Cloud security Alliance star · 2019-08-15


CLOUD SECURITY ALLIANCE STAR (SECURITY, TRUST AND ASSURANCE REGISTRY) SUBMISSION FOR THE HYLAND CLOUD

August 2017

About the Cloud Security Alliance

The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing and provides education on the use of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders.

The Cloud Security Alliance (CSA) launched the Security, Trust & Assurance Registry (STAR) initiative at the end of 2011. The CSA STAR is the first step in improving transparency and assurance in the cloud. The CSA Security, Trust & Assurance Registry (STAR) is a publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with.

Hyland places the highest emphasis on delivering secure, reliable cloud solutions and is delighted to be working with the CSA to deliver a transparent mechanism such as STAR to assist customers in their cloud-related decision making process.

© Hyland Software, Inc. All rights reserved.


Introduction to the Hyland Cloud

When it comes to cloud deployments, experience matters. With experience comes more functionality, an established history of demonstrated service levels, proven security and a large, active customer community.

The Hyland Cloud delivers that experience. In 2004, Hyland’s enterprise content management (ECM) offering, OnBase, was the first mainstream online ECM solution to be deployed in the cloud. Hyland continues to pioneer innovative cloud solutions today.

When deployed in the Hyland Cloud, the exact same ECM software is used for 700+ hosted OnBase customers as is used for Hyland’s on-premises OnBase deployments. The solution is offered via our world-class hosting environments, located in several locations around the globe.

The Hyland Cloud provides a full technical infrastructure and software platform that allows organizations to harness the power of OnBase without purchasing or managing hardware and software on-premises.

Hyland Cloud Provides

• Full ECM in the cloud with OnBase
• Stringent compliance with ISO 27001:2013, SOC 1, 2 and 3 as well as Privacy Shield standards
• Physical and network security with multiple network layers separated by multiple firewalls
• Burstable bandwidth for maximum upload and download speed
• Three-copy replication management spread across multiple physical locations
• Disaster recovery processes and business continuity commitments
• Software performance optimization including load-balanced application and web servers
• Environment operating system purchase, maintenance and licensing
• Solution availability, optimization and assurance needed to support the OnBase application
• Database software purchase, maintenance and licensing needed to support the OnBase application
• Centralized server management and upgrades

Functionality

When you deploy a cloud-based ECM solution, you don’t want to sacrifice functionality. However, many other cloud-based ECM solutions provide less functionality than their on-premises equivalents. Other solutions do not have the flexibility, nor are they advanced enough to provide a fully featured ECM suite.

This is not the case with OnBase in the Hyland Cloud. Users enjoy full functionality of ECM, capture, business process management, enterprise file sync and share, mobility, integration and case management. It’s so seamless that many users don’t even realize they are working on systems and data stored in the cloud.

Software

Since 2004, Hyland has offered users the ability to use the OnBase application as a service in the Hyland Cloud.

With our hosted offering, customers choose the features and functionality they want, then the OnBase experts create that solution and provide access to it in the cloud. Your OnBase solution is available when and where you need it. In addition, our SLAs provide clear and concise details of available remedies should availability be compromised at any point.



The Hyland Cloud features one of the most powerful server and networking infrastructure topologies in the market. OnBase experts maintain the infrastructure and deploy and upgrade your solution, freeing up your IT resources for other strategic initiatives. Plus, you can change and grow your cloud solution when and how you need to.

Data Center Infrastructure

Worldwide Data Centers

Hyland provides you with complete details of where all copies of your data and systems are stored and operated through a completely transparent data location policy. Customers have a designated primary location in one of Hyland’s worldwide data centers, typically the data center physically closest to them (but accommodated to their preferences if necessary). We have data centers across the U.S., as well as in London, England; Amsterdam, the Netherlands; Queretaro, Mexico; Sydney and Melbourne, Australia; and Auckland and Wellington, New Zealand.



Network Infrastructure and Connectivity

The Hyland Cloud maintains access to the global IP backbone via dual-access routers connected to multiple backbone nodes. Back-end connectivity and network service facilities include asynchronous transfer mode (ATM), frame relay and circuit-switching. These capabilities provide high-speed internet access with burstable WAN bandwidth as part of the service classes, ensuring your content is uploaded to the system and put to use as quickly as possible.

Private, Managed, Multi-Instance Cloud

The Hyland Cloud provides an environment that delivers high-availability and high-performance ECM in the cloud. Each organization deployed to the Hyland Cloud receives its own instance of the OnBase software. Each solution includes dedicated resources for each customer and their data. In addition, Hyland fully manages critical daily maintenance functions of all infrastructure, hardware and software associated with the environment. This all comes together to create a unique, secure and resilient ECM-in-the-cloud solution.

Environmental Controls

All data centers are equipped with standard computer room environmental systems, including:

• Computer room air conditioning (CRAC) units
• Environmental monitoring system
• Fire detection units
• Fire suppression units
• Water detection system
• Raised floor
• Emergency power off (EPO) switches or equivalent procedures

These controls ensure that the hardware infrastructure running your OnBase solution remains in optimum condition at all times, minimizing the potential for downtime due to equipment failure or environmental incidents.

Compliance

The Hyland Cloud serves more than 700 lifetime customers worldwide, many of whom depend on the solution to meet a number of stringent regulatory demands including HIPAA, GLBA, SOX, SEC 17a-4 and international data sovereignty requirements.

The success of the Hyland Cloud is driven by customer trust. Customers entrust the handling of their vital business information and processes to the Hyland Cloud every day. In return, Hyland backs this trust with product certifications and audits undertaken on associated data centers and processes. The Hyland Cloud meets the following certifications and audits:

ISO 27001

ISO 27001 is a globally recognized information security standard that tests an organization’s information security risks, taking account of threats, vulnerabilities and impacts. It is considered a coherent and comprehensive suite of information security controls.

ISO 27001 certification has been achieved for Hyland’s cloud operations in New South Wales, Australia. Expanding this certification scope across Hyland’s global footprint is a component of Hyland’s compliance roadmap.

SOC 1, 2 & 3

SOC standards are among the most stringent standards of security measurement for an operations center or data center. All Hyland Cloud data centers boast SOC 1, SOC 2 and/or SOC 3 certification. Additionally, Hyland’s Cloud Services undertakes SOC 2 and SOC 3 audits annually, and performs quarterly internal audits and ongoing penetration and vulnerability tests.



Security

Physical and Network Security

All Hyland Cloud data centers are staffed by security personnel and covered by surveillance cameras. Hyland limits physical access to pre-authorized staff and visitors, who are provided with access via multi-factor authentication that limits them to authorized areas only.

• Hardware is physically separated from any other hosting provided in the data center.
• Hardware is physically secured using separate cages and locking cabinets.
• Man traps, air locks, multiple access doors and other security measures prevent unauthorized access.
• Biometric controls and other cutting-edge technologies are utilized.
• Access to hardware is via multi-factor authentication.
• Network infrastructure components and services such as routing, switching and bandwidth are monitored 24/7.
• Certified engineers are available to resolve any issues as per the customer’s chosen service class.
• Automated network intrusion monitoring procedures operate 24/7.

Transport Security

Communication between OnBase clients and the Hyland Cloud is encrypted using up to AES-256-bit TLS 1.2 or higher and SSH2. This ensures that content and operations are secure from interference or interception en route.

Power

Hyland provides redundant uninterruptible power supplies (UPS) with multiple modules synchronized to work in unison or independently. Each data center also has multiple, redundant generators to provide alternative power should the electricity fail. The switchover from commercial power to generator power is managed and covered by the UPS system to ensure that there is no loss of power to Hyland Cloud servers.

Application Security

Hyland Cloud users automatically receive access to new version upgrades when they are available. However, no upgrade is performed without customer knowledge, nor are upgrades forced. End users elect when they prefer to upgrade to a more recent version. Upgrades can be performed in such a way that limited downtime is experienced by users. Customers can also request test environments to perform appropriate testing on new versions (or any other aspect of the solution).



Hyland Global Cloud Services Staff Selection

Hyland carefully selects and screens staff managing the Hyland Cloud against numerous government and criminal checks. Hyland provides Cloud Services staff with detailed, customized and ongoing training, and they are rigorously audited and certified every year.

Business Continuity

Availability and Disaster Recovery

The Hyland Cloud service classes allow you to select exactly how your service is managed and measured in terms of both availability and recovery time.

Availability defines what percentage of time the service is online (i.e., accessible by users). Downtime will have a negative effect on any organization, but the impact of that downtime will vary based on the type of organization and the content managed within the system. OnBase in the Hyland Cloud is delivered with a choice of four service classes: Silver, Gold, Platinum and Double Platinum. Pricing for these service classes is combined with the hosting fee, ensuring a clear and simple monthly cost. Availability commitments are as high as 99.9%.

Any hosting service needs to be both reliable and resilient. However, there is a risk of failure with any system, and the speed and comprehensive ability to recover from any unexpected failure is a key aspect of a cloud solution. The Hyland Cloud delivers two important elements to support business continuity:

• Recovery Point Objective: If the system unexpectedly goes down without warning, a certain amount of data may be lost between the point of failure and the last backup. The recovery point objective is the amount of time that elapses during which data cannot be recovered and is defined by the service class selected by the customer.
• Recovery Time Objective: When a system experiences downtime, the relevant technical team requires a period of time to not only restart the systems, but also to identify and fix any lingering issues with the infrastructure, software or otherwise. The recovery time objective represents the time required to restore the Hyland Cloud services and is defined by the service class selected by the customer.



Hyland Cloud Response to the CSA Cloud Controls Matrix

Contents

Chapter 1: Application & Interface Security (p. 11)
Chapter 2: Audit Assurance & Compliance (p. 12)
Chapter 3: Business Continuity Management & Operational Resilience (p. 14)
Chapter 4: Change Control & Configuration Management (p. 19)
Chapter 5: Data Security & Lifecycle Management (p. 22)
Chapter 6: Datacenter Security (p. 24)
Chapter 7: Encryption & Key Management (p. 27)
Chapter 8: Governance and Risk Management (p. 29)
Chapter 9: Human Resources (p. 33)
Chapter 10: Identity & Access Management (p. 36)
Chapter 11: Infrastructure & Virtualization Security (p. 42)
Chapter 12: Interoperability & Portability (p. 46)
Chapter 13: Mobile Security (p. 48)



Chapter 14: Security Incident Management, E-Discovery & Cloud (p. 52)
Chapter 15: Supply Chain Management, Transparency and Accountability (p. 54)
Chapter 16: Threat and Vulnerability Management (p. 58)



Chapter 1: Application & Interface Security

AIS-01 Application Security (Application & Interface Security)
Control Specification: Applications and programming interfaces (APIs) shall be designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.
Hyland Response: Applications and code not developed by Hyland Software, Inc. are reviewed and tested by Hyland's Global Cloud Services (GCS) department before being deployed in the Hyland Cloud Platform. Testing of applications developed by Hyland Software, Inc. is completed by the Hyland Development Team on the Corporate network in accordance with industry best practices for security.

AIS-02 Customer Access Requirements (Application & Interface Security)
Control Specification: Prior to granting customers access to data, assets, and information systems, identified security, contractual, and regulatory requirements for customer access shall be addressed.
Hyland Response: Customer administrators control user access, user permissions, and data retention with respect to their Hosted Solutions.

AIS-03 Data Integrity (Application & Interface Security)
Control Specification: Data input and output integrity routines (i.e., reconciliation and edit checks) shall be implemented for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse.
Hyland Response: The customer maintains ownership of all customer data uploaded to their Hosted Solution through the full lifecycle period. Hyland employee access to customer data is restricted to authorized users and requires valid business justification.



Chapter 2: Audit Assurance & Compliance

AAC-01 Audit Planning (Audit Assurance & Compliance)
Control Specification: Audit plans shall be developed and maintained to address business process disruptions. Auditing plans shall focus on reviewing the effectiveness of the implementation of security operations. All audit activities must be agreed upon prior to executing any audits.
Hyland Response: GCS maintains an internal audit program that focuses on developing, implementing, maintaining, and reassessing security controls to support risk mitigation strategies. The areas of focus include, but are not limited to, policy and procedure, logical and physical access, and business continuity. Quarterly internal audit results are compiled by the Governance, Risk and Compliance team and sent to the Associate Vice President of Hyland Global Cloud Services.

Audit program and testing plans are developed based on industry best practices and standards, including ISO 27001, AICPA Trust Services Criteria, NIST and FFIEC. Auditing plans are established annually and approved by the Associate Vice President of Global Cloud Services. Auditing plans include selected controls, testing frequency, and scope.

AAC-02 Independent Audits (Audit Assurance & Compliance)
Control Specification: Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations.
Hyland Response: The Hyland Cloud Platform is SOC 2 and SOC 3 audited on an annual basis. These reports are provided to customers with confidentiality agreements in place.

Hyland Global Cloud Services maintains an internal audit program that conducts reviews of the Hyland Cloud Platform on at least a quarterly basis. Risk Assessments are conducted on an annual basis. Customers have the ability to conduct reviews of the Hyland Cloud Platform at their sole expense and within defined and mutually agreed upon parameters.

AAC-03 Information System Regulatory Mapping (Audit Assurance & Compliance)
Control Specification: Organizations shall create and maintain a control framework which captures standards, regulatory, legal, and statutory requirements relevant for their business needs. The control framework shall be reviewed at least annually to ensure changes that could affect the business processes are reflected.
Hyland Response: Audit program and testing plans are developed based on industry best practices and standards, including ISO 27001, AICPA Trust Services Criteria, NIST and FFIEC. Auditing plans are established annually and approved by the Associate Vice President of Global Cloud Services. Auditing plans include selected controls, testing frequency, and scope.

The GCS GRC Team monitors regulatory changes within the relevant jurisdictions. When applicable, modifications are made to the ISMS and the Internal Audit Program to ensure continued compliance with all applicable legislative and regulatory requirements.

Chapter 3: Business Continuity Management & Operational Resilience

BCR-01 Business Continuity Planning (Business Continuity Management & Operational Resilience)
Control Specification: A consistent unified framework for business continuity planning and plan development shall be established, documented, and adopted to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements. Requirements for business continuity plans include the following:
• Defined purpose and scope, aligned with relevant dependencies
• Accessible to and understood by those who will use them
• Owned by a named person(s) who is responsible for their review, update, and approval
• Defined lines of communication, roles, and responsibilities
• Detailed recovery procedures, manual work-around, and reference information
• Method for plan invocation
Hyland Response: Hyland Global Cloud Services maintains a documented policy that outlines the disaster recovery procedures. Disaster Recovery (DR) tests that include failover tests are performed at least annually against the Hyland Cloud platform.

Hyland Global Cloud Services maintains a near real-time data replication process to back up customer data stored within the Hyland Cloud Platform production environment. The data replication process and data backup objectives are reviewed on at least an annual basis as part of the internal system review process by the Associate Vice President of Hyland Global Cloud Services. Access to modify the backup configuration is limited to authorized individuals.

BCR-02 Business Continuity Testing (Business Continuity Management & Operational Resilience)
Control Specification: Business continuity and security incident response plans shall be subject to testing at planned intervals or upon significant organizational or environmental changes. Incident response plans shall involve impacted customers (tenant) and other business relationships that represent critical intra-supply chain business process dependencies.
Hyland Response: GCS maintains a documented policy that outlines the disaster recovery procedures. Disaster Recovery (DR) tests that include failover tests are performed at least annually against the Hyland Cloud platform.

GCS maintains documented incident reporting procedures. Incident reports are recorded and tracked to completion within Hyland's document management system. Customer notification is provided when applicable.

GCS maintains a Customer Process Manual which describes the Hyland Cloud platform, its boundaries, the obligations/commitments of each party as it concerns security and availability, customer notification of related incidents, and also the procedure for customers to report security and/or availability issues. The Customer Process Manual is updated and published annually by GCS directly to registered customers.

BCR-03 Datacenter Utilities / Environmental Conditions (Business Continuity Management & Operational Resilience)
Control Specification: Datacenter utilities services and environmental conditions (e.g., water, power, temperature and humidity controls, telecommunications, and internet connectivity) shall be secured, monitored, maintained, and tested for continual effectiveness at planned intervals to ensure protection from unauthorized interception or damage, and designed with automated fail-over or other redundancies in the event of planned or unplanned disruptions.
Hyland Response: The Hyland Cloud platform is housed within ISO 27001 certified and SOC 1 and SOC 3 audited data centers (or reasonable equivalent). GCS validates each data center's compliance certifications and applicable audit reports annually. Additional documentation may be provided upon completion of a Non-Disclosure Agreement.

BCR-04 Documentation (Business Continuity Management & Operational Resilience)
Control Specification: Information system documentation (e.g., administrator and user guides, and architecture diagrams) shall be made available to authorized personnel to ensure the following:
• Configuring, installing, and operating the information system
• Effectively using the system’s security features
Hyland Response: Customers may access the Hyland Cloud Portal which provides information regarding proper usage of their solution. Customers are provided access to documentation describing the applicable security features available within their Hosted Solution and specifically how to ensure increased security in the Hyland Cloud Platform.

GCS maintains architecture diagrams of the Hyland Cloud Platform depicting the hosting environment and network. Customers may request specific diagrams of their solutions.

An Employee Process Manual is established to describe the system and its boundaries, the obligations of users as well as system commitments, system standards and procedures, and the procedure for submitting feedback, complaints, and issues related to system availability and/or security, and is distributed to Hyland employees.

BCR-05 Environmental Risks (Business Continuity Management & Operational Resilience)
Control Specification: Physical protection against damage from natural causes and disasters, as well as deliberate attacks, including fire, flood, atmospheric electrical discharge, solar induced geomagnetic storm, wind, earthquake, tsunami, explosion, nuclear accident, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, and other forms of natural or man-made disaster shall be anticipated, designed, and have countermeasures applied.
Hyland Response: The Hyland Cloud platform is housed within ISO 27001 certified and SOC 1 and SOC 3 audited data centers (or reasonable equivalent). GCS validates each data center's compliance certifications and applicable audit reports annually. Additional documentation may be provided upon completion of a Non-Disclosure Agreement.

BCR-06 Equipment Location (Business Continuity Management & Operational Resilience)
Control Specification: To reduce the risks from environmental threats, hazards, and opportunities for unauthorized access, equipment shall be kept away from locations subject to high probability environmental risks and supplemented by redundant equipment located at a reasonable distance.
Hyland Response: The Hyland Cloud platform is housed within ISO 27001 certified and SOC 1 and SOC 3 audited data centers (or reasonable equivalent). GCS validates each data center's compliance certifications and applicable audit reports annually. Additional documentation may be provided upon completion of a Non-Disclosure Agreement. Hyland Cloud data centers are not located in areas with a high probability of environmental risks. All backup sites are located at least 200 miles from the production data center.

Business Continuity Management & Operational ResilienceEquipment Maintenance

BCR-07 Policies and procedures shall be established, and supporting business processes and technical measures implemented, for equipment maintenance ensuring continuity and availability of operations and support personnel.

GCS monitors system capacity and resource usage to support the capacity objectives determined by the GCS system owners. On at least an annual basis, future system capacity projections are planned to limit disruptions to the Hyland Cloud platform and to prepare for future growth trends.

Business Continuity Management & Operational Resilience: Equipment Power Failures

BCR-08 Protection measures shall be put into place to react to natural and man-made threats based upon a geographically-specific business impact assessment.

The Hyland Cloud platform is housed within ISO 27001 certified and SOC 1 and SOC 3 audited data centers (or reasonable equivalent). GCS validates each data center's compliance certifications and applicable audit reports annually. Additional documentation may be provided upon completion of a Non-Disclosure Agreement.

The Hyland Cloud environment is N+1 redundant, providing automatic failover of the components that comprise the Hyland Cloud platform. The data is also replicated to a second copy in the primary data center and a tertiary copy in a secondary data center.

Business Continuity Management & Operational Resilience: Impact Analysis

BCR-09 There shall be a defined and documented method for determining the impact of any disruption to the organization (cloud provider, cloud consumer) that must incorporate the following:
• Identify critical products and services
• Identify all dependencies, including processes, applications, business partners, and third party service providers
• Understand threats to critical products and services
• Determine impacts resulting from planned or unplanned disruptions and how these vary over time
• Establish the maximum tolerable period for disruption
• Establish priorities for recovery
• Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption
• Estimate the resources required for resumption

System maintenance, classified as either planned or unplanned, which could affect the security and/or availability of the Hyland Cloud is communicated to affected customers per documented procedures outlined in the Customer Process Manual.

GCS maintains documented incident reporting procedures. Incident reports are recorded and tracked to completion within Hyland's document management system. Customer notification is provided when applicable.

Hyland Cloud Platform customers may request a service availability report containing a list of service level availability (SLA) incidents that have been reported by Customer. The report will reflect each incident's confirmation or rejection by Hyland.

Business Continuity Management & Operational Resilience: Policy

BCR-10 Policies and procedures shall be established, and supporting business processes and technical measures implemented, for appropriate IT governance and service management to ensure appropriate planning, delivery, and support of the organization's IT capabilities supporting business functions, workforce, and/or customers based on industry acceptable standards (i.e., ITIL v4 and COBIT 5). Additionally, policies and procedures shall include defined roles and responsibilities supported by regular workforce training.

GCS maintains a documented policy that outlines the disaster recovery procedures. Disaster Recovery (DR) tests that include failover tests are performed at least annually against the Hyland Cloud platform.

GCS maintains an Employee Process Manual which describes the Hyland Cloud platform, its boundaries, the obligations/commitments of each party as it concerns security and availability, customer notification of related incidents, and also the procedures for employees to report security and/or availability issues. The Employee Process Manual is released to the GCS department using Hyland's document management system. GCS employees are required to acknowledge and accept the latest version of the process manual by electronic acknowledgement using Hyland's document management system.

Business Continuity Management & Operational Resilience: Retention Policy

BCR-11 Policies and procedures shall be established, and supporting business processes and technical measures implemented, for defining and adhering to the retention period of any critical asset as per established policies and procedures, as well as applicable legal, statutory, or regulatory compliance obligations. Backup and recovery measures shall be incorporated as part of business continuity planning and tested accordingly for effectiveness.

Customer maintains ownership of all customer data uploaded to their Hosted Solution through the full lifecycle period. Customer administrators control user access, user permissions, and data retention with respect to their Hosted Solutions. GCS maintains a real-time data replication process to back up customer data stored within the Hyland Cloud Platform production environment. The data replication process and data backup objectives are reviewed on at least an annual basis as part of the internal system review process by the AVP of GCS. Access to modify the backup configuration is limited to authorized individuals.

Hyland has documented policies and procedures which detail the retention period for its critical assets.

Chapter 4: Change Control & Configuration Management

Control Group Control ID Control Specification Hyland Response

Change Control & Configuration Management: New Development / Acquisition

CCC-01 Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network, and systems components, or any corporate, operations and/or datacenter facilities have been pre-authorized by the organization's business leadership or other accountable business role or function.

The GCS Leadership Team is responsible for reviewing and approving new system acquisitions and significant modifications to systems and related components.

GCS maintains documented change management procedures and records all change requests in Hyland's document management system. Change requests must be approved by an authorized employee and tested before changes can be implemented. System changes made in the case of an emergency, or that are noncompliant with policy, are recorded as exceptions and are subject to rollback procedures if approval is not granted.

Logical access to system configuration, super user functionality, master passwords, powerful utilities and security devices (including firewall configurations) is restricted to authorized individual GCS employees based on specific roles that are established and maintained based on job responsibilities.

Change Control & Configuration Management: Outsourced Development

CCC-02 External business partners shall adhere to the same policies and procedures for change management, release, and testing as internal developers within the organization (e.g., ITIL service management processes).

External parties are not used in administration of the Hyland Cloud Platform.

Change Control & Configuration Management: Production Changes

CCC-05 Policies and procedures shall be established for managing the risks associated with applying changes to:
• Business-critical or customer (tenant)-impacting (physical and virtual) applications and system-system interface (API) designs and configurations.
• Infrastructure network and systems components.
Technical measures shall be implemented to provide assurance that all changes directly correspond to a registered change request, business-critical or customer (tenant), and/or authorization by, the customer (tenant) as per agreement (SLA) prior to deployment.

GCS maintains a Customer Process Manual which describes the Hyland Cloud platform, its boundaries, the obligations/commitments of each party as it concerns security and availability, customer notification of related incidents, and also the procedure for customers to report security and/or availability issues. The Customer Process Manual is updated and released annually by GCS directly to registered customers through email.

GCS maintains documented change management procedures and records all change requests in Hyland's document management system. Change requests must be approved by an authorized employee and tested before changes can be implemented. System changes made in the case of an emergency, or that are noncompliant with policy, are recorded as exceptions and are subject to rollback procedures if approval is not granted. Changes made to a customer solution must have written documentation from the customer requesting the change. These changes are reviewed quarterly through the Internal Audit Program. All changes undergo a risk assessment and, when applicable, are subject to documented rollback procedures.

Change Control & Configuration Management: Quality Testing

CCC-03 Organization shall follow a defined quality change control and testing process (e.g., ITIL Service Management) with established baselines, testing, and release standards that focus on system availability, confidentiality, and integrity of systems and services.

GCS defines the roles which are authorized to install software, hardware and other network devices within the Access Control policy. Access to these predefined roles is restricted using Active Directory user group policy settings.

The GCS Leadership Team is responsible for reviewing and approving new system acquisitions and significant modifications to systems and related components.

Changes to the Hyland Cloud platform can only be made by authorized individuals based on their assigned roles as documented in GCS policies. Changes to an end user's Hosted Solution are restricted to authorized individuals based on assigned roles.

Change Control & Configuration Management: Unauthorized Software Installations

CCC-04 Policies and procedures shall be established, and supporting business processes and technical measures implemented, to restrict the installation of unauthorized software on organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.

The GCS Leadership Team is responsible for reviewing and approving new system acquisitions and significant modifications to systems and related components.

The Hyland Cloud Platform is built on virtualization technology and accessed through the use of virtual desktops. This prevents unauthorized installation of software. Privileged accounts are restricted to authorized users.

Chapter 5: Data Security & Lifecycle Management

Control Group Control ID Control Specification Hyland Response

Data Security & Information Lifecycle Management: Classification

DSI-01 Data and objects containing data shall be assigned a classification by the data owner based on data type, value, sensitivity, and criticality to the organization.

GCS documents and maintains descriptions of the information used within the Hyland Cloud platform which includes customer data and system data classifications. These classifications are reviewed as part of the annual policy review process by the Associate Vice President of GCS.

Data Security & Information Lifecycle Management: Data Inventory / Flows

DSI-02 Policies and procedures shall be established, and supporting business processes and technical measures implemented, to inventory, document, and maintain data flows for data that is resident (permanently or temporarily) within the service's geographically distributed (physical and virtual) applications and infrastructure network and systems components and/or shared with other third parties to ascertain any regulatory, statutory, or supply chain agreement (SLA) compliance impact, and to address any other business risks associated with the data. Upon request, provider shall inform customer (tenant) of compliance impact and risk, especially if customer data is used as part of the services.

The Hyland Cloud uses firewalls to prevent unauthorized network access. Firewall standards are documented in the Operations Security Policy to only allow network access to the specific protocols that are required to support end user solutions.

Architectural components (e.g. networks, servers, co-location data centers) are logically separated between (1) any customer, including GCS, and (2) Hyland, to prevent unauthorized access by internal or external users. Customer Hosted Solutions exist in a private virtualized environment secured by firewall configurations.

Data Security & Information Lifecycle Management: Ecommerce Transactions

DSI-03 Data related to electronic commerce (ecommerce) that traverses public networks shall be appropriately classified and protected from fraudulent activity, unauthorized disclosure, or modification in such a manner to prevent contract dispute and compromise of data.

GCS utilizes security transport encryption methods, such as SSL, for securing user authentication and session data when accessing the Hyland Cloud platform remotely. Connections to the Hyland platform are encrypted using HTTPS, PCOIPS, or Blast secure protocol. Access to encryption configuration is limited to authorized individuals.

Data Security & Information Lifecycle Management: Handling / Labeling / Security Policy

DSI-04 Policies and procedures shall be established for the labeling, handling, and security of data and objects which contain data. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.

GCS documents and maintains descriptions of the information used within the Hyland Cloud platform which includes customer data and system data classifications. These classifications are reviewed as part of the annual policy review process by the Associate Vice President of GCS.

GCS documents and maintains descriptions of all assets, including hardware, software, and data, used, held, and/or managed within the Hyland Cloud Platform which includes customer data and system data classification. These classifications are reviewed as part of the annual policy review process by the AVP of GCS.

Data Security & Information Lifecycle Management: Non-Production Data

DSI-05 Production data shall not be replicated or used in non-production environments. Any use of customer data in non-production environments requires explicit, documented approval from all customers whose data is affected, and must comply with all legal and regulatory requirements for scrubbing of sensitive data elements.

Customer production and non-production environments are logically separated. GCS does not input customer data into the non-production environment. These environments are separated using a domain authentication source (Active Directory).

Data Security & Information Lifecycle Management: Ownership / Stewardship

DSI-06 All data shall be designated with stewardship, with assigned responsibilities defined, documented, and communicated.

Customer maintains ownership of all customer data uploaded to their Hosted Solution through the full lifecycle period. GCS access to customer data is restricted to authorized users and requires valid business justification.

Customer administrators control user access, user permissions, and data retention with respect to their Hosted Solutions.

Data Security & Information Lifecycle Management: Secure Disposal

DSI-07 Policies and procedures shall be established with supporting business processes and technical measures implemented for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means.

When a storage device has reached the end of its useful life, Global Cloud Services’ procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. GCS uses the techniques recommended by the National Institute of Standards and Technology (NIST) to destroy data as part of the decommissioning process. If a hardware device is unable to be decommissioned using these procedures, the device will be virtually shredded or physically destroyed in accordance with industry-standard practices. Devices used in the administration of the customer’s Hosted Solution that have been decommissioned will be subjected to these or equally effective standards.

Chapter 6: Datacenter Security

Control Group Control ID Control Specification Hyland Response

Datacenter Security: Asset Management

DCS-01 Assets must be classified in terms of business criticality, service-level expectations, and operational continuity requirements. A complete inventory of business-critical assets located at all sites and/or geographical locations and their usage over time shall be maintained and updated regularly, and assigned ownership by defined roles and responsibilities.

An inventory of assets is established and maintained. Asset inventory lists document identifiable information for each asset listed, including vendor, version number, system owner and geographical location.

Datacenter Security: Controlled Access Points

DCS-02 Physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) shall be implemented to safeguard sensitive data and information systems.

The Hyland Cloud platform is housed within ISO 27001 certified and SOC 1 and SOC 3 audited data centers (or reasonable equivalent). Customer data is secured behind physical barriers to prevent unauthorized access. Only authorized personnel have access to the data centers; all others require special authorization from Hyland and data center staff and must be escorted.

Datacenter Security: Equipment Identification

DCS-03 Automated equipment identification shall be used as a method of connection authentication. Location-aware technologies may be used to validate connection authentication integrity based on known equipment location.

The Hyland Cloud platform is housed within ISO 27001 certified and SOC 1 and SOC 3 audited data centers (or reasonable equivalent). Customer data is secured behind physical barriers to prevent unauthorized access. Only authorized personnel have access to the data centers; all others require special authorization from Hyland and data center staff and must be escorted.

Datacenter Security: Off-Site Authorization

DCS-04 Authorization must be obtained prior to relocation or transfer of hardware, software, or data to an offsite premises.

Customer data will not be removed from the GCS data centers unless explicit written authorization is received from the customer.

Relocation or transfer of hardware or software within the data center follows the GCS Change Management Procedures.

Datacenter Security: Off-Site Equipment

DCS-05 Policies and procedures shall be established for the secure disposal of equipment (by asset type) used outside the organization's premises. This shall include a wiping solution or destruction process that renders recovery of information impossible. The erasure shall consist of a full overwrite of the drive to ensure that the erased drive is released to inventory for reuse and deployment, or securely stored until it can be destroyed.

When a storage device has reached the end of its useful life, Global Cloud Services’ procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. Hyland Global Cloud Services uses the techniques recommended by the National Institute of Standards and Technology (NIST) to destroy data as part of the decommissioning process. If a hardware device is unable to be decommissioned using these procedures, the device will be virtually shredded or physically destroyed in accordance with industry-standard practices. Devices used in the administration of the customer’s hosted solution that have been decommissioned will be subjected to these or equally effective standards. Attestation letters to that effect can be provided to Customer, upon request.

Datacenter Security: Policy

DCS-06 Policies and procedures shall be established, and supporting business processes implemented, for maintaining a safe and secure working environment in offices, rooms, facilities, and secure areas storing sensitive information.

Access to the data centers is restricted to the pre-defined roles documented in the Access Management Policy. User access requests are subject to the change management procedures. Visitors to the data center must be escorted.

Only authorized personnel, with a justified business need, are permitted inside the secure data centers unescorted. All other personnel must be escorted at all times, after demonstrating a valid business need and obtaining approval.

Datacenter Security: Secure Area Authorization

DCS-07 Ingress and egress to secure areas shall be constrained and monitored by physical access control mechanisms to ensure that only authorized personnel are allowed access.

Access to the data centers is restricted to the pre-defined roles documented in the Access Management Policy. User access requests are subject to the change management procedures. Visitors to the data center must be escorted.

Only authorized personnel, with a justified business need, are permitted inside the secure data centers unescorted. All other personnel must be escorted at all times, after demonstrating a valid business need and obtaining approval.

Datacenter Security: Unauthorized Persons Entry

DCS-08 Ingress and egress points such as service areas and other points where unauthorized personnel may enter the premises shall be monitored, controlled and, if possible, isolated from data storage and processing facilities to prevent unauthorized data corruption, compromise, and loss.

Access to the data centers is restricted to the pre-defined roles documented in the Access Management Policy. User access requests are subject to the change management procedures. Visitors to the data center must be escorted.

Only authorized personnel, with a justified business need, are permitted inside the secure data centers unescorted. All other personnel must be escorted at all times, after demonstrating a valid business need and obtaining approval.

Datacenter Security: User Access

DCS-09 Physical access to information assets and functions by users and support personnel shall be restricted.

Access to the data centers is restricted to the pre-defined roles documented in the Access Management Policy. User access requests are subject to the change management procedures. Visitors to the data center must be escorted.

Only authorized personnel, with a justified business need, are permitted inside the secure data centers unescorted. All other personnel must be escorted at all times, after demonstrating a valid business need and obtaining approval.

Chapter 7: Encryption & Key Management

Control Group Control ID Control Specification Hyland Response

Encryption & Key Management: Entitlement

EKM-01 Keys must have identifiable owners (binding keys to identities) and there shall be key management policies.

GCS maintains a Cryptography Policy for cryptographic controls. Responsibility for effectively managing encryption keys is divided between the customer and Hyland. Knowledge of keys is split within Hyland.

Encryption & Key Management: Key Generation

EKM-02 Policies and procedures shall be established for the management of cryptographic keys in the service's cryptosystem (e.g., lifecycle management from key generation to revocation and replacement, public key infrastructure, cryptographic protocol design and algorithms used, access controls in place for secure key generation, and exchange and storage including segregation of keys used for encrypted data or sessions). Upon request, provider shall inform the customer (tenant) of changes within the cryptosystem, especially if the customer (tenant) data is used as part of the service, and/or the customer (tenant) has some shared responsibility over implementation of the control.

GCS maintains a Cryptography Policy for cryptographic controls. Responsibility for effectively managing encryption keys is divided between the customer and Hyland. Knowledge of keys is split within Hyland.

Encryption technologies, such as SFTP and SSL/TLS, are employed for data in transit. Customers are responsible for data that resides outside the boundaries of our environment.

Customers are made aware of their responsibilities for use of encryption technologies through the Customer Process Manual and specific guides related to the encryption technologies they have purchased.

Encryption & Key Management: Sensitive Data Protection

EKM-03 Policies and procedures shall be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations), data in use (memory), and data in transmission (e.g., system interfaces, over public networks, and electronic messaging) as per applicable legal, statutory, and regulatory compliance obligations.

GCS maintains a Cryptography Policy for cryptographic controls. Responsibility for effectively managing encryption keys is divided between the customer and Hyland. Knowledge of keys is split within Hyland.

Encryption technologies, such as SFTP and SSL/TLS, are employed for data in transit. Customers are responsible for data that resides outside the boundaries of our environment.

Customers are made aware of their responsibilities for use of encryption technologies through the Customer Process Manual and specific guides related to the encryption technologies they have purchased.

GCS utilizes security transport encryption methods, such as SSL, for securing user authentication and session data when accessing the Hyland Cloud platform remotely. Connections to the Hyland platform are encrypted using HTTPS, PCOIPS, or Blast secure protocol. Access to encryption configuration is limited to authorized individuals.

Encryption & Key Management: Storage and Access

EKM-04 Platform and data-appropriate encryption (e.g., AES-256) in open/validated formats and standard algorithms shall be required. Keys shall not be stored in the cloud (i.e., at the cloud provider in question), but maintained by the cloud consumer or trusted key management provider. Key management and key usage shall be separated duties.

GCS utilizes security transport encryption methods, such as SSL, for securing user authentication and session data when accessing the Hyland Cloud platform remotely. Connections to the Hyland platform are encrypted using HTTPS, PCOIPS, or Blast secure protocol. Access to encryption configuration is limited to authorized individuals.

Chapter 8: Governance and Risk Management

Control Group Control ID Control Specification Hyland Response

Governance and Risk Management: Baseline Requirements

GRM-01 Baseline security requirements shall be established for developed or acquired, organizationally-owned or managed, physical or virtual, applications and infrastructure system and network components that comply with applicable legal, statutory, and regulatory compliance obligations. Deviations from standard baseline configurations must be authorized following change management policies and procedures prior to deployment, provisioning, or use. Compliance with security baseline requirements must be reassessed at least annually unless an alternate frequency has been established and authorized based on business need.

Baseline security configuration standards are established within the Operations Security Policy and reviewed on an annual basis. Individual teams set baseline security configuration standards for the systems and assets they manage.

GCS maintains documented change management procedures and records all change requests in Hyland's document management system. Change requests must be approved by an authorized employee and tested before changes can be implemented. System changes made in the case of an emergency, or that are noncompliant with policy, are recorded as exceptions and are subject to rollback procedures if approval is not granted.

Governance and Risk Management: Data Focus Risk Assessments

GRM-02 Risk assessments associated with data governance requirements shall be conducted at planned intervals and shall consider the following:
• Awareness of where sensitive data is stored and transmitted across applications, databases, servers, and network infrastructure
• Compliance with defined retention periods and end-of-life disposal requirements
• Data classification and protection from unauthorized use, access, loss, destruction, and falsification

A formal risk assessment is conducted annually by the Governance, Risk and Compliance team. Potential threats and vulnerabilities related to security and availability (which include environmental, regulatory, technological changes) are reviewed and categorized. Remediation plans are created as needed and may include updates/changes to the current Information Security policies. The completed assessment is reviewed and approved by the AVP of GCS.

Governance and Risk Management - Management Oversight

GRM-03 Managers are responsible for maintaining awareness of, and complying with, security policies, procedures, and standards that are relevant to their area of responsibility.

The Associate Vice President of GCS and the entire GCS Leadership team are responsible for ensuring employees are aware of and following the security policies and procedures. Managers are responsible for training each new employee regarding their information security responsibilities.

The GCS Leadership Team, or a subset of it, conducts Security Awareness Training and Education every year for all employees.

Governance and Risk Management - Management Program

GRM-04 An Information Security Management Program (ISMP) shall be developed, documented, approved, and implemented that includes administrative, technical, and physical safeguards to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The security program shall include, but not be limited to, the following areas insofar as they relate to the characteristics of the business:
• Risk management
• Security policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development, and maintenance

GCS maintains an Information Security Policy Suite containing the documented policies related to the security and availability of the Hyland Cloud platform that include, but are not limited to, the elements contained within the applicable trust criterion.

GCS maintains an Information Security Management System based on the controls and implementation guidance of ISO 27001/ISO 27002.

The Customer Process Manual outlines the components of the ISMS that are pertinent to customers in administration of their Hosted Solution. Upon request, customers can conduct an audit of GCS and the Hyland Cloud Platform to determine compliance with the ISMS, Customer Process Manual, and customer Hosting Agreements.

Governance and Risk Management - Management Support/Involvement

GRM-05 Executive and line management shall take formal action to support information security through clearly-documented direction and commitment, and shall ensure the action has been assigned.

The GCS Leadership Team, including the Associate Vice President of GCS, provides strategic direction and ensures effective implementation of the Information Security Management System.

Governance and Risk Management - Policy

GRM-06 Information security policies and procedures shall be established and made readily available for review by all impacted personnel and external business relationships. Information security policies must be authorized by the organization's business leadership (or other accountable business role or function) and supported by a strategic business plan and an information security management program inclusive of defined information security roles and responsibilities for business leadership.

GCS maintains an IS policy suite that is available to all GCS employees and communicated through the process manual and annual policy review.

GCS maintains an Employee Process Manual which describes the Hyland Cloud platform, its boundaries, the obligations/commitments of each party as it concerns security and availability, customer notification of related incidents, and also the procedures for employees to report security and/or availability issues. The Employee Process Manual is released to the GCS department using Hyland's document management system. GCS employees are required to acknowledge and accept the latest version of the process manual by supplying electronic acknowledgement using Hyland's document management system.

Governance and Risk Management - Policy Enforcement

GRM-07 A formal disciplinary or sanction policy shall be established for employees who have violated security policies and procedures. Employees shall be made aware of what action might be taken in the event of a violation, and disciplinary measures must be stated in the policies and procedures.

The Global Cloud Services Employee Process Manual establishes the disciplinary actions and consequences of information security violations.

Governance and Risk Management - Policy Impact on Risk Assessments

GRM-08 Risk assessment results shall include updates to security policies, procedures, standards, and controls to ensure that they remain relevant and effective.

A formal risk assessment is conducted annually by the Governance, Risk and Compliance team. Potential threats and vulnerabilities related to security and availability (which include environmental, regulatory, technological changes) are reviewed and categorized. Remediation plans are created as needed and may include updates/changes to the current Information Security policies. The completed assessment is reviewed and approved by the appropriate personnel within GCS.

Governance and Risk Management - Policy Reviews

GRM-09 The organization's business leadership (or other accountable business role or function) shall review the information security policy at planned intervals or as a result of changes to the organization to ensure its continuing alignment with the security strategy, effectiveness, accuracy, relevance, and applicability to legal, statutory, or regulatory compliance obligations.

GCS maintains an Information Security policy suite containing the documented policies related to the security and availability of the Hyland Cloud platform that include, but are not limited to, the elements contained within the applicable trust criterion.

Security and availability policies are reviewed and approved on an annual basis by the GCS AVP or delegate of the management team.

Governance and Risk Management - Risk Assessments

GRM-10 Aligned with the enterprise-wide framework, formal risk assessments shall be performed at least annually or at planned intervals (and in conjunction with any changes to information systems) to determine the likelihood and impact of all identified risks using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk shall be determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance).

A formal risk assessment is conducted annually by the Governance, Risk and Compliance team. Potential threats and vulnerabilities related to security and availability (which include environmental, regulatory, technological changes) are reviewed and categorized. Remediation plans are created as needed and may include updates/changes to the current Information Security policies. The completed assessment is reviewed and approved by the appropriate personnel within GCS.

Risks identified as a result of the risk assessment are tracked, including remediation plans, compensating controls, or acceptance of the risk. Risks are tracked through to completion and retained according to policy.

Governance and Risk Management - Risk Management Framework

GRM-11 Risks shall be mitigated to an acceptable level. Acceptance levels based on risk criteria shall be established and documented in accordance with reasonable resolution time frames and stakeholder approval.

A formal risk assessment is conducted annually by the Governance, Risk and Compliance team. Potential threats and vulnerabilities related to security and availability (which include environmental, regulatory, technological changes) are reviewed and categorized. Remediation plans are created as needed and may include updates/changes to the current Information Security policies. The completed assessment is reviewed and approved by the appropriate personnel within GCS.

Risks identified as a result of the risk assessment are tracked, including remediation plans, compensating controls, or acceptance of the risk. Risks are tracked through to completion and retained according to policy.


Chapter 9: Human Resources

Control Group Control ID Control Specification Hyland Response

Human Resources - Asset Returns

HRS-01 Upon termination of workforce personnel and/or expiration of external business relationships, all organizationally-owned assets shall be returned within an established period.

Access to the Hyland Cloud Platform is prohibited for terminated and/or inactive users. These accounts are disabled in a timely manner and all organizationally-owned assets are surrendered on the last day of employment, whether voluntary or involuntary.

Human Resources - Background Screening

HRS-02 Pursuant to local laws, regulations, ethics, and contractual constraints, all employment candidates, contractors, and third parties shall be subject to background verification proportional to the data classification to be accessed, the business requirements, and acceptable risk.

All potential candidates are subject to background screening procedures before an offer of employment is extended.

Human Resources - Employment Agreements

HRS-03 Employment agreements shall incorporate provisions and/or terms for adherence to established information governance and security policies and must be signed by newly hired or on-boarded workforce personnel (e.g., full or part-time employee or contingent staff) prior to granting workforce personnel user access to corporate facilities, resources, and assets.

GCS maintains an Employee Process Manual which describes the Hyland Cloud platform, its boundaries, the obligations/commitments of each party as it concerns security and availability, customer notification of related incidents, and also the procedures for employees to report security and/or availability issues. The Employee Process Manual is released to the GCS department using Hyland's document management system. GCS employees are required to acknowledge and accept the latest version of the process manual by supplying electronic acknowledgement using Hyland's document management system.

Human Resources - Employment Termination

HRS-04 Roles and responsibilities for performing employment termination or change in employment procedures shall be assigned, documented, and communicated.

GCS follows internal procedures whenever there is a separation event within GCS and/or Hyland. These procedures include removal of all access that is no longer needed and rotation of applicable passwords.

Human Resources - Mobile Device Management

HRS-05 Policies and procedures shall be established, and supporting business processes and technical measures implemented, to manage business risks associated with permitting mobile device access to corporate resources and may require the implementation of higher assurance compensating controls and acceptable-use policies and procedures (e.g., mandated security training, stronger identity, entitlement and access controls, and device monitoring).

There are no mobile devices on the Hyland Cloud Platform.

Human Resources - Non-Disclosure Agreements

HRS-06 Requirements for non-disclosure or confidentiality agreements reflecting the organization's needs for the protection of data and operational details shall be identified, documented, and reviewed at planned intervals.

All employees are required to sign confidentiality agreements as part of their employment at Hyland Software.

GCS maintains an Employee Process Manual which describes the Hyland Cloud platform, its boundaries, the obligations/commitments of each party as it concerns security and availability, customer notification of related incidents, and also the procedures for employees to report security and/or availability issues. The Employee Process Manual is released to the GCS department using Hyland's document management system. GCS employees are required to acknowledge and accept the latest version of the process manual by supplying electronic acknowledgement using Hyland's document management system.

Human Resources - Roles / Responsibilities

HRS-07 Roles and responsibilities of contractors, employees, and third-party users shall be documented as they relate to information assets and security.

The Customer Process Manual delineates the responsibilities of the customer and of Hyland in relation to administration of the Hyland Cloud Platform. Third parties are not granted access in support of the Hyland Cloud Platform.

Human Resources - Technology Acceptable Use

HRS-08 Policies and procedures shall be established, and supporting business processes and technical measures implemented, for defining allowances and conditions for permitting usage of organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components. Additionally, defining allowances and conditions to permit usage of personal mobile devices and associated applications with access to corporate resources (i.e., BYOD) shall be considered and incorporated as appropriate.

GCS maintains an Employee Process Manual which describes the Hyland Cloud platform, its boundaries, the obligations/commitments of each party as it concerns security and availability, customer notification of related incidents, and also the procedures for employees to report security and/or availability issues. The Employee Process Manual is released to the GCS department using Hyland's document management system. GCS employees are required to acknowledge and accept the latest version of the process manual by supplying electronic acknowledgement using Hyland's document management system.

The Hyland Cloud Platform is managed through the use of virtual desktops, which prevents end-point devices from connecting directly to the Platform.

Human Resources - Training / Awareness

HRS-09 A security awareness training program shall be established for all contractors, third-party users, and employees of the organization and mandated when appropriate. All individuals with access to organizational data shall receive appropriate awareness training and regular updates in organizational procedures, processes, and policies relating to their professional function relative to the organization.

Hyland conducts annual data handling training, SATE training, and requires annual acknowledgement of key policies including our data classification standards. These requirements are strongly enforced through the use of testing and written acknowledgements.

Human Resources - User Responsibility

HRS-10 All personnel shall be made aware of their roles and responsibilities for:
• Maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations.
• Maintaining a safe and secure working environment

GCS maintains an Employee Process Manual which describes the Hyland Cloud platform, its boundaries, the obligations/commitments of each party as it concerns security and availability, customer notification of related incidents, and also the procedures for employees to report security and/or availability issues. The Employee Process Manual is released to the GCS department using Hyland's document management system. GCS employees are required to acknowledge and accept the latest version of the process manual by supplying electronic acknowledgement using Hyland's document management system.

Human Resources - Workspace

HRS-11 Policies and procedures shall be established to require that unattended workspaces do not have openly visible (e.g., on a desktop) sensitive documents and user computing sessions are disabled after an established period of inactivity.

GCS maintains and enforces a clear desk/clear screen policy for employees. Physical access to the Hyland Cloud Platform hosting facilities is restricted via key card control.


Chapter 10: Identity & Access Management

Control Group Control ID Control Specification Hyland Response

Identity & Access Management - Audit Tools Access

IAM-01 Access to, and use of, audit tools that interact with the organization's information systems shall be appropriately segregated and access restricted to prevent inappropriate disclosure and tampering of log data.

Logical access to system configuration, super user functionality, master passwords, powerful utilities, security devices (including firewall configurations), and audit tools is restricted to authorized individual GCS employees based on specific roles that are established and maintained based on job responsibilities. Audit logs are logically separated from other storage and kept on a dedicated server.

Identity & Access Management - Credential Lifecycle / Provision Management

IAM-02 User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data and organizationally-owned or managed (physical and virtual) application interfaces and infrastructure network and systems components. These policies, procedures, processes, and measures must incorporate the following:
• Procedures and supporting roles and responsibilities for provisioning and de-provisioning user account entitlements following the rule of least privilege based on job function (e.g., internal employee and contingent staff personnel changes, customer-controlled access, suppliers' business relationships, or other third-party business relationships)
• Business case considerations for higher levels of assurance and multi-factor authentication secrets (e.g., management interfaces, key generation, remote access, segregation of duties, emergency access, large-scale provisioning or geographically-distributed deployments, and personnel redundancy for critical systems)
• Access segmentation to sessions and data in multi-tenant architectures by any third party (e.g., provider and/or other customer (tenant))
• Identity trust verification and service-to-service application (API) and information processing interoperability (e.g., SSO and federation)
• Account credential lifecycle management from instantiation through revocation
• Account credential and/or identity store minimization or re-use when feasible
• Authentication, authorization, and accounting (AAA) rules for access to data and sessions (e.g., encryption and strong/multi-factor, expireable, non-shared authentication secrets)
• Permissions and supporting capabilities for customer (tenant) controls over authentication, authorization, and accounting (AAA) rules for access to data and sessions
• Adherence to applicable legal, statutory, or regulatory compliance requirements

User access requests for internal and external system users are documented in Hyland's change management system. User access is granted based on the pre-defined roles documented in the Access Management policy. User access requests are subject to the documented change management procedures, which require approval from a manager or assigned delegate before user access changes can be implemented. Access to the Hyland Cloud Platform is prohibited for terminated and/or inactive users. These accounts are disabled and/or deleted in a timely manner by account administrators. Logical access to system configuration, super user functionality, master passwords, powerful utilities and security devices (including firewall configurations) is restricted to authorized individual GCS employees based on specific roles that are established and maintained based on job responsibilities. Architectural components (e.g. networks, servers, co-location data centers) are logically separated between (1) any customer, including GCS, and (2) Hyland, preventing unauthorized access by internal or external users. Customer Hosted Solutions exist in a private virtualized environment secured by firewall configurations.

Identity & Access Management - Diagnostic / Configuration Ports Access

IAM-03 User access to diagnostic and configuration ports shall be restricted to authorized individuals and applications.

Logical access to system configuration, super user functionality, master passwords, powerful utilities and security devices (including firewall configurations) is restricted to authorized individual GCS employees based on specific roles that are established and maintained based on job responsibilities.

Identity & Access Management - Policies and Procedures

IAM-04 Policies and procedures shall be established to store and manage identity information about every person who accesses IT infrastructure and to determine their level of access. Policies shall also be developed to control access to network resources based on user identity.

User access requests for internal and external system users are documented in Hyland's change management system. User access is granted based on the pre-defined roles documented in the Access Management policy. User access requests are subject to the documented change management procedures, which require approval from a manager or assigned delegate before user access changes can be implemented.

Administrative access to the anti-virus configuration is restricted to authorized users.

GCS defines the roles which are authorized to install software, hardware, and other network devices within the Access Management policy. Access to these pre-defined roles is restricted using Active Directory user group policy settings.

Identity & Access Management - Segregation of Duties

IAM-05 User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for restricting user access as per defined segregation of duties to address business risks associated with a user-role conflict of interest.

GCS maintains separation of duties within the change management procedures. Employees may not approve change requests they submitted. Employees may not implement change requests they approved.

Identity & Access Management - Source Code Access Restriction

IAM-06 Access to the organization's own developed applications, program, or object source code, or any other form of intellectual property (IP), and use of proprietary software shall be appropriately restricted following the rule of least privilege based on job function as per established user access policies and procedures.

Access to source code for Hyland products is strictly controlled and based on job responsibilities. This program source code is physically and logically separated from the Hyland Cloud Platform. Development of Hyland applications occurs outside of the GCS department and GCS employees do not have access to this source code.

Access to source code for products and services developed by GCS for management of the Hyland Cloud Platform is based on specific roles that are established and maintained based on job responsibilities.

Identity & Access Management - Third Party Access

IAM-07 The identification, assessment, and prioritization of risks posed by business processes requiring third-party access to the organization's information systems and data shall be followed by coordinated application of resources to minimize, monitor, and measure likelihood and impact of unauthorized or inappropriate access. Compensating controls derived from the risk analysis shall be implemented prior to provisioning access.

Third parties are not granted access to the Hyland Cloud Platform.

Identity & Access Management - Trusted Sources

IAM-08 Policies and procedures are established for permissible storage and access of identities used for authentication to ensure identities are only accessible based on rules of least privilege and replication limitation only to users explicitly defined as business necessary.

Logical access to system configuration, super user functionality, master passwords, powerful utilities and security devices (including firewall configurations) is restricted to authorized individual GCS employees based on specific roles that are established and maintained based on job responsibilities.

Identity & Access Management - User Access Authorization

IAM-09 Provisioning user access (e.g., employees, contractors, customers (tenants), business partners, and/or supplier relationships) to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components shall be authorized by the organization's management prior to access being granted and appropriately restricted as per established policies and procedures. Upon request, provider shall inform customer (tenant) of this user access, especially if customer (tenant) data is used as part of the service and/or customer (tenant) has some shared responsibility over implementation of control.

User access requests for internal and external system users are documented in Hyland's change management system. User access is granted based on the pre-defined roles documented in the Access Management policy. User access requests are subject to the documented change management procedures, which require approval from a manager or assigned delegate before user access changes can be implemented.

Identity & Access Management - User Access Reviews

IAM-10 User access shall be authorized and revalidated for entitlement appropriateness, at planned intervals, by the organization's business leadership or other accountable business role or function supported by evidence to demonstrate the organization is adhering to the rule of least privilege based on job function. For identified access violations, remediation must follow established user access policies and procedures.

GCS maintains an internal audit program that focuses on developing, implementing, maintaining, and reassessing security controls to support risk mitigation strategies. The areas of focus include, but are not limited to, policy and procedure, logical and physical access, and business continuity. Quarterly internal audit results are compiled by the Governance, Risk and Compliance team and sent to the AVP of GCS.

Identity & Access Management - User Access Revocation

IAM-11 Timely de-provisioning (revocation or modification) of user access to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components, shall be implemented as per established policies and procedures and based on user's change in status (e.g., termination of employment or other business relationship, job change or transfer). Upon request, provider shall inform customer (tenant) of these changes, especially if customer (tenant) data is used as part of the service and/or customer (tenant) has some shared responsibility over implementation of control.

Access to the Hyland Cloud Platform is prohibited for terminated and/or inactive users. These accounts are disabled and/or deleted in a timely manner by account administrators.

Identity & Access Management - User ID Credentials

IAM-12 Internal corporate or customer (tenant) user account credentials shall be restricted as per the following, ensuring appropriate identity, entitlement, and access management and in accordance with established policies and procedures:
• Identity trust verification and service-to-service application (API) and information processing interoperability (e.g., SSO and Federation)
• Account credential lifecycle management from instantiation through revocation
• Account credential and/or identity store minimization or re-use when feasible
• Adherence to industry acceptable and/or regulatory compliant authentication, authorization, and accounting (AAA) rules (e.g., strong/multi-factor, expireable, non-shared authentication secrets)

GCS requires employees to establish their identity using an authorized multi-factor authentication technology when administering the Hyland Cloud Platform. This includes a Windows username, a user-specified PIN, a Windows password, and a token. All user accounts managed by GCS are subject to the password management requirements established within the Access Management policy. The Hyland Platform is configured to require internal and external system users to log into the system using a password that meets the password management requirements within the password policy.

User access requests for internal and external system users are documented in Hyland's change management system. User access is granted based on the pre-defined roles documented in the Access Control policy. User access requests are subject to the documented change management procedures, which require approval from a manager or assigned delegate before user access changes can be implemented.

GCS maintains an Employee Process Manual which describes the Hyland Cloud platform, its boundaries, the obligations/commitments of each party as it concerns security and availability, customer notification of related incidents, and also the procedures for employees to report security and/or availability issues. The Employee Process Manual is released to the GCS department using Hyland's document management system. GCS employees are required to acknowledge and accept the latest version of the process manual by supplying electronic acknowledgement using Hyland's document management system.

Identity & Access Management - Utility Programs Access

IAM-13 Utility programs capable of potentially overriding system, object, network, virtual machine, and application controls shall be restricted.

Logical access to system configuration, super user functionality, master passwords, powerful utilities and security devices (including firewall configurations) is restricted to authorized individual GCS employees based on specific roles that are established and maintained based on job responsibilities.

Chapter 11: Infrastructure & Virtualization Security

Control Group Control ID Control Specification Hyland Response

Infrastructure & Virtualization Security: Audit Logging / Intrusion Detection

IVS-01 Higher levels of assurance are required for protection, retention, and lifecycle management of audit logs, adhering to applicable legal, statutory or regulatory compliance obligations and providing unique user access accountability to detect potentially suspicious network behaviors and/or file integrity anomalies, and to support forensic investigative capabilities in the event of a security breach.

Logical access to system configuration, super user functionality, master passwords, powerful utilities, security devices (including firewall configurations), and audit tools is restricted to authorized individual GCS employees based on specific roles that are established and maintained based on job responsibilities.

Infrastructure & Virtualization Security: Change Detection

IVS-02 The provider shall ensure the integrity of all virtual machine images at all times. Any changes made to virtual machine images must be logged and an alert raised regardless of their running state (e.g., dormant, off, or running). The results of a change or move of an image and the subsequent validation of the image's integrity must be immediately available to customers through electronic methods (e.g., portals or alerts).

Changes to virtual machines and servers that are used to host customer solutions are subject to the GCS change management procedures.

Infrastructure & Virtualization Security: Clock Synchronization

IVS-03 A reliable and mutually agreed upon external time source shall be used to synchronize the system clocks of all relevant information processing systems to facilitate tracing and reconstitution of activity timelines.

All data center clocks are synchronized to UTC. All physical machines, including hosts and switches, obtain time from public NTP servers on the Internet to maintain synchronization with UTC.

Infrastructure & Virtualization Security: Hypervisor Hardening

IVS-11 Access to all hypervisor management functions or administrative consoles for systems hosting virtualized systems shall be restricted to personnel based upon the principle of least privilege and supported through technical controls (e.g., two-factor authentication, audit trails, IP address filtering, firewalls, and TLS encapsulated communications to the administrative consoles).

GCS requires employees to establish their identity using an authorized multi-factor authentication technology when administering the Hyland Cloud platform. This includes a Windows username, a user-specified PIN, a Windows password, and a token. All user accounts managed by GCS are subject to the password management requirements established within the Access Management policy.

Logical access to system configuration, super user functionality, master passwords, powerful utilities and security devices (including firewall configurations) is restricted to authorized individual GCS employees based on specific roles that are established and maintained based on job responsibilities.

Infrastructure & Virtualization Security: Information System Documentation

IVS-04 The availability, quality, and adequate capacity and resources shall be planned, prepared, and measured to deliver the required system performance in accordance with legal, statutory, and regulatory compliance obligations. Projections of future capacity requirements shall be made to mitigate the risk of system overload.

GCS monitors system capacity and resource usage to support the capacity objectives as determined by the GCS system owners. On at least an annual basis, future system capacity projections are planned to limit disruptions to the Hyland Cloud platform and to prepare for future growth trends.

GCS maintains an internal audit program that focuses on developing, implementing, maintaining, and reassessing security controls to support risk mitigation strategies. The areas of focus include, but are not limited to, policy and procedure, logical and physical access, business continuity, and capacity planning. Quarterly internal audit results are compiled by the Governance, Risk and Compliance team and sent to the AVP of GCS.

Infrastructure & Virtualization Security: Network Architecture

IVS-13 Network architecture diagrams shall clearly identify high-risk environments and data flows that may have legal compliance impacts. Technical measures shall be implemented and shall apply defense-in-depth techniques (e.g., deep packet analysis, traffic throttling, and black-holing) for detection and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns (e.g., MAC spoofing and ARP poisoning attacks) and/or distributed denial-of-service (DDoS) attacks.

GCS uses firewalls to prevent unauthorized network access. Firewall standards are documented in the Operations Security Policy and permit network access only for the specific protocols that are required to support end-user solutions.

GCS utilizes third-party software to conduct internal and external vulnerability assessments on a quarterly basis. Assessments are reviewed to ensure that unencrypted network protocols are disabled. Remediation plans are created to address critical issues and are tracked to completion as part of the internal review process.

Architectural components (e.g., networks, servers, co-location data centers) are logically separated between (1) any customers, including GCS and (2) Hyland, preventing unauthorized access by internal or external users. Customer Hosted Solutions exist in a private virtualized environment secured by firewall configurations.

Anti-virus software is configured to update virus definitions on a daily basis.

Infrastructure & Virtualization Security: Network Security

IVS-06 Network environments and virtual instances shall be designed and configured to restrict and monitor traffic between trusted and untrusted connections. These configurations shall be reviewed at least annually, and supported by a documented justification for use for all allowed services, protocols, and ports, and by compensating controls.

GCS collects logs for the external firewall and IDS/IPS admin logs. These logs are evaluated periodically.

Any change to the firewall configuration is logged. Before any change is implemented on the firewall, it is approved using the internal change management system, and the approval is documented on the firewall.
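The review that IVS-06 calls for (every allowed service, protocol and port carries a documented justification and is re-reviewed at least annually) can be made mechanical. The following is an added example, not Hyland's or GCS's code: it models a firewall allow-list as rule records with a business justification, a change-management ticket reference and a last-review date, and reports the rules that would fail an annual review. The rule set, the field names and the one-year review interval are constructed assumptions, not the schema of any real firewall or of the document's own Operations Security Policy.

```python
"""Annual firewall allow-list review check (added example, not Hyland's code).

Flags rules that lack a documented justification, lack a change-management
reference, have never been reviewed, or were last reviewed more than the
review interval ago. Field names and sample rules are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

REVIEW_INTERVAL = timedelta(days=365)   # "reviewed at least annually"


@dataclass
class Rule:
    rule_id: str
    source: str
    destination: str
    protocol: str
    port: int
    justification: str          # business reason for allowing the service
    change_ticket: str          # change-management record approving the rule
    last_reviewed: Optional[date]


# Constructed sample rules (not from the original document).
SAMPLE_RULES: List[Rule] = [
    Rule("FW-001", "0.0.0.0/0", "10.20.0.10/32", "tcp", 443,
         "Customer HTTPS access to web tier", "CHG-1041", date(2017, 3, 2)),
    Rule("FW-002", "10.10.0.0/16", "10.20.0.20/32", "tcp", 1433,
         "Application tier to SQL Server", "CHG-1042", date(2015, 1, 15)),  # stale review
    Rule("FW-003", "0.0.0.0/0", "10.20.0.30/32", "tcp", 3389,
         "", "CHG-1099", date(2017, 6, 1)),                                 # no justification
    Rule("FW-004", "10.30.0.0/24", "10.20.0.10/32", "tcp", 22,
         "Admin SSH from management network", "", None),                     # no ticket, never reviewed
]


def review_findings(rules: List[Rule], today: date) -> Dict[str, List[str]]:
    """Return {rule_id: [finding, ...]} for every rule that fails the review."""
    findings: Dict[str, List[str]] = {}
    for r in rules:
        problems = []
        if not r.justification.strip():
            problems.append("missing documented justification")
        if not r.change_ticket.strip():
            problems.append("missing change-management reference")
        if r.last_reviewed is None:
            problems.append("never reviewed")
        elif today - r.last_reviewed > REVIEW_INTERVAL:
            problems.append(f"last reviewed {r.last_reviewed.isoformat()}, overdue")
        if problems:
            findings[r.rule_id] = problems
    return findings


def run_review(today_iso: str = "2017-08-01") -> Dict[str, List[str]]:
    """Run the review over the constructed sample rules as of an ISO date."""
    return review_findings(SAMPLE_RULES, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for rule_id, problems in run_review().items():
        print(rule_id, "->", "; ".join(problems))
```

Rules that pass silently are the ones worth trusting during an audit; everything else becomes a change ticket or a rule deletion. The same record structure also gives the "documented justification for use" that the control text asks for, in a form an auditor can diff against the running configuration.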

Infrastructure & Virtualization Security: OS Hardening and Base Controls

IVS-07 Each operating system shall be hardened to provide only necessary ports, protocols, and services to meet business needs and have in place supporting technical controls such as: antivirus, file integrity monitoring, and logging as part of their baseline operating build standard or template.

Virtual machines and operating systems are deployed with the minimum set of services and functionality required for them to run. Vulnerability scans and security assessments are run against the internal and external environment; these scans demonstrate whether only the minimum required ports are open.
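The IVS-07 response relies on scan results to show that only the baseline ports are exposed. The following is an added example, not code from Hyland or GCS: it parses constructed nmap-style normal output and diffs the open ports per host against an allow-list baseline, reporting ports that are open but not permitted (hardening drift) and baseline ports that are not seen open (a service that should be listening is not). The host names, IP addresses, ports and scan text are constructed sample data, and the baseline mapping is an assumption about how such an allow-list might be recorded.

```python
"""Diff scan results against an OS hardening baseline (added example).

Parses nmap-style normal output ("PORT STATE SERVICE" blocks) and compares
the open ports of each host with the ports its baseline permits. Scan text,
addresses and the baseline below are constructed, not a real environment.
"""
import re
from typing import Dict, Set, Tuple

# Constructed nmap-style output for two hosts (not a real scan).
SAMPLE_SCAN = """
Nmap scan report for web01.example.internal (10.20.0.10)
PORT     STATE    SERVICE
22/tcp   open     ssh
443/tcp  open     https
3389/tcp open     ms-wbt-server
8080/tcp filtered http-proxy

Nmap scan report for 10.20.0.20
PORT     STATE  SERVICE
1433/tcp open   ms-sql-s
135/tcp  open   msrpc
"""

# Assumed baseline: the only ports each host is permitted to expose.
BASELINE: Dict[str, Set[str]] = {
    "10.20.0.10": {"22/tcp", "443/tcp"},
    "10.20.0.20": {"1433/tcp", "22/tcp"},
}

# nmap prints either "report for host (ip)" or "report for ip".
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?$")
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+(\S+)\s+(\S+)")


def parse_open_ports(scan_text: str) -> Dict[str, Set[str]]:
    """Return {ip: {"port/proto", ...}} for ports the scan reports as open."""
    result: Dict[str, Set[str]] = {}
    host = None
    for line in scan_text.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            host = m.group(1)
            result.setdefault(host, set())
            continue
        m = PORT_RE.match(line.strip())
        if m and host is not None and m.group(2) == "open":
            result[host].add(m.group(1))
    return result


def baseline_diff(open_ports: Dict[str, Set[str]],
                  baseline: Dict[str, Set[str]]) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Per host: (open ports not in baseline, baseline ports not seen open)."""
    diff: Dict[str, Tuple[Set[str], Set[str]]] = {}
    for host in set(open_ports) | set(baseline):
        seen = open_ports.get(host, set())
        allowed = baseline.get(host, set())
        unexpected, missing = seen - allowed, allowed - seen
        if unexpected or missing:
            diff[host] = (unexpected, missing)
    return diff


def check_sample() -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Run the comparison over the constructed scan and baseline."""
    return baseline_diff(parse_open_ports(SAMPLE_SCAN), BASELINE)


if __name__ == "__main__":
    for host, (unexpected, missing) in sorted(check_sample().items()):
        print(f"{host}: unexpected open {sorted(unexpected)}, missing {sorted(missing)}")
```

Ports in the "filtered" state are deliberately ignored here, since the control is about what is reachable; a filtered port is already blocked upstream. Hosts that appear in the scan but not in the baseline show up with every open port flagged, which is the right default for an unexpected machine.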

Infrastructure & Virtualization Security: Production / Non-Production Environments

IVS-08 Production and non-production environments shall be separated to prevent unauthorized access or changesto information assets. Separation of the environments may include: stateful inspection firewalls, domain/realm authentication sources, and clear segregation of duties for personnel accessing these environments as part of their job duties.

Customer production and non-production environments are separated through security controls and the use of separate domain/realm authentication sources. Any change made to these environments follows the change management procedures, including separation of duties between requestor, approver, and implementer.

Infrastructure & Virtualization Security: Segmentation

IVS-09 Multi-tenant organizationally-owned or managed (physical and virtual) applications, and infrastructure system and network components, shall be designed, developed, deployed, and configured such that provider and customer (tenant) user access is appropriately segmented from other tenant users, based on the following considerations: • Established policies and procedures • Isolation of business critical assets and/or sensitive user data, and sessions that mandate stronger internal controls and high levels of assurance • Compliance with legal, statutory, and regulatory compliance obligations

The OnBase application is not a multi-tenant application. Customers are logically separated from one another through the use of separate virtual machines.

Infrastructure & Virtualization Security: VM Security - Data Protection

IVS-10 Secured and encrypted communication channels shall be used when migrating physical servers, applications, or data to virtualized servers and, where possible, shall use a network segregated from production-level networks for such migrations.

GCS utilizes transport encryption methods, such as SSL, for securing user authentication and session data when accessing the Hyland Cloud platform remotely. Connections to the OnBase Online platform are encrypted using HTTPS, PCoIP, or the Blast secure protocol. Access to the encryption configuration is limited to authorized individuals.

Infrastructure & Virtualization Security: Vulnerability Management

IVS-05 Implementers shall ensure that the security vulnerability assessment tools or services accommodate the virtualization technologies used (e.g., virtualization aware).

GCS utilizes third-party software to conduct internal and external vulnerability assessments on a quarterly basis. These vulnerability assessments scan all virtual and physical servers and machines. Remediation plans are created to address critical issues and are tracked to completion as part of the internal review process.

Chapter 12: Interoperability & Portability

Control Group Control ID Control Specification Hyland Response

Interoperability & Portability: APIs

IPY-01 The provider shall use open and published APIs to ensure support for interoperability between components and to facilitate migrating applications.

GCS utilizes security transport encryption methods, such as SSL, for securing user authentication and session data when accessing the Hyland Cloud platform remotely. Connections to the Hyland Cloud Platform are encrypted using HTTPS, PCOIP, or Blast secure protocol. Access to the encryption configuration is limited to authorized individuals.

OnBase has a proprietary API that is approved for use by customers. Customers can use their own API; however, it must undergo a review by GCS employees and be approved before it can be used.

Interoperability & Portability: Data Request

IPY-02 All structured and unstructured data shall be available to the customer and provided to them upon request in an industry-standard format (e.g., .doc, .xls,.pdf, logs, and flat files).

Hyland applications do not utilize a proprietary data format. Customer data can be uploaded in any format accepted by the application (industry-standard formats) and will be returned in the same format.

Interoperability & Portability: Policy & Legal

IPY-03 Policies, procedures, and mutually-agreed upon provisions and/or terms shall be established to satisfy customer (tenant) requirements for service-to-service application (API) and information processing interoperability, and portability for application development and information exchange,usage, and integrity persistence.

Customers are given the option of purchasing a license for the OnBase API. To interact with the API (other than as an end user) the customer must have an individual attend the OnBase API Training Class. Upon completion of this class, the customer will receive documentation and information on proper use of the API and continued support from Hyland.

Interoperability & Portability: Standardized Network Protocols

IPY-04 The provider shall use secure (e.g., non-clear text and authenticated) standardized network protocols for the import and export of data and to manage the service, and shall make available a document to consumers (tenants) detailing the relevant interoperability and portability standards that are involved.

GCS utilizes security transport encryption methods, such as SSL, for securing user authentication and session data when accessing the OnBase Online Cloud platform remotely. Connections to the Hyland Cloud Platform are encrypted using HTTPS, PCOIP, or Blast secure protocol. Access to the encryption configuration is limited to authorized individuals.

Interoperability & Portability: Virtualization

IPY-05 The provider shall use an industry-recognized virtualization platform and standard virtualization formats (e.g., OVF) to help ensure interoperability, and shall have documented custom changes made to any hypervisor in use and all solution-specific virtualization hooks available for customer review.

GCS uses an industry-recognized virtualization platform and the OVF virtualization format. GCS maintains documented change management procedures and records all change requests related to virtual machines in Hyland's document management system. Change requests must be approved by an authorized employee and tested before changes can be implemented.


Chapter 13: Mobile Security

Control Group Control ID Control Specification Hyland Response

Mobile Security: Anti-Malware

MOS-01 Anti-malware awareness training, specific to mobile devices, shall be included in the provider's information security awareness training.

Mobile devices are not permitted on the Hyland Cloud Platform.

Mobile Security: Application Stores

MOS-02 A documented list of approved application stores has been defined as acceptable for mobile devices accessing or storing provider managed data.

Mobile devices are not permitted on the Hyland Cloud Platform.

Mobile Security: Approved Applications

MOS-03 The company shall have a documented policy prohibiting the installation of non-approved applications or approved applications not obtained through a pre-identified application store.

Mobile devices are not permitted on the Hyland Cloud Platform.

Mobile Security: Approved Software for BYOD

MOS-04 The BYOD policy and supporting awareness training clearly states the approved applications, application stores, and application extensions and plugins that may be used for BYOD usage.

Mobile devices are not permitted on the Hyland Cloud Platform.

Mobile Security: Awareness and Training

MOS-05 The provider shall have a documented mobile device policy that includes a documented definition for mobile devices and the acceptable usage and requirements for all mobile devices. Theprovider shall post and communicate the policy and requirements through the company's security awareness and training program.

Mobile devices are not permitted on the Hyland Cloud Platform.

Mobile Security: Cloud Based Services

MOS-06 All cloud-based services used by the company's mobile devices or BYOD shall be pre-approved for usage and the storage of company business data.

Mobile devices are not permitted on the Hyland Cloud Platform.

Mobile Security: Compatibility

MOS-07 The company shall have a documented application validation process to test for mobile device, operating system, and application compatibility issues.

Mobile devices are not permitted on the Hyland Cloud Platform.

Mobile Security: Device Eligibility

MOS-08 The BYOD policy shall define the device and eligibility requirements to allow for BYOD usage.

Mobile devices are not permitted on the Hyland Cloud Platform.

Mobile Security: Device Inventory

MOS-09 An inventory of all mobile devices used to store and access company data shall be kept and maintained. All changes to the status of these devices (i.e., operating system and patch levels, lost or decommissioned status, and to whom the device is assigned or approved for usage (BYOD)) will be included for each device in the inventory.

Mobile devices are not permitted on the Hyland Cloud Platform.

Mobile Security: Device Management

MOS-10 A centralized, mobile device management solution shall be deployed to all mobile devices permitted to store, transmit, or process customer data.

Mobile devices are not permitted on the Hyland Cloud Platform.

Mobile Security: Encryption

MOS-11 The mobile device policy shall require the use of encryption either for the entire device or for data identified as sensitive on all mobile devices, and shall be enforced through technology controls.

Mobile devices are not permitted on the Hyland Cloud Platform.

Mobile Security: Jailbreaking and Rooting

MOS-12 The mobile device policy shall prohibit the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting) and shall enforcethe prohibition through detective and preventative controls on the device or through a centralized device management system (e.g., mobile device management).

Mobile devices are not permitted on the Hyland Cloud Platform.

Mobile Security: Legal

MOS-13 The BYOD policy includes clarifying language for the expectation of privacy, requirements for litigation, e-discovery, and legal holds. The BYOD policy shall clearly state the expectations regarding the loss of non-company data in the case a wipe of the device is required.

Mobile devices are not permitted on the Hyland Cloud Platform.

Mobile Security: Lockout Screen

MOS-14 BYOD and/or company-owned devices are configured to require an automatic lockout screen, and the requirement shall be enforced through technical controls.

Mobile devices are not permitted on the Hyland Cloud Platform.

Mobile Security: Operating Systems

MOS-15 Changes to mobile device operating systems, patch levels, and/or applications shall be managed through the company's change management processes.

Mobile devices are not permitted on the Hyland Cloud Platform.

Mobile Security: Passwords

MOS-16 Password policies, applicable to mobile devices, shall be documented and enforced through technical controls on all company devices or devices approved for BYOD usage, and shall prohibit the changing of password/PIN lengths and authentication requirements.

Mobile devices are not permitted on the Hyland Cloud Platform.

Mobile Security: Policy

MOS-17 The mobile device policy shall require the BYOD user to perform backups of data, prohibit the usage of unapproved application stores, and require the use of anti-malware software (where supported).

Mobile devices are not permitted on the Hyland Cloud Platform.

Mobile Security: Remote Wipe

MOS-18 All mobile devices permitted for use through the company BYOD program or a company-assigned mobile device shall allow for remote wipe by the company's corporate IT or shall have all company-provided data wiped by the company's corporate IT.

Mobile devices are not permitted on the Hyland Cloud Platform.

Mobile Security: Security Patches

MOS-19 Mobile devices connecting to corporate networks, or storing and accessing company information, shall allow for remote software version/patch validation. All mobile devices shall have the latest available security-related patches installed upon general release by the device manufacturer or carrier and authorized IT personnel shall be able to perform these updates remotely.

Mobile devices are not permitted on the Hyland Cloud Platform.

Mobile Security: Users

MOS-20 The BYOD policy shall clarify the systemsand servers allowed for use or access ona BYOD-enabled device.

Mobile devices are not permitted on the Hyland Cloud Platform.


Chapter 14: Security Incident Management, E-Discovery & Cloud Forensics

Control Group Control ID Control Specification Hyland Response

Security Incident Management, E-Discovery & Cloud Forensics: Contact / Authority Maintenance

SEF-01 Points of contact for applicable regulation authorities, national and locallaw enforcement, and other legal jurisdictional authorities shall be maintained and regularly updated (e.g., change in impacted-scope and/or a change in any compliance obligation) to ensure direct compliance liaisons have been established and to be prepared fora forensic investigation requiring rapid engagement with law enforcement.

GCS maintains applicable industry contacts.

Security Incident Management, E-Discovery & Cloud Forensics: Incident Management

SEF-02 Policies and procedures shall be established, and supporting business processes and technical measures implemented, to triage security-related events and ensure timely and thorough incident management, as per established IT service management policies and procedures.

GCS maintains documented incident reporting procedures. Incident reports are recorded and tracked to completion within Hyland's document management system. Customer notification is provided when applicable.

GCS maintains a Customer Process Manual which describes the Hyland Cloud platform, its boundaries, the obligations/commitments of each party as it concerns security and availability, customer notification of related incidents, and also the procedure for customers to report security and/or availability issues. The Customer Process Manual is updated and released annually by GCS directly to registered customers through email.

GCS maintains an internal audit program that focuses on developing, implementing, maintaining, and reassessing security controls to support risk mitigation strategies. The areas of focus include, but are not limited to, policy and procedure, logical and physical access, and business continuity. Quarterly internal audit results are compiled by the Governance, Risk and Compliance team and sent to the AVP of GCS.

Security Incident Management, E-Discovery & Cloud Forensics: Incident Reporting

SEF-03 Workforce personnel and external business relationships shall be informed of their responsibilities and, if required, shall consent and/or contractually agreeto report all information security events in a timely manner. Information security events shall be reported through predefined communications channels in a timely manner adhering to applicable legal, statutory, or regulatory compliance obligations.

GCS maintains an Employee Process Manual which describes the Hyland Cloud platform, its boundaries, the obligations/commitments of each party as they concern security and availability, customer notification of related incidents, and the procedures for employees to report security and/or availability issues. The Employee Process Manual is released to the GCS department using Hyland's document management system. GCS employees are required to acknowledge and accept the latest version of the process manual by supplying electronic acknowledgement using Hyland's document management system.

Security Incident Management, E-Discovery & Cloud Forensics: Incident Response Legal Preparation

SEF-04 Proper forensic procedures, including chain of custody, are required for the presentation of evidence to support potential legal action subject to the relevant jurisdiction after an informationsecurity incident. Upon notification, customers and/or other external business partners impacted by a security breach shall be given the opportunity to participate as is legally permissible in the forensic investigation.

GCS maintains procedures for proper collection of evidence during a security incident, including legal requirements for maintaining proper chain of custody.

Security Incident Management, E-Discovery & Cloud Forensics: Incident Response Metrics

SEF-05 Mechanisms shall be put in place to monitor and quantify the types, volumes, and costs of information security incidents.

GCS maintains documented incident reporting procedures. Incident reports are recorded and tracked to completion within Hyland's document management system. Customer notification is provided when applicable.


Chapter 15: Supply Chain Management, Transparency and Accountability

Control Group Control ID Control Specification Hyland Response

Supply Chain Management, Transparency and Accountability: Data Quality and Integrity

STA-01 Providers shall inspect, account for, and work with their cloud supply-chain partners to correct data quality errors and associated risks. Providers shall design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privilege access for all personnel within their supply chain.

GCS has a Vendor Management Program which includes a process to review critical vendors on an annual basis.

Supply Chain Management, Transparency and Accountability: Incident Reporting

STA-02 The provider shall make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals).

GCS maintains documented incident reporting procedures. Incident reports are recorded and tracked to completion within Hyland's document management system. Customer notification is provided when applicable.

Supply Chain Management, Transparency and Accountability: Network / Infrastructure Services

STA-03 Business-critical or customer (tenant) impacting (physical and virtual) application and system-system interface (API) designs and configurations, and infrastructure network and systems components, shall be designed, developed, and deployed in accordance with mutually agreed-upon service and capacity-level expectations, as well as IT governance and service management policies and procedures.

GCS monitors system capacity and resource usage to support the capacity objectives as determined by the GCS system owners. On at least an annual basis, future system capacity projections are planned to limit disruptions to the Hyland Cloud Platform and to prepare future growth trends.

GCS maintains an internal audit program that focuses on developing, implementing, maintaining, and reassessing security controls to support risk mitigation strategies. The areas of focus include, but are not limited to, policy and procedure, logical and physical access, and business continuity. Quarterly internal audit results are compiled by the Governance, Risk and Compliance team and sent to the AVP of GCS.


Supply Chain Management, Transparency and Accountability: Provider Internal Assessments

STA-04 The provider shall perform annual internal assessments of conformance to,and effectiveness of, its policies, procedures, and supporting measures and metrics.

GCS has a Vendor Management Program which includes a process to review critical vendors on an annual basis.

Supply Chain Management, Transparency and Accountability: Supply Chain Agreements

STA-05 Supply chain agreements (e.g., SLAs) between providers and customers (tenants) shall incorporate at least the following mutually-agreed upon provisions and/or terms: • Scope of business relationship and services offered (e.g., customer (tenant) data acquisition, exchange and usage, feature sets and functionality, personnel and infrastructure network and systems components for service delivery and support, roles and responsibilities of provider and customer (tenant) and any subcontracted or outsourced business relationships, physical geographical location of hosted services, and any known regulatory compliance considerations) • Information security requirements, provider and customer (tenant) primary points of contact for the duration of the business relationship, and references to detailed supporting and relevant business processes and technical measures implemented to enable effective governance, risk management, assurance and legal, statutory and regulatory compliance obligations by all impacted business relationships • Notification and/or pre-authorization of any changes controlled by the provider with customer (tenant) impacts • Timely notification of a security incident (or confirmed breach) to all customers (tenants) and other business relationships impacted (i.e., up- and down-stream impacted supply chain) • Assessment and independent verification of compliance with agreement provisions and/or terms (e.g., industry-acceptable certification, attestation audit report, or equivalent forms of assurance) without posing an unacceptable business risk of exposure to the organization being assessed • Expiration of the business relationship and treatment of customer (tenant) data impacted • Customer (tenant) service-to-service application (API) and data interoperability and portability requirements for application development and information exchange, usage, and integrity persistence

GCS maintains a Vendor Management Program that assesses risks associated with critical vendors. This includes review of contracts and contractual obligations, items related to services offered, financial viability, legal and compliance concerns, and any information security risks.

Supply Chain Management, Transparency and Accountability: Supply Chain Governance Reviews

STA-06 Providers shall review the risk management and governance processes of their partners so that practices are consistent and aligned to account for risks inherited from other members of that partner's cloud supply chain.

GCS maintains a Vendor Management Program that assesses risks associated with critical vendors. This includes a review of contracts and contractual obligations, the services offered, financial viability, legal and compliance concerns, and any information security risks.

Supply Chain Management, Transparency and Accountability: Supply Chain Metrics

STA-07 Policies and procedures shall be implemented to ensure the consistent review of service agreements (e.g., SLAs) between providers and customers (tenants) across the relevant supply chain (upstream/downstream). Reviews shall be performed at least annually and identify any non-conformance to established agreements. The reviews should result in actions to address service-level conflicts or inconsistencies resulting from disparate supplier relationships.

GCS maintains a Vendor Management Program that assesses risks associated with critical vendors. This includes a review of contracts and contractual obligations, the services offered, financial viability, legal and compliance concerns, and any information security risks.

Supply Chain Management, Transparency and Accountability: Third Party Assessment

STA-08 Providers shall assure reasonable information security across their information supply chain by performing an annual review. The review shall include all partners/third-party providers upon which their information supply chain depends.

GCS maintains a Vendor Management Program that assesses risks associated with critical vendors. This includes a review of contracts and contractual obligations, the services offered, financial viability, legal and compliance concerns, and any information security risks.

Supply Chain Management, Transparency and Accountability: Third Party Audits

STA-09 Third-party service providers shall demonstrate compliance with information security and confidentiality, access control, service definitions, and delivery level agreements included in third-party contracts. Third-party reports, records, and services shall undergo audit and review at least annually to govern and maintain compliance with the service delivery agreements.

GCS maintains a Vendor Management Program that assesses risks associated with critical vendors. This includes a review of contracts and contractual obligations, the services offered, financial viability, legal and compliance concerns, and any information security risks.

At least annually, an independent review of the Information Security Management System is conducted by a trusted third party. This review validates that the information security management system effectively monitors the organization for security and availability, including the policies and procedures governing maintenance of the OnBase Online Cloud Platform and the Internal Audit Program. The external audit reports are available to customers upon request.

Chapter 16: Threat and Vulnerability Management

Control Group Control ID Control Specification Hyland Response

Threat and Vulnerability Management: Anti-Virus / Malicious Software

TVM-01 Policies and procedures shall be established, and supporting business processes and technical measures implemented, to prevent the execution of malware on organizationally-owned or managed user end-point devices (i.e., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.

Anti-virus software is configured to update virus definitions on a daily basis.

Administrative access to the anti-virus configuration is restricted to authorized users.

GCS uses firewalls to prevent unauthorized network access. Firewall standards are documented in the Operations Security Policy and only allow network access to the specific protocols required to support end-user solutions.

GCS utilizes third-party software to conduct internal and external vulnerability assessments on a quarterly basis. Assessments are reviewed to ensure that unencrypted network protocols are disabled. Remediation plans are created to address critical issues and are tracked to completion as part of the internal review process.

Threat and Vulnerability Management: Mobile Code

TVM-03 Policies and procedures shall be established, and supporting business processes and technical measures implemented, to prevent the execution of unauthorized mobile code, defined as software transferred between systems over a trusted or untrusted network and executed on a local system without explicit installation or execution by the recipient, on organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.

No mobile code is permitted in the Hyland Cloud Platform.

Threat and Vulnerability Management: Vulnerability / Patch Management

TVM-02 Policies and procedures shall be established, and supporting processes and technical measures implemented, for timely detection of vulnerabilities within organizationally-owned or managed applications, infrastructure network and system components (e.g., network vulnerability assessment, penetration testing) to ensure the efficiency of implemented security controls. A risk-based model for prioritizing remediation of identified vulnerabilities shall be used. Changes shall be managed through a change management process for all vendor-supplied patches, configuration changes, or changes to the organization's internally developed software. Upon request, the provider informs the customer (tenant) of policies and procedures and identified weaknesses, especially if customer (tenant) data is used as part of the service and/or the customer (tenant) has some shared responsibility over implementation of the control.

GCS utilizes third-party software to conduct internal and external vulnerability assessments on a quarterly basis. Assessments are reviewed to ensure that unencrypted network protocols are disabled. Remediation plans are created to address critical issues and are tracked to completion as part of the internal review process.

GCS maintains an internal audit program that focuses on developing, implementing, maintaining, and reassessing security controls to support risk mitigation strategies. The areas of focus include, but are not limited to, policy and procedure, logical and physical access, and business continuity. Quarterly internal audit results are compiled by the Governance, Risk and Compliance team and sent to the AVP of GCS.

A formal risk assessment is conducted annually by the Governance, Risk and Compliance team. Potential threats and vulnerabilities related to security and availability (including environmental, regulatory and technological changes) are reviewed and categorized. Remediation plans are created as needed and may include updates/changes to the current Information Security policies. The completed assessment is reviewed and approved by the AVP of GCS.
