements that pertain to non-disclosure, confidentiality, acceptable use or code of ethics upon hire?

Yes.

Is there a security awareness training program?

Yes.

Describe the process for ensuring ongoing employee awareness and effective response to cyber risks.

We distribute periodic reminders (via email) that are tied to general news items, and we make employees aware of specific threats that have been directed at other employees. Annual training also revisits and explains the importance of this topic.

Have your company's personnel been trained in the handling of data subject to privacy regulations (e.g., GLBA, EU Data Directive, PIPEDA, MA201, etc.), including any national and regional regulations, legislation or industry guidance?

Yes.

Asset Classification

Are information assets classified within your organization?

Yes.

Do you maintain an accurate inventory of technologies, including devices and software?

Yes.

Do you have policies, procedures and technical measures implemented to restrict the installation of unauthorized software on assets owned or managed by your organization, including endpoint devices, IT infrastructure, network and system components?

Yes.

Asset Decommissioning And Destruction

Are physical media and other assets disposed of securely and safely when no longer required, using formal procedures?

Yes.

Is there a Decommissioning and Destruction Policy, with standards and procedures to securely remove and destroy information based on the sensitivity of the data and the type of media (e.g., paper, tapes, disks, etc.) on which it is stored or presented?

Yes.

Are unique user IDs used for access to data including systems, services, utilities, etc.?

Yes.

Is there a standard identity and access management process for user IDs which governs their creation and management (including add, modify, removal upon termination or transfer)?

Yes.

Is multi-factor authentication required when accessing a secure environment remotely (e.g., two-factor authentication using a PIN)?

Yes.

Is administrative access to desktops and laptops restricted for employees or third parties?

Yes.

Is hard disk encryption required for laptops?

Yes. We use Microsoft BitLocker for endpoint encryption.

Does your hosted, co-location or cloud provider have a data center tier rating or certification?

Yes.

External Connectivity

Is your technology environment being maintained, updated and repaired in a timely manner?

Yes.

Are all external network connections monitored by an IPS/IDS or other network monitoring tools that generate alerts when a security event is detected, and are the alerts acted on within a response time based on severity level?

Yes.

Does the company support e-mail encryption or use of TLS?

Yes.

Are smartphones, mobile devices and PDAs connected to company resources secured (e.g., controlled) by passwords, encryption and the ability to remote wipe?

Yes.

Does your organization allow employees or other parties who use their own devices (i.e., BYOD) to connect to your organization's network?

Yes. Staff are required to register devices through Microsoft Intune in order to connect to the corporate network.

Communication / Firewall

Does your organization, in support of the services provided, use instant messaging?

Yes. We use Microsoft Skype for Business for instant messaging.

Is antivirus software deployed, updated and maintained for desktops, servers, firewalls, and Internet email gateways?

Yes.

Is spyware protection deployed, updated and maintained on desktops, servers, firewalls and Internet email gateways?

Yes.

Do you use firewalls to provide segmentation between internal, external and DMZ security zones?

Yes.

For environments in hosted, co-location or private clouds, are there controls to prevent one client from attempting to compromise another client in a resource-pooled environment?

Yes.

Does your organization restrict developers' access to production environments as well as to any non-production environments containing client data?

Yes.

Are separate environments maintained for production, UAT, testing, and development?

Yes.