| Area | Controls |
| --- | --- |
| Incident Management & Reporting | - RecordPoint maintains an incident management & reporting policy<br>- Incidents are managed by an incident manager who triages them based on severity and policy and determines how incidents are handled, escalated and communicated |
| Security Incident Management & Reporting | - RecordPoint maintains a security incident-specific management & reporting policy<br>- Security incidents are managed by an incident manager who, based on severity and policy, determines how incidents are handled, escalated and communicated |
| Vulnerability Management & Reporting | - Web application penetration testing is conducted on a regular basis by a 3rd party<br>- Internal network penetration testing is conducted on a regular basis by a 3rd party<br>- External network penetration testing is conducted on a regular basis by a 3rd party |
| Change Management | - RecordPoint maintains a Change Control Board that assesses the risks of any changes to production systems<br>- Change Requests are logged and include detailed risk assessments, deployment steps and rollback procedures |
| Employee Security Awareness Training | - Employees are required to formally acknowledge the RecordPoint Information Security policy<br>- Employees are required to formally acknowledge the RecordPoint Employee Handbook<br>- Employees in an engineering capacity are required to undergo OWASP Top 10 awareness training |
| Access Control | - Production access is only granted to authorized RecordPoint personnel<br>- Authorized personnel are allocated unique named credentials specifically designed for privileged access<br>- Unique named credentials allocated to authorized personnel are least-privilege domain accounts<br>- Multi-factor authentication is used to authenticate all privileged users and any other positions of trust<br>- Privileged access to systems, applications and information is validated when first requested and re-validated on an annual basis<br>- Police background checks are conducted on all authorized personnel with privileged access<br>- All privileged access is based on the principle of least privilege |
| Data Segregation & Isolation | - Customer data is logically separated at the storage layer<br>- A dedicated database is provisioned for each Records365 customer<br>- A dedicated blob storage account is provisioned for each Records365 customer |
| Infrastructure, Application & Network Hardening | - Perimeter network firewall configuration standards are defined, audited and enforced on a regular basis<br>- Host-based firewall configuration standards are defined, audited and enforced on a regular basis<br>- Baseline operating system and application configurations are automatically enforced on a periodic basis<br>- Virtual network segmentation isolates production environments<br>- Distributed Denial of Service (DDoS) protection is in place for public-facing service endpoints |
| Patch Management | - All virtual infrastructure is part of a regular automated patching cycle<br>- Operating system and application patches addressing security vulnerabilities are assessed for criticality and applied based on policy<br>- Patch management events are audited to ensure that patches are being applied successfully |
| Logging & Auditing | - All production access attempts are logged, audited and regularly reviewed<br>- Logs are retained for 90 days |
| Malware Detection & Prevention | - All virtual infrastructure has anti-malware protection installed<br>- All virtual infrastructure has regular anti-malware scan schedules configured<br>- All virtual infrastructure has regular anti-malware signature updates configured |
| Intrusion Detection & Prevention | - Intrusion detection and prevention systems are deployed and configured for all production environments<br>- Automated security alerts notify RecordPoint operations personnel when:<br>&nbsp;&nbsp;&nbsp;&nbsp;- Abnormal/suspicious access patterns are detected<br>&nbsp;&nbsp;&nbsp;&nbsp;- Abnormal/suspicious network traffic is detected<br>&nbsp;&nbsp;&nbsp;&nbsp;- Abnormal/suspicious application behavior is detected |
| Encryption Standards | - All data is encrypted at rest using 256-bit AES encryption<br>- All inbound and outbound traffic is encrypted via HTTPS (HTTP over TLS)<br>- All HTTP-based service endpoints only accept TLSv1.2 and above |
| Physical Security Standards | - The Records365 service is delivered on Microsoft Azure. This platform provides many of the underlying infrastructure, security, networking and management services that support the application workloads.<br>- All Records365 data centers are audited against SSAE 16, SOC 1 and SOC 2. |