Security White Paper

Version 3.0

Last Updated: December 2017


Date: December 19, 2017

Confidential - do not duplicate or distribute without written permission from SurveyGizmo. This is a controlled document that can only be obtained from the SurveyGizmo portal, which requires that you provide your name and contact details.

This document is being given to you to help you understand the security environment and culture of SurveyGizmo, and to answer questions that you may have from your security team. This document may be used in place of traditional security assessment checklists to help you with your due diligence. Possession of this document falls within SurveyGizmo's Terms of Use.

Our team strives to ensure accurate information, but because we are always evolving our security posture to match current and changing conditions, this document may not always reflect our exact architecture and it may not be error free.

We reserve the right to modify this information at any time.

Questions or comments: [email protected]


Table of Contents

Executive Summary ........................................ 5
Environment .............................................. 5
Application & Interface Security ......................... 7
    Application Development .............................. 7
Audit Assurance .......................................... 8
    Independent Audits ................................... 8
    Customers Auditing SurveyGizmo ....................... 8
Security Incident Management ............................. 8
    Incident Response Plan ............................... 8
    Breach Notification .................................. 9
Business Continuity Management & Operational Resilience .. 9
    Service Health and Failover .......................... 9
    Business Continuity Plan (BCP) ....................... 9
    Disaster Recovery Plan (DRP) ........................ 10
    Plan Testing ........................................ 11
    Business Impact Analysis (BIA) ...................... 11
    Reliability and Backup .............................. 11
    Data Retention ...................................... 11
Change Control & Configuration Management ............... 11
Data Security & Info Lifecycle .......................... 12
Datacenter Security ..................................... 12
Encryption & Key Management ............................. 13
    AWS Encryption of Data at Rest ...................... 13
    Encryption Methodology and Key Strength ............. 13
    Encryption Key Management ........................... 13
    Data Encryption ..................................... 13
    Secure Survey Share Links ........................... 14
Governance & Risk Management ............................ 14
    Security Standards .................................. 14
Human Resources ......................................... 15
    Background Checks ................................... 15
    Bring Your Own Device (BYOD) ........................ 15
Security Skills Assessment and Appropriate Training ..... 15
    Training ............................................ 16
    Phishing ............................................ 16
Access Provisioning Management .......................... 16
    Administrative Access ............................... 16
    Access for Third Party IT Solution and Service Provider  16
    Password Settings ................................... 17
AWS Host Datacenter ..................................... 17
    AWS Firewalls ....................................... 18
    AWS Secure Network Architecture ..................... 19
    AWS Secure Access Points ............................ 19
    Amazon Corporate Segregation ........................ 19
    AWS Fault-Tolerant Design ........................... 19
Logging & Alerting ...................................... 20
    Logs ................................................ 20
    Federated Multi-Tenant Database Designs ............. 20
    Background Queued Processes ......................... 20
    Redundant Data Stores ............................... 20
Supply Chain Management ................................. 20
Threat & Vulnerability Management ....................... 21
    Scanning and Patching ............................... 21
AWS Service Organization Controls (SOC) 3 Report ........ 21
References .............................................. 21


Executive Summary

At SurveyGizmo we take data security very seriously.

SurveyGizmo is an exceptionally powerful, easy to use software that gives you access to the answers you're after, no matter your budget. Collect data of all kinds on our global, scalable, reliable platform, then use our reporting tools to find trends and patterns.

Because SurveyGizmo is primarily a Do-it-Yourself (DIY) application and is utilized globally, we strive to ensure compliance with specific requirements, but we don't guarantee it. We have implemented a holistic and comprehensive approach to both security and privacy, but SurveyGizmo does not claim to have a complete understanding of all the unique compliance and privacy requirements for each country. See the SurveyGizmo Privacy Whitepaper for more information on compliance.

We give you the tools but it is up to you to implement them correctly. Ultimately, the security of the data you collect is your responsibility.

Your data is protected with numerous anti-hacking measures, redundant firewalls, and constant security scans. Because security is so important to us, our CEO has approved all Information Security and Privacy policies, and our Team Directors and Managers are responsible for compliance and security at the team level.

In addition to undergoing full background checks, all employees attend security awareness and compliance training when they start at SurveyGizmo. There is also an annual refresher training for current employees.

Finally, we annually review all our Security and Privacy policies, and this SurveyGizmo Security Document is frequently updated to bring you up-to-the-moment information about our data protection efforts.

Some of our most important security initiatives include:

• All of our software and services are online, and we don't require any software downloads.

• We offer multiple methods for survey taking, such as web browsing, offline mode, QR codes, smartphones, and tablets.

• Through Amazon Web Services (AWS), we have a fault-tolerant, Highly Available (HA), and scalable infrastructure. We employ redundant firewalls and load balancers to protect against intrusion and surges in traffic volume. We are committed to providing a 99.9% uptime for survey takers and application users, and in 2015 we were able to provide 99.95% availability.

Environment

SurveyGizmo's offices are located at 4888 East Pearl Circle in Boulder, Colorado. It is an energetic and dynamic place to work which allows employees the freedom to express themselves while working very hard to provide the best services and application to the customers. A few remote offices are located in the United States and employees are allowed to work from home. The Boulder offices are accessed via secure badge access only and there is a strict visitor policy.


SurveyGizmo is a midsized business, so the definition of "formal" and "documented" is whether the process is predictable and constantly repeatable. SurveyGizmo has implemented the exact level of policies, standards, plans, and procedures for the environment. SurveyGizmo follows similar guidelines as bigger companies, and how these guidelines are implemented aligns with the corporate vision and mission.

SurveyGizmo has a lean agile development environment with bi-weekly sprints. Releases are sometimes done multiple times per day. These releases are automatic and the customer does not decide if and when they are applied. SurveyGizmo may from time to time, in its sole discretion, change some or all of the functionality or any component of the SurveyGizmo application.

Applications with customer specific information are only available while employees are physically in the Boulder office or through a VPN connected to the physical office. By policy, SurveyGizmo does not allow employees to work from "Starbucks like" locations or use a split-tunnel VPN. SurveyGizmo has multiple employee policies including an Acceptable Use policy. New Hire training is mandatory and SurveyGizmo provides quarterly training updates.

Because we are hosted by AWS, we leverage their power to be highly available, to increase our reliability, and to offer increased flexibility that lets us scale up for surges in traffic in almost real time. Automated redundancies are in place for a scalable infrastructure to accommodate high traffic. Because of this, security in the cloud is slightly different than security in on premise data centers.

Because SurveyGizmo is hosted by AWS, SurveyGizmo leverages their power to be highly available, to increase the reliability, and to offer increased flexibility that lets SurveyGizmo scale up for surges in traffic in near real time. We have a shared security responsibility model with AWS. We utilize AWS for Infrastructure as a Service (IaaS), and they are responsible for the underlying infrastructure that supports the cloud. They are responsible for protecting the global infrastructure that runs all the services offered in the AWS cloud. This infrastructure is comprised of the hardware, software, networking, and facilities that run AWS services.

Unlike the traditional on premise software model, where the customer has 100% responsibility for securing their systems, a customer who utilizes a Cloud Service Provider (CSP) is now utilizing the shared security model. AWS has a model which can be found in the Shared Responsibility Model. Below is the SurveyGizmo shared security model. Depending on the CSP model selected, either Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), or Software-as-a-Service (SaaS), the level of responsibility shifts from one party to the other. In all the models, White indicates the Customer's Responsibility; the Light Grey is AWS's Responsibility; and the Dark Gray is SurveyGizmo's Responsibility.


Shared Security Diagram

[Figure: three columns, IaaS, PaaS and SaaS, each listing the same layers: Physical, Infrastructure, Network, Virtualization, Operating System, Application, Service Configuration, Access, Data. The party responsible for each layer (Customer, AWS or SurveyGizmo) is indicated by the shading described above.]

For more information on Amazon's extensive security controls, see their Overview on Security Paper or check out their enormous library of resources.

Application & Interface Security

Application Development

SurveyGizmo is a traditional Linux, Apache, MySQL, and PHP (LAMP) based application. LAMP is an acronym which stands for Linux operating system (OS), Apache HTTP Server, MySQL relational database management system (RDBMS), and PHP programming language. We've developed SurveyGizmo as a multi-tier (N-Tier) Application using the MVC (Model-View-Controller) Design pattern.

The N-Tier architecture is a client-server software architecture platform in which the presentation (web application), the processing/function logic (workers), and the database are logically separated processes. This allows any part of the three tiers to be developed and maintained independently of the others, creating maximum flexibility and the ability to respond to technology changes in any one tier. MVC is a software architecture pattern for implementing user interfaces on computers. These architectural decisions help to separate the different logical responsibilities of the application.

We also never outsource; all development and quality assurance activities are performed in-house. The SurveyGizmo application is 100% developed by employees.

• We use supported 3rd party libraries as necessary to enhance and produce new features.
• Manual Source Code review before check-in.
• Peer Review for critical code.
• Static Code Analysis tool.
• We use Jenkins for automated DevOps.

To ensure a secure platform, we utilize the Open Web Application Security Project (OWASP) standards during the software development process. We focus not only on improving the functionality of our product, but also on improving the security of our software.

All members of the Product Development Group are required to adhere to the OWASP top 10 standards: injection; weak authentication and session management; cross site scripting; insecure direct object references; security misconfiguration; sensitive data exposure; missing function level access control; cross site request forgery; using components with known vulnerabilities; and unvalidated redirects and forwards. For more information please see: OWASP top 10.

We use a code repository along with a managed ticketing, review, and approval process. Our development team utilizes standard quality assurance procedures, and automated regression testing is performed prior to each production deployment.

We never use production data for testing purposes, unless it is required to resolve a client-reported support issue.

We have separate development, test, and production environments for both our website and application. Work progresses from development to quality assurance to production, where it can be seen and used by our customers. A modified Lean Agile System Development Life Cycle (SDLC) methodology is used for development, and issues are reported from both clients and employees. Issues are tested and documented in Support and prioritized by the Product Development Team. Production servers are only accessed through Secure Shell (SSH), or from the office network through a Virtual Private Network (VPN). The VPN is IPsec and traffic is logged.

Audit Assurance

Independent Audits

Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations.

SurveyGizmo utilizes WhiteHat Security (https://www.whitehatsec.com/) to perform an annual application penetration test on the SurveyGizmo application. SurveyGizmo also utilizes the WhiteHat Security application scanner to do continuous scanning of the application.

SurveyGizmo utilizes Trustwave (https://www.trustwave.com/home/) to perform quarterly network penetration tests on the SurveyGizmo network environment.

SurveyGizmo staff also utilize Burp Suite (https://portswigger.net/burp) to perform their own quarterly scans.

SurveyGizmo hired an independent third party to perform a Health Insurance Portability and Accountability Act (HIPAA) audit.

Customers Auditing SurveyGizmo

We don't allow customers to perform application or network penetration testing on us.

Security Incident Management

Incident Response Plan

Incident Response is a significant aspect of any Information Technology program. Preventive activities such as application scanning, password management, intrusion detection and intrusion prevention systems, firewalls, risk assessments, malware & anti-virus prevention, and user awareness and training can reduce the number of incidents; however, not all incidents can be prevented. Incident Response capabilities are necessary for detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring services.

Our plan covers the Incident Response Requirements, Roles and Responsibilities of each Incident Response Team member, their contact information, Incident Handling Procedures, Incident Reporting Procedures, and complementary Metrics. We have procedures for normal business hours as well as for after-hours and weekends. All employees are trained in the procedures, and they understand how and when to escalate an issue. Our Compliance Manager and the IT Manager are responsible for enforcing information security policies, procedures, and control techniques to address all applicable requirements. They also ensure 100% participation of personnel in the Security Awareness Training Program. Our Incident Response Team consists of the Director of Operations, Director of Development, Compliance Manager, IT Manager, and specific IT administrative and support staff.

Breach Notification

Suspected incidents are reported to the Team Managers, who are responsible for organizing the investigation and notifying internal stakeholders. If the investigation finds a need for containment, that will occur, then analysis will follow. If repair, recovery or remediation is needed, that will follow.

Notifications to clients will be made based on contractual or legal obligations, reporting will be made to Executive Management, and training issues will be addressed. If a breach is detected with your data, you will be notified as soon as we are able to notify.

Business Continuity Management & Operational Resilience

The purpose of preparing for contingencies and disasters is to provide for the continuation of critical missions and business functions in the event of disruptions. SurveyGizmo has both a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP). The BCP refers to strategies about how the business should plan for both interruptions in service and continuation after a disaster. The BCP allows for the advance planning to ensure the business has defined its critical business products and services and that these critical assets can continue to be delivered. The DRP, by contrast, refers to how the information technology and information systems should recover in the event of a disaster. The DRP should detail what should be done immediately after a disaster to recover from the event.

Service Health and Failover

Customers can subscribe to the SurveyGizmo Status IO page for immediate notification of issues related to the SurveyGizmo application: https://surveygizmo.statuspage.io/. As the SurveyGizmo application is completely reliant on the availability of AWS, customers can customize the following AWS page for their availability: http://status.aws.amazon.com/. Also, if you send emails via the SurveyGizmo application, you can ensure that RackSpace (the hosting provider for email service) is available via the following page: https://rackspace.service-now.com/system_status/. We currently don't allow our customers to move away from either AWS or RackSpace as the hosting provider.

Business Continuity Plan (BCP)

The BCP identifies the critical business functions needed to ensure the availability of essential services and programs and ensures the continuity of operations. The identification of critical business functions is called a Business Impact Analysis (BIA). Continuity planning is one component of a much broader emergency preparedness process that includes items such as contingency planning, business practices, and operational continuity. Preparing for such events often involves implementing policies and processes at an organizational level and may require numerous plans to properly prepare for, respond to, recover from, and continue activities if impacted by an event. Managers must also consider the impacts of disruptions and plan, in alignment with organizational standards and policies, for such events. As one component of a comprehensive risk management approach, Business Continuity planning should identify potential vulnerabilities and threats and then implement approaches to either prevent such events from happening or limit their potential impact.

SurveyGizmo's BCP identifies the types of incidents which could lead to the activation of the BCP and it includes the roles and responsibilities of SurveyGizmo staff should the plan be activated. To help with ranking of tasks, it includes a BIA which was developed by determining the business processes and recovery criticality, identifying resource requirements, and then identifying recovery priorities for system resources.

Disaster Recovery Plan (DRP)

By definition, a disaster cannot be prevented, but steps can be taken to eliminate or reduce the impact of the disaster on the business. For SurveyGizmo, a disaster could be complete loss of AWS Availability Zones for more than 24 hours, compromise of information/architecture integrity for more than 24 hours, a natural disaster that destroys the Boulder offices, or global to local environmental factors. A great deal of consideration is taken to ensure that if a disaster occurs the necessary strategies are in place to reduce the impact to our customers. Some of the preventive measures that SurveyGizmo utilizes are ensuring proper support for data migration and durable storage from AWS, ensuring proper alerting, ensuring good backups, ensuring employees have connections from their homes, and monitoring early warning systems.

The DRP identifies the requirements to recover the information technology assets from a disaster. It also defines the Recovery Point Objective (RPO), Recovery Time Objective (RTO) and Maximum Tolerable Downtime (MTD). Organizations whose major applications are processed at a shared facility should work with the facility management to develop a plan for post-disaster recovery (i.e., which applications/buildings/systems should be restored first). SurveyGizmo has a DRP that includes shared responsibilities with Amazon and it is reviewed annually. Amazon utilizes disaster recovery facilities that are geographically remote from their primary data center. When using the AWS disaster recovery shared security model, they provide the physical infrastructure, network, and operating systems, and SurveyGizmo ensures the proper configuration and logical access to the resources.

The following recovery plan objectives have been established for SurveyGizmo:

• Identify the activities, resources, and procedures to carry out SurveyGizmo processing requirements during prolonged interruptions to normal operations.

• Assign responsibilities to designated personnel and provide guidance for recovering SurveyGizmo during prolonged periods of interruption to normal operations.

• Coordinate Disaster Recovery planning activities with Business Continuity actions and Incident Response activities.

• Ensure coordination with external points of contact and vendors associated with SurveyGizmo.

• Ensure coordination with other plans associated with SurveyGizmo.


Plan Testing

Test and exercise events should be conducted periodically to determine the plan's effectiveness and to ensure that all personnel know their role and are informed of the specific actions required of them. For each test and/or exercise activity which is conducted, the results will be documented and lessons learned action items will be taken so that the associated plans, policies, and procedures can be updated. We annually test the BCP and DRP.

Business Impact Analysis (BIA)

As stated above, to help with ranking of tasks, our BCP includes a BIA which was developed by determining the business processes and recovery criticality, identifying resource requirements, and then identifying recovery priorities for system resources.

Reliability and Backup

All network components are configured in a redundant configuration. All customer data is stored on a primary database server with multiple active clusters for redundancy. The database servers utilize RAID disks and multiple data paths to ensure reliability and performance.

Automated encrypted snapshots (differentials) of databases are performed hourly, and all data storage is redundant. Encrypted daily snapshots are maintained for a minimum of 30 days and test restores are conducted at least quarterly. Backup media resides on AWS' Simple Storage Service (S3) infrastructure, which offers '11 9s' of redundancy.

Data Retention

SurveyGizmo retains data that we process on behalf of our customers and data collected directly from our customers as long as it is needed to provide services to our customers. SurveyGizmo will retain and use this data as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Sometimes users have unique needs, either under specific regulations or other institutional or state requirements, that require exceptions to these guidelines. If you need your data deleted, you are responsible to contact SurveyGizmo and request this action. You can go to this location for more information on deletion: https://help.surveygizmo.com/help/delete-data

For instance, occasionally data needs to be completely destroyed after its intended use. In many cases, data is retired and locked away rather than actually destroyed (e.g. when a customer stops paying for an account, downgrades to a different account plan, etc.). In most cases this makes the loss retrievable in the event of a mistake. We can, however, comply with a request for total data destruction if necessary.

Change Control & Configuration Management

System modifications can introduce risks to system integrity or reliability as well as threats to data confidentiality unless the systems include adequate controls. Change management is the process of requesting, analyzing, approving, developing, implementing, and reviewing a planned or unplanned change within the IT infrastructure. The change management process begins with the creation of a change request within SurveyGizmo's selected technology platform. It ends with the satisfactory implementation of the change and the communication of the result of that change to all interested parties.


The system risk impact from changes and the risk probability of adverse events falls into three categories:

• Low - If an adverse event is encountered, the financial damage or confidential data exposure is minimal or non-existent. The risk of an adverse event is statistically very low and would require prevention measures that outweigh the expenditure of resources (both time or money) to gain a significant improvement in order not to encounter this risk.

• Medium - If an adverse event is encountered, the financial damage or confidential data exposure impact is moderate, and could be outside of the risk tolerance for SurveyGizmo. The risk of an adverse event is statistically moderate and the investment of resources to mitigate the possibility of an event would essentially cost about as much as the impact of the event in resources.

• High - If an adverse event is encountered, the financial damage could be high, and the financial damage or exposure of confidential data could be widespread or critical. The risk of an adverse event is statistically high. The adverse effects far outweigh the investment in resources to significantly reduce the likelihood of an event or to reduce the overall risk impact of damages to place it into a lower Risk Impact category.

In addition to impact and probability, the scope or number of components touched during a change also can partially determine the security risk. In general, more places touched means the potential for more risk. SurveyGizmo defines scope as small, medium, large, and extra-large, with extra-large being the riskiest.

Data Security & Info Lifecycle

We allow the ability for customers to permanently delete their data from our systems. Due to being a multi-tenant solution, backups for any individual tenant will be permanently deleted once the age of the backup exceeds the age of the oldest backup being retained.
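A small model of the retention rule above together with the backup schedule from Reliability and Backup, as an added example that is not SurveyGizmo's code: it computes which snapshots a given day prunes and when a deleted tenant's rows have left every retained backup. The 30-day window for daily snapshots is the paper's figure; the 24-hour window for hourly differentials and the snapshot inventory are constructed assumptions.

```python
"""Backup retention versus tenant deletion.

Added example, not SurveyGizmo's code. It models two statements from the
white paper: encrypted daily snapshots are kept for a minimum of 30 days
(hourly differentials are also taken), and a deleted tenant's data leaves
the backups only when the backups that still contain it have aged out.
The 30-day daily window is the paper's figure; the 24-hour window for
hourly differentials and the inventory below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

DAILY_RETENTION = timedelta(days=30)    # minimum stated in the white paper
HOURLY_RETENTION = timedelta(hours=24)  # assumption: differentials superseded after a day


@dataclass(frozen=True)
class Snapshot:
    snapshot_id: str
    kind: str        # "daily" or "hourly"
    taken: datetime


def expires_at(snap: Snapshot) -> datetime:
    """Instant from which `snap` is no longer retained."""
    window = DAILY_RETENTION if snap.kind == "daily" else HOURLY_RETENTION
    return snap.taken + window


def prune(snapshots, now):
    """Split an inventory into (kept, expired) as of `now`.

    A snapshot is retained while now < expires_at; once it is as old as its
    retention window it is deleted, which is the paper's rule that a tenant's
    backups go away when their age exceeds that of the oldest retained backup.
    """
    kept = [s for s in snapshots if now < expires_at(s)]
    expired = [s for s in snapshots if now >= expires_at(s)]
    return kept, expired


def tenant_purge_complete_at(snapshots, deleted_at):
    """Earliest instant at which no backup can still hold a tenant deleted at `deleted_at`.

    Every snapshot taken before the deletion may contain the tenant's rows,
    so the purge completes when the last of those expires. Snapshots taken at
    or after the deletion never held the data; if none predate it, the purge
    is complete at the deletion itself.
    """
    containing = [s for s in snapshots if s.taken < deleted_at]
    if not containing:
        return deleted_at
    return max(expires_at(s) for s in containing)


def build_inventory(first_day, last_day, hourly_from, hourly_to):
    """Constructed inventory: one daily snapshot at 02:00 per calendar day and
    one hourly differential per hour in [hourly_from, hourly_to]."""
    snaps = []
    day = first_day
    while day <= last_day:
        snaps.append(Snapshot(f"daily-{day:%Y%m%d}", "daily", day.replace(hour=2)))
        day += timedelta(days=1)
    t = hourly_from
    while t <= hourly_to:
        snaps.append(Snapshot(f"hourly-{t:%Y%m%d%H}", "hourly", t))
        t += timedelta(hours=1)
    return snaps


NOW = datetime(2017, 12, 19, 12, 0)
SAMPLE_INVENTORY = build_inventory(
    first_day=datetime(2017, 11, 1), last_day=datetime(2017, 12, 19),
    hourly_from=datetime(2017, 12, 17, 0), hourly_to=NOW,
)
DELETED_AT = datetime(2017, 12, 19, 10, 30)  # constructed tenant deletion time


if __name__ == "__main__":
    kept, expired = prune(SAMPLE_INVENTORY, NOW)
    print(f"retained {len(kept)} snapshots, pruning {len(expired)}")
    print("tenant data gone from all backups at",
          tenant_purge_complete_at(SAMPLE_INVENTORY, DELETED_AT))
```

The practical consequence for a data-deletion request is visible in the last value: the live rows are gone immediately, but the most recent daily snapshot still holds them until it ages out, so the deletion is only complete up to 30 days later.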

Datacenter Security

According to the AWS Security whitepaper, AWS's data centers are state of the art, utilizing innovative architectural and engineering approaches. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure.

AWS data centers are housed in nondescript facilities. Physical access is strictly controlled, both at the perimeter and at building ingress points, by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. In the US, we are part of the US East (VA) Region, which has 5 highly redundant and reliable zones. They are in New York, NY; DA3 & DA6, Dallas, TX; DC6 & DC10, Ashburn, VA. In the EU, our data center is in Frankfurt, Germany, which is part of the EU Central region. For security reasons and as part of AWS policy, AWS doesn't provide the physical addresses of the data centers. The main reason our customers would want the physical address is to ensure the data centers are sufficiently geographically separated to conform to standard disaster recovery requirements. AWS ensures they have that level of redundancy and reliability, which eliminates the need for actual physical addresses.


All physical access to datacenters by AWS employees is logged and audited routinely. Authorized staff must pass two-factor authentication a minimum of two times to access datacenter floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

AWS is also responsible for the security configuration of their products that are considered managed services. These services provide the scalability and flexibility of cloud-based resources with the additional benefit of being managed. For these services, AWS will handle basic security tasks like guest operating system (OS) and database patching, firewall configuration, and disaster recovery.

Encryption & Key Management

Data encryption is a primary control to protect confidential information from unauthorized access or misuse. Privacy laws in some US states designate data encryption as the only control that can help avert claims for negligence in protecting confidential information, and provide safe harbor from being required to disclose a data breach.

SurveyGizmo employees do not, on a regular basis, transmit protected confidential information. SurveyGizmo employees do not store confidential information in clear text on their laptops, smartphones or other mobile devices.

AWS Encryption of Data at Rest

All data at rest is encrypted on disk using AWS EBS encrypted volumes. AWS provides the ability to encrypt EBS volumes and their snapshots with AES-256. The encryption occurs on the servers that host the EC2 instances, providing encryption of data as it moves between EC2 instances and EBS storage.

Encryption Methodology and Key Strength

All encryption is accomplished using non-proprietary, industry standard encryption algorithms. Where possible, SurveyGizmo will ensure that strong encryption keys are implemented. AES-256 key length and greater are the recommended encryption algorithms and key strengths.

Encryption Key Management

Encryption keys, whether created and managed by SurveyGizmo or an encryption solution vendor, are securely stored and maintained.

Data Encryption

All survey data, even those that are designated as unencrypted, are encrypted at the disk level on the database servers. Surveys that are designated by the customer as encrypted are further encrypted at the row level. When surveys are flagged to be encrypted (by the customer), we further encrypt the data at the row level when it's inserted into the database on those drives, via survey-specific application-level encryption. This means that stored data cannot be accessed without a key and algorithm that is managed outside of the data store, and therefore provides a higher level of protection for your stored data. Project Data Encryption must be activated on a survey-by-survey basis. Once you have collected data in an encrypted survey, encryption cannot be enabled/disabled.


Access to the SurveyGizmo Application is available only through secure HTTPS. Data in transit is encrypted when customers choose to use HTTPS protocols for their account, API, or survey. We utilize TLS for our secure communication protocol and we are currently at the most recent patch level.

Additionally, data is encrypted at rest, and additional layers of encryption can be enabled, managed, and controlled via client-facing features.

Secure Survey Share Links

If you wish to take advantage of an extra layer of security when collecting data, you can use secure links, designated by the "https" protocol. Https links use a Secure Socket Layer (SSL) to transport data safely between client and survey using an encryption algorithm. By default, all newly created standard web links are secured.

Governance & Risk Management

The SurveyGizmo IT Risk Management Program integrates risk identification and mitigation with policy and regulatory IT compliance management. SurveyGizmo will implement and maintain an IT Risk Management Program that will leverage industry best practices, guidelines and standards, and include the following elements. SurveyGizmo will:

• Perform an IT Risk Assessment and analysis at least once per year.
• Develop and implement Policies and Standards to meet IT risk mitigation objectives as well as maintaining compliance with privacy and other regulatory requirements.
• Establish a remediation prioritization process that allocates a priority level to the threats and vulnerabilities that have the potential to cause significant impact or harm to SurveyGizmo services, systems, devices, or confidential data.
• Perform an information technology risk assessment and select adequate controls to mitigate known risks. The controls will be consolidated in a Risk Register. An IT Risk Assessment will be performed prior to deployment of new or modified systems.

Risk Determination is used to assess the level of risk to the IT systems. The determination of risk for a particular threat/vulnerability pair will be measured using a risk level matrix. The risk level matrix will be expressed in terms of probability and impact level as shown below:

Security Standards

In 2016, we are implementing the CIS Critical Security Controls. We also utilize the Open Web Application Security Project (OWASP) standards during the software development process. We perform a risk assessment and self-audit, which is done each fall. All employees receive annual refresher Security Awareness Training.

We do not allow unauthorized, external parties to conduct testing against our systems. It is our policy that we do not share, at any level, the policies and procedures related to the security and compliance of our systems.


Human Resources

The purpose of implementing a Human Resources Standard is to ensure that data and IT Assets are used in an appropriate, responsible, and legally compliant manner consistent with the business strategy of SurveyGizmo. The Human Resource Standard ensures the confidentiality, integrity, and availability of SurveyGizmo systems and data. The following describes how our employees are managed.

• All employees are subject to background verification.
• We specifically train our employees in regard to their specific role and the information security controls they must fulfill.
• All employee training is documented with their acknowledgement of completion.
• All personnel are required to sign NDA or Confidentiality Agreements as a condition of employment to protect customer information.
• All personnel are trained and provided with security awareness training programs at least once a year.
• We have documented policies, procedures and guidelines in place to govern change in employment and/or termination. Our documented policies, procedures and guidelines account for timely revocation of access and return of assets.
• We can provide documentation regarding how we may access customer data via an Acceptable Use Policy.
• Users are made aware of their responsibilities for maintaining awareness and compliance with published security policies, procedures, standards and applicable regulatory requirements, and understand the sanctions for non-compliance.
• Users are made aware of their responsibilities for leaving unattended equipment in a secure manner.
• We use industry standard endpoint protection software on all company laptops. Laptop scanning is scheduled to run daily, and employees are encouraged to report any errors to the privileged IT Admins. We manage administrator privileges on all equipment, and all new laptops are encrypted.

Background Checks

We partner with an employment screening vendor to complete background checks on all employees before they are hired. The human resources department completes reference checks on all employees. We comply with the federally mandated requirements regarding I-9 (The Employment Eligibility Verification Form) documentation.

Bring Your Own Device (BYOD)

All employees are issued company-owned equipment, and all company-owned equipment is managed by the office IT administrators. Per company policy, employees cannot access customer data from their personal devices, including laptops and cell phones.

Security Skills Assessment and Appropriate Training

Security Training and measurement is the responsibility of the Security and Compliance Manager. The 9th annual Verizon 2016 Data Breach Investigations Report (DBIR) states that the human threat vector is the most pressing issue today. Our employees are our biggest weakness, and 63% of confirmed breaches involved weak, default, or stolen passwords. To combat this threat, SurveyGizmo ensures management support, increases employee awareness of security issues, measures our success, and continuously improves our methods. Studies show that it takes 90 days to break a habit and 90 days to form a new habit, so a successful program will take consistent attention and determination to turn our employees from security liabilities to security assets.

Training

We have developed a robust, ongoing training plan for all new and existing employees. All new employees are required to attend seven days of SurveyGizmo training.

During this training, in addition to the application training, they also attend the following:

• two-hour Welcome and Orientation
• two-hour SG Brand and Lifecycle of an SG Customer
• three-hour Giving Great Service
• one-hour Security and Compliance Training session

Phishing

In 2016, we implemented user behavior training during which we 'phish' our own employees. This training allows us to train our employees on good email and web browsing habits. We utilize a method of assessing their knowledge and identifying areas of vulnerability, educate and perform quick lessons learned, followed by additional training if needed. We are constantly measuring and reinforcing good internet-use habits.

Existing employees receive annual refresher Security Awareness Training. We have a weekly company meeting where the Executive Management Team reports our revenue, expenses, and account numbers. We also utilize this time with the entire company to discuss important topics, like security and compliance training.

Access Provisioning Management

Access will be provisioned to users based on their specific job, on a 'need to know' basis. Users will be provided the least amount of access required to successfully complete their job requirements. A request to provision access to systems or data beyond those normally required for job responsibilities, including administrative access or elevated access to confidential data, must be reviewed and approved by SurveyGizmo Senior Management.

Administrative Access

Administrative privileges must be limited to only those administrator accounts required to manage or maintain systems, applications or data. Only Administrator accounts will be used to perform administrative functions. All other user accounts will have lower levels of privilege. High level system privileges such as 'root', administrator, SA or default user file permissions that allow unrestricted access to computer systems are reserved for IT system administration.

Access for Third Party IT Solution and Service Provider

SurveyGizmo utilizes AWS, a third-party provider of IT solutions and services, to provide the SaaS services including network and system infrastructure to support SurveyGizmo IT needs. AWS has agreed to maintain the confidentiality, integrity and availability of the systems and data per their IT Security Policies, and contractual obligations to SurveyGizmo.

• A contract was entered into with AWS in July 2014. The standard terms of use were utilized with no customization.
• A Business Associate Agreement (BAA) was signed with AWS on June 10, 2015.
• A Data Processing Agreement (DPA) was signed with AWS on September 20, 2016.

SurveyGizmo utilizes Salesforce for customer support ticketing.

• A contract was entered into with Salesforce in 2016. The standard terms of use were utilized with no customization.
• A Business Associate Agreement (BAA) was signed with Salesforce on January 23, 2017.
• A Data Processing Agreement (DPA) was signed with Salesforce on December 14, 2016.

Password Settings

Passwords are stored using salted encryption. Application credentials (username/passwords) are NEVER logged. If you choose to use the login/password action, this information is stored in clear text, so it shouldn't be used for sensitive data collection. SurveyGizmo personnel will not reset user passwords. In the event of a password being misplaced, users are sent a unique link via email, which they will use to reset their password.

Some SurveyGizmo customers collect highly sensitive data that requires the utmost security, while others find these stringent measures annoying. To accommodate our wide range of users, our password security settings allow administrators to determine the precise level of security necessary to protect each SurveyGizmo account. An administrator can configure these options within their account:

• Expiration Interval: Set a time interval for password expiration (e.g. 3 days to 12 months)
• Password Reuse Rules: Disallow password reuse, either by password history or interval of time elapsed (e.g. every X passwords or every X months/years)
• Minimum/Maximum Length: Specify a minimum and/or maximum password length
• Require at least one upper and one lower case letter: Choosing this option requires all users' passwords to contain at least one upper case and one lower case letter
• Require at least one number: Choosing this option requires all users' passwords to contain at least one number
• Require at least one special character: Choosing this option requires all users' passwords to contain at least one special character
• Set up a complex rule (using Regex): You can specify your own password pattern using Regular Expressions (Regex)
• Password cannot contain SurveyGizmo user information: This makes it impossible for users to incorporate their username, email address, or user id into their password.
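An added example (not SurveyGizmo's code) of how the settings above can be enforced: each option becomes one check, and password reuse is detected by re-hashing the candidate against salted hashes of previous passwords rather than by keeping old passwords in clear text. The field names, the PBKDF2 stand-in for the credential store, and the sample user are assumptions.

```python
import hashlib
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PasswordPolicy:
    """One account's password settings (field names are assumptions)."""
    min_length: int = 8
    max_length: Optional[int] = None
    require_upper_and_lower: bool = False
    require_number: bool = False
    require_special: bool = False
    custom_regex: Optional[str] = None   # "Set up a complex rule (using Regex)"
    forbid_user_info: bool = False       # username, email address or user id
    history_size: int = 0                # "Password Reuse Rules" by history


@dataclass
class User:
    username: str
    email: str
    user_id: str
    # Previous passwords are kept only as (salt, hash) pairs, never in clear text.
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a constructed stand-in for the real credential store."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password(policy: PasswordPolicy, user: User, candidate: str) -> List[str]:
    """Return every rule the candidate violates; an empty list means accepted."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.max_length is not None and len(candidate) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if policy.require_upper_and_lower and not (
        re.search(r"[A-Z]", candidate) and re.search(r"[a-z]", candidate)
    ):
        problems.append("needs at least one upper and one lower case letter")
    if policy.require_number and not re.search(r"\d", candidate):
        problems.append("needs at least one number")
    if policy.require_special and not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("needs at least one special character")
    if policy.custom_regex and not re.search(policy.custom_regex, candidate):
        problems.append("does not match the account's custom pattern")
    if policy.forbid_user_info:
        lowered = candidate.lower()
        local_part = user.email.split("@")[0]
        for token in (user.username, user.email, local_part, user.user_id):
            if len(token) >= 3 and token.lower() in lowered:
                problems.append(f"contains user information ({token})")
                break
    if policy.history_size:
        # Re-hash the candidate with each stored salt; an equal digest means reuse.
        for salt, digest in user.history[-policy.history_size:]:
            if hash_password(candidate, salt)[1] == digest:
                problems.append("reuses one of the previous passwords")
                break
    return problems


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=12, require_upper_and_lower=True, require_number=True,
                            require_special=True, forbid_user_info=True, history_size=5)
    user = User("jdoe", "jdoe@example.com", "10042", history=[hash_password("OldPassw0rd!2016")])
    print(check_password(policy, user, "jdoe-Summer2017!"))  # ['contains user information (jdoe)']
    print(check_password(policy, user, "Tr0ub4dor&3-Lamp"))  # []
```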

AWS Host Datacenter

The following is a high level view of SurveyGizmo's topology.


AWS Firewalls

According to the AWS Security White Paper, Amazon EC2 provides a complete firewall solution; this mandatory inbound firewall is configured in a default deny-all mode, and we explicitly open the ports needed to allow inbound traffic. The traffic is restricted by protocol, by service port, and by source IP address (individual IP or Classless Inter-Domain Routing (CIDR) block).

Amazon Web Services - Overview of Security Processes - August 2015 page 28

The AWS firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface. All packets must pass through this layer; thus an instance's neighbors have no more access to that instance than any other host on the Internet. They can be treated as if they are on separate physical hosts. The physical RAM is separated using similar mechanisms. The firewall isn't controlled through the guest OS; rather, it requires an X.509 certificate and key to authorize changes, adding an extra layer of security.

To eliminate IP spoofing, the firewall will not permit an instance to send traffic with a source IP or MAC address other than its own.
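As an added illustration (not code from AWS or SurveyGizmo), the following models the inbound firewall behaviour described above: a default deny-all rule set keyed by protocol, port and source IP or CIDR block, the anti-spoofing check on an instance's own source address, and a small audit helper that flags rules open to the whole Internet on a non-web port. The rule fields, packet fields, PUBLIC_PORTS set and sample values are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    """One explicitly opened inbound rule (field names are assumptions)."""
    protocol: str      # "tcp", "udp" or "icmp"
    port_from: int     # inclusive port range; ignored for icmp
    port_to: int
    source: str        # individual IP or CIDR block, e.g. "203.0.113.0/24"


@dataclass(frozen=True)
class Packet:
    protocol: str
    dst_port: int
    src_ip: str
    src_mac: str


def allowed_inbound(rules: List[Rule], pkt: Packet) -> bool:
    """Default deny: a packet passes only if some rule matches protocol, port and source."""
    src = ipaddress.ip_address(pkt.src_ip)
    for rule in rules:
        if rule.protocol != pkt.protocol:
            continue
        if rule.protocol != "icmp" and not rule.port_from <= pkt.dst_port <= rule.port_to:
            continue
        if src in ipaddress.ip_network(rule.source, strict=False):
            return True
    return False


def allowed_outbound(instance_ip: str, instance_mac: str, pkt: Packet) -> bool:
    """Anti-spoofing: an instance may only send with its own source IP and MAC address."""
    return pkt.src_ip == instance_ip and pkt.src_mac.lower() == instance_mac.lower()


PUBLIC_PORTS = {80, 443}   # the only ports this model expects to be open to everyone


def overly_permissive(rules: List[Rule]) -> List[Rule]:
    """Audit helper: rules whose source is the whole address space on a non-web port."""
    flagged = []
    for rule in rules:
        net = ipaddress.ip_network(rule.source, strict=False)
        ports = range(rule.port_from, rule.port_to + 1)
        if net.prefixlen == 0 and any(p not in PUBLIC_PORTS for p in ports):
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    # Constructed rule set: HTTPS from anywhere, SSH from an office range, MySQL from a subnet.
    rules = [
        Rule("tcp", 443, 443, "0.0.0.0/0"),
        Rule("tcp", 22, 22, "203.0.113.0/24"),
        Rule("tcp", 3306, 3306, "10.0.1.0/24"),
    ]
    web = Packet("tcp", 443, "198.51.100.7", "02:00:00:00:00:01")
    ssh = Packet("tcp", 22, "198.51.100.7", "02:00:00:00:00:01")
    print(allowed_inbound(rules, web), allowed_inbound(rules, ssh))  # True False
    print(overly_permissive(rules + [Rule("tcp", 22, 22, "0.0.0.0/0")]))
```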

AWS technologies: Web Application Firewall / CloudFront / Route 53. Functions include: IDS, IPS, blacklists, DDoS and spoofing prevention.

AWS technologies: Virtual Private Cloud / Security Groups / Network ACLs, EC2. Functions include: subnet ACLs, inbound and outbound port restrictions, DMZ proxy layer.


Additional technologies: The DMZ proxy layer, which includes software that provides additional layer 3-7 protection.

Host-based protection: Functions include: subnet/port ACLs.

Amazon Web Services - Overview of Security Processes - August 2015 page 23

AWS Secure Network Architecture

According to the AWS Security White Paper, network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACL), and configurations to enforce the flow of information to specific information system services.

ACLs, or traffic flow policies, are established on each managed interface, which manage and enforce the flow of traffic. ACL policies are approved by Amazon Information Security. These policies are automatically pushed using AWS's ACL Manage tool, to help ensure these managed interfaces enforce the most up-to-date ACLs.

AWS Secure Access Points

According to the AWS Security White Paper, they have strategically placed a limited number of access points to the cloud to allow for a more comprehensive monitoring of inbound and outbound communications and network traffic. These customer access points are called API endpoints, and they allow secure HTTP access (HTTPS). This access type allows you to establish a secure communication session with your storage or compute instances within AWS.

In addition, AWS has implemented network devices that are dedicated to managing interfacing communications with Internet Service Providers (ISPs). AWS employs a redundant connection to more than one communication service at each internet-facing edge of the AWS network. These connections each have dedicated network devices.

Amazon Corporate Segregation

According to the AWS Security White Paper, logically, the AWS Production network is segregated from the Amazon Corporate network by means of a complex set of network security and segregation devices. AWS developers and administrators on the corporate network who need to access AWS cloud components in order to maintain them must explicitly request access through the AWS ticketing system. All requests are reviewed and approved by the applicable service owner. Approved AWS personnel then connect to the AWS network through a bastion host that restricts access to network devices and other cloud components, logging all activity for security review. Access to bastion hosts requires SSH public key authentication for all user accounts on the host.

AWS Fault-Tolerant Design

According to the AWS Security White Paper, Amazon's infrastructure has a high level of availability and provides its customers with the capability to deploy a resilient IT architecture. AWS has designed its systems to tolerate system or hardware failures with minimal customer impact. Datacenters are built in clusters in various global regions. All datacenters are online and serving customers; no datacenter is "cold." In case of failure, automated processes move customer data traffic away from the affected area. Core applications are deployed in an N+1 configuration, so that in the event of a datacenter failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.

Logging & Alerting

The lack of effective system logging and monitoring reduces SurveyGizmo's ability to identify threats, cyber-attacks or security events.

Logs

Logs are kept for a minimum of 90 days and are stored in AWS. We maintain user access log entries that contain the date, time, customer information, operation performed, and source IP address. If there is suspicion of inappropriate use, SurveyGizmo can provide customer log entry records to assist in analysis. This service is provided on a time and materials basis.

Robust monitoring software is used to monitor performance and notify us of any problems in our production environment. The checks include, but are not limited to, business logic, database layer, disk space, resources, and application logs.

Federated Multi-Tenant Database Designs

In order to ensure that data collected for different purposes can be processed separately, SurveyGizmo logically separates the data of each of its clients. We ensure that each customer has a unique login ID, and that data segmentation is keyed off a unique customer ID. Each customer has a unique username (email address) and a unique password. After repeated, unsuccessful logins, the lockout features prevent the login page from being resubmitted. By federating our data, we are also able to scale horizontally to support increasing users and customers.
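An added example (not SurveyGizmo's code) that runs two of the controls described under Logs and above over access log entries carrying the listed fields (date, time, customer, operation, source IP): the 90-day retention filter, and detection of the repeated failed logins that the lockout feature responds to. The log line format, the lockout threshold of 5 failures within 10 minutes, and the sample entries are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

LOCKOUT_THRESHOLD = 5                   # failed logins that trigger lockout (assumption)
LOCKOUT_WINDOW = timedelta(minutes=10)  # counted inside this span (assumption)
RETENTION = timedelta(days=90)          # minimum retention stated in the paper

# Constructed sample entries in a constructed format:
# "<date> <time> customer=<id> op=<operation> src=<source ip>"
SAMPLE_LOG = """\
2017-12-01 09:00:05 customer=C1001 op=login_failed src=198.51.100.23
2017-12-01 09:00:31 customer=C1001 op=login_failed src=198.51.100.23
2017-12-01 09:01:02 customer=C1001 op=login_failed src=198.51.100.23
2017-12-01 09:01:40 customer=C1001 op=login_failed src=198.51.100.23
2017-12-01 09:02:15 customer=C1001 op=login_failed src=198.51.100.23
2017-12-01 09:02:50 customer=C1001 op=login_ok src=198.51.100.23
2017-12-01 10:15:00 customer=C2002 op=login_failed src=203.0.113.8
2017-12-01 14:20:00 customer=C2002 op=login_failed src=203.0.113.8
2017-12-01 14:21:00 customer=C2002 op=export_responses src=203.0.113.8
2017-08-15 08:00:00 customer=C3003 op=login_failed src=192.0.2.77
"""


class Entry(NamedTuple):
    when: datetime
    customer_id: str
    operation: str
    src_ip: str


def parse_line(line: str) -> Entry:
    """Parse one access-log line into its fields."""
    date, time, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Entry(datetime.fromisoformat(f"{date}T{time}"), kv["customer"], kv["op"], kv["src"])


def within_retention(entries: List[Entry], now: datetime) -> List[Entry]:
    """Keep only entries younger than the retention period."""
    return [e for e in entries if now - e.when <= RETENTION]


def lockout_candidates(entries: List[Entry]) -> Dict[str, int]:
    """Accounts with >= LOCKOUT_THRESHOLD failed logins inside any LOCKOUT_WINDOW span."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for e in sorted(entries, key=lambda e: e.when):
        if e.operation == "login_failed":
            failures[e.customer_id].append(e.when)
    hits: Dict[str, int] = {}
    for customer, times in failures.items():
        start = 0                              # sliding window over sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > LOCKOUT_WINDOW:
                start += 1
            count = end - start + 1
            if count >= LOCKOUT_THRESHOLD:
                hits[customer] = max(hits.get(customer, 0), count)
    return hits


if __name__ == "__main__":
    entries = [parse_line(line) for line in SAMPLE_LOG.splitlines()]
    kept = within_retention(entries, datetime(2017, 12, 19))
    print(len(entries), len(kept))    # 10 9  (the August entry is past retention)
    print(lockout_candidates(kept))   # {'C1001': 5}
```

C2002's two failures are hours apart and never reach the threshold, so a burst is distinguished from ordinary mistyping.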

Background Queued Processes

We leverage a number of queuing systems to defer jobs that do not need to be transactional. This allows us to scale up and down the number of queues and workers to mirror the demands on our systems without impacting the front-end experience of users in the application.

Redundant Data Stores

To ensure that we never lose any of our customers' data, we have multiple strategies utilizing redundant data stores. These include RAID-based storage, Master/Read databases, and in-memory caching.

Supply Chain Management

SurveyGizmo will identify, classify and fulfill the required business need through a concise and consistent Vendor Management process. SurveyGizmo's prospective and current vendors will adhere to the same level of security that SurveyGizmo has.

SurveyGizmo requires the vendor procurement process to follow a specific set of steps before a determination is made to contract with a vendor for a particular business need. Creating and following an appropriate selection process, selection criteria and assignment of vendor risk level provides the consistency needed to ensure that all contracted vendors are fulfilling the required business need.


Threat & Vulnerability Management

Vulnerability management is a proactive approach to managing network security. It includes processes for checking for and identifying vulnerabilities, verifying and mitigating vulnerabilities, and patching vulnerabilities. A vulnerability management program provides a way to assess, monitor and remediate vulnerabilities to IT Systems. Managing vulnerabilities helps to decrease the risk and the exposure time during which vulnerabilities can be exploited. Patches will also be deployed to minimize vulnerabilities resulting from non-patched systems.

Scanning and Patching

Firewall logs and other logs are restricted to authorized users via secure multi-factor authentication (MFA) controls. We utilize Amazon's recommended MFA, and only our privileged IT Admins have access to this information.

Local systems are protected with industry standard antivirus software. Production servers are Linux-based and frequently patched to ensure their security is always up to date. Security patches are applied within 2-3 days of notification of the patches being available. We roll patches out through the development rollout process outlined earlier in this document: development to QA to production.

When vulnerabilities are identified, our mitigation scale is as follows:

• Critical: addressed immediately
• High: addressed within 72 hours
• Medium: included in the next appropriate sprint

AWS Service Organization Controls (SOC) 3 Report

Here is the link to AWS's report. This report is dated 4-25-16 and is relevant to security and availability for the period of October 1, 2015 - March 31, 2016.

References

This document was created with the following references:

https://aws.amazon.com/compliance/resources/

https://aws.amazon.com/security/

https://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf

https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf