Cloud Security Alliance STAR · 2019-08-15 · This is not the case with OnBase in the Hyland Cloud. Users enjoy full functionality of ECM, capture, business process management, enterprise
CLOUD SECURITY ALLIANCE STAR (SECURITY, TRUST AND ASSURANCE REGISTRY) SUBMISSION FOR THE HYLAND CLOUD
August 2017
About the Cloud Security Alliance
The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of
best practices for providing security assurance within Cloud Computing and provides education on the
use of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by
a broad coalition of industry practitioners, corporations, associations and other key stakeholders.
The Cloud Security Alliance (CSA) launched the Security, Trust & Assurance Registry (STAR) initiative at
the end of 2011. The CSA STAR is the first step in improving transparency and assurance in the cloud. The
CSA Security, Trust & Assurance Registry (STAR) is a publicly accessible registry that documents the
security controls provided by various cloud computing offerings, thereby helping users assess the
security of cloud providers they currently use or are considering contracting with.
Hyland places the highest emphasis on delivering secure, reliable cloud solutions and is delighted to be
working with the CSA to deliver a transparent mechanism such as STAR to assist customers in their
AIS-01 Applications and programming interfaces (APIs) shall be designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.
Applications and code not developed by Hyland Software, Inc. are reviewed and tested by Hyland's Global Cloud Services (GCS) department before being deployed in the Hyland Cloud Platform. Testing of applications developed by Hyland Software, Inc. is completed by the Hyland Development Team on the corporate network in accordance with industry best practices for security.
AIS-02 Prior to granting customers access to data, assets, and information systems, identified security, contractual, and regulatory requirements for customer access shall be addressed.
Customer administrators control user access, user permissions, and data retention with respect to their Hosted Solutions.
Application & Interface Security: Data Integrity
AIS-03 Data input and output integrity routines (i.e., reconciliation and edit checks) shall be implemented for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse.
Customer maintains ownership of all customer data uploaded to their Hosted Solution through the full lifecycle period. Hyland employee access to customer data is restricted to authorized users and requires valid business justification.
Control Group Control ID Control Specification Hyland Response
Audit Assurance & Compliance: Audit Planning
AAC-01 Audit plans shall be developed and maintained to address business process disruptions. Auditing plans shall focus on reviewing the effectiveness of the implementation of security operations. All audit activities must be agreed upon prior to executing any audits.
GCS maintains an internal audit program that focuses on developing, implementing, maintaining, and reassessing security controls to support risk mitigation strategies. The areas of focus include, but are not limited to, policy and procedure, logical and physical access, and business continuity. Quarterly internal audit results are compiled by the Governance, Risk and Compliance team and sent to the Associate Vice President of Hyland Global Cloud Services.
Audit programs and testing plans are developed based on industry best practices and standards, including ISO 27001, AICPA Trust Services Criteria, NIST, and FFIEC. Auditing plans are established annually and approved by the Associate Vice President of Global Cloud Services. Auditing plans include selected controls, testing frequency, and scope.
Audit Assurance & Compliance: Independent Audits
AAC-02 Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations.
The Hyland Cloud Platform is SOC 2 and SOC 3 audited on an annual basis. These reports are provided to customers with confidentiality agreements in place.
Hyland Global Cloud Services maintains an internal audit program that conducts reviews of the Hyland Cloud Platform on at least a quarterly basis. Risk Assessments are conducted on an annual basis. Customers have the ability to conduct reviews of the Hyland Cloud Platform at their sole expense and within defined and mutually agreed upon parameters.
Audit Assurance & Compliance: Information System Regulatory Mapping
AAC-03 Organizations shall create and maintain a control framework which captures standards, regulatory, legal, and statutory requirements relevant for their business needs. The control framework shall be reviewed at least annually to ensure changes that could affect the business processes are
Audit programs and testing plans are developed based on industry best practices and standards, including ISO 27001, AICPA Trust Services Criteria, NIST, and FFIEC. Auditing plans are established annually and approved by the Associate Vice President of Global Cloud Services. Auditing plans include selected controls, testing
The GCS GRC Team monitors regulatory changes within the relevant jurisdictions. When applicable, modifications are made to the ISMS and the Internal Audit Program to ensure continued compliance with all applicable legislative and regulatory requirements.
Chapter 3: Business Continuity Management & Operational Resilience
Business Continuity Management & Operational Resilience: Business Continuity Planning
BCR-01 A consistent unified framework for business continuity planning and plan development shall be established, documented, and adopted to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements. Requirements for business continuity plans include the following:
• Defined purpose and scope, aligned with relevant dependencies
• Accessible to and understood by those who will use them
• Owned by a named person(s) who is responsible for their review, update, and approval
• Defined lines of communication, roles, and responsibilities
• Detailed recovery procedures, manual work-around, and reference information
• Method for plan invocation
Hyland Global Cloud Services maintains a documented policy that outlines the disaster recovery procedures. Disaster Recovery (DR) tests that include failover tests are performed at least annually against the Hyland Cloud platform.
Hyland Global Cloud Services maintains a near real-time data replication process to back up customer data stored within the Hyland Cloud Platform production environment. The data replication process and data backup objectives are reviewed on at least an annual basis as part of the internal system review process by the Associate Vice President of Hyland Global Cloud Services. Access to modify the backup configuration is limited to authorized individuals.
Business Continuity Management & Operational Resilience: Business Continuity Testing
BCR-02 Business continuity and security incident response plans shall be subject to testing at planned intervals or upon significant organizational or environmental changes. Incident response plans shall involve impacted customers (tenant) and other business relationships that represent critical intra-supply chain business process dependencies.
GCS maintains a documented policy that outlines the disaster recovery procedures. Disaster Recovery (DR) tests that include failover tests are performed at least annually against the Hyland Cloud platform.
GCS maintains documented incident reporting procedures. Incident reports are recorded and tracked to completion within Hyland's document management system. Customer notification is provided when applicable.
GCS maintains a Customer Process Manual which describes the Hyland Cloud platform, its boundaries, the obligations/commitments of each party as it concerns security and availability, customer notification of related incidents, and also the procedure for customers to report security and/or availability issues. The Customer Process Manual is updated and published annually by GCS directly to registered customers.
Business Continuity Management & Operational Resilience: Datacenter Utilities / Environmental Conditions
BCR-03 Datacenter utilities services and environmental conditions (e.g., water, power, temperature and humidity controls, telecommunications, and internet connectivity) shall be secured, monitored, maintained, and tested for continual effectiveness at planned intervals to ensure protection from unauthorized interception or damage, and designed with automated fail-over or other redundancies in the event of planned or unplanned disruptions.
The Hyland Cloud platform is housed within ISO 27001 certified and SOC 1 and SOC 3 audited data centers (or reasonable equivalent). GCS validates each data center's compliance certifications and applicable audit reports annually. Additional documentation may be provided upon completion of a Non-Disclosure Agreement.
Business Continuity Management & Operational Resilience: Documentation
BCR-04 Information system documentation (e.g., administrator and user guides, and architecture diagrams) shall be made available to authorized personnel to ensure the following:
• Configuring, installing, and operating the information system
• Effectively using the system's security features
Customers may access the Hyland Cloud Portal which provides information regarding proper usage of their solution. Customers are provided access to documentation describing the applicable security features available within their Hosted Solution and specifically how to ensure increased security in the Hyland Cloud Platform.
GCS maintains architecture diagrams of the Hyland Cloud Platform depicting the hosting environment and network. Customers may request specific diagrams of their solutions.
An Employee Process Manual is established that describes the system and its boundaries, the obligations of users as well as system commitments, system standards and procedures, and the procedure for submitting feedback, complaints, and issues related to system availability and/or security; it is distributed to Hyland employees.
Business Continuity Management & Operational Resilience: Environmental Risks
BCR-05 Physical protection against damage from natural causes and disasters, as well as deliberate attacks, including fire, flood, atmospheric electrical discharge, solar induced geomagnetic storm, wind, earthquake, tsunami, explosion, nuclear accident, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, and other forms of natural or man-made disaster shall be anticipated, designed, and have countermeasures applied.
The Hyland Cloud platform is housed within ISO 27001 certified and SOC 1 and SOC 3 audited data centers (or reasonable equivalent). GCS validates each data center's compliance certifications and applicable audit reports annually. Additional documentation may be provided upon completion of a Non-Disclosure Agreement.
Business Continuity Management & Operational Resilience: Equipment Location
BCR-06 To reduce the risks from environmental threats, hazards, and opportunities for unauthorized access, equipment shall be kept away from locations subject to high probability environmental risks and supplemented by redundant equipment located at a reasonable distance.
The Hyland Cloud platform is housed within ISO 27001 certified and SOC 1 and SOC 3 audited data centers (or reasonable equivalent). GCS validates each data center's compliance certifications and applicable audit reports annually. Additional documentation may be provided upon completion of a Non-Disclosure Agreement.
Hyland Cloud data centers are not located in areas with a high probability of environmental risks. All backup sites are located at least 200 miles from the production data center.
Business Continuity Management & Operational Resilience: Equipment Maintenance
BCR-07 Policies and procedures shall be established, and supporting business processes and technical measures implemented, for equipment maintenance ensuring continuity and availability of operations and support personnel.
GCS monitors system capacity and resource usage to support the capacity objectives as determined by the GCS system owners. On at least an annual basis, future system capacity projections are planned to limit disruptions to the Hyland Cloud platform and to prepare for future growth trends.
Business Continuity Management & Operational Resilience: Equipment Power Failures
BCR-08 Protection measures shall be put into place to react to natural and man-made threats based upon a geographically-specific business impact assessment.
The Hyland Cloud platform is housed within ISO 27001 certified and SOC 1 and SOC 3 audited data centers (or reasonable equivalent). GCS validates each data center's compliance certifications and applicable audit reports annually. Additional documentation may be provided upon completion of a Non-Disclosure Agreement.
The Hyland Cloud environment is N+1 redundant, providing automatic failover of the components that comprise the Hyland Cloud platform. The data is also replicated to a second copy in the primary data center and tertiary copy in a secondary data center.
Business Continuity Management & Operational Resilience: Impact Analysis
BCR-09 There shall be a defined and documented method for determining the impact of any disruption to the organization (cloud provider, cloud consumer) that must incorporate the following:
• Identify critical products and services
• Identify all dependencies, including processes, applications, business partners, and third party service providers
• Understand threats to critical products and services
• Determine impacts resulting from planned or unplanned disruptions and how these vary over time
• Establish the maximum tolerable period for disruption
• Establish priorities for recovery
• Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption
• Estimate the resources required for resumption
System maintenance, classified as either planned or unplanned, which could affect the security and/or availability of the Hyland Cloud is communicated to affected customers per documented procedures outlined in the Customer Process Manual.
GCS maintains documented incident reporting procedures. Incident reports are recorded and tracked to completion within Hyland's document management system. Customer notification is provided when applicable.
Hyland Cloud Platform customers may request a service availability report containing a list of service level availability (SLA) incidents that have been reported by the Customer. The report will reflect each incident's confirmation or rejection by Hyland.
Business Continuity Management & Operational Resilience: Policy
BCR-10 Policies and procedures shall be established, and supporting business processes and technical measures implemented, for appropriate IT governance and service management to ensure appropriate planning, delivery, and support of the organization's IT capabilities supporting business functions, workforce, and/or customers based on industry acceptable standards (i.e., ITIL v4 and COBIT 5). Additionally, policies and procedures shall include defined roles and responsibilities supported by regular workforce training.
GCS maintains a documented policy that outlines the disaster recovery procedures. Disaster Recovery (DR) tests that include failover tests are performed at least annually against the Hyland Cloud platform.
GCS maintains an Employee Process Manual which describes the Hyland Cloud platform, its boundaries, the obligations/commitments of each party as it concerns security and availability, customer notification of related incidents, and also the procedures for employees to report security and/or availability issues. The Employee Process Manual is released to the GCS department using Hyland's document management system. GCS employees are required to acknowledge and accept the latest version of the process manual by electronic acknowledgement using Hyland's document management system.
Business Continuity Management & Operational Resilience: Retention Policy
BCR-11 Policies and procedures shall be established, and supporting business processes and technical measures implemented, for defining and adhering to the retention period of any critical asset as per established policies and procedures, as well as applicable legal, statutory, or regulatory compliance obligations. Backup and recovery measures shall be incorporated as part of business continuity planning and tested accordingly for effectiveness.
Customer maintains ownership of all customer data uploaded to their Hosted Solution through the full lifecycle period. Customer administrators control user access, user permissions, and data retention with respect to their Hosted Solutions. GCS maintains a real-time data replication process to back up customer data stored within the Hyland Cloud Platform production environment. The data replication process and data backup objectives are reviewed on at least an annual basis as part of the internal system review process by the AVP of GCS. Access to modify the backup configuration is limited to authorized individuals.
Hyland has documented policies and procedures which detail the retention period for its critical assets.
Chapter 4: Change Control & Configuration Management
Change Control & Configuration Management: New Development / Acquisition
CCC-01 Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network, and systems components, or any corporate, operations and/or datacenter facilities have been pre-authorized by the organization's business leadership or other accountable business role or function.
The GCS Leadership Team is responsible for reviewing and approving new system acquisitions and significant modifications to systems and related components.
GCS maintains documented change management procedures and records all change requests in Hyland's document management system. Change requests must be approved by an authorized employee and tested before changes can be implemented. System changes made in the case of an emergency, or that are noncompliant with policy, are recorded as exceptions and are subject to rollback procedures if approval is not granted.
Logical access to system configuration, super user functionality, master passwords, powerful utilities and security devices (including firewall configurations) is restricted to authorized individual GCS employees based on specific roles that are established and maintained based on job responsibilities.
Change Control & Configuration Management: Outsourced Development
CCC-02 External business partners shall adhere to the same policies and procedures for change management, release, and testing as internal developers within the organization (e.g., ITIL service management processes).
External parties are not used in administration of the Hyland Cloud Platform.
Change Control & Configuration Management: Production Changes
CCC-05 Policies and procedures shall be established for managing the risks associated with applying changes to:
• Business-critical or customer (tenant)-impacting (physical and virtual) applications and system-system interface (API) designs and configurations.
• Infrastructure network and systems components.
Technical measures shall be implemented to provide assurance that all changes directly correspond to a registered change request, business-critical or customer (tenant), and/or authorization by, the customer (tenant) as per agreement (SLA) prior to deployment.
GCS maintains a Customer Process Manual which describes the Hyland Cloud platform, its boundaries, the obligations/commitments of each party as it concerns security and availability, customer notification of related incidents, and also the procedure for customers to report security and/or availability issues. The Customer Process Manual is updated and released annually by GCS directly to registered customers through email.
GCS maintains documented change management procedures and records all change requests in Hyland's document management system. Change requests must be approved by an authorized employee and tested before changes can be implemented. System changes made in the case of an emergency, or that are noncompliant with policy, are recorded as exceptions and are subject to rollback procedures if approval is not granted. Changes made to a customer solution must have written documentation from the customer requesting the change. These changes are reviewed quarterly through the Internal Audit Program. All changes undergo a risk assessment and, when applicable, are subject to documented rollback procedures.
Change Control & Configuration Management: Quality Testing
CCC-03 Organization shall follow a defined quality change control and testing process (e.g., ITIL Service Management) with established baselines, testing, and release standards that focus on system availability, confidentiality, and integrity of systems and services.
GCS defines the roles which are authorized to install software, hardware and other network devices within the Access Control policy. Access to these predefined roles is restricted using Active Directory user group policy settings.
The GCS Leadership Team is responsible for reviewing and approving new system acquisitions and significant modifications to systems and related components.
Changes to the Hyland Cloud platform can only be made by authorized individuals based on their assigned roles as documented in GCS policies. Changes to an end user's Hosted Solution are restricted to authorized individuals based on assigned roles.
Change Control & Configuration Management: Unauthorized Software Installations
CCC-04 Policies and procedures shall be established, and supporting business processes and technical measures implemented, to restrict the installation of unauthorized software on organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.
The GCS Leadership Team is responsible for reviewing and approving new system acquisitions and significant modifications to systems and related components.
The Hyland Cloud Platform is built on virtualization technology and accessed through the use of virtual desktops. This prevents unauthorized installation of software. Privileged accounts are restricted to authorized users.
Data Security & Information Lifecycle Management: Classification
DSI-01 Data and objects containing data shall be assigned a classification by the data owner based on data type, value, sensitivity, and criticality to the organization.
GCS documents and maintains descriptions of the information used within the Hyland Cloud platform which includes customer data and system data classifications. These classifications are reviewed as part of the annual policy review process by the Associate Vice President of GCS.
Data Security & Information Lifecycle Management: Data Inventory / Flows
DSI-02 Policies and procedures shall be established, and supporting business processes and technical measures implemented, to inventory, document, and maintain data flows for data that is resident (permanently or temporarily) within the service's geographically distributed (physical and virtual) applications and infrastructure network and systems components and/or shared with other third parties to ascertain any regulatory, statutory, or supply chain agreement (SLA) compliance impact, and to address any other business risks associated with the data. Upon request, provider shall inform customer (tenant) of compliance impact and risk, especially if customer data is used as part of the services.
The Hyland Cloud uses firewalls to prevent unauthorized network access. Firewall standards are documented in the Operations Security Policy to only allow network access to specific protocols that are required to support end users' solutions.
Architectural components (e.g., networks, servers, co-location data centers) are logically separated between (1) any customer, including GCS, and (2) Hyland, to prevent unauthorized access by internal or external users. Customer Hosted Solutions exist in a private virtualized environment secured by firewall configurations.
Data Security & Information Lifecycle Management: Ecommerce Transactions
DSI-03 Data related to electronic commerce (ecommerce) that traverses public networks shall be appropriately classified and protected from fraudulent activity, unauthorized disclosure, or modification in such a manner to prevent contract dispute and compromise of data.
GCS utilizes security transport encryption methods, such as SSL, for securing user authentication and session data when accessing the Hyland Cloud platform remotely. Connections to the Hyland platform are encrypted using HTTPS, PCOIPS, or Blast secure protocol. Access to encryption configuration is limited to authorized individuals.
Data Security & Information Lifecycle Management: Handling / Labeling / Security Policy
DSI-04 Policies and procedures shall be established for the labeling, handling, and security of data and objects which contain data. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.
GCS documents and maintains descriptions of the information used within the Hyland Cloud platform which includes customer data and system data classifications. These classifications are reviewed as part of the annual policy review process by the Associate Vice President of GCS.
GCS documents and maintains descriptions of all assets, including hardware, software, and data, used, held, and/or managed within the Hyland Cloud Platform which includes customer data and system data classification. These classifications are reviewed as part of the annual policy review process by the AVP of GCS.
Data Security & Information Lifecycle Management: Non-Production Data
DSI-05 Production data shall not be replicated or used in non-production environments. Any use of customer data in non-production environments requires explicit, documented approval from all customers whose data is affected, and must comply with all legal and regulatory requirements for scrubbing of sensitive data elements.
Customer production and non-production environments are logically separated. GCS does not input customer data into the non-production environment. These environments are separated using a domain authentication source (Active Directory).
Data Security & Information Lifecycle Management: Ownership / Stewardship
DSI-06 All data shall be designated with stewardship, with assigned responsibilities defined, documented, and communicated.
Customer maintains ownership of all customer data uploaded to their Hosted Solution through the full lifecycle period. GCS access to customer data is restricted to authorized users and requires valid business justification.
Customer administrators control user access, user permissions, and data retention with respect to their Hosted Solutions.
Data Security & Information Lifecycle Management: Secure Disposal
DSI-07 Policies and procedures shall be established with supporting business processes and technical measures implemented for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means.
When a storage device has reached the end of its useful life, Global Cloud Services' procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. GCS uses the techniques recommended by the National Institute for Standards and Technology (NIST) to destroy data as part of the decommissioning process. If a hardware device is unable to be decommissioned using these procedures, the device will be virtually shredded or physically destroyed in accordance with industry-standard practices. Devices used in the administration of the customer's Hosted Solution that have been decommissioned will be subjected to these or equally effective standards.
Chapter 6: Datacenter Security
Datacenter Security: Asset Management
DCS-01 Assets must be classified in terms of business criticality, service-level expectations, and operational continuity requirements. A complete inventory of business-critical assets located at all sites and/or geographical locations and their usage over time shall be maintained and updated regularly, and assigned ownership by defined roles and responsibilities.
An inventory of assets is established and maintained. Asset inventory lists document identifiable information for each asset listed, including vendor, version number, system owner and geographical location.
Datacenter Security: Controlled Access Points
DCS-02 Physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) shall be implemented to safeguard sensitive data and information systems.
The Hyland Cloud platform is housed within ISO 27001 certified and SOC 1 and SOC 3 audited data centers (or reasonable equivalent). Customer data is secured behind physical barriers to prevent unauthorized access. Only authorized personnel have access to the data centers; all others require special authorization from Hyland and data center staff and require an escort.
Datacenter Security: Equipment Identification
DCS-03 Automated equipment identification shall be used as a method of connection authentication. Location-aware technologies may be used to validate connection authentication integrity based on known equipment location.
The Hyland Cloud platform is housed within ISO 27001 certified and SOC 1 and SOC 3 audited data centers (or reasonable equivalent). Customer data is secured behind physical barriers to prevent unauthorized access. Only authorized personnel have access to the data centers; all others require special authorization from Hyland and data center staff and require an escort.
Datacenter Security: Off-Site Authorization
DCS-04 Authorization must be obtained prior to relocation or transfer of hardware, software, or data to an offsite premises.
Customer data will not be removed from the GCS data centers without explicit written authorization from the customer.
Relocation or transfer of hardware or software within the data center follows the GCS Change Management Procedures.
Datacenter Security: Off-Site Equipment
DCS-05 Policies and procedures shall be established for the secure disposal of equipment (by asset type) used outside the organization's premises. This shall include a wiping solution or destruction process that renders recovery of information impossible. The erasure shall consist of a full overwrite of the drive to ensure that the erased drive is released to inventory for reuse and deployment, or securely stored until it can be destroyed.
When a storage device has reached the end of its useful life, Global Cloud Services' procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. Hyland Global Cloud Services uses the techniques recommended by the National Institute of Standards and Technology (NIST) to destroy data as part of the decommissioning process. If a hardware device cannot be decommissioned using these procedures, the device will be virtually shredded or physically destroyed in accordance with industry-standard practices. Devices used in the administration of the customer's hosted solution that have been decommissioned are subjected to these or equally effective standards. Attestation letters to that effect can be provided to the Customer upon request.
Datacenter Security - Policy
DCS-06 Policies and procedures shall be established, and supporting business processes implemented, for maintaining a safe and secure working environment in offices, rooms, facilities, and secure areas storing sensitive information.
Access to the data centers is restricted to the pre-defined roles documented in the Access Management Policy. User access requests are subject to the change management procedures. Visitors to the data center must be escorted.
Only authorized personnel, with a justified business need, are permitted inside the secure data centers unescorted. All other personnel must be escorted at all times, after demonstrating a valid business need and obtaining approval.
DCS-07 Ingress and egress to secure areas shall be constrained and monitored by physical access control mechanisms to ensure that only authorized personnel are allowed access.
Access to the data centers is restricted to the pre-defined roles documented in the Access Management Policy. User access requests are subject to the change management procedures. Visitors to the data center must be escorted.
Only authorized personnel, with a justified business need, are permitted inside the secure data centers unescorted. All other personnel must be escorted at all times, after demonstrating a valid business need and obtaining approval.
Datacenter Security - Unauthorized Persons Entry
DCS-08 Ingress and egress points such as service areas and other points where unauthorized personnel may enter the premises shall be monitored, controlled and, if possible, isolated from data storage and processing facilities to prevent unauthorized data corruption, compromise, and loss.
Access to the data centers is restricted to the pre-defined roles documented in the Access Management Policy. User access requests are subject to the change management procedures. Visitors to the data center must be escorted.
Only authorized personnel, with a justified business need, are permitted inside the secure data centers unescorted. All other personnel must be escorted at all times, after demonstrating a valid business need and obtaining approval.
Datacenter Security - User Access
DCS-09 Physical access to information assets and functions by users and support personnel shall be restricted.
Access to the data centers is restricted to the pre-defined roles documented in the Access Management Policy. User access requests are subject to the change management procedures. Visitors to the data center must be escorted.
Only authorized personnel, with a justified business need, are permitted inside the secure data centers unescorted. All other personnel must be escorted at all times, after demonstrating a valid business need and obtaining approval.
Control Group Control ID Control Specification Hyland Response
Encryption & Key Management - Entitlement
EKM-01 Keys must have identifiable owners (binding keys to identities) and there shall be key management policies.
GCS maintains a Cryptography Policy for cryptographic controls. Responsibility for effectively managing encryption keys is divided between the customer and Hyland. Knowledge of keys is split within Hyland.
Encryption & Key Management - Key Generation
EKM-02 Policies and procedures shall be established for the management of cryptographic keys in the service's cryptosystem (e.g., lifecycle management from key generation to revocation and replacement, public key infrastructure, cryptographic protocol design and algorithms used, access controls in place for secure key generation, and exchange and storage including segregation of keys used for encrypted data or sessions). Upon request, provider shall inform the customer (tenant) of changes within the cryptosystem, especially if the customer (tenant) data is used as part of the service, and/or the customer (tenant) has some shared responsibility over implementation of the control.
GCS maintains a Cryptography Policy for cryptographic controls. Responsibility for effectively managing encryption keys is divided between the customer and Hyland. Knowledge of keys is split within Hyland.
Encryption technologies, such as SFTP and SSL/TLS, are employed for data in transit. Customers are responsible for data that is outside the boundaries of the Hyland Cloud environment.
Customers are made aware of their responsibilities for use of encryption technologies through the Customer Process Manual and specific guides related to the encryption technologies they have purchased.
Encryption & Key Management - Sensitive Data Protection
EKM-03 Policies and procedures shall be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations), data in use (memory), and data in transmission (e.g., system interfaces, over public networks, and electronic messaging) as per applicable legal, statutory, and regulatory compliance obligations.
GCS maintains a Cryptography Policy for cryptographic controls. Responsibility for effectively managing encryption keys is divided between the customer and Hyland. Knowledge of keys is split within Hyland.
Encryption technologies, such as SFTP and SSL/TLS, are employed for data in transit. Customers are responsible for data that is outside the boundaries of the Hyland Cloud environment.
Customers are made aware of their responsibilities for use of encryption technologies through the Customer Process Manual and specific guides related to the encryption technologies they have purchased.
GCS utilizes secure transport encryption methods, such as SSL/TLS, for securing user authentication and session data when accessing the Hyland Cloud platform remotely. Connections to the Hyland platform are encrypted using HTTPS, PCoIP, or the Blast secure protocol. Access to encryption configuration is limited to authorized individuals.
Encryption & Key Management - Storage and Access
EKM-04 Platform and data-appropriate encryption (e.g., AES-256) in open/validated formats and standard algorithms shall be required. Keys shall not be stored in the cloud (i.e., at the cloud provider in question), but maintained by the cloud consumer or trusted key management provider. Key management and key usage shall be separated duties.
GCS utilizes secure transport encryption methods, such as SSL/TLS, for securing user authentication and session data when accessing the Hyland Cloud platform remotely. Connections to the Hyland platform are encrypted using HTTPS, PCoIP, or the Blast secure protocol. Access to encryption configuration is limited to authorized individuals.
Governance and Risk Management - Baseline Requirements
GRM-01 Baseline security requirements shall be established for developed or acquired, organizationally-owned or managed, physical or virtual, applications and infrastructure system and network components that comply with applicable legal, statutory, and regulatory compliance obligations. Deviations from standard baseline configurations must be authorized following change management policies and procedures prior to deployment, provisioning, or use. Compliance with security baseline requirements must be reassessed at least annually unless an alternate frequency has been established and authorized based on business need.
Baseline security configuration standards are established within the Operations Security Policy and reviewed on an annual basis. Individual teams set baseline security configuration standards for the systems and assets they manage.
GCS maintains documented change management procedures and records all change requests in Hyland's document management system. Change requests must be approved by an authorized employee and tested before changes can be implemented. System changes made in an emergency and/or that are noncompliant with policy are recorded as exceptions and are subject to rollback procedures if approval is not granted.
Governance and Risk Management - Data Focus Risk Assessments
GRM-02 Risk assessments associated with data governance requirements shall be conducted at planned intervals and shall consider the following:
• Awareness of where sensitive data is stored and transmitted across applications, databases, servers, and network infrastructure
• Compliance with defined retention periods and end-of-life disposal requirements
• Data classification and protection from unauthorized use, access, loss, destruction, and falsification
A formal risk assessment is conducted annually by the Governance, Risk and Compliance team. Potential threats and vulnerabilities related to security and availability (which include environmental, regulatory, technological changes) are reviewed and categorized. Remediation plans are created as needed and may include updates/changes to the current Information Security policies. The completed assessment is reviewed and approved by the AVP of GCS.
Governance and Risk Management - Management Oversight
GRM-03 Managers are responsible for maintaining awareness of, and complying with, security policies, procedures, and standards that are relevant to their area of responsibility.
The Associate Vice President of GCS and the entire GCS Leadership team are responsible for ensuring employees are aware of and follow the security policies and procedures. Managers are responsible for training each new employee regarding their information security responsibilities.
The GCS Leadership Team, or a subset of it, conducts Security Awareness Training and Education every year for all employees.
Governance and Risk Management - Management Program
GRM-04 An Information Security Management Program (ISMP) shall be developed, documented, approved, and implemented that includes administrative, technical, and physical safeguards to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The security program shall include, but not be limited to, the following areas insofar as they relate to the characteristics of the business:
• Risk management
• Security policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development, and maintenance
GCS maintains an Information Security Policy Suite containing the documented policies related to the security and availability of the Hyland Cloud platform that include, but are not limited to, the elements contained within the applicable trust criterion.
GCS maintains an Information Security Management System based on the controls and implementation guidance of ISO 27001/ISO 27002.
The Customer Process Manual outlines the components of the ISMS that are pertinent to customers in administration of their Hosted Solution. Upon request, customers can conduct an audit of GCS and the Hyland Cloud Platform to determine compliance with the ISMS, Customer Process Manual, and customer Hosting Agreements.
Governance and Risk Management - Management Support/Involvement
GRM-05 Executive and line management shall take formal action to support information security through clearly-documented direction and commitment, and shall ensure the action has been assigned.
The GCS Leadership Team, including the Associate Vice President of GCS, provides strategic direction and ensures effective implementation of the Information Security Management System.
Governance and Risk Management - Policy
GRM-06 Information security policies and procedures shall be established and made readily available for review by all impacted personnel and external business relationships. Information security policies must be authorized by the organization's business leadership (or other accountable business role or function) and supported by a strategic business plan and an information security management program inclusive of defined information security roles and responsibilities for business leadership.
GCS maintains an Information Security policy suite that is available to all GCS employees and is communicated through the process manual and annual policy review.
GCS maintains an Employee Process Manual which describes the Hyland Cloud platform, its boundaries, the obligations/commitments of each party as it concerns security and availability, customer notification of related incidents, and also the procedures for employees to report security and/or availability issues. The Employee Process Manual is released to the GCS department using Hyland's document management system. GCS employees are required to acknowledge and accept the latest version of the process manual by supplying electronic acknowledgement using Hyland's document management system.
Governance and Risk Management - Policy Enforcement
GRM-07 A formal disciplinary or sanction policy shall be established for employees who have violated security policies and procedures. Employees shall be made aware of what action might be taken in the event of a violation, and disciplinary measures must be stated in the policies and procedures.
The Global Cloud Services Employee Process Manual establishes the disciplinary actions and consequences of information security violations.
Governance and Risk Management - Policy Impact on Risk Assessments
GRM-08 Risk assessment results shall include updates to security policies, procedures, standards, and controls to ensure that they remain relevant and effective.
A formal risk assessment is conducted annually by the Governance, Risk and Compliance team. Potential threats and vulnerabilities related to security and availability (which include environmental, regulatory, technological changes) are reviewed and categorized. Remediation plans are created as needed and may include updates/changes to the current Information Security policies. The completed assessment is reviewed and approved by the appropriate personnel within GCS.
Governance and Risk Management - Policy Reviews
GRM-09 The organization's business leadership (or other accountable business role or function) shall review the information security policy at planned intervals or as a result of changes to the organization to ensure its continuing alignment with the security strategy, effectiveness, accuracy, relevance, and applicability to legal, statutory, or regulatory compliance obligations.
GCS maintains an Information Security policy suite containing the documented policies related to the security and availability of the Hyland Cloud platform that include, but are not limited to, the elements contained within the applicable trust criterion.
Security and availability policies are reviewed and approved on an annual basis by the GCS AVP or delegate of the management team.
Governance and Risk Management - Risk Assessments
GRM-10 Aligned with the enterprise-wide framework, formal risk assessments shall be performed at least annually or at planned intervals, (and in conjunction with any changes to information systems) to determine the likelihood and impact of all identified risks using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk shall be determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance).
A formal risk assessment is conducted annually by the Governance, Risk and Compliance team. Potential threats and vulnerabilities related to security and availability (which include environmental, regulatory, technological changes) are reviewed and categorized. Remediation plans are created as needed and may include updates/changes to the current Information Security policies. The completed assessment is reviewed and approved by the appropriate personnel within GCS.
Risks identified as a result of the risk assessment are tracked, including remediation plans, compensating controls, or acceptance of the risk. Risks are tracked through to completion and retained according to policy.
Governance and Risk Management - Risk Management Framework
GRM-11 Risks shall be mitigated to an acceptable level. Acceptance levels based on risk criteria shall be established and documented in accordance with reasonable resolution time frames and stakeholder approval.
A formal risk assessment is conducted annually by the Governance, Risk and Compliance team. Potential threats and vulnerabilities related to security and availability (which include environmental, regulatory, technological changes) are reviewed and categorized. Remediation plans are created as needed and may include updates/changes to the current Information Security policies. The completed assessment is reviewed and approved by the appropriate personnel within GCS.
Risks identified as a result of the risk assessment are tracked, including remediation plans, compensating controls, or acceptance of the risk. Risks are tracked through to completion and retained according to policy.
Human Resources - Asset Returns
HRS-01 Upon termination of workforce personnel and/or expiration of external business relationships, all organizationally-owned assets shall be returned within an established period.
Access to the Hyland Cloud Platform is prohibited for terminated and/or inactive users. These accounts are disabled in a timely manner, and all organizationally-owned assets are surrendered on the last day of employment, whether the separation is voluntary or involuntary.
Human Resources - Background Screening
HRS-02 Pursuant to local laws, regulations, ethics, and contractual constraints, all employment candidates, contractors, and third parties shall be subject to background verification proportional to the data classification to be accessed, the business requirements, and acceptable risk.
All potential candidates are subject to background screening procedures before an offer of employment is extended.
Human Resources - Employment Agreements
HRS-03 Employment agreements shall incorporate provisions and/or terms for adherence to established information governance and security policies and must be signed by newly hired or on-boarded workforce personnel (e.g., full or part-time employee or contingent staff) prior to granting workforce personnel user access to corporate facilities, resources, and assets.
GCS maintains an Employee Process Manual which describes the Hyland Cloud platform, its boundaries, the obligations/commitments of each party as it concerns security and availability, customer notification of related incidents, and also the procedures for employees to report security and/or availability issues. The Employee Process Manual is released to the GCS department using Hyland's document management system. GCS employees are required to acknowledge and accept the latest version of the process manual by supplying electronic acknowledgement using Hyland's document management system.
Human Resources - Employment Termination
HRS-04 Roles and responsibilities for performing employment termination or change in employment procedures shall be assigned, documented, and communicated.
GCS follows internal procedures whenever there is a separation event within GCS and/or Hyland. These procedures include removal of all access that is no longer needed and rotation of applicable passwords.
Human Resources - Mobile Device Management
HRS-05 Policies and procedures shall be established, and supporting business processes and technical measures implemented, to manage business risks associated with permitting mobile device access to corporate resources and may require the implementation of higher assurance compensating controls and acceptable-use policies and procedures (e.g., mandated security training, stronger identity, entitlement and access controls, and device monitoring).
There are no mobile devices on the Hyland Cloud Platform.
Human Resources - Non-Disclosure Agreements
HRS-06 Requirements for non-disclosure or confidentiality agreements reflecting the organization's needs for the protection of data and operational details shall be identified, documented, and reviewed at planned intervals.
All employees are required to sign confidentiality agreements as part of their employment at Hyland Software.
GCS maintains an Employee Process Manual which describes the Hyland Cloud platform, its boundaries, the obligations/commitments of each party as it concerns security and availability, customer notification of related incidents, and also the procedures for employees to report security and/or availability issues. The Employee Process Manual is released to the GCS department using Hyland's document management system. GCS employees are required to acknowledge and accept the latest version of the process manual by supplying electronic acknowledgement using Hyland's document management system.
Human Resources - Roles / Responsibilities
HRS-07 Roles and responsibilities of contractors, employees, and third-party users shall be documented as they relate to information assets and security.
The Customer Process Manual delineates the responsibilities of the customer and of Hyland in relation to administration of the Hyland Cloud Platform. Third parties are not granted access in support of the Hyland Cloud Platform.
Human Resources - Technology Acceptable Use
HRS-08 Policies and procedures shall be established, and supporting business processes and technical measures implemented, for defining allowances and conditions for permitting usage of organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components. Additionally, defining allowances and conditions to permit usage of personal mobile devices and associated applications with access to corporate resources (i.e., BYOD) shall be considered and incorporated as appropriate.
GCS maintains an Employee Process Manual which describes the Hyland Cloud platform, its boundaries, the obligations/commitments of each party as it concerns security and availability, customer notification of related incidents, and also the procedures for employees to report security and/or availability issues. The Employee Process Manual is released to the GCS department using Hyland's document management system. GCS employees are required to acknowledge and accept the latest version of the process manual by supplying electronic acknowledgement using Hyland's document management system.
The Hyland Cloud Platform is managed through the use of virtual desktops, which prevents endpoint devices from connecting directly to the Platform.
Human Resources - Training / Awareness
HRS-09 A security awareness training program shall be established for all contractors, third-party users, and employees of the organization and mandated when appropriate. All individuals with access to organizational data shall receive appropriate awareness training and regular updates in organizational procedures, processes, and policies relating to their professional function relative to the organization.
Hyland conducts annual data handling training and SATE training, and requires annual acknowledgement of key policies including our data classification standards. These requirements are strongly enforced through the use of testing and written acknowledgements.
Human Resources - User Responsibility
HRS-10 All personnel shall be made aware of their roles and responsibilities for:
• Maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations.
• Maintaining a safe and secure working environment
GCS maintains an Employee Process Manual which describes the Hyland Cloud platform, its boundaries, the obligations/commitments of each party as it concerns security and availability, customer notification of related incidents, and also the procedures for employees to report security and/or availability issues. The Employee Process Manual is released to the GCS department using Hyland's document management system. GCS employees are required to acknowledge and accept the latest version of the process manual by supplying electronic acknowledgement using Hyland's document management system.
Human Resources - Workspace
HRS-11 Policies and procedures shall be established to require that unattended workspaces do not have openly visible (e.g., on a desktop) sensitive documents and user computing sessions are disabled after an established period of inactivity.
GCS maintains and enforces a clear desk/clear screen policy for employees. Physical access to the Hyland Cloud Platform hosting facilities is restricted via key card control.
Identity & Access Management - Audit Tools Access
IAM-01 Access to, and use of, audit tools that interact with the organization's information systems shall be appropriately segregated and access restricted to prevent inappropriate disclosure and tampering of log data.
Logical access to system configuration, super user functionality, master passwords, powerful utilities, security devices (including firewall configurations), and audit tools is restricted to authorized individual GCS employees based on specific roles that are established and maintained based on job responsibilities. Audit logs are logically separated from other storage and kept on a dedicated server.
IAM-02 User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data and organizationally-owned or managed (physical and virtual) application interfaces and infrastructure network and systems components. These policies, procedures, processes, and measures must incorporate the following:
• Procedures and supporting roles and responsibilities for provisioning and de-provisioning user account entitlements following the rule of least privilege based on job function (e.g., internal employee and contingent staff personnel changes, customer-controlled access, suppliers' business relationships, or other third-party business relationships)
• Business case considerations for higher levels of assurance and multi-factor authentication secrets (e.g., management interfaces, key generation, remote access, segregation of duties, emergency access, large-scale provisioning or geographically-distributed deployments, and personnel redundancy for critical systems)
• Access segmentation to sessions and data in multi-tenant architectures by any third party (e.g., provider and/or other customer (tenant))
• Identity trust verification and service-to-service application (API) and information processing interoperability (e.g., SSO and federation)
• Account credential lifecycle management from instantiation through revocation
• Account credential and/or identity store minimization or re-use when feasible
• Authentication, authorization, and accounting (AAA) rules for access to data and sessions (e.g., encryption and strong/multi-factor, expireable, non-shared authentication secrets)
• Permissions and supporting capabilities for customer (tenant) controls over authentication, authorization, and accounting (AAA) rules for access to data and sessions
• Adherence to applicable legal, statutory, or regulatory compliance requirements
User access requests for internal and external system users are documented in Hyland's change management system. User access is granted based on the pre-defined roles documented in the Access Management policy. User access requests are subject to the documented change management procedures, which require approval from a manager or assigned delegate before user access changes can be implemented. Access to the Hyland Cloud platform is prohibited for terminated and/or inactive users. These accounts are disabled and/or deleted in a timely manner by account administrators. Logical access to system configuration, super user functionality, master passwords, powerful utilities and security devices (including firewall configurations) is restricted to authorized individual GCS employees based on specific roles that are established and maintained based on job responsibilities. Architectural components (e.g. networks, servers, co-location data centers) are logically separated between (1) any customer, including GCS, and (2) Hyland, to prevent unauthorized access by internal or external users. Customer Hosted Solutions exist in a private virtualized environment secured by firewall configurations.
IAM-03 User access to diagnostic and configuration ports shall be restricted to authorized individuals and applications.
Logical access to system configuration, super user functionality, master passwords, powerful utilities and security devices (including firewall configurations) is restricted to authorized individual GCS employees based on specific roles that are established and maintained based on job responsibilities.
Identity & Access Management - Policies and Procedures
IAM-04 Policies and procedures shall be established to store and manage identity information about every person who accesses IT infrastructure and to determine their level of access. Policies shall also be developed to control access to network resources based on user identity.
User access requests for internal and external system users are documented in Hyland's change management system. User access is granted based on the pre-defined roles documented in the Access Management policy. User access requests are subject to the documented change management procedures, which require approval from a manager or assigned delegate before user access changes can be implemented. Administrative access to the anti-virus configuration is restricted to authorized users. GCS defines the roles which are authorized to install software, hardware, and other network devices within the Access Management policy. Access to these pre-defined roles is restricted using Active Directory user group policy settings.
Identity & Access Management - Segregation of Duties
IAM-05 User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for restricting user access as per defined segregation of duties to address business risks associated with a user-role conflict of interest.
GCS maintains separation of duties within the change management procedures. Employees may not approve change requests they submitted. Employees may not implement change requests they approved.
IAM-06 Access to the organization's own developed applications, program, or object source code, or any other form of intellectual property (IP), and use of proprietary software shall be appropriately restricted following the rule of least privilege based on job function as per established user access policies and procedures.
Access to source code for Hyland products is strictly controlled and based on job responsibilities. This program source code isphysically and logically separated from the Hyland Cloud Platform. Development of Hyland applications occurs outside of the GCS department and GCS employees do nothave access to this source code.
Access to source code for products and services developed by GCS for management of the Hyland Cloud Platform is based on specific roles that are established and maintained based on job responsibilities.
Identity & Access Management - Third Party Access
IAM-07 The identification, assessment, and prioritization of risks posed by business processes requiring third-party access to the organization's information systems and data shall be followed by coordinated application of resources to minimize, monitor, and measure likelihood and impact of unauthorized or inappropriate access. Compensating controls derived from the risk analysis shall be implemented prior to provisioning access.
Third parties are not granted access to the Hyland Cloud Platform.
Identity & Access Management - Trusted Sources
IAM-08 Policies and procedures are established for permissible storage and access of identities used for authentication to ensure identities are only accessible based on rules of least privilege and replication limitation only to users explicitly defined as business necessary.
Logical access to system configuration, super user functionality, master passwords, powerful utilities and security devices (including firewall configurations) is restricted to authorized individual GCS employees based on specific roles that are established and maintained based on job responsibilities.
IAM-09 Provisioning user access (e.g., employees, contractors, customers (tenants), business partners, and/or supplier relationships) to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components shall be authorized by the organization's management prior to access being granted and appropriately restricted as per established policies and procedures. Upon request, provider shall inform customer (tenant) of this user access, especially if customer (tenant) data is used as part of the service and/or customer (tenant) has some shared responsibility over implementation of control.
User access requests for internal and external system users are documented in Hyland's change management system. User access is granted based on the pre-defined roles documented in the Access Management policy. User access requests are subject to the documented change management procedures which require approval from manager or assigned delegate before user access changes can be implemented.
Identity & Access Management - User Access Reviews
IAM-10 User access shall be authorized and revalidated for entitlement appropriateness, at planned intervals, by the organization's business leadership or other accountable business role or function supported by evidence to demonstrate the organization is adhering to the rule of least privilege based on job function. For identified access violations, remediation must follow established user access policies and procedures.
GCS maintains an internal audit program that focuses on developing, implementing, maintaining, and reassessing security controls to support risk mitigation strategies. The areas of focus include, but are not limited to, policy and procedure, logical and physical access, and business continuity. Quarterly internal audit results are compiled by the Governance, Risk and Compliance team and sent to the AVP of GCS.
IAM-11 Timely de-provisioning (revocation or modification) of user access to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components, shall be implemented as per established policies and procedures and based on user's change in status (e.g., termination of employment or other business relationship, job change or transfer). Upon request, provider shall inform customer (tenant) of these changes, especially if customer (tenant) data is used as part of the service and/or customer (tenant) has some shared responsibility over implementation of control.
Access to the Hyland Cloud platform is prohibited for terminated and/or inactive users. These accounts are disabled and/or deleted in a timely manner by account administrators.
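The IAM-09 through IAM-11 responses describe role-based provisioning, periodic revalidation, and removal of terminated or inactive accounts. The following is an added example of the reconciliation an access review would actually run, written for this page and not taken from Hyland's documentation or tooling: it joins a constructed HR roster against a constructed directory export and flags terminated-but-enabled accounts, accounts with no HR owner, group membership beyond what the user's pre-defined role permits, and accounts with no recent logon. The field names, role-to-group mapping and 90-day inactivity threshold are all assumptions chosen for the example.

```python
"""Access review reconciliation: HR roster vs. directory export.

Added example, not Hyland's code. HR_ROSTER, DIRECTORY and ROLE_GROUPS are
constructed sample data; their field names are assumptions, not a real export format.
"""
from datetime import date

TODAY = date(2017, 8, 15)  # fixed review date so the example is reproducible

# Constructed HR roster: employment status and pre-defined role per person.
HR_ROSTER = [
    {"user": "jdoe", "role": "cloud_admin", "status": "active"},
    {"user": "asmith", "role": "helpdesk", "status": "active"},
    {"user": "bwong", "role": "cloud_admin", "status": "terminated"},
    {"user": "clee", "role": "helpdesk", "status": "active"},
]

# Constructed directory export (the shape an Active Directory query might produce).
DIRECTORY = [
    {"user": "jdoe", "enabled": True, "groups": {"GCS-Admins", "VPN-Users"}, "last_logon": date(2017, 8, 10)},
    {"user": "asmith", "enabled": True, "groups": {"Helpdesk", "GCS-Admins"}, "last_logon": date(2017, 8, 9)},
    {"user": "bwong", "enabled": True, "groups": {"GCS-Admins"}, "last_logon": date(2017, 6, 1)},
    {"user": "clee", "enabled": True, "groups": {"Helpdesk"}, "last_logon": date(2017, 4, 1)},
    {"user": "svc_backup", "enabled": True, "groups": {"Backup-Operators"}, "last_logon": date(2017, 8, 11)},
]

# Assumed role -> groups a holder of that role is permitted to be in (least privilege).
ROLE_GROUPS = {
    "cloud_admin": {"GCS-Admins", "VPN-Users"},
    "helpdesk": {"Helpdesk", "VPN-Users"},
}


def review_access(roster, directory, role_groups, today=TODAY, inactive_days=90):
    """Return a list of (user, finding) pairs, in directory order.

    Checks: terminated-but-enabled accounts, accounts with no HR owner,
    group membership beyond the user's role, and stale accounts.
    """
    by_user = {r["user"]: r for r in roster}
    findings = []
    for acct in directory:
        user = acct["user"]
        hr = by_user.get(user)
        if hr is None:
            findings.append((user, "no HR record: orphan or unowned service account"))
            continue
        if hr["status"] != "active":
            if acct["enabled"]:
                findings.append((user, "terminated but account still enabled"))
            continue  # a disabled leaver needs no further entitlement review
        excess = acct["groups"] - role_groups.get(hr["role"], set())
        if excess:
            findings.append((user, f"groups beyond role {hr['role']}: {sorted(excess)}"))
        if acct["enabled"] and (today - acct["last_logon"]).days > inactive_days:
            findings.append((user, f"no logon for more than {inactive_days} days"))
    return findings


def run_review():
    """Run the review over the constructed sample data."""
    return review_access(HR_ROSTER, DIRECTORY, ROLE_GROUPS)


if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user}: {finding}")
```

On the sample data the review reports four findings: asmith holds GCS-Admins beyond the helpdesk role, bwong is terminated but still enabled, clee has not logged on in more than 90 days, and svc_backup has no HR owner. Each finding maps to a remediation path the IAM-10 control expects to follow established user access procedures.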
Identity & Access Management - User ID Credentials
IAM-12 Internal corporate or customer (tenant) user account credentials shall be restricted as per the following, ensuring appropriate identity, entitlement, and access management and in accordance with established policies and procedures:
• Identity trust verification and service-to-service application (API) and information processing interoperability (e.g., SSO and Federation)
• Account credential lifecycle management from instantiation through revocation
• Account credential and/or identity store minimization or re-use when feasible
• Adherence to industry acceptable and/or regulatory compliant authentication, authorization, and accounting (AAA) rules (e.g., strong/multi-factor, expireable, non-shared authentication secrets)
GCS requires employees to establish their identity using an authorized multi-factor authentication technology when administering the Hyland Cloud Platform. This includes a Windows username, a user-specified PIN, a Windows password, and a token. All user accounts managed by GCS are subject to the password management requirements established within the Access Management policy. The Hyland Platform is configured to require internal and external system users to log into the system using a password that meets the password management requirements within the password policy. User access requests for internal and external system users are documented in Hyland's change management system. User access is granted based on the pre-defined roles documented in the Access Control policy. User access requests are subject to the documented change management procedures, which require approval from a manager or assigned delegate before user access changes can be implemented. GCS maintains an Employee Process Manual which describes the Hyland Cloud platform, its boundaries, the obligations/commitments of each party as it concerns security and availability, customer notification of related incidents, and also the procedures for employees to report security and/or availability issues. The Employee Process Manual is released to the GCS department using Hyland's document management system. GCS employees are required to acknowledge and accept the latest version of the process manual by supplying electronic acknowledgement using Hyland's document management system.
Identity & Access Management
IAM-13 Utility programs capable of potentially overriding system, object, network, virtual machine, and application controls shall be restricted.
Logical access to system configuration, powerful utilities and security devices (including firewall configurations) is restricted to authorized individual GCS employees based on specific roles that are established and maintained based on job responsibilities.
IVS-01 Higher levels of assurance are required for protection, retention, and lifecycle management of audit logs, adhering to applicable legal, statutory or regulatory compliance obligations and providing unique user access accountability to detect potentially suspicious network
Logical access to system configuration, super user functionality, master passwords, powerful utilities, security devices (including firewall configurations), and audit tools is restricted to authorized individual GCS employees based on specific roles that are established and maintained based on
IVS-02 The provider shall ensure the integrity of all virtual machine images at all times. Any changes made to virtual machine images must be logged and an alert raised regardless of their running state (e.g., dormant, off, or running). The results of a change or move of an image and the subsequent validation of the image's integrity must be immediately available to customers through electronic methods (e.g., portals or alerts).
Changes to virtual machines and servers that are used to host customer solutions are subject to the GCS change management procedures.
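IVS-02 asks for image integrity to be verified and every change to an image to be logged, and IVS-07 lists file integrity monitoring as a baseline control. The response above covers only the change-management side. As an added example, not Hyland's code or a description of its tooling, the block below shows the technical half: hash every file under an image tree into a baseline manifest, re-hash later, and report what was added, removed or modified. The sample tree, its contents and the tampering are constructed inside a temporary directory so the example runs offline; in practice the baseline would be produced when the image is approved and stored apart from the image itself.

```python
"""File integrity baseline for an image tree: hash once, re-hash later, report drift.

Added example, not Hyland's code. The "image" is a few files created in a
temporary directory; the paths and contents are constructed sample data.
"""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def compare(baseline, current):
    """Diff two manifests: which paths were added, removed or changed."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo():
    """Baseline a tiny image tree, tamper with it, and return the detected drift."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "sshd_config"), "w") as fh:
            fh.write("PermitRootLogin no\n")
        with open(os.path.join(etc, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        baseline = snapshot(root)

        # Constructed tampering: weaken a setting, add an unexpected file, delete one.
        with open(os.path.join(etc, "sshd_config"), "w") as fh:
            fh.write("PermitRootLogin yes\n")
        with open(os.path.join(root, "unexpected.bin"), "wb") as fh:
            fh.write(b"\x7fELF")
        os.remove(os.path.join(etc, "hosts"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The diff is what a change record should be reconciled against: every path in `modified` or `added` should trace to an approved change request, and anything that does not is the alert IVS-02 calls for.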
IVS-03 A reliable and mutually agreed upon external time source shall be used to synchronize the system clocks of all relevant information processing systems to facilitate tracing and reconstitution of activity timelines.
All data center clocks are synchronized to UTC. All physical machines, including hosts and switches, synchronize with internet NTP servers to keep their clocks aligned to UTC.
IVS-11 Access to all hypervisor management functions or administrative consoles for systems hosting virtualized systems shall be restricted to personnel based upon the principle of least privilege and supported through technical controls (e.g., two-factor authentication, audit trails, IP address filtering, firewalls, and TLS encapsulated communications to the administrative consoles).
GCS requires employees to establish their identity using an authorized multi-factor authentication technology when administering the Hyland Cloud platform. This includes a Windows username, a user-specified PIN, a Windows password, and a token. All user accounts managed by GCS are subject to the password management requirements established within the Access Management policy.
Logical access to system configuration, super user functionality, master passwords, powerful utilities and security devices (including firewall configurations) is restricted to authorized individual GCS employees based on specific roles that are established and maintained based on job responsibilities.
Infrastructure & Virtualization Security - Information System Documentation
IVS-04 The availability, quality, and adequate capacity and resources shall be planned, prepared, and measured to deliver the required system performance in accordance with legal, statutory, and regulatory compliance obligations. Projections of future capacity requirements shall be made to mitigate the risk of system overload.
GCS monitors system capacity and resource usage to support the capacity objectives as determined by the GCS system owners. On at least an annual basis, future system capacity projections are planned to limit disruptions to the Hyland Cloud platform and to prepare for future growth trends.
GCS maintains an internal audit program that focuses on developing, implementing, maintaining, and reassessing security controls to support risk mitigation strategies. The areas of focus include, but are not limited to, policy and procedure, logical and physical access, business continuity, and capacity planning. Quarterly internal audit results are compiled by the Governance, Risk and Compliance team and sent to the AVP of GCS.
IVS-13 Network architecture diagrams shall clearly identify high-risk environments and data flows that may have legal compliance impacts. Technical measures shall be implemented and shall apply defense-in-depth techniques (e.g., deep packet analysis, traffic throttling, and black-holing) for detection and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns (e.g., MAC spoofing and ARP poisoning attacks) and/or distributed denial-of-service (DDoS) attacks.
GCS uses firewalls to prevent unauthorized network access. Firewall standards documented in the Operations Security Policy allow network access only to the specific protocols required to support end-user solutions.
GCS utilizes third-party software to conduct internal and external vulnerability assessments on a quarterly basis. Assessments are reviewed to ensure that unencrypted network protocols are disabled. Remediation plans are created to address critical issues and are tracked to completion as part of the internal review process.
Architectural components (e.g., networks, servers, co-location data centers) are logically separated between (1) any customers, including GCS and (2) Hyland, preventing unauthorized access by internal or external users. Customer Hosted Solutions exist in a private virtualized environment secured by firewall configurations.
Anti-virus software is configured to update virus definitions on a daily basis.
IVS-06 Network environments and virtual instances shall be designed and configured to restrict and monitor traffic between trusted and untrusted connections. These configurations shall be reviewed at least annually, and supported by a documented justification for use for all allowed services, protocols, and ports, and by compensating controls.
GCS collects logs for the external firewall and IDS/IPS admin logs. These logs are evaluated periodically. Changes to the firewall are logged. Before any changes are implemented on the firewall, they are approved using the internal change management system, and the approval is documented on the firewall.
Infrastructure & Virtualization Security - OS Hardening and Base Controls
IVS-07 Each operating system shall be hardened to provide only necessary ports, protocols, and services to meet business needs and have in place supporting technical controls such as: antivirus, file integrity monitoring, and logging as part of their baseline operating build standard or template.
Virtual machines and operating systems are deployed with the minimum set of services and functionality required for them to run. Vulnerability scans and security assessments are run against the internal and external environment; these scans demonstrate whether only the minimum set of ports is open.
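The IVS-13, IVS-06 and IVS-07 responses together describe one control loop: a firewall standard that permits only required protocols, a documented justification for every allowed port, quarterly scans that confirm only those ports are open, and a review that confirms unencrypted protocols are disabled. The following is an added example of how that reconciliation is done in code; it is not Hyland's tooling or scan output. It parses nmap's grepable (`-oG`) output format, which is real, and compares each open port against a per-host allowlist of documented justifications. The scan text, the allowlist and the list of cleartext services are constructed for the example; the allowlist structure is an assumption about how the "documented justification" would be recorded.

```python
"""Firewall/OS baseline check: compare scan results with documented port justifications.

Added example, not Hyland's code. SCAN_OUTPUT and ALLOWLIST are constructed;
the input is nmap grepable (-oG) output, a real format, but the allowlist layout
is an assumption about how port justifications are recorded.
"""
import re

# Constructed nmap -oG output for two hosts (sample text, not from a real scan).
SCAN_OUTPUT = """\
# Nmap 7.40 scan initiated Tue Aug 15 10:00:00 2017 as: nmap -sS -sU -oG - 10.0.0.0/29
Host: 10.0.0.5 (web01)\tStatus: Up
Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 80/open/tcp//http///\tIgnored State: closed (997)
Host: 10.0.0.6 (db01)\tStatus: Up
Host: 10.0.0.6 (db01)\tPorts: 22/open/tcp//ssh///, 1433/open/tcp//ms-sql-s///, 23/filtered/tcp//telnet///, 161/open/udp//snmp///\tIgnored State: closed (996)
# Nmap done at Tue Aug 15 10:01:00 2017 -- 2 IP addresses (2 hosts up) scanned
"""

# Documented justification per host: (port, protocol) -> reason. Constructed.
ALLOWLIST = {
    "10.0.0.5": {(22, "tcp"): "admin SSH from bastion", (443, "tcp"): "HTTPS for end users"},
    "10.0.0.6": {(22, "tcp"): "admin SSH from bastion", (1433, "tcp"): "SQL from web01 only"},
}

# Services that carry credentials or data in cleartext; flagged even when justified.
CLEARTEXT_SERVICES = {"telnet", "ftp", "http", "snmp", "pop3", "imap", "smtp", "rlogin", "rsh"}

# One -oG port entry: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_grepable(text):
    """Return (host, port, proto, state, service) for every port entry in -oG output."""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for match in PORT_RE.finditer(ports_field):
            port, state, proto, service = match.groups()
            results.append((host, int(port), proto, state, service))
    return results


def check_baseline(scan_text, allowlist, cleartext=CLEARTEXT_SERVICES):
    """Findings as (host, port, proto, message) for unjustified open ports and cleartext services."""
    findings = []
    for host, port, proto, state, service in parse_grepable(scan_text):
        if state != "open":
            continue  # filtered/closed ports are not exposure
        if allowlist.get(host, {}).get((port, proto)) is None:
            findings.append((host, port, proto, f"open {service or '?'} with no documented justification"))
        if service in cleartext:
            findings.append((host, port, proto, f"cleartext protocol {service} exposed"))
    return findings


def run_check():
    """Run the baseline check over the constructed scan and allowlist."""
    return check_baseline(SCAN_OUTPUT, ALLOWLIST)


if __name__ == "__main__":
    for host, port, proto, message in run_check():
        print(f"{host} {port}/{proto}: {message}")
```

On the sample data the check flags 80/tcp on web01 and 161/udp on db01, each twice: once because no justification is recorded and once because HTTP and SNMP are cleartext. The filtered telnet port is ignored, since the scan shows it is not reachable. A port that is justified but cleartext still produces a finding, which is the review IVS-13 describes.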
IVS-08 Production and non-production environments shall be separated to prevent unauthorized access or changes to information assets. Separation of the environments may include: stateful inspection firewalls, domain/realm authentication sources, and clear segregation of duties for personnel accessing these environments as part of their job duties.
Customer production and non-production environments are separated through security controls and the use of domain/realm authentication sources. Any changes made to these environments follow the change management procedures, including separation of duties between requestor, approver, and implementer.
IVS-09 Multi-tenant organizationally-owned or managed (physical and virtual) applications, and infrastructure system and network components, shall be designed, developed, deployed, and configured such that provider and customer (tenant) user access is appropriately segmented from other tenant users, based on the following considerations: • Established policies and procedures • Isolation of business critical assets and/or sensitive user data, and sessions that mandate stronger internal controls and high levels of assurance • Compliance with legal, statutory, and regulatory compliance obligations
The OnBase application is not a multi-tenant application. Customers are logically separated from one another through the use of virtual machines.
Infrastructure & Virtualization Security - VM Security - Data Protection
IVS-10 Secured and encrypted communication channels shall be used when migrating physical servers, applications, or data to virtualized servers and, where possible, shall use a network segregated from production-level networks for such migrations.
GCS utilizes secure transport encryption methods, such as SSL, for securing user authentication and session data when accessing the Hyland Cloud platform remotely. Connections to the OnBase Online platform are encrypted using HTTPS, PCoIP, or Blast secure protocol. Access to the encryption configuration is limited to authorized individuals.
IVS-05 Implementers shall ensure that the security vulnerability assessment tools or services accommodate the virtualization technologies used (e.g., virtualization aware).
GCS utilizes third-party software to conduct internal and external vulnerability assessments on a quarterly basis. These vulnerability assessments scan all virtual and physical servers and machines. Remediation plans are created to address critical issues and are tracked to completion as part of the internal review process.
Chapter 12: Interoperability & Portability
Control Group Control ID Control Specification Hyland Response
Interoperability & Portability - APIs
IPY-01 The provider shall use open and published APIs to ensure support for interoperability between components and to facilitate migrating applications.
OnBase has a proprietary API that is approved for use by customers. Customers may use their own API; however, it must undergo review by GCS employees and be approved before it can be used.
Interoperability & Portability - Data Request
IPY-02 All structured and unstructured data shall be available to the customer and provided to them upon request in an industry-standard format (e.g., .doc, .xls, .pdf, logs, and flat files).
Hyland applications do not utilize a proprietary data format. Customer data can be uploaded in any format accepted by the application (industry-standard formats) and will be returned in the same format.
Interoperability & Portability - Policy & Legal
IPY-03 Policies, procedures, and mutually-agreed upon provisions and/or terms shall be established to satisfy customer (tenant) requirements for service-to-service application (API) and information processing interoperability, and portability for application development and information exchange, usage, and integrity persistence.
Customers are given the option of purchasing a license for the OnBase API. To interact with the API (other than as an end user) the customer must have an individual attend the OnBase API Training Class. Upon completion of this class, the customer will receive documentation and information on proper use of the API and continued support from Hyland.
IPY-04 The provider shall use secure (e.g., non-clear text and authenticated) standardized network protocols for the import and export of data and to manage the service, and shall make available a document to consumers (tenants) detailing the relevant interoperability and portability standards that are involved.
GCS utilizes secure transport encryption methods, such as SSL, for securing user authentication and session data when accessing the OnBase Online Cloud platform remotely. Connections to the Hyland Cloud Platform are encrypted using HTTPS, PCoIP, or Blast secure protocol. Access to the encryption configuration is limited to authorized individuals.
Interoperability & Portability - Virtualization
IPY-05 The provider shall use an industry-recognized virtualization platform and standard virtualization formats (e.g., OVF) to help ensure interoperability, and shall have documented custom changes made to any hypervisor in use and all solution-specific virtualization hooks available for customer review.
GCS uses an industry-recognized virtualization platform and the OVF virtualization format. GCS maintains documented change management procedures and records all change requests related to virtual machines in Hyland's document management system. Change requests must be approved by an authorized employee and tested before changes can be implemented.
Mobile Security - Anti-Malware
MOS-01 Anti-malware awareness training, specific to mobile devices, shall be included in the provider's information security awareness training.
Mobile devices are not permitted on the Hyland Cloud Platform.
Mobile Security - Application Stores
MOS-02 A documented list of approved application stores has been defined as acceptable for mobile devices accessing or storing provider managed data.
Mobile devices are not permitted on the Hyland Cloud Platform.
Mobile Security - Approved Applications
MOS-03 The company shall have a documented policy prohibiting the installation of non-approved applications or approved applications not obtained through a pre-identified application store.
Mobile devices are not permitted on the Hyland Cloud Platform.
Mobile Security - Approved
MOS-04 The BYOD policy and supporting awareness training clearly states the approved applications, application stores, and application extensions and plugins that may be used for BYOD usage.
Mobile devices are not permitted on the Hyland Cloud Platform.
Mobile Security - Awareness and Training
MOS-05 The provider shall have a documented mobile device policy that includes a documented definition for mobile devices and the acceptable usage and requirements for all mobile devices. Theprovider shall post and communicate the policy and requirements through the company's security awareness and training program.
Mobile devices are not permitted on the Hyland Cloud Platform.
Mobile Security - Cloud Based Services
MOS-06 All cloud-based services used by the company's mobile devices or BYOD shall be pre-approved for usage and the storage of company business data.
Mobile devices are not permitted on the Hyland Cloud Platform.
Mobile Security - Compatibility
MOS-07 The company shall have a documented application validation process to test for mobile device, operating system, and application compatibility issues.
Mobile devices are not permitted on the Hyland Cloud Platform.
Mobile Security - Device Eligibility
MOS-08 The BYOD policy shall define the device and eligibility requirements to allow for BYOD usage.
Mobile devices are not permitted on the Hyland Cloud Platform.
Mobile Security - Device Inventory
MOS-09 An inventory of all mobile devices used to store and access company data shall be kept and maintained. All changes to the status of these devices (i.e., operating system and patch levels, lost or decommissioned status, and to whom the device is assigned or approved for usage (BYOD)) will be included for each device in the inventory.
Mobile devices are not permitted on the Hyland Cloud Platform.
Mobile Security - Device Management
MOS-10 A centralized, mobile device management solution shall be deployed to all mobile devices permitted to store, transmit, or process customer data.
Mobile devices are not permitted on the Hyland Cloud Platform.
Mobile Security - Encryption
MOS-11 The mobile device policy shall require the use of encryption either for the entire device or for data identified as sensitive on all mobile devices, and shall
Mobile devices are not permitted on the Hyland Cloud Platform.
MOS-12 The mobile device policy shall prohibit the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting) and shall enforce the prohibition through detective and preventative controls on the device or through a centralized device management system (e.g., mobile device management).
Mobile devices are not permitted on the Hyland Cloud Platform.
Mobile Security - Legal
MOS-13 The BYOD policy includes clarifying language for the expectation of privacy, requirements for litigation, e-discovery, and legal holds. The BYOD policy shall clearly state the expectations regarding the loss of non-company data in the case a wipe of the device is required.
Mobile devices are not permitted on the Hyland Cloud Platform.
Mobile Security - Lockout Screen
MOS-14 BYOD and/or company-owned devices are configured to require an automatic lockout screen, and the requirement shall be enforced through technical controls.
Mobile devices are not permitted on the Hyland Cloud Platform.
Mobile Security - Operating Systems
MOS-15 Changes to mobile device operating systems, patch levels, and/or applications shall be managed through the company's change management processes.
Mobile devices are not permitted on the Hyland Cloud Platform.
Mobile Security - Passwords
MOS-16 Password policies, applicable to mobile devices, shall be documented and enforced through technical controls on all company devices or devices approved for BYOD usage, and shall prohibit the changing of password/PIN lengths and authentication requirements.
Mobile devices are not permitted on the Hyland Cloud Platform.
Mobile Security - Policy
MOS-17 The mobile device policy shall require the BYOD user to perform backups of data, prohibit the usage of unapproved application stores, and require the use of anti-malware software (where supported).
Mobile devices are not permitted on the Hyland Cloud Platform.
Mobile Security - Remote Wipe
MOS-18 All mobile devices permitted for use through the company BYOD program or a company-assigned mobile device shall allow for remote wipe by the company's corporate IT or shall have all company-provided data wiped by the company's corporate IT.
Mobile devices are not permitted on the Hyland Cloud Platform.
Mobile Security - Security Patches
MOS-19 Mobile devices connecting to corporate networks, or storing and accessing company information, shall allow for remote software version/patch validation. All mobile devices shall have the latest available security-related patches installed upon general release by the device manufacturer or carrier and authorized IT personnel shall be able to perform these updates remotely.
Mobile devices are not permitted on the Hyland Cloud Platform.
Mobile Security - Users
MOS-20 The BYOD policy shall clarify the systems and servers allowed for use or access on a BYOD-enabled device.
Mobile devices are not permitted on the Hyland Cloud Platform.
SEF-01 Points of contact for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities shall be maintained and regularly updated (e.g., change in impacted-scope and/or a change in any compliance obligation) to ensure direct compliance liaisons have been established and to be prepared for a forensic investigation requiring rapid engagement with law enforcement.
GCS maintains applicable industry contacts.
SEF-02 Policies and procedures shall be established, and supporting business processes and technical measures implemented, to triage security-related events and ensure timely and thorough incident management, as per established IT service management policies and procedures.
GCS maintains documented incident reporting procedures. Incident reports are recorded and tracked to completion within Hyland's document management system. Customer notification is provided when applicable.
GCS maintains a Customer Process Manual which describes the Hyland Cloud platform, its boundaries, the obligations/commitments of each party as it concerns security and availability, customer notification of related incidents, and also the procedure for customers to report security and/or availability issues. The Customer Process Manual is updated and released annually by GCS directly to registered customers through email.
GCS maintains an internal audit program that focuses on developing, implementing, maintaining, and reassessing security controls to support risk mitigation strategies. The areas of focus include, but are not limited to, policy and procedure, logical and physical access, and business continuity. Quarterly internal audit results are compiled by the Governance, Risk and Compliance team and sent to the AVP of GCS.
SEF-03 Workforce personnel and external business relationships shall be informed of their responsibilities and, if required, shall consent and/or contractually agree to report all information security events in a timely manner. Information security events shall be reported through predefined communications channels in a timely manner adhering to applicable legal, statutory, or regulatory compliance obligations.
GCS maintains an Employee Process Manual which describes the Hyland Cloud platform, its boundaries, the obligations/commitments of each party as it concerns security and availability, customer notification of related incidents, and also the procedures for employees to report security and/or availability issues. The Employee Process Manual is released to the GCS department using Hyland's document management system. GCS employees are required to acknowledge and accept the latest version of the process manual by supplying electronic acknowledgement using Hyland's document management system.
SEF-04 Proper forensic procedures, including chain of custody, are required for the presentation of evidence to support potential legal action subject to the relevant jurisdiction after an information security incident. Upon notification, customers and/or other external business partners impacted by a security breach shall be given the opportunity to participate as is legally permissible in the forensic investigation.
GCS maintains procedures for proper collection of evidence during a security incident, including legal requirements for maintaining proper chain of custody.
SEF-05 Mechanisms shall be put in place to monitor and quantify the types, volumes, and costs of information security incidents.
GCS maintains documented incident reporting procedures. Incident reports are recorded and tracked to completion within Hyland's document management system. Customer notification is provided when applicable.
Chapter 15: Supply Chain Management, Transparency and Accountability
Supply Chain Management, Transparency and Accountability - Data Quality and Integrity
STA-01 Providers shall inspect, account for, and work with their cloud supply-chain partners to correct data quality errors and associated risks. Providers shall design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privilege access for all personnel within their supply chain.
GCS has a Vendor Management Program which includes a process to review critical vendors on an annual basis.
Supply Chain Management, Transparency and Accountability - Incident Reporting
STA-02 The provider shall make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals).
GCS maintains documented incident reporting procedures. Incident reports are recorded and tracked to completion within Hyland's document management system. Customer notification is provided when applicable.
Supply Chain Management, Transparency and Accountability - Network / Infrastructure Services
STA-03 Business-critical or customer (tenant) impacting (physical and virtual) application and system-system interface (API) designs and configurations, and infrastructure network and systems components, shall be designed, developed, and deployed in accordance with mutually agreed-upon service and capacity-level expectations, as well as IT governance and service management policies and procedures.
GCS monitors system capacity and resource usage to support the capacity objectives as determined by the GCS system owners. On at least an annual basis, future system capacity projections are planned to limit disruptions to the Hyland Cloud Platform and to prepare future growth trends.
GCS maintains an internal audit program that focuses on developing, implementing, maintaining, and reassessing security controls to support risk mitigation strategies. The areas of focus include, but are not limited to, policy and procedure, logical and physical access, and business continuity. Quarterly internal audit results are compiled by the Governance, Risk and Compliance team and sent to the AVP of GCS.
Supply Chain Management, Transparency and Accountability - Provider Internal Assessments
STA-04 The provider shall perform annual internal assessments of conformance to, and effectiveness of, its policies, procedures, and supporting measures and metrics.
GCS has a Vendor Management Program which includes a process to review critical vendors on an annual basis.
Supply Chain Management, Transparency and Accountability - Supply Chain Agreements
STA-05 Supply chain agreements (e.g., SLAs) between providers and customers (tenants) shall incorporate at least the following mutually-agreed upon provisions and/or terms:
• Scope of business relationship and services offered (e.g., customer (tenant) data acquisition, exchange and usage, feature sets and functionality, personnel and infrastructure network and systems components for service delivery and support, roles and responsibilities of provider and customer (tenant) and any subcontracted or outsourced business relationships, physical geographical location of hosted services, and any known regulatory compliance considerations)
• Information security requirements, provider and customer (tenant) primary points of contact for the duration of the business relationship, and references to detailed supporting and relevant business processes and technical measures implemented to enable effective governance, risk management, assurance and legal, statutory and regulatory compliance obligations by all impacted business relationships
• Notification and/or pre-authorization of any changes controlled by the provider with customer (tenant) impacts
• Timely notification of a security incident (or confirmed breach) to all customers (tenants) and other business relationships impacted (i.e., up- and down-stream impacted supply chain)
• Assessment and independent verification of compliance with agreement provisions and/or terms (e.g., industry-acceptable certification, attestation audit report, or equivalent forms of assurance) without posing an unacceptable business risk of exposure to the organization being assessed
• Expiration of the business relationship and treatment of customer (tenant) data impacted
• Customer (tenant) service-to-service application (API) and data interoperability and portability requirements for application development and information exchange, usage, and integrity persistence
GCS maintains a Vendor Management Program that assesses risks associated with critical vendors. This includes review of contracts and contractual obligations, items related to services offered, financial viability, legal and compliance concerns, and any information security risks.
Supply Chain Management, Transparency and Accountability: Supply Chain Governance Reviews
STA-06 Providers shall review the risk management and governance processes of their partners so that practices are consistent and aligned to account for risks inherited from other members of that partner's cloud supply chain.
GCS maintains a Vendor Management Program that assesses risks associated with critical vendors. This includes review of contracts and contractual obligations, items related to services offered, financial viability, legal and compliance concerns, and any information security risks.
Supply Chain Management, Transparency and Accountability: Supply Chain Metrics
STA-07 Policies and procedures shall be implemented to ensure the consistent review of service agreements (e.g., SLAs) between providers and customers (tenants) across the relevant supply chain (upstream/downstream). Reviews shall be performed at least annually and identify any non-conformance to established agreements. The reviews should result in actions to address service-level conflicts or inconsistencies resulting from disparate supplier relationships.
GCS maintains a Vendor Management Program that assesses risks associated with critical vendors. This includes review of contracts and contractual obligations, items related to services offered, financial viability, legal and compliance concerns, and any information security risks.
Supply Chain Management, Transparency and Accountability: Third Party Assessment
STA-08 Providers shall assure reasonable information security across their information supply chain by performing an annual review. The review shall include all partners/third-party providers on which their information supply chain depends.
GCS maintains a Vendor Management Program that assesses risks associated with critical vendors. This includes review of contracts and contractual obligations, items related to services offered, financial viability, legal and compliance concerns, and any information security risks.
Supply Chain Management, Transparency and Accountability: Third Party Audits
STA-09 Third-party service providers shall demonstrate compliance with information security and confidentiality, access control, service definitions, and delivery level agreements included in third-party contracts. Third-party reports, records, and services shall undergo audit and review at least annually to govern and maintain compliance with the service delivery agreements.
GCS maintains a Vendor Management Program that assesses risks associated with critical vendors. This includes review of contracts and contractual obligations, items related to services offered, financial viability, legal and compliance concerns, and any information security risks.
At least annually, an independent review of the Information Security Management System is conducted by a trusted third party. This review validates that the information security management system effectively monitors the organization for security and availability, including the policies and procedures governing maintenance of the OnBase Online Cloud Platform and the Internal Audit Program. The external audit reports are available to customers upon request.
Threat and Vulnerability Management: Anti-Virus / Malicious Software
TVM-01 Policies and procedures shall be established, and supporting business processes and technical measures implemented, to prevent the execution of malware on organizationally-owned or managed user end-point devices (i.e., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.
Anti-virus software is configured to update virus definitions on a daily basis.
Administrative access to the anti-virus configuration is restricted to authorized users.
GCS uses firewalls to prevent unauthorized network access. Firewall standards are documented in the Operations Security Policy and allow network access only to the specific protocols required to support end-user solutions.
GCS utilizes third party software to conduct internal and external vulnerability assessments on a quarterly basis. Assessments are reviewed to ensure that unencrypted network protocols are disabled. Remediation plans are created to address critical issues and are tracked to completion as part of the internal review process.
Threat and Vulnerability Management: Mobile Code
TVM-03 Policies and procedures shall be established, and supporting business processes and technical measures implemented, to prevent the execution of unauthorized mobile code, defined as software transferred between systems over a trusted or untrusted network and executed on a local system without explicit installation or execution by the recipient, on organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.
No mobile code is permitted in the Hyland Cloud Platform.
Threat and Vulnerability Management: Vulnerability / Patch Management
TVM-02 Policies and procedures shall be established, and supporting processes and technical measures implemented, for timely detection of vulnerabilities within organizationally-owned or managed applications, infrastructure network and system components (e.g., network vulnerability assessment, penetration testing) to ensure the efficiency of implemented security controls. A risk-based model for prioritizing remediation of identified vulnerabilities shall be used. Changes shall be managed through a change management process for all vendor-supplied patches, configuration changes, or changes to the organization's internally developed software. Upon request, the provider informs customer (tenant) of policies and procedures and identified weaknesses, especially if customer (tenant) data is used as part of the service and/or customer (tenant) has some shared responsibility over implementation of the control.
GCS utilizes third party software to conduct internal and external vulnerability assessments on a quarterly basis. Assessments are reviewed to ensure that unencrypted network protocols are disabled. Remediation plans are created to address critical issues and are tracked to completion as part of the internal review process.
GCS maintains an internal audit program that focuses on developing, implementing, maintaining, and reassessing security controls to support risk mitigation strategies. The areas of focus include, but are not limited to, policy and procedure, logical and physical access, and business continuity. Quarterly internal audit results are compiled by the Governance, Risk and Compliance team and sent to the AVP of GCS.
A formal risk assessment is conducted annually by the Governance, Risk and Compliance team. Potential threats and vulnerabilities related to security and availability (which include environmental, regulatory, technological changes) are reviewed and categorized. Remediation plans are created as needed and may include updates/changes to the current Information Security policies. The completed assessment is reviewed and approved by the AVP of GCS.