GENERAL PRODUCT SECURITY
In an increasingly competitive global market with rapid adoption of cloud services for information management, good security practices are essential for all companies to protect their own, customer and employee data against continuously evolving cyber security threats and to demonstrate compliance with statutory and/or regulatory requirements.
CPA Global software products are available in the United States (US), the European Union (EU) and Asia Pacific (APAC), hosted on public or private cloud environments as multi-tenant or single-tenant SaaS products.
The private cloud environments run on CPA Global managed hardware and systems in dedicated cages of 3rd Party datacenters offering co-location services. Software products hosted on public cloud are implemented on Amazon Web Services (AWS) and Microsoft Azure, which serve as the development, production and service management environments for the product.
AWS and Microsoft Azure provide on-demand compute, storage, networking and content delivery capabilities to host, scale and manage web applications on the Internet through their globally distributed datacenters.
CPA Global places importance upon the protection of all information assets belonging to the Company, Customer and Personnel, and has responded to this challenge by adopting security frameworks based on the International Standards Organization (ISO) 27000 family of standards (ISO/IEC 27001:2013, the international Code of Practice for Information Security Management) and National Institute of Standards and Technology (NIST) guidance as the basis for good security management within its policies and processes. Our security framework based on ISO 27001 enables customers to evaluate how CPA Global meets or exceeds the security standards and implementation guidelines.
ISO 27001 defines how to implement, monitor, maintain and continually improve the Information Security Management System (ISMS). Information security controls at CPA Global are designed and implemented to ensure that all requirements relating to the Information Security Management System are recognized and that consistent, uniform control of these requirements is maintained. CPA Global has established, documented and implemented all policies and controls under the ISMS framework; these are audited internally semi-annually by the cyber security team and externally by accredited auditors. In addition, CPA Global has adopted many other leading standards, including the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM), NIST, SSAE-16 SOC 2 Type 2 and all aspects of Data Protection guidelines.
CPA Global’s cyber security framework begins with a high-level Security Directive, ratified by the Cyber Security Steering Group and members of the management group, and supported by a series of detailed policies. All the policies are referenced and built into CPA Global’s externally audited Quality Library. The policies are available online to all CPA Global employees and extended vendors/partners through the CPA Global Intranet.
For security and operational reasons, CPA Global does not allow customers to perform their own audits on cloud hosted products, although customers can request certificates, audit reports and the executive summary of annual 3rd Party security assessments. These certifications and attestations accurately represent how we define and meet our security and compliance objectives and serve as a practical mechanism to validate our promises to all customers.
To obtain a copy of our current certifications, 3rd party reports or audit attestations, please contact us at firstname.lastname@example.org
Introducing the Cyber Security Organization
CPA Global’s management commitment to Cyber Security is achieved through a Cyber Security Steering Committee, which consists of executive leadership representing business, technology and enabling functions, to provide strategic direction and continued support for the various programs on the road map. CPA Global has an established Cyber Security Organization under the Head of Cyber Security, which drives information security within the organization and has overall responsibility for security, including policy setting, compliance, investigation, monitoring, audits, risk management, establishing roles and responsibilities, and providing advice and guidance.
The Cyber Security Steering Group has delegated the following responsibilities to the Cyber Security Team:
- A. Designing: Cyber Security in alignment with business demands.
- B. Governing: providing globally shared accountability, situational awareness and unity of effort across Cyber Security.
- C. Protecting: reducing risk to the business and protecting CPA Global’s assets, including customer data, in a timely manner.
- D. Defending: actively identifying, responding to and recovering from cyber-attacks against the business.
Information security clauses are included in an employee's terms and conditions of employment. All CPA Global employees are required to sign an Employee Undertaking at the time of their appointment, which contains clauses related to non-disclosure of confidential information, information security, compliance with applicable laws, copyright, code of ethics and non-compete requirements.
All employees are required to acknowledge an acceptable use undertaking, confirming that they will conform to the acceptable use of resources policy.
Background verification checks are performed when recruiting any person as permanent staff to ensure the authenticity of the person and to reduce the possibility of threats to critical information assets.
CPA Global employees are trained on CPA Global’s policies and processes as part of the New Joiner’s Learning Program, which includes Information Security and Data Privacy awareness training through an online tool that all new joiners must complete.
In addition, employees receive annual refresher online Security and Data Privacy awareness sessions as part of the Compliance Learning Program, which are mandatory for all employees to complete. Areas of training include such items as:
- Cybersecurity Basics: Best practices to maintain IT Security at work & increase awareness of Cybersecurity risks along with the actions to prevent & mitigate these risks.
- Data Privacy & Information Security: Data protection principles that underlie privacy laws around the world and how they apply in business.
- Acceptable Use Policy: Guidelines to safeguard the information contained in or processed by the firm’s IT systems against unauthorized access.
- Code of Business Ethics and Corporate Conduct: Guidelines to uphold the highest levels of ethics and personal integrity in all business dealings.
- Disciplinary and legal consequences associated with unauthorized use and abuse of resources and position of trust.
- Clear Desk & Clear Screen Policy.
- Disciplinary action for non-compliance with CPA Global security policies and processes is initiated under the provisions of the CPA Global Human Resources Disciplinary Procedure.
- The employee exit process at CPA Global is governed by the provisions of the CPA Global Leavers Process. The exit process is initiated by the employee’s manager and involves revocation of system permissions and access rights and the return of company assets.
Physical & Environmental Security
CPA Global has established and implemented a robust physical and environmental security policy, along with controls to ensure that all information processing facilities, third-party datacenters, on-premise server rooms, hub/communications rooms, etc. are protected against unauthorized access and damage.
The CPA Global facilities management process defines the methodology for issuing access cards and photo identification to employees, contractors and visitors. It establishes the procedures for issuing temporary and permanent cards to new joiners, clients, visitors and vendors, the respective access levels granted based on business requirements, changes in access levels, and the procedure to be followed for re-issuance in the event of a lost access card. The physical security of our office buildings is based on defined internal standards according to the operations performed within the building. Buildings are assessed for all risks and appropriate action is taken depending upon those risks and the operational processes employed within the building. All buildings are secured by means of an electronic access control system to ensure that access is only gained in a controlled way on an operational needs basis.
All CPA Global facilities have proximity card-based access control and fire alarms in all buildings, with secondary and tertiary levels of access control for restricted entry zones such as the datacentre and hub rooms. CPA Global controls all entry to and exit from secure areas using access cards and CCTV cameras. CCTV cameras are positioned such that all access into and out of a Secure Area is monitored and recorded. Environmental controls (heat/smoke detectors, fire suppression systems, alarms, sprinklers, temperature/humidity monitors, etc.) are in place to prevent damage from fire, flooding, explosion, civil unrest and other forms of natural or man-made disaster.
To protect computer hardware and business operations from power failure, multiple feeds (to avoid a single point of failure), uninterruptible power supplies (UPS) and back-up generators are installed to provide multi-tier power backup. In some buildings, or parts of buildings, more stringent access control methods are needed to protect business critical operations, e.g. hub rooms and computer centres. In these cases, a higher level of security and access control is implemented and operated. Computer operations, server rooms, and any other similarly sensitive areas are located in a physically separate, secure area designated as a “Sensitive Area”, where entry is restricted to authorized personnel only and is subject to a formal authorization and approval process. Access is granted strictly based on job requirements and is controlled via swipe cards, in addition to biometric devices where necessary.
Business Continuity Management
CPA Global has a business continuity planning programme focusing on the collection of base planning data for our business processes and products. This programme utilizes Business Impact Analysis (BIA) tools and methodologies to highlight critical processes and ensures that contingency plans are established for use should a major incident occur.
In addition, CPA Global has a process for identifying and prioritizing key or critical computer systems using a CPA Global developed risk scoring methodology. The planning process includes identification and agreement of all responsibilities and emergency arrangements, with specific responsibility for the development and maintenance of contingency plans assigned to individuals.
These plans are produced for all delivery centres, hosting locations, business applications, critical systems and software products. They contain detailed procedures and information aimed at reducing the risk of disaster and provide contingency plans that allow recovery to a fall-back site. Plans are regularly tested under a programme of rehearsals. Fall-back facilities are provided for critical CPA Global systems and products as detailed above.
Data Retention and Disposal
CPA Global has an established data retention and disposal policy to standardize the process of retaining and disposing of confidential information in electronic or paper form. The policy defines the retention period for information based upon statutory and other applicable requirements, and how to safely dispose of it at the end of the retention period.
Upon contract termination, all client data on cloud hosted SaaS products is logically deleted within 30 days unless otherwise notified, in a manner designed to ensure that it cannot reasonably be accessed or read, unless there is a legal obligation imposed on CPA Global preventing it from deleting all or part of the environments from the servers and storage volumes. Replicas at the DR site are updated to match production and backup copies are overwritten.
Memotech is a single-tenant product dedicated to each client. Upon termination of the contract, CPA Global will delete the entire AWS Virtual Private Cloud (VPC) for the client environments and any production data residing therein within 30 days unless otherwise notified, in a manner designed to ensure that they cannot reasonably be accessed or read, unless there is a legal obligation imposed on CPA Global preventing it from deleting all or part of the environments. All compute (AWS EC2) and storage (AWS S3) instances in AWS are encrypted using Elastic Block Store (EBS) volumes and TDE. AWS allows data to be wiped as per NIST 800-88 or DoD 5220.22-M guidelines.
CPA Global’s software support team works with clients to ensure a copy of the data is provided before any data is deleted from CPA Global products.
Secure Software Development
CPA Global has a defined Secure Software Development Lifecycle, based on Microsoft’s Security Development Lifecycle (SDL). All releases undergo several levels of security assessment prior to product deployment. Through controls such as Establish Design Requirements, Analyze Attack Surface and Threat Modeling, the Security Development Lifecycle helps CPA Global identify potential threats to a running service and the exposed aspects of the service that are open to attack.
The software is assessed for exposure to a variety of both common and complex attack types and vulnerabilities. The quality assurance process at CPA Global for every feature and/or patch release incorporates security-specific test plans covering input validation, processing and output sanitization controls, including access control, password control, administrative privileges, end-user role privileges, data access rules and cross-customer data security.
Static Application Security Testing (SAST) of source code is the initial line of defence during the product development cycle: an in-house dedicated team of application security experts within CPA Global’s security team uses HP Fortify and Checkmarx to conduct end-of-sprint tests. Veracode is being actively deployed across products in a continuous testing mode to conduct SAST and Dynamic Application Security Testing (DAST) on each code commit by developers during the sprint cycle.
CPA Global utilizes third party services to conduct annual network and application security assessments to identify security threats and vulnerabilities. Formal procedures are in place to assess, validate, prioritize and remediate identified issues.
CPA Global runs a 24x7 cyber security operations (SOC) team, which monitors all threats, events and exceptions in logs captured through a Security Incident and Event Management (SIEM) tool. Logs collected through the SIEM are encrypted end to end and correlated with threat intelligence databases to detect anomalies and possible threats to the product or hosted environment. The team also subscribes to vulnerability notification systems to stay apprised of security incidents, advisories and other related information. In collaboration with the cloud operations team, it initiates action on notification of a threat or risk once it is confirmed that a valid risk exists, that the recommended changes are applicable to the service environments, and that the changes will not otherwise adversely affect the services. Access to logs is restricted and defined by policy, and logs are reviewed on a regular basis.
The SOC team also audits cloud hosted assets using AWS Inspector and automated vulnerability assessment tools across the AWS and co-location environments.
Security Incident Response
CPA Global has a well-documented Cyber Response Framework which establishes the policy and procedures to manage security incidents leading to a suspected or confirmed data breach or compromise. The policy requires incidents to be effectively reported, investigated and monitored to ensure that corrective action is taken to control and remediate security incidents in a timely manner.
Incident handling, management roles and responsibilities have been defined for the management of incidents. The framework outlines the steps to be taken to minimize the impact of a security incident, to investigate why, how and when it happened, to identify any weaknesses, and to apply appropriate measures to reduce security risks to an acceptable level.
Security Operations and Incident Managers are responsible for overseeing the investigation and resolution of security and privacy incidents with support from other functions. An escalation and communication plan to notify Privacy, Legal or Executive Management in the event of a security incident has been established.
Clients shall be notified without undue delay, and as soon as reasonably possible, in the event of a confirmed or suspected breach.
SECURITY SUMMARY BY PRODUCT