This document answers a number of specific questions about security operations, data handling and access for the CAM solution. It is also intended as a template for customers of CloudSphere (where the CloudSphere SAAS solution is a “sub-processor” of customer data, as defined by SOC 2). Where appropriate, some questions and answers contain the placeholder <Customer-Organization> for the downstream customer name; where the document is not being used as such a template, <Customer-Organization> can be read as "us" or "our".
| # | Question Text | Answers | Additional Comments |
|---|---|---|---|
| 1 | Please provide a brief description of the service(s) that your organization provides to <Customer-Organization>. | The SAAS solution, CloudSphere’s Cyber Asset Management Platform (CAM), provides actionable insights for hybrid and multi-cloud optimization, compliance, and security. This functionality is provided by scanning the customer estate and storing relevant information about the estate in the SAAS solution datastores. The CAM platform then exposes this data to <Customer-Organization> as visualizations so that actionable items can be identified. | |
| 2 | Who are the primary contact person(s) at <Customer-Organization> and CloudSphere? | Customer Contact: to be provided by <Customer-Organization>. CloudSphere Contact: customer-success-team@cloudsphere.com | |
| 3 | What is the approximate number of employees in your organization? | 10-99 | |
| 4 | Are information security policies and procedures made available to all personnel, authorized by accountable business role/function, and supported by the information security management program as per industry best practices (e.g. ISO 27001, SOC 2)? | Yes | CloudSphere is SOC 2 Type 2 certified by an accredited third-party auditor. The report is available to customers and partners by request (under NDA). |
| 5 | Do you perform, at minimum, annual reviews of your privacy and security policies? | Yes | All policies are reviewed on an annual basis (at a minimum). |
| 6 | Does your organization maintain and review a company-wide risk register in order to document potential issues relating to the company's activity? The process of identifying and analyzing risks should be a part of tactical decision-making and initial planning. The worth of business plans can be improved significantly if the risks associated with proposals are analyzed and, where necessary, mitigated. | Yes | CloudSphere is SOC 2 Type II compliant, and the process of identifying and analyzing risks is part of tactical decision-making in order to quantify risks associated with business operations and, where necessary, allow them to be mitigated. |
| 7 | Does your organization collect, store, use, process, or transmit any <Customer-Organization> privacy-protected information, or have the ability to access such information even if you do not require it to perform your services? | Yes | This organization does not collect or access information unless it is required to perform our service. For a breakdown of the data content, see item 12. |
| 8 | Does your organization have a policy that addresses privacy compliance? | Yes | |
| 9 | Will you notify <Customer-Organization> about data breaches that involve or are likely to involve <Customer-Organization> privacy data? | Yes | |
| 10 | Who is the individual (or individuals) responsible for privacy compliance-related matters at your organization? | The Customer Success team is the primary point of contact (customer-success-team@cloudsphere.com). All privacy compliance matters will be referred to the Director for Information Security and the CTO. | |
| 11 | Does your organization process, access, maintain, transmit, transfer, dispose of, receive, or store any data used by <Customer-Organization>? | Yes | |
| 12 | If “yes”, describe the data processed, accessed, maintained, transmitted, transferred, disposed of, received, or stored by your organization. | | |
| 13 | What is the classification of <Customer-Organization> data that will be shared with your organization? | | |
| 14 | What level of access does your organization have to <Customer-Organization> data? | Read | |
| 15 | Does your organization allow subordinate vendors, partners, joint ventures, or other parties to store, process, access, maintain, transmit, transfer, dispose of, receive, or store <Customer-Organization> data? | No | |
| 16 | Do employees of your organization act on behalf of <Customer-Organization> (appearing as if they are a <Customer-Organization> employee)? | No | |
| 17 | Do employees of your organization have access to <Customer-Organization>'s information systems? | No | |
| 18 | Who is responsible for managing the access your employees have to <Customer-Organization>'s information systems? | N/A | |
| 19 | How is <Customer-Organization>'s data provided/transmitted to your organization? | Definition of Transfer: | |
| 20 | In which of your systems is <Customer-Organization>'s data stored? | CloudSphere SAAS base solution, available in either AWS or Azure deployments | AWS: Cloud Hosting Services (SOC 2 Type 2, SOC 3 audited, ISO 27001, 27017, 27018 certified). Azure: Cloud Hosting Services (SOC 2 Type 2, SOC 3 audited, ISO 27001, 27017, 27018 certified). |
| 21 | What is the stated Recovery Time Objective in your contract with <Customer-Organization>? | RTO specified as 6 hrs. | |
| 22 | What is the stated Recovery Point Objective in your contract with <Customer-Organization>? | RPO specified as 24 hrs. | |
| 23 | Will employees from your organization be working on <Customer-Organization>'s premises? | No | |
| 24 | Has your organization experienced a security breach during the past 18 months? | No | |
| 26 | An asset inventory is critical for assigning responsibility for controls and tracking control performance. Please indicate one type of asset for which you maintain an inventory. | Cloud Assets and Internal Hardware | |
| 27 | Are employees required to return information and information processing assets upon termination? | Yes | |
| 28 | Is all employee access terminated within 24 hours of termination? | Yes | |
| 29 | Do you manage and store the identity of all personnel who have access to the IT infrastructure, including their level of access? | Yes | Our Access Control Policy covers all controls that are in place to control access to IT infrastructure. |
| 30 | Do you document how you grant, approve and enforce access restrictions to tenant/customer credentials following the rules of least privilege? | Yes | Our Access Control Policy covers all controls that are in place to prevent unauthorized access. |
| 31 | Do you require a periodical authorization and validation (e.g. at least annually) of the entitlements for all system users and administrators (exclusive of users maintained by your tenants), based on the rule of least privilege, by business leadership or other accountable business role or function? | Yes | Monthly reviews are performed. |
| 32 | Does your organization have an information classification scheme that classifies all sensitive, proprietary and non-public information managed by the organization? | Yes | |
| 33 | How long will your organization retain <Customer-Organization>'s confidential information? | The SAAS datastores are kept alive for 60 days after the end of a subscription (to allow renewal without data loss). | |
| 34 | Do you require background checks of all your employees prior to working on <Customer-Organization> systems? | Yes | |
| 35 | Do employees undergo security awareness training upon hire and at least annually thereafter? | Yes | |
| 36 | How soon does your organization apply security patches to all systems following their publication? | 30 days or less | |
| 37 | How quickly after publication does your organization apply antivirus updates? | Daily | |
| 38 | Are encryption ciphers in use by your organization to protect client confidential information at rest or in transit? | Yes | Encryption in transit is implemented using HTTPS over TLS 1.2. Encryption at rest is provided through a cloud-specific KMS. |
| 39 | Does your organization have a documented information security policy? | Yes | |
| 40 | Does your organization have an incident response policy or process? | Yes | |
| 41 | Does your organization have a formal business continuity plan? | Yes | |
| 42 | Does your organization have a formal disaster recovery plan? | Yes | |
| 43 | Do you audit and/or test your business continuity and disaster recovery plans at least annually? | Yes | |
| 44 | Please identify all conditions under which policies are communicated to applicable staff. | Employees must read the Employee Handbook and Code of Conduct on hire, and all policies are continuously available online. | |
| 45 | Will you notify <Customer-Organization> about information security incidents that have or are suspected to have impacted <Customer-Organization> data? | Yes | |
| 46 | Please identify your compliance obligations. | SOC 2 Type II (Dec 2021) and annually thereafter | |
| 47 | Are you currently in compliance with all applicable regulations and standards? | Yes | |
| 48 | Who is the individual (or individuals) responsible for compliance-related matters? | Andy Trayler (Director of Information Security); Paul Mansfield (CTO) | |
| 49 | Do you have a backup data center/facility? | No | |
| 50 | Where are your data centers located? | Dublin, Ireland | |
| 51 | What type of physical access controls are used to limit access to your facilities? | Multiple controls | At Datacenter only |
| 52 | Please select the locations that are monitored by video cameras within and around your facilities. | Points of Authentication | At Datacenter only |
| 53 | Please describe the environmental controls you have in place in your data centers and other sensitive areas. | | At Datacenter only |
| 54 | Please select the response that best describes how you segregate your network from the Internet, including DMZs and untrusted networks. | Stateful firewalls are used to segregate the network from the Internet. | |
| 55 | What method of wireless network security does your network support for worker access? | WPA2-PSK | This applies if office space is being used; due to Covid restrictions, work is primarily remote. |
| 56 | If you have any guest-accessible WiFi, is it adequately segregated from your corporate network? | Yes | |
| 57 | Please select the response that best reflects your use of network-based Intrusion Detection (IDS) and/or Intrusion Prevention (IPS) solutions. | We have an IDS solution that detects but cannot prevent intrusion attempts. | |
| 58 | Do you perform internal network vulnerability scans? | Yes | |
| 59 | Do you perform external network vulnerability scans? | Yes | |
| 60 | Will SSO be configured for the SaaS tool? If not, can 2FA be used for user authentication? | | |
| 61 | If SSO is not available, do you have a password policy that is applied to the accounts? If so, what is this? | Yes. The password policy is configurable by the customer but ships with the following defaults: 10-character minimum length, digit required, capital required, punctuation required. Initial login requires a password change. Lockout after 10 failures. | |
| 62 | What penetration test was done at CloudSphere – was this White Box/Black Box? | This was done as a Black Box test by a 3rd party. The 3rd party provided the following description of its approach: "Our approach will involve testing the application using [company's] web security penetration testing approach, which simulates an attack by a malicious entity, coupled with technology-specific attacks targeting the underlying system. This shall assist with the identification of technical security vulnerabilities from an external (no login credentials) and “trusted” (legitimate login credentials) threat perspective. Our application security testing approach is performed using our proprietary testing methodology. Similar to the approach described above, this also includes both a manual approach and the use of software tools, which have been proven effective in identifying areas within websites that are most vulnerable to attack. API testing shall cover all standard tests such as injection, validation, output encoding, etc. in addition to API-specific testing such as HTTP methods, API Rate Limits, XML parsing & Content-type Security. We perform the testing from the perspective of a skilled and determined attacker with no specific insider knowledge of the system, other than that which can be gathered from normal enumeration techniques and from publicly available information. The tests will examine the security of the application and infrastructure in relation to its ability to withstand malware attacks, input manipulation, session hijacking, session redirects, etc. and shall focus on current leading practice guidance in relation to web application security, such as the OWASP Top 10; 2013 and the WASC Top 20" | |
| 63 | Does/How does this product link to Atlassian? | The CloudSphere CAM product has no direct linkage to Atlassian products. The Atlassian suite of Confluence and JIRA is used as part of the internal documentation, project management, and Sprint management operations within CloudSphere. | |
| 64 | Is the data which is housed in the CloudSphere portal segregated from other company data? If so, how do you do this? | The SAAS infrastructure is made up of mixed deployments: | |
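Item 61 states the default password policy of the SaaS tool (10-character minimum, digit, capital and punctuation required, forced change on first login, lockout after 10 failures) but not how such a policy is enforced. The following is an added illustration written for this page, not CloudSphere's own code: a small policy checker and login service that applies exactly those defaults. The class and function names, the PBKDF2 credential storage, and the choice to keep an account locked until an administrator clears it are assumptions made for the example (the page gives no lockout duration), and the accounts created at the bottom are constructed sample data.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass

# Defaults as stated in item 61. They are parameters rather than constants
# because the page says the customer can reconfigure them.
@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 10
    require_digit: bool = True
    require_upper: bool = True
    require_punctuation: bool = True
    lockout_threshold: int = 10


def check_password(password: str, policy: PasswordPolicy = PasswordPolicy()) -> list:
    """Return the policy rules a candidate password violates (empty list = compliant)."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if policy.require_digit and not any(c.isdigit() for c in password):
        violations.append("no digit")
    if policy.require_upper and not any(c.isupper() for c in password):
        violations.append("no capital letter")
    if policy.require_punctuation and not any(c in string.punctuation for c in password):
        violations.append("no punctuation character")
    return violations


def _derive(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; an assumed storage scheme, chosen so that no
    # clear-text password is ever kept by the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    must_change_password: bool = True   # "Initial login requires a password change"
    failed_attempts: int = 0
    locked: bool = False                # assumption: stays locked until an admin unlocks it

    def verify(self, password: str) -> bool:
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(_derive(password, self.salt), self.digest)


class LoginService:
    """Hypothetical authentication front end that enforces the item 61 policy."""

    def __init__(self, policy: PasswordPolicy = PasswordPolicy()):
        self.policy = policy
        self.accounts = {}

    def create_account(self, username: str, initial_password: str) -> None:
        problems = check_password(initial_password, self.policy)
        if problems:
            raise ValueError("initial password rejected: " + ", ".join(problems))
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, _derive(initial_password, salt))

    def login(self, username: str, password: str) -> str:
        """Return one of 'ok', 'change-required', 'locked' or 'denied'."""
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"          # same answer as a bad password: no username enumeration
        if acct.locked:
            return "locked"
        if not acct.verify(password):
            acct.failed_attempts += 1
            if acct.failed_attempts >= self.policy.lockout_threshold:
                acct.locked = True   # "Lockout after 10 failures"
                return "locked"
            return "denied"
        acct.failed_attempts = 0     # successful login resets the failure counter
        return "change-required" if acct.must_change_password else "ok"

    def change_password(self, username: str, old: str, new: str) -> list:
        """Apply the policy to the new password; return its violations (empty = changed)."""
        acct = self.accounts.get(username)
        if acct is None or acct.locked or not acct.verify(old):
            return ["authentication failed"]
        problems = check_password(new, self.policy)
        if not problems:
            acct.salt = os.urandom(16)
            acct.digest = _derive(new, acct.salt)
            acct.must_change_password = False
        return problems


if __name__ == "__main__":
    # Constructed sample walk-through: first login forces a change, then lockout kicks in.
    svc = LoginService()
    svc.create_account("alice", "Welcome2CAM!")
    print(svc.login("alice", "Welcome2CAM!"))                         # change-required
    print(svc.change_password("alice", "Welcome2CAM!", "weak"))        # policy violations
    print(svc.change_password("alice", "Welcome2CAM!", "N3w-Passw0rd!"))  # []
    for _ in range(10):
        svc.login("alice", "wrong")
    print(svc.login("alice", "N3w-Passw0rd!"))                        # locked
```

A customer that changes the defaults only needs to pass a different `PasswordPolicy` into `LoginService`; the checker returns every violated rule rather than the first one, which is what a user-facing error message needs.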