Security FAQ

DATABASICS Information Security is aligned with the overall business objectives. Multiple controls, policies and procedures are in place to safeguard customer data. In addition, DATABASICS, Inc. engages third parties to strengthen its security posture.


Question

Response

Security: Management

Do you have a corporate information security officer ("ISO") or equivalent who has been named and is responsible for implementing and managing an information security program?

CTO and Director of IT

Is the existing information security program aligned with overall IT strategic plans?

Yes. Security is of the utmost importance. IT strategic plans must adhere to stringent security policies and procedures before they are implemented.

Are roles and responsibilities defined for all staff in the organization supporting and enforcing security policies and standards?

A personnel manual is established, shared and accepted by all employees. Training is compulsory for all staff. Specific training and documentation are required for staff with direct security responsibility.

Are information security issues considered in the organization’s hiring and termination practices?

Yes. Background and reference checks are performed before hire. Access removal and “change the locks” procedures are followed at termination.

Have comprehensive information security policies, procedures, standards, and guidelines been created and disseminated to all employees?

An information security policy is documented and shared. The policy must be accepted by all employees. In addition, the policy is reviewed periodically to enforce and update controls.

Has an information security awareness program been implemented for all employees?

All employees are required to undergo a security awareness course annually.

Do you have a formal IT risk acceptance process in place?

A risk assessment is performed and reviewed periodically. Senior management and appropriate IT team members identify exposures and formulate plans to reduce, eliminate or accept risk.


ACCESS CONTROLS

Are employee access controls established?

RBAC is established to assign permissions/access based on position. A least-privilege model is used to grant permissions/access.

Is access to facilities restricted to authorized personnel? Does it require appropriate identification and authentication?

Badge access and a biometric fingerprint scan are required at the colocation facility where customer data resides.

Is access to data center and computer rooms restricted to specific personnel, and does it require higher authentication and security levels? Explain.

Access is restricted to the specific employees of DATABASICS, Inc. Any change to access requires approval by management.

Has the organization implemented a change control process and committee to review major changes to production applications and environments including patches, updates and production system reboots?

Yes. All changes adhere to our change control policy. Changes are approved by management through an internal ticketing system.

Does a formal approval process exist for granting access and revoking privileges to systems and data?

Access is granted and approved by management through an internal ticketing system.

Are policies and procedures in place to maintain the effectiveness of authentication and access mechanisms?

Yes. Authentication and access controls are reviewed periodically to ensure secure policies are in place and followed.

SECURITY: SYSTEM

What security mechanisms are in place to secure sensitive data transmissions (e.g. SSL, secure VPN, etc.)?

TLS 1.2 and SSH are used for data transmission.

Is data at rest encrypted?

SQL and PGP encryption are used to secure data at rest.

Do you have a formal, written SDLC?

Agile software development methodology is used.

Does your SDLC incorporate a code review process?

Code is reviewed by the director of development and by other development team members.

Does your SDLC incorporate an information security specific code review process as well as specific security testing?

Netsparker is used to identify vulnerabilities such as XSS and other OWASP Top 10 and CWE issues. Our maintenance agreement with Netsparker provides support and reporting that keep us up to date on the current threat landscape for internet applications. We also depend upon rigorous adherence to internal policies to keep our sites and applications compliant with OWASP guidance. Our policies include but are not limited to the following:

No customization is allowed to the Spring-based security framework. We keep it up to date with the latest service updates from springsource.org. Our strong authentication and session management controls are based on the Spring Security framework.

Session ID timeout is enforced.

The session ID is validated against a random hidden token in the returned request and against the original IP address on each request/page. If you copy and paste the URL from one computer to another, the new browser session is forced to re-login to the application.

Session IDs are not rotated.

All passwords are encrypted.

All credit card numbers are encrypted.

We do not store SSNs under any circumstance.

Manual code review is performed weekly or as new objects and classes are added to the product. Reviews are conducted by the director of development. Moving code forward in the development process requires approval by both the director of development and the CTO.

OS, database servers, firewalls, application servers, and all code libraries are kept up to date with the latest updates.

Error and exception handling for any parameter whose value is not a valid possibility expires the session, forces the user to re-login and logs the event for review.

All database commands are validated before execution to enforce user session and user role restrictions.

Text input fields are validated to ensure no scripting, such as <script> tags, is allowed.
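To make the session checks in the policy items above concrete, here is an added illustration (a constructed example, not DATABASICS' code or its Spring Security configuration): each session is bound to the IP address that logged in and carries a random hidden token that the next request must echo back; an IP or token mismatch, or a parameter value outside its valid set, expires the session so the user must re-login and records the event for review. The store class, parameter names and IP addresses are all assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Session:
    session_id: str
    client_ip: str      # address that authenticated; every later request must match
    hidden_token: str   # random value embedded in the rendered page, echoed back next request
    active: bool = True


class SessionStore:
    """Constructed in-memory session store implementing the checks described above."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self.events: List[str] = []   # stands in for the review log

    def login(self, client_ip: str) -> Session:
        # The session ID is issued once and not rotated, matching the stated policy.
        s = Session(secrets.token_urlsafe(32), client_ip, secrets.token_urlsafe(32))
        self.sessions[s.session_id] = s
        return s

    def _expire(self, s: Session, reason: str) -> None:
        s.active = False
        self.sessions.pop(s.session_id, None)
        self.events.append(f"session {s.session_id[:8]} expired ({reason}); re-login required")

    def check_request(self, session_id: str, token: str, client_ip: str,
                      params: Optional[Dict[str, str]] = None,
                      allowed: Optional[Dict[str, Set[str]]] = None) -> bool:
        """Return True if the request may proceed; otherwise expire the session and log why."""
        s = self.sessions.get(session_id)
        if s is None or not s.active:
            self.events.append("request with unknown or expired session rejected")
            return False
        if client_ip != s.client_ip:                         # URL pasted into a browser elsewhere
            self._expire(s, f"ip mismatch {s.client_ip} -> {client_ip}")
            return False
        if not hmac.compare_digest(token, s.hidden_token):   # replayed or forged form/URL
            self._expire(s, "hidden token mismatch")
            return False
        for name, value in (params or {}).items():           # values outside valid possibilities
            if allowed and name in allowed and value not in allowed[name]:
                self._expire(s, f"invalid value for parameter {name!r}")
                return False
        s.hidden_token = secrets.token_urlsafe(32)           # fresh token for the returned page
        return True
```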

What network monitoring controls do you have in place?

SIEM and endpoint security software are in place to prevent and alert on unauthorized activity.

Are network and application penetration tests performed?

We perform network penetration tests no less than every six months.

Application penetration tests are performed at updates and releases and on an as-needed basis.

Are vulnerability scans performed?

Internal and external vulnerability scans are performed quarterly.

Has a patch management program been implemented to ensure that operating system, application patches and security updates are maintained, communicated, reviewed, and tested prior to being implemented into production environments?

Servers are patched after updates are reviewed and tested. Patches are installed based on criticality.

Updates are first installed in our test and sandbox environments before being installed in production.

Does the application support MFA/2FA?

Customers can establish MFA/2FA through their identity provider when using SAML 2.0 SSO.

Do you maintain data retention and destruction policies with respect to customer data?

Customer data is retained as long as the customer has a valid contract. Customer data is removed/deleted/destroyed once the customer’s contract has ended.

Has a wireless policy been implemented as part or separate from the organization's information security policy?

No wireless devices are used at the data centers.

Does your organization maintain a formal web site privacy policy?

Yes. It is available on both the application and the company site.

RECOVER

Has a disaster recovery plan been developed, approved, and implemented?

Yes. A comprehensive disaster recovery plan is in place and has been approved by management.

Are the production and DR environments separated?

The production and DR environments are logically and physically separated. Production and DR environments are hosted in separate colocation facilities in Virginia.

Does the incident response plan define emergency points of contact, threats, action plans, responsibility matrices and problem escalation procedures to ensure that problems are resolved in a timely manner?

An emergency response team is in place and team members' roles and responsibilities are assigned.


2025 DATABASICS, Inc