This document is intended to provide a template for downstream customers of CloudSphere (where the CloudSphere SAAS solution is acting as a “sub-processor” of customer data). The template answers a number of specific questions related to security operations and to data manipulation and access. The FAQ uses the placeholder token <Customer-Organization> for the downstream customer name where this is appropriate. Where this response is not being used as a sub-processor response, the <Customer-Organization> token can be read as “our” or “us”.
| # | Question Text | Subordinate Question | Answers | Additional Comments |
|---|---|---|---|---|
| 1 | Please provide a brief description of the service(s) that your organization provides to <Customer-Organization>. | | The SAAS solution, CloudSphere’s Illuminate360 platform, provides actionable insights for hybrid and multi-cloud optimization, compliance and security. This functionality is provided by scanning the customer estate and storing relevant information about the estate in the SAAS solution datastores. The CAM platform then exposes this data to <Customer-Organization> as visualizations so that actionable items can be identified. | |
| 2 | Who are the primary contact person(s) at <Customer-Organization> and CloudSphere? | | Customer Contact: To be provided by <Customer-Organization> | |
| 3 | What is the approximate number of employees in your organization? | | 10-99 | |
| 4 | Are information security policies and procedures made available to all personnel, authorized by an accountable business role/function and supported by the information security management program, as per industry best practices (e.g. ISO 27001, SOC 2)? | | Yes | CloudSphere is SOC 2 Type II certified (AICPA) by an accredited third-party auditor for the following applicable security principles: security, availability and confidentiality. The report is available to customers and partners on request (under NDA). |
| 5 | Do you perform, at minimum, annual reviews of your privacy and security policies? | | Yes | All policies are reviewed and updated at least annually. The risk register is reviewed on a six-month cycle. |
| 6 | Does your organization maintain and review a company-wide risk register in order to document potential issues relating to company activity? | | Yes | CloudSphere is SOC 2 Type II compliant, and the process of identifying and analysing risks is part of the strategic decision-making process, so that risks associated with business operations are quantified and, where necessary, mitigated. |
| 7 | Does your organization collect, store, use, process or transmit any <Customer-Organization> privacy-protected information, or have the ability to access such information even if you do not require it to perform your services? | | Yes | This organization does not collect or access information unless it is required to perform our service. For a breakdown of the data content, see item 12. |
| 8 | Does your organization have a policy that addresses privacy compliance? | | Yes | |
| 9 | Will you notify <Customer-Organization> about data breaches that involve, or are likely to involve, <Customer-Organization> privacy data? | | Yes | |
| 10 | Who is the individual (or individuals) responsible for privacy compliance related matters at your organization? | | The Customer Success team is the primary point of contact (customer-success-team@cloudsphere.com). All privacy compliance matters are referred to the Director of Information Security and the CTO. | |
| 11 | Does your organization process, access, maintain, transmit, transfer, dispose of, receive or store any data used by <Customer-Organization>? | | Yes | |
| 12 | | If “Yes”, describe the data processed, accessed, maintained, transmitted, transferred, disposed of, received or stored by your organization. | | |
| 13 | What is the classification of <Customer-Organization> data that will be shared with your organization? | | | |
| 14 | What level of access does your organization have to <Customer-Organization> data? | | Read | |
| 15 | Does your organization allow subordinate vendors, partners, joint ventures or other parties to store, process, access, maintain, transmit, transfer, dispose of or receive <Customer-Organization> data? | | No | |
| 16 | Do employees of your organization act on behalf of <Customer-Organization> (appearing as if they are a <Customer-Organization> employee)? | | No | |
| 17 | Do employees of your organization have access to <Customer-Organization>'s information systems? | | No | |
| 18 | | If “Yes”, what <Customer-Organization> systems do your employees have access to? | N/A | |
| 19 | Who is responsible for managing the access your employees have to <Customer-Organization>'s information systems? | | N/A | |
| 20 | How is <Customer-Organization>'s data provided/transmitted to your organization? | | | Definition of Transfer: |
| 21 | In which of your systems is <Customer-Organization>'s data stored? | | CloudSphere SAAS base solution, available in AWS deployments | AWS: Cloud Hosting Services (SOC 2 Type 2 and SOC 3 audited; ISO 27001, 27017 and 27018 certified) |
| 22 | What is the stated Recovery Time Objective in your contract with <Customer-Organization>? | | RTO is specified as 6 hours | |
| 23 | What is the stated Recovery Point Objective in your contract with <Customer-Organization>? | | RPO is specified as 24 hours | |
| 24 | Will employees from your organization be working on <Customer-Organization>'s premises? | | No | |
| 25 | Has your organization experienced a security breach during the past 18 months? | | No | |
| 26 | | If “Yes”, please describe. | N/A | |
| 27 | An asset inventory is critical for assigning responsibility for controls and tracking control performance. Please indicate one type of asset for which you maintain an inventory. | | Cloud assets and on-prem/data center hardware | |
| 28 | Are employees required to return information and information processing assets upon termination? | | Yes | |
| 29 | Is all employee access terminated within 24 hours of termination? | | Yes | |
| 30 | Do you manage and store the identity of all personnel who have access to the IT infrastructure, including their level of access? | | Yes | Our Access Control Policy covers all controls that are in place to govern access to IT infrastructure. |
| 31 | Do you document how you grant, approve and enforce access restrictions to tenant/customer credentials following the rule of least privilege? | | Yes | Our Access Control Policy covers all controls that are in place to prevent unauthorized access. |
| 32 | Do you require periodic authorization and validation (e.g. at least annually) of the entitlements of all system users and administrators (excluding users maintained by your tenants), based on the rule of least privilege, by business leadership or another accountable business role or function? | | Yes | Monthly reviews are performed. |
| 33 | Does your organization have an information classification scheme that classifies all sensitive, proprietary and non-public information managed by the organization? | | Yes | |
| 34 | How long will your organization retain <Customer-Organization>'s confidential information? | | | The SAAS datastores are kept alive for 60 days after the end of a subscription (to allow renewal without data loss). |
| 35 | Do you require background checks of all your employees prior to working on <Customer-Organization> systems? | | Yes | |
| 36 | Do employees undergo security awareness training upon hire and at least annually thereafter? | | Yes | |
| 37 | How soon does your organization apply security patches to all systems following their publication? | | 30 days or less | |
| 38 | How quickly after publication does your organization apply antivirus updates? | | Daily | |
| 39 | Are encryption ciphers used by your organization to protect client confidential information at rest or in transit? | | Yes | Encryption in transit is implemented using HTTPS over TLS 1.2. |
| 40 | Does your organization have a documented information security policy? | | Yes | |
| 41 | Does your organization have an incident response policy or process? | | Yes | |
| 42 | Does your organization have a formal business continuity plan? | | Yes | |
| 43 | Does your organization have a formal disaster recovery plan? | | Yes | |
| 44 | Do you audit and/or test your business continuity and disaster recovery plans at least annually? | | Yes | |
| 45 | Please identify all conditions under which policies are communicated to applicable staff. | | Employees must read the Employee Handbook and Code of Conduct on hire, and all policies are continuously available online. | |
| 46 | Will you notify <Customer-Organization> about information security incidents that have, or are suspected to have, impacted <Customer-Organization> data? | | Yes | |
| 47 | Please identify your compliance obligations. | | SOC 2 Type II (Aug 2023) and annually thereafter | |
| 48 | Are you currently in compliance with all applicable regulations and standards? | | Yes | |
| 49 | Who is the individual (or individuals) responsible for compliance related matters? | | Andy Trayler (Director of Information Security) | |
| 50 | Do you have a backup data center/facility? | | No | |
| 51 | Where are your data centers located? | | Dublin, Ireland | |
| 52 | What type of physical access controls are used to limit access to your facilities? | | Multiple controls | At data center only |
| 53 | Please select the locations that are monitored by video cameras within and around your facilities. | | Points of authentication | At data center only |
| 54 | Please describe the environmental controls you have in place in your data centers and other sensitive areas. | | Alerting capabilities | At data center only |
| 55 | Please select the response that best describes how you segregate your network from the Internet, including DMZs and untrusted networks. | | Stateful firewalls are used to segregate the network from the Internet. | |
| 56 | What method of wireless network security does your network support for worker access? | | WPA2-PSK | Only applies if office space is in use; currently all workers are working remotely. |
| 57 | If you have any guest-accessible WiFi, is it adequately segregated from your corporate network? | | Yes | |
| 58 | Please select the response that best reflects your use of network-based Intrusion Detection (IDS) and/or Intrusion Prevention (IPS) solutions. | | We have an IDS solution that detects but cannot prevent intrusion attempts. | |
| 59 | Do you perform internal network vulnerability scans? | | Yes | |
| 60 | Do you perform external network vulnerability scans? | | Yes | |
| 61 | Will SSO be configured for the SaaS tool? If not, can 2FA be used for user authentication? | | | |
| 62 | If SSO is not available, do you have a password policy which is applied to the accounts? If so, what is this? | | | |
| 63 | What penetration test was done at CloudSphere? Was this white box or black box? | | This was done as a black-box test by a third party. The third party provided the following description of its approach: “Our approach will involve testing the application using [company's] web security penetration testing approach, which simulates an attack by a malicious entity, coupled with technology specific attacks targeting the underlying system. This shall assist with the identification of technical security vulnerabilities from an external (no login credentials) and ‘trusted’ (legitimate login credentials) threat perspective. Our application security testing approach is performed using our proprietary testing methodology. Similar to the approach described above, this also includes both a manual approach and the use of software tools, which have been proven effective in identifying areas within websites that are most vulnerable to attack. API testing shall cover all standard tests such as injection, validation, output encoding etc., in addition to API specific testing such as HTTP methods, API rate limits, XML parsing & Content-Type security. We perform the testing from the perspective of a skilled and determined attacker with no specific insider knowledge of the system, other than that which can be gathered from normal enumeration techniques and from publicly available information. The tests will examine the security of the application and infrastructure in relation to its ability to withstand malware attacks, input manipulation, session hijacking, session redirects etc., and shall focus on current leading practice guidance in relation to web application security, such as the OWASP Top 10 (2013) and the WASC Top 20.” | |
| 64 | Does this product link to Atlassian, and if so, how? | | The CloudSphere CAM product has no direct linkage to Atlassian products. The Atlassian suite (Confluence and JIRA) is used for internal documentation, project management and sprint management within CloudSphere. | |
| 65 | Is the data housed in the CloudSphere portal segregated from other company data? If so, how do you do this? | | The SAAS infrastructure is made up of mixed deployments: | |