IT Security, Continuity and Controls
This document contains answers to questions most likely asked by your IT Department.
Please feel free to contact Jason to discuss anything on this page, or anything not addressed here by emailing or calling.
1. Governance and Policy
- 1.1. Does TAO Connect have a formal information security policy? Yes
- 1.2. Does TAO Connect have a formal Information Security program in place? If so, what standard does it adhere to? NIST
2. Human Resource Security
- 2.1. Does TAO Connect perform criminal background checks on all employees? Yes
- 2.2. Does TAO Connect require your employees to sign NDAs or confidentiality agreements regarding client data stored on your systems? Yes
- 2.3. Does TAO Connect have an information security awareness program? Yes
- 2.4. Is the security awareness training mandatory for all employees? Yes
- 2.5. How frequently are employees required to undergo the security awareness training? Annually
- 2.6. Does TAO Connect have automated processes in place to terminate an employee’s access to client data as soon as the employee is no longer employed? Yes
3. Access Control Security
- 3.1. Is all access, including privileged administrator accounts, controlled and logged (i.e. firewalls, file system permissions, ACLs, database table permissions, packet logs, etc.)? Yes
- 3.2. Does your system enforce a lock on multiple log-on attempts? How many log-on attempts are allowed? Yes, 5
- 3.3. How are client end-users authenticated to your systems and services? Internal authentication or SAML
- 3.4. What are the system password / passphrase aging requirements? 90 days
- 3.5. What are the system password / passphrase complexity requirements? 8 characters minimum, 4-way complexity
- 3.6. Are user account passwords / passphrases visible in administration modules? No
- 3.7. Are stored user account passwords / passphrases hashed? Yes
- 3.8. What algorithm is used to hash passwords? MD5 hash with unique salt for each user
- 3.9. Please describe the access controls in place to prevent unauthorized access to client data by your employees and other clients. Employees do not have access to client data (other than information technology workers that require access to maintain and support the product). The platform employs logical barriers to separate and protect each client, their users and all associated data. The platform will only allow the users to view data for their institution, based on their role(s), and only for clients for whom they are assigned, if their role(s) permit.
- 3.10. How often does TAO Connect perform periodic access reviews to ensure the principles of least privilege and separation of duties are not violated? Semi-annually
- 3.11. Does TAO Connect have a policy for administering privileged accounts including strong passwords and the prevention of shared or generic system administrator accounts? Yes
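As an added illustration (not TAO Connect's code), the following Python sketch turns the access-control answers in 3.2, 3.4, 3.5, 3.7 and 3.8 into checks a reviewer can run: lockout after 5 failed log-on attempts, 90-day password aging, the 8-character/4-way complexity rule, and a salted, hashed verifier that is compared in constant time. It assumes "4-way complexity" means all four character classes (upper, lower, digit, symbol) are required, and it constructs its own salts and sample passwords. The salted-MD5 verifier reproduces what 3.8 states; the PBKDF2-HMAC-SHA256 function beside it is the comparison point a reviewer would raise, since NIST SP 800-63B requires memorized secrets to be stored with a salt and a suitable one-way key derivation function, and MD5 is a fast hash rather than a KDF.

```python
"""Checks for the section 3 password controls (added example, not the vendor's code)."""
import hashlib
import hmac
import string
from dataclasses import dataclass
from datetime import datetime, timedelta

# Values taken from the answers in section 3.
MIN_LENGTH = 8                          # 3.5: 8 characters minimum
REQUIRED_CLASSES = 4                    # 3.5: "4-way complexity" (assumed: all four classes)
MAX_FAILED_ATTEMPTS = 5                 # 3.2: lock after 5 failed log-on attempts
MAX_PASSWORD_AGE = timedelta(days=90)   # 3.4: 90-day aging


def complexity_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def meets_policy(password: str) -> bool:
    """3.5: at least MIN_LENGTH characters and all REQUIRED_CLASSES classes present."""
    return len(password) >= MIN_LENGTH and complexity_classes(password) >= REQUIRED_CLASSES


def password_expired(last_changed_iso: str, now_iso: str) -> bool:
    """3.4: a password changed MAX_PASSWORD_AGE or longer ago must be rotated."""
    last_changed = datetime.fromisoformat(last_changed_iso)
    now = datetime.fromisoformat(now_iso)
    return now - last_changed >= MAX_PASSWORD_AGE


def salted_md5(password: str, salt: bytes) -> str:
    """3.8 as stated on the page: MD5 over a per-user salt concatenated with the password."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def pbkdf2_sha256(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Reviewer's comparison point: a deliberately slow KDF using the same per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify(candidate: str, salt: bytes, stored: str, hash_fn=salted_md5) -> bool:
    """Recompute the verifier and compare in constant time (3.7: only hashes are stored)."""
    return hmac.compare_digest(hash_fn(candidate, salt), stored)


@dataclass
class AccountState:
    salt: bytes           # unique per user (3.8)
    stored_hash: str      # hashed verifier, never the plaintext (3.6, 3.7)
    failed_attempts: int = 0
    locked: bool = False


def attempt_login(state: AccountState, candidate: str, hash_fn=salted_md5) -> str:
    """3.2: returns 'ok', 'denied', or 'locked'; locks after MAX_FAILED_ATTEMPTS failures."""
    if state.locked:
        return "locked"
    if verify(candidate, state.salt, state.stored_hash, hash_fn):
        state.failed_attempts = 0
        return "ok"
    state.failed_attempts += 1
    if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
        state.locked = True
        return "locked"
    return "denied"


if __name__ == "__main__":
    # Constructed sample: a fixed 16-byte salt and a policy-compliant password.
    salt = bytes(range(16))
    account = AccountState(salt=salt, stored_hash=salted_md5("Str0ng!Pw", salt))
    print("policy ok:", meets_policy("Str0ng!Pw"), "| weak:", meets_policy("password"))
    print([attempt_login(account, "wrong guess") for _ in range(MAX_FAILED_ATTEMPTS)])
    print("after lock, correct password ->", attempt_login(account, "Str0ng!Pw"))
```

Once an account is locked, even the correct password is refused until an administrator resets it, which is the behaviour a lockout control should have; a reviewer would also confirm that the lock is recorded in the central logs described in 5.5.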
4. Physical / Geographic Security
- 4.1. Where are your data centers located? US and Canada (US customers' data resides in US data centers, Canadian customers' data resides in Canadian data centers)
- 4.2. Please describe the physical security controls protecting your data center. The platform runs in AWS secure data centers. Please see https://d1.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
- 4.3. Does TAO Connect ever store client data in data centers outside of the United States or Canada? No
- 4.4. Does TAO Connect have any SSAE 16 Type 1 or SSAE 16 Type 2 reports to attest to the security controls at your data center? The platform runs in AWS secure data centers. Please see https://aws.amazon.com/compliance/soc-faqs
5. Operations Security
- 5.1. What tools and procedures are used to manage change control? All changes are maintained in Jira tickets/requests, reviewed and approved/denied as appropriate. If approved, the change is implemented during the next maintenance window.
- 5.2. What tools and procedures are used to detect and prevent the threat of malware in your environment? ESET server protection software, multi-tiered network/server/web application firewalls, real-time and scheduled scans, file-level auditing.
- 5.3. Please describe how your systems and data are backed up. Database snapshots every 60 seconds, data storage snapshots hourly, instance images weekly, workstation storage replicated daily.
- 5.4. How often does TAO Connect test your restoration capabilities? Semi-annually
- 5.5. Please describe the logging and monitoring procedures employed by your company. All servers and applications maintain access logs which are consolidated into a centralized log management solution.
- 5.6. What tools and procedures are used to identify and mitigate technical vulnerabilities? All servers are scanned nightly for vulnerabilities utilizing ESET server protection software.
6. Data Security
- 6.1. How will sensitive data be securely stored at your facility? All sensitive data is stored in secured data centers. All data is protected in transit and at rest utilizing NIST specified algorithms.
- 6.2. Has TAO Connect ever experienced a data breach, inadvertently or not? No
7. Application Security
- 7.1. How does TAO Connect address and mitigate the common application risks identified by the OWASP Top 10? ESET server protection software, including real-time file read/write scanning, and multi-tiered network/server/web application firewalls employing OWASP Top 10 rulesets.
- 7.2. Are your systems and/or applications scanned for vulnerabilities by a qualified 3rd party? Yes
- 7.3. How often are operating systems and applications scanned? Real-time file read/write scans.
- 7.4. Are updates to your product released on a regular schedule? We have a maintenance window currently scheduled for every Thursday from 4am - 6am Eastern Time, where we release product updates. Critical security patches are released as soon as they are identified.
- 7.5. How are critical security patches applied to your systems and applications? Critical security patches are released as soon as they are identified. Operating systems are patched using an industry-standard patch management system. Dependent packages and software libraries are updated as they are released. Updates are deployed according to the deployment schedule.
- 7.6. Will we be notified of major changes to your environment that could impact our security posture? Yes - we communicate platform updates, enhancements, and security issues via an email as well as posting site notifications in the platform.
- 7.7. Does TAO Connect employ a third party to perform periodic penetration tests? Yes
8. Audit Controls
- 8.1. Does TAO Connect maintain any attestations to the security controls employed at TAO Connect (i.e. SSAE 16, SOC 1, or SOC 2 reports)? Yes, COBIT 5
- 8.2. Can you share the results of the most recent audit report? Limited - TAO does not provide internal/proprietary information that could be disseminated intentionally or unintentionally which could compromise client/user data or the platform as a whole.
9. Business Continuity
- 9.1. Please describe how a customer will be able to retrieve data from your systems should the need arise. These requests would be handled by our support team. Data would be in CSV format, transmitted via secure messaging.
- 9.2. What type of media is used for backups? AWS and Druva (encrypted, multi-region and not publicly accessible)
- 9.3. How long are these backups kept? 3 Months
- 9.4. How is backup media destroyed? Utilizing AWS and Druva tools and policies.
- 9.5. Are you encrypting your backups? Yes
- 9.6. Does TAO Connect have a disaster recovery plan? Yes
- 9.7. Are components of your disaster recovery plan located outside of the United States or Canada? No
- 9.8. When was the last time you tested your disaster recovery plan? December 2022
10. Incident Response Controls
- 10.1. Does TAO Connect have a documented Incident Response plan? Yes
- 10.2. How and when will you notify a customer if a breach occurs that affects a customer's data? When any type of improper use/disclosure of PHI/PII is discovered, we will immediately notify the affected covered entities both by phone call and in writing, and will immediately provide written documentation to the covered entity including: the details of the improper use/disclosure of PHI/PII, the date the improper use/disclosure of PHI/PII occurred, the date the improper use/disclosure was discovered, a list of names and associated contact information for those individuals whose PHI/PII was affected, what steps those individuals whose PHI/PII was affected should take, what steps we are taking to mitigate the improper use/disclosure of PHI/PII, and contact information for further information.
- 10.3. If sensitive data is breached, who will be responsible for remediation and remediation costs? TAO Connect will cover the cost of the following actions: notifying the affected covered entity both by phone call and in writing, and providing written documentation to the covered entity including: the details of the improper use/disclosure of PHI/PII, the date the improper use/disclosure of PHI/PII occurred, the date the improper use/disclosure was discovered, a list of names and associated contact information for those individuals whose PHI/PII was affected, what steps those individuals whose PHI/PII was affected should take, what steps we are taking to mitigate the improper use/disclosure of PHI/PII, and contact information for further information.