Technical and Organizational Measures (TOMS)

Published On: July 11th, 2023 | Categories: Data Privacy & Protection | 4 min read

SAI360’s Information Security program includes, but is not limited to, the following:


Roles and Responsibilities: Established roles and responsibilities for information security, data protection, and compliance across the organization, including assignment of Chief Information Security and Data Protection Officers, and an Information Security Management Committee (ISMC) that consists of executive and senior leadership members who provide privacy, security, and compliance oversight

Risk Management: A risk management program which includes an analysis of the criticality of data, an annual assessment of risks to the privacy and security of data which is commensurate with the criticality of the data, and a remediation plan to address any identified vulnerabilities and risks

Security Policy: An Information Security Policy program which addresses creating and maintaining a comprehensive library of documented policies and procedures which support all aspects of the Information Security program and which is reviewed and approved by senior leadership annually or when significant changes to the regulatory or technical environment occur, to ensure that the policies and procedures are appropriate, accurate, and current, and in alignment with industry standards

Workforce Security: Comprehensive screening of new workforce members before being granted access to personal data, including background checks, as well as appropriate supervision during employment, procedures for personnel sanctions, and procedures for terminations and role change

Security Awareness Training: Training workforce about information security best practices, internal information security policies, and their obligations to protect personal data. Training should be required upon hiring and at a minimum frequency of annually thereafter

Physical and Environmental Security: Policies and standards specific to protecting physical areas which store data and systems as well as guarding against environmental damage and theft

Change / Test Procedures: Documented policies about system and application change control process, including appropriate segregation of test and operational data, system-supported segregation of duties, system planning, acceptance, and release

Third-Party Risk Management: Accurate and current accounting of all third parties, sub-processors, along with enforceable agreements which outline related security controls, audit rights, and compliance with applicable laws

Malicious Code Protection: Implementation of technical and procedural controls to guard against malicious software, ensuring that current software is used and that it is configured and maintained according to suppliers’ recommendations

Back-up and Testing Procedures: Maintaining documented procedures for backing up and restoring data and testing those procedures regularly

Network Security Management: Implementation of technical and procedural controls to protect the confidentiality and integrity of restricted and confidential information passing over networks (internal and external), using well-defined industry standard perimeter controls and appropriate security zones, and the segmentation of internal networks


Media Handling: Procedures for media management including controls for portable media, media sanitization and disposal, and media accountability and tracking

Exchange of Information: Procedures for secure exchange of information being transmitted or physically shipped to external parties, including encryption of personal data, protection of information in transit, and policies governing appropriate disclosure of information to third parties

System Event Logging and Monitoring: Configuring systems to log critical system events and user activity to a central system; procedures for protecting, retaining, and accessing all logs; and automated and manual processes for appropriately monitoring logs

Access Controls: Documented policies for authorizing and provisioning user and system access to electronic resources which are based on the principle of least privilege, enforced industry standard authentication methods, and procedures for routine reviews of user and system accounts

Mobile Computing Controls: Policies governing the use of mobile devices and remote access

Encryption: Policies which address the use of cryptographic controls for information in a manner which is supported by current industry standards

Patching and Vulnerability Management: Implemented tools and procedures, in a manner consistent with system developer recommendations and industry best practices, for routine vulnerability scanning, for identifying and mitigating vulnerabilities, and for applying security patches and updates

Incident and Event Reporting and Management: Documented procedures for monitoring security events, identifying personal data breaches, responding to and mitigating personal data breaches, and providing required notifications

Disaster Recovery and Contingency Planning: Documented procedures for disaster response, data recovery, and emergency mode operations

Operations Security Management: Establishing effective operations management of the SAI360 environments with respect to information security requirements and IT and cloud security leading practices


SAI360 considers its Policies, Procedures and Standards to be confidential intellectual property, and in some instances external access would pose a significant risk to our information security. As such, we limit the availability of such documents to customers. SAI360 will allow customers and/or the independent auditors of our current customers to view in full the relevant Information Security Management System (ISMS) documentation on request, either on an SAI360 site, via an online meeting screen share, or via ‘Read Only’ access to SAI360 SharePoint for nominated personnel for a limited period, under a Non-Disclosure Agreement (NDA) or the confidentiality clause(s) of an existing Customer Agreement.
