IT Security, Continuity and Controls
This document contains answers to questions most likely asked by your IT Department.
Please feel free to contact Kerry Chamberlain to discuss anything from this document, or anything else not addressed here by either sending an email to firstname.lastname@example.org or calling (844) 438-8262.
1. Governance and Policy
- 1.1. Does TAO Connect have a formal information security policy? Yes
- 1.2. Does TAO Connect have a formal Information Security program in place? If so, what standard does it adhere to? NIST
2. Human Resource Security
- 2.1. Does TAO Connect perform criminal background checks on all employees? Yes
- 2.2. Does TAO Connect require your employees to sign NDAs or confidentiality agreements regarding client data stored on your systems? Yes
- 2.3. Does TAO Connect have an information security awareness program? Yes
- 2.4. Is the security awareness training mandatory for all employees? Yes
- 2.5. How frequently are employees required to undergo the security awareness training? Annually
- 2.6. Does TAO Connect have automated processes in place to terminate an employee’s access to client data as soon as the employee is no longer employed? Yes
3. Access Control Security
- 3.1. Is all access, including privileged administrator accounts, controlled and logged (e.g. firewalls, file system permissions, ACLs, database table permissions, packet logs)? Yes
- 3.2. Does your system enforce a lock on multiple log-on attempts? How many log-on attempts are allowed? Yes, 5
- 3.3. How are client end-users authenticated to your systems and services? Internal authentication or SAML
- 3.4. What are the system password / passphrase aging requirements? 90 days
- 3.5. What are the system password / passphrase complexity requirements? 8 characters minimum, 4-way complexity
- 3.6. Are user account passwords / passphrases visible in administration modules? No
- 3.7. Are stored user account passwords / passphrases hashed? Yes
- 3.8. What algorithm is used to hash passwords? MD5 hash with unique salt for each user
- 3.9. Please describe the access controls in place to prevent unauthorized access to client data by your employees and other clients. Employees do not have access to any client data, other than the information technology staff who need access to maintain the product. The application maintains an access control list that allows customers to access only their own data, as granted by the customer's designee. A user can view data only for their own university, only for the clients to whom they are assigned, and only as far as their role(s) allow.
- 3.10. How often does TAO Connect perform periodic access reviews to ensure the principles of least privilege and separation of duties are not violated? Semi-annually
- 3.11. Does TAO Connect have a policy for administering privileged accounts including strong passwords and the prevention of shared or generic system administrator accounts? Yes
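The credential controls stated in 3.2, 3.4, 3.5 and 3.8, as an added example in Python that is not TAO Connect's code: it enforces the 5-attempt lockout, the 90-day aging and the 8-character minimum, stores a per-user random salt, and verifies a salted MD5 digest as 3.8 describes, beside a PBKDF2-HMAC-SHA256 digest for comparison. The four-character-class reading of "4-way complexity", the 16-byte salt, the PBKDF2 iteration count, and the account names, passwords and wordlist are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

MAX_ATTEMPTS = 5                # 3.2: lock the account after 5 failed log-on attempts
MIN_LENGTH = 8                  # 3.5: 8 characters minimum
MAX_AGE = timedelta(days=90)    # 3.4: 90-day password aging
PBKDF2_ITERATIONS = 600_000     # assumption, used only by the comparison scheme
EPOCH = datetime(2022, 1, 1, tzinfo=timezone.utc)   # constructed reference time


def meets_complexity(password: str) -> bool:
    """3.5: at least MIN_LENGTH characters and all four classes
    (upper, lower, digit, symbol). The four-class reading is an assumption."""
    if len(password) < MIN_LENGTH:
        return False
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def digest(scheme: str, password: str, salt: bytes) -> bytes:
    """'md5' is the scheme 3.8 states: one fast hash over salt + password.
    'pbkdf2' is a slow KDF shown for comparison (not what the page states)."""
    if scheme == "md5":
        return hashlib.md5(salt + password.encode()).digest()
    if scheme == "pbkdf2":
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   PBKDF2_ITERATIONS)
    raise ValueError(f"unknown scheme {scheme!r}")


class Account:
    """Stores only salt + digest (3.6, 3.7); never the password itself."""

    def __init__(self, username: str, password: str, set_at: datetime,
                 scheme: str = "pbkdf2"):
        if not meets_complexity(password):
            raise ValueError("password does not meet the 3.5 policy")
        self.username = username
        self.scheme = scheme
        self.salt = os.urandom(16)          # unique per user (3.8); length is an assumption
        self.stored = digest(scheme, password, self.salt)
        self.set_at = set_at
        self.failed = 0
        self.locked = False

    def login(self, password: str, now: datetime) -> str:
        """Returns 'ok', 'bad', 'locked' or 'expired'."""
        if self.locked:
            return "locked"
        candidate = digest(self.scheme, password, self.salt)
        if not hmac.compare_digest(candidate, self.stored):   # constant-time compare
            self.failed += 1
            if self.failed >= MAX_ATTEMPTS:
                self.locked = True
                return "locked"
            return "bad"
        self.failed = 0
        if now - self.set_at > MAX_AGE:
            return "expired"
        return "ok"


def offline_guess(scheme: str, salt: bytes, stored: bytes, wordlist):
    """What an attacker holding a leaked salt + digest can do: the salt defeats
    precomputed tables, but each guess costs exactly one digest() call, so the
    scheme's per-call cost is the only thing limiting the guess rate."""
    for guess in wordlist:
        if hmac.compare_digest(digest(scheme, guess, salt), stored):
            return guess
    return None


def scenario() -> dict:
    """Deterministic walk-through: lockout, aging, and an offline guess
    against the salted-MD5 scheme of 3.8. All inputs are constructed."""
    acct = Account("alice", "Winter2022!", EPOCH, scheme="md5")
    attempts = [acct.login(f"guess{i}", EPOCH) for i in range(MAX_ATTEMPTS)]
    after_lock = acct.login("Winter2022!", EPOCH)      # correct password, still locked
    fresh = Account("bob", "Winter2022!", EPOCH, scheme="md5")
    expired = fresh.login("Winter2022!", EPOCH + timedelta(days=91))
    ok = fresh.login("Winter2022!", EPOCH + timedelta(days=30))
    guessed = offline_guess("md5", fresh.salt, fresh.stored,
                            ["Password1!", "Summer2021!", "Winter2022!"])
    return {"attempts": attempts, "after_lock": after_lock,
            "expired": expired, "ok": ok, "guessed": guessed}


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

The point a reviewer of 3.8 would raise: a per-user salt stops rainbow tables and keeps identical passwords from sharing a digest, but MD5 is a fast hash, so an attacker holding the table can test a wordlist against one user in microseconds per guess, as `offline_guess` shows. A deliberately slow or memory-hard KDF (PBKDF2, bcrypt, scrypt, Argon2) multiplies that per-guess cost by its work factor without changing anything the user sees; the `pbkdf2` scheme in the block exists to make that contrast runnable, not to describe what the page states.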
4. Physical / Geographic Security
- 4.1. Where are your data centers located? US and CA (US customers' data stays in US, and Canadian customers' data stays in CA)
- 4.2. Please describe the physical security controls protecting your data center. Our application is hosted by AWS; for the physical security of Amazon Web Services data centers, please see https://d1.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
- 4.3. Does TAO Connect ever store client data in data centers outside of the United States or Canada? No
- 4.4. Does TAO Connect have any SSAE 16 Type 1 or SSAE 16 Type 2 reports to attest to the security controls at your data center? Yes, our services are hosted by AWS. Please see https://aws.amazon.com/compliance/soc-faqs
5. Operations Security
- 5.1. What tools and procedures are used to manage change control? Git for the code base and Docker for environment control
- 5.2. What tools and procedures are used to detect and prevent the threat of malware in your environment? Antivirus, intrusion detection software, multi-tiered network/host/web application firewalls, real-time and scheduled scans, file-level auditing
- 5.3. Please describe how your systems and data are backed up. We utilize AWS native tools to take hourly snapshots of our data. Server images are generated weekly, and local data stores are replicated daily.
- 5.4. How often does TAO Connect test your restoration capabilities? Semi-annually
- 5.5. Please describe the logging and monitoring procedures employed by your company. All servers and applications maintain access logs which are consolidated into a centralized log management solution.
- 5.6. What tools and procedures are used to identify and mitigate technical vulnerabilities? All systems are scanned monthly for vulnerabilities utilizing Barracuda vulnerability service.
6. Data Security
- 6.1. How will sensitive data be securely stored at your facility? Data is protected both in transit and at rest using industry-standard encryption techniques and methods.
- 6.2. Has TAO Connect ever experienced a data breach, inadvertently or not? No
7. Application Security
- 7.1. How does TAO Connect address and mitigate the common application risks identified by the OWASP Top 10? We utilize a combination of secure coding methods and intrusion detection systems.
- 7.2. Are your systems and/or applications scanned for vulnerabilities by a qualified 3rd party? Yes
- 7.3. How often are operating systems and applications scanned? It varies per method: real-time file-auditing scans, and weekly and monthly malware and vulnerability scans.
- 7.4. Are updates to your product released on a regular schedule? We have a maintenance window currently scheduled for every Thursday from 7am - 9am Eastern Time, where we release product updates. Critical security patches are released as soon as they are identified.
- 7.5. How are critical security patches applied to your systems and applications? Operating systems are patched using an industry-standard patch management system. Dependent packages and software libraries are updated as they are released. Updates are deployed according to the deployment schedule.
- 7.6. Will we be notified of major changes to your environment that could impact our security posture? Yes - we communicate platform updates, enhancements, and security issues via a listserv as well as posting a notification within the platform.
- 7.7. Does TAO Connect employ a third party to perform periodic penetration tests? Yes
8. Audit Controls
- 8.1. Does TAO Connect maintain any attestations to the security controls employed at TAO Connect (e.g. SSAE 16, SOC 1, or SOC 2 reports)? Yes, COBIT 5
- 8.2. Can you share the results of the most recent audit report? Yes
9. Business Continuity
- 9.1. Please describe how a customer will be able to retrieve data from your systems should the need arise. These requests would be handled by our support team, data would be transmitted as an encrypted CSV file through secure messaging.
- 9.2. What type of media is used for backups? Amazon S3 (encrypted and not publicly accessible)
- 9.3. How long are these backups kept? 3 Months
- 9.4. How is backup media destroyed? Utilizing AWS native tools and policies.
- 9.5. Are you encrypting your backups? Yes
- 9.6. Does TAO Connect have a disaster recovery plan? Yes
- 9.7. Are components of your disaster recovery plan located outside of the United States or Canada? No
- 9.8. When was the last time you tested your disaster recovery plan? December 2021
10. Incident Response Controls
- 10.1. Does TAO Connect have a documented Incident Response plan? Yes
- 10.2. How and when will you notify a customer if a breach occurs that affects a customer's data? When any type of improper use/disclosure of PHI is discovered, we will immediately notify the affected covered entity both by phone call and in writing, and will immediately provide written documentation to the covered entity including:
  - the details of the improper use/disclosure of PHI;
  - the date the improper use/disclosure occurred;
  - the date the improper use/disclosure was discovered;
  - a list of names and associated contact information for the individuals whose PHI was affected;
  - the steps those individuals should take;
  - the steps we are taking to mitigate the improper use/disclosure;
  - contact information for further information.
- 10.3. If sensitive data is breached, who will be responsible for remediation and remediation costs? TAO Connect will cover the cost of notifying the affected covered entity both by phone call and in writing, and of providing the covered entity with the written documentation listed in 10.2.