...
Actions to address the potentially insecure use of partner cloud services have also been identified: many of the controls listed in section A.15 (Supplier relationships) of Annex A of ISO/IEC 27001 are recommended for implementation, together with the additional cloud-specific measures proposed by the ISO/IEC 27017 code of practice.
Completion of these actions will be monitored as part of the regular management review process.
...
| Ref | Risk description | Risk owner | Risk level | Treatment option | Action | Action owner | Timescale | Residual risk level |
|---|---|---|---|---|---|---|---|---|
| 1 | Password Breach | CEO | | Modify | Two-Factor Authentication; Secure Password Management; Monitor Environment Setup | COO | Ongoing | Low |
| 2 | Transactional Data Breach | CEO | | Modify | Use Salesforce Platform Features; Do not store Transactional Data on Vertic Infrastructure; Use Australian Salesforce Data Centres; Monitor Salesforce Trust Website; Internal Audit/Planning to ensure this | COO | Ongoing | Low |
| 3 | Employee Breach | COO | | Share | Employment Contracts; Control Salesforce Access; Require Employment Contracts for each Employee; Use Salesforce Security Model to control user access | COO | Ongoing | |
| 4 | Incorrect Development Standards | COO | | Modify | Perform Regular Salesforce Health Checks; Monitor Salesforce Health Checks; Review Salesforce Optimiser | COO | Ongoing | |
| 5 | Data Centre Failures | CEO | | Share | Monitor Salesforce Trust Website; Use Salesforce’s Redundancy Controls; Inform Customers when this happens (data loss is extremely unlikely due to Salesforce’s platform redundancy controls) | CFO | Ongoing | |

Table 3: Risk treatment plan

Vertic’s Organisational Risk Register can be found here.