This page outlines the required Statement of Applicabilty and all relevant links to the required documents/samples/templates/evidence.
...
AREA/SECTION | CONTROL | CONTROL APPLICABLE? | CONTROL IMPLEMENTED? | JUSTIFICATION FOR INCLUSION OR EXCLUSION | |||
A.5 Information security policies | |||||||
A.5.1 Management direction for information security | Yes | Yes | |||||
A.5.1.2 Review of the policies for information security | Yes | Yes | |||||
Totals: | 2 | 2 | |||||
A.6 Organisation of information security | |||||||
A.6.1 Internal organisation | Yes | Yes | |||||
Yes | Yes | ||||||
Yes | Yes | ||||||
Yes | Yes | ||||||
Yes | Yes | ||||||
A.6.2 Mobile devices and teleworking | Yes | Yes | |||||
Yes | Yes | ||||||
Totals: | 4 | 3 | |||||
A.7 Human resources security | |||||||
A.7.1 Prior to employment | Yes | Yes | |||||
Yes | Yes | Security requirements need to be incorporated in employment contracts. | |||||
A.7.2 During employment | Yes | Yes | |||||
A.7.2.2 Information security awareness, education and training | Yes | Yes | Build an employee presentation | ||||
Yes | Yes | ||||||
A.7.3 Termination and change of employment | A.7.3.1 Termination or change of employment responsibilities | Yes | Yes | Classified information must continue to be protected after termination. | |||
Totals: | 6 | 4 | |||||
A.8 Asset management | |||||||
A.8.1 Responsibility for assets | Yes | Yes | Build an asset register (soft and hard assets) | Asset Yes | Classification Yes Type | ||
Yes | Yes | ||||||
Yes | Yes | ||||||
Yes | Yes | ||||||
A.8.2 Information classification | Yes | Yes | |||||
A.8.2.2 Labelling of information | Yes | Yes | |||||
A.8.2.3 Handling of assets | Yes | Yes | |||||
A.8.3 Media Handling | A.8.3.1 Management of removable media | No | No | We don't manage removable media; everything is stored in cloud-based services. | |||
A.8.3.2 Disposal of media | Yes | Yes | |||||
A.8.3.3 Physical media transfer | No | No | We don't currently transfer any physical media. | ||||
Totals: | 4 | 4 | |||||
A.9 Access control | |||||||
A.9.1 Business requirements of access control | Yes | Yes | |||||
Yes | Yes | ||||||
A.9.2 User access management | Yes | Yes | |||||
Yes | Yes | ||||||
Yes | Yes | ||||||
A.9.2.4 Management of secret authentication information of users | Yes | Yes | |||||
Yes | No | ||||||
Yes | Yes | ||||||
A.9.3 User responsibilities | Yes | Yes | |||||
A.9.4 System and application access control | Yes | Yes | |||||
Yes | Yes | ||||||
Yes | Yes | ||||||
A.9.4.4 Use of privileged utility programs | No | No | This might be controlled by admin; could be software like a virus controller. | ||||
Yes | YesGitHub access | ||||||
Totals: | 12 | 11 | |||||
A.10 Cryptography | |||||||
A.10.1 Cryptographic controls | A.10.1.1 Policy on the use of cryptographic controls | No | No | Do we encrypt any data? | |||
A.10.1.2 Key management | No | No | Do we encrypt any data? | ||||
Totals: | 0 | 0 | |||||
A.11 Physical and environmental security | |||||||
A.11.1 Secure areas | Yes | Yes | |||||
Yes | Yes | ||||||
Yes | Yes | Doors and windows are locked where appropriate. | |||||
A.11.1.4 Protecting against external and environmental threats | Yes | YesAll reasonable actions are taken to protect the homes we work from; no physical servers are kept on any premises. | |||||
Yes | Yes | There are a few high security areas in the various homes. | |||||
Yes | Yes | This could be home delivery | |||||
A.11.2 Equipment | Yes | Yes | Where are laptops located? back to the wall for example. | ||||
A.11.2.2 Supporting utilities | Yes | Yes | We don't deal with power outages; Salesforce is a distributed ecosystem and Vertic's team works on laptops with hours of backup power available. | ||||
A.11.2.3 Cabling security | Yes | Yes | Once cables are in the ouse, how are they managed? | ||||
Yes | Yes | All equipment is maintained according to manufacturers' instructions. | |||||
Yes | Yes | ||||||
Yes | Yes | Assets are often used offsite in a home environment. | |||||
Yes | Yes | Secure disposal is in place with a third party. | |||||
Yes | Yes | Training has been provided to ensure that screens and equipment are locked when unattended. What are the parameters of securing devices (ie. screensaver) | |||||
Yes | Yes | We are a remote team and work primarily from home; all external doors are shut during the hours of work. IT policy. | |||||
Totals: | 7 | 7 | |||||
A.12 Operations security | |||||||
A.12.1 Operational procedures and responsibilities | Yes | Yes | Procedures must be performed the same way each time to avoid accidents. | ||||
A.12.1.2 Change management | Yes | Yes | Define a change management process | ||||
Yes | Yes | Capacity of key resources is monitored. | |||||
A.12.1.4 Separation of development, testing and operational environments | Yes | Yes | Consistent approach to Software Development is essential to Vertic's success. | ||||
A.12.2 Protection from malware | Yes | Yes | Anti-malware is in place and monitored from a central console within the Salesforce platform. | ||||
A.12.3 Backup | A.12.3.1 Information backup | Yes | Yes | The Salesforce digital platform provides this service directly to our clients (via third-party applications). Action: Reference cloud provider backup services. | |||
A.12.4 Logging and monitoring | A.12.4.1 Event logging | Yes | Yes | The Salesforce digital platform provides this service directly to our clients (via third-party applications). | |||
A.12.4.2 Protection of log information | Yes | Yes | This does not apply to Vertic as event logs are captured directly within the Salesforce platform. | ||||
A.12.4.3 Administrator and operator logs | Yes | Yes | All such access is recorded. | ||||
Yes | YesSingle Time Source; put this into the IT policy. | ||||||
A.12.5 Control of operational software | Yes | Yes | Software installation is planned and controlled. | ||||
A.12.6 Technical vulnerability management | Yes | Yes | A full patching process is in place via recurring Salesforce Health Checks. | ||||
Yes | Yes | Admin access is required to install software. | |||||
A.12.7 Information systems audit considerations | Yes | Yes | Audits are planned so that business activities are not disrupted. | ||||
Totals: | 11 | 9 | |||||
A.13 Communications security | |||||||
A.13.1 Network security management | Yes | Yes | |||||
Yes | Yes | ||||||
Yes | Yes | ||||||
A.13.2 Information transfer | A.13.2.1 Information transfer policies and procedures | Yes | Yes | We conduct ourselves within the frameworks of the software tools we use, like Atlassian. | |||
A.13.2.2 Agreements on information transfer | Yes | Yes | |||||
Yes | Yes | There is significant use of email and instant messaging. | |||||
Yes | Yes | NDAs should be in place with all parties with whom we share personal data. | |||||
Totals: | 3 | 3 | |||||
A.14 System acquisition, development and maintenance | |||||||
A.14.1 Security requirements of information systems | A.14.1.1 Information security | Yes | Yes | Security requirements are specified for all new or changed systems. | |||
A.14.1.2 Securing application | Yes | Yes | TLS is used in all circumstances as per the Salesforce platform. | ||||
A.14.1.3 Protecting application | Yes | Yes | TLS is used in all circumstances as per the Salesforce platform. | ||||
A.14.2 Security in development and support processes | Yes | Yes | All software development is undertaken in accordance with Salesforce guidelines and development processes. | ||||
Yes | Yes | ||||||
A.14.2.3 Technical review of applications after operating platform changes | Yes | Yes | Reviews are conducted as part of acceptance testing of new systems. | ||||
Yes | Yes | ||||||
Yes | Yes | ||||||
Yes | Yes | We are developing on top of the Salesforce platform and are limited and directed by their system engineering principles. | |||||
A.14.2.7 Outsourced development | Yes | Yes | We outsource some of the technical software development to an outsourcing firm which exclusively delivers to Vertic under the same rules, regulations, and processes as Vertic. | ||||
A.14.2.8 System security testing | Yes | Yes | New and changed systems are tested to check they meet security requirements. | ||||
A.14.2.9 System acceptance testing | Yes | Yes | New and changed systems are tested to check they meet security requirements. | ||||
A.14.3 Test data | Yes | Yes | We don’t handle data in production environments. Put this into the referenced policy. | ||||
Totals: | 11 | 11 | |||||
A.15 Supplier relationships | |||||||
A.15.1 Information security in supplier relationships | A.15.1.1 Information security policy for supplier relationships | No | No | Vertic does not use an external providers in relation to our client services. | |||
A.15.1.2 Addressing security within supplier agreements | No | No | Vertic does not use an external providers in relation to our client services. | ||||
A.15.1.3 Information and communication technology supply chain | No | No | Vertic does not use an external providers in relation to our client services. | ||||
A.15.2 Supplier service delivery management | A.15.2.1 Monitoring and review of supplier services | No | No | Vertic does not use an external providers in relation to our client services. | |||
A.15.2.2 Managing changes to supplier services | No | No | Vertic does not use an external providers in relation to our client services. | ||||
Totals: | 0 | 0 | |||||
A.16 Information security incident management | |||||||
A.16.1 Management of information security incidents and improvements | Yes | Yes | An incident response procedure is in place. | ||||
A.16.1.2 Reporting information security events | Yes | Yes | This is addressed as part of awareness training. | ||||
Yes | Yes | This is addressed via our Risk Submission Form. | |||||
A.16.1.4 Assessment of and decision on information security events | Yes | Yes | Systems and procedures are used to assess events and raise incidents where appropriate. | ||||
A.16.1.5 Response to information security incidents | Yes | Yes | Training in incident response has been carried out. | ||||
A.16.1.6 Learning from information security incidents | Yes | Yes | A review is part of the procedure. | ||||
Yes | Yes | We document all incident evidence via our Atlassian system. | |||||
Totals: | 7 | 7 | |||||
A.17 Information security aspects of business continuity management | |||||||
A.17.1 Information security continuity | A.17.1.1 Planning information security continuity | Yes | Yes | Security is considered as part of the business continuity plan. | |||
A.17.1.2 Implementing information security continuity | Yes | Yes | Security is considered as part of the business continuity plan. | ||||
A.17.1.3 Verify, review and evaluate information security continuity | Yes | No | Testing the plan is essential. | ||||
A.17.2 Redundancies | A.17.2.1 Availability of information processing facilities | No | No | We don't manage our own infrastructure and are using Salesforce's services to manage information processing. | |||
Totals: | 3 | 2 | |||||
A.18 Compliance | |||||||
A.18.1 Compliance with legal and contractual requirements | A.18.1.1 Identification of applicable legislation and contractual requirements | Yes | Yes | All applicable legislation and requirements from contracts have been identified. | |||
Yes | Yes | A policy on the use and protection of IP has been agreed and communicated. | |||||
Yes | Yes | Records are protected effectively. | |||||
A.18.1.4 Privacy and protection of personally identifiable information | Yes | Yes | A data protection policy is in place. | ||||
A.18.1.5 Regulation of cryptographic controls | No | No | Compliance has been reviewed deemed not applicable to Vertic. | ||||
A.18.2 Information security reviews | A.18.2.1 Independent review of information security | Yes | Yes | Auditors are used to review our information security approach. | |||
Yes | Yes | Managers have received training in ensuring compliance. | |||||
A.18.2.3 Technical compliance review | Yes | Yes | This will be part of Vertic’s annual compliance review. | ||||
Totals: | 7 | 7 |