Security FAQs

What security policies are enforced across your organisation?

CPA Global has various security policies available and uploaded on the Intranet. These policies are accessible to all CPA Global employees and to vendors with access to the CPA Global network. Some of the policies are highlighted below:

  • Information Security Policy
  • Acceptable Usage Policy
  • Personnel Security Policy
  • Clear Desk and Clear Screen Policy

It is important for every CPA Global employee to read the security policies and to conduct themselves in a manner that is consistent with the importance, value, and sensitivity of information. This helps to ensure that employees are protected against security threats such as hacking, social engineering, and unauthorized access. All policies are reviewed at least on an annual basis, to:

  • Ensure employees understand their responsibility in prioritizing information security
  • Increase awareness around how individual actions can compromise or strengthen company-wide security
  • Be prepared should we encounter a security threat
  • Align with evolving threats, risks and regulatory requirements, such as those of our customers
  • Adhere to CPA Global’s security practices and guidelines

How does CPA Global protect client data on public cloud platforms like Amazon Web Services (AWS) and Microsoft Azure?

CPA Global operates on a unified security model and on the principle of least privilege. All products hosted on Microsoft Azure and Amazon Web Services are designed and built using the reference architectures provided by AWS and Microsoft Azure, cloud security guidelines and industry best practices. Client data is stored securely on cloud services, in highly resilient datacenters, and remains encrypted within the database and storage accounts throughout its lifecycle.

CPA Global does not access or use client data for its own purposes. The client remains in control of the data and is responsible for determining appropriate data access and use for the parties it authorizes. All CPA Global products, except MEMOTECH™, are multi-tenanted SaaS solutions supported by an in-house global team of DevOps experts, and all share a standard security and data privacy framework that protects all data.

Will CPA Global permit its clients to agree on their security policies or audit CPA Global?

Multi-tenant SaaS products at CPA Global are built on leading cloud and cyber security standards, deriving controls from ISO/IEC 27001 and AICPA SOC 2, and are audited regularly, which would generally align with most client security policies. CPA Global would entertain requests to remediate any genuinely missing security control if commercially reasonable, but does not agree to accept and comply with individual clients’ security policies, as it is not feasible to support and maintain such a model.

For security and operational reasons, CPA Global does not allow customers to perform their own audits on cloud hosted products, although customers can request certificates, audit reports and executive summaries of the annual third-party security assessments. These certifications and attestations accurately represent how we set and meet our security and compliance objectives and serve as a practical mechanism to validate our promises for all customers.

What should the client do in response to cyber threats?

All organizations have been forced to change the way they do business and to implement new security measures as a result of the profusion of malware and well-publicized breaches. CPA Global puts a lot of emphasis on a continuously improving security posture for all products to avert threats; however, it is recommended that clients adopt the following best practices to keep their data secure on our products:

  • Make sure that user accounts are authenticated using Single Sign-On (SSO) with your organization’s centralized directory store, and use strong passwords.
  • Enable Multi-Factor Authentication (MFA) at your end for user accounts with access to CPA Global products, for additional security during user authentication.
  • Define role-based access with a least-privilege configuration for the users within your organization when granting access to data within CPA Global products.
  • Promote safe behavior regarding executable files and applications from untrusted sources, and ZIP files, documents and PDF files of untrusted origin.

The client is responsible for all end user administration within the products and for defining roles and fine-grained access privileges to their IP data. CPA Global does not manage client end user accounts. The table below outlines the ownership of each control:

Control                        Control with CPA Global   Control with Client
User Authentication Security                             X
Role Based Access                                        X
Physical Security              X
System Operations              X
Data Backup & Restoration      X
Perimeter Defense              X
Operating System Security      X
Database Security              X
Network Security               X
Security Testing               X
Data Isolation                 X
Vendor Security Assessment     X


Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?

CPA Global has a well-defined and robust framework for the application security of all software products. All applications undergo rigorous internal and external testing, which includes penetration testing and application vulnerability scans using OWASP and SANS guidelines. All major and critical issues reported are fixed immediately and followed up with confirmation retests; other issues are fixed in upcoming releases.

Third-party services are utilized to conduct annual network and application security assessments to identify security threats and vulnerabilities. Formal procedures are in place to assess, validate, prioritize, and remediate identified issues. CPA Global subscribes to vulnerability notification systems to stay apprised of security incidents, advisories, and other related information. CPA Global takes action on the notification of a threat or risk once it has confirmed that a valid risk exists, that the recommended changes are applicable to the service environments, and that the changes will not otherwise adversely affect the services.

Do you encrypt data at rest for cloud hosted products?

Yes, all tenant data within databases and storage accounts for CPA Global products hosted on Amazon Web Services (AWS) and Microsoft Azure is encrypted at rest.

All data in transit remains encrypted using HTTPS/TLS v1.1 or higher.

Do you support client-generated encryption keys or permit the clients to encrypt data to an identity without access to a public key certificate (e.g. identity-based encryption)?

No, CPA Global does not support tenant-generated keys or permit tenants to encrypt data to an identity.

Has CPA Global sub-contracted any services to a 3rd party vendor other than hosting provider/s?

Yes, CPA Global has outsourced network and security monitoring of cloud hosted products to vendors specializing in the relevant services with 24x7 operations, including managed services from US-based premium partners for 24x7 support on products using Oracle RDBMS.

All CPA Global vendors with access to our systems and data undergo rigorous evaluation and validation, including their capability to adhere to CPA Global security and compliance requirements, continuous improvement initiatives, legal liabilities, service level targets, governance framework and commercial integrity.

Have CPA Global employees and involved third parties been trained regarding your documented policies, standards and procedures? Can you provide a copy of the training documents?

CPA Global employees and support partner personnel with access to CPA Global systems are required to complete Code of Conduct and Ethics training along with Security Awareness training upon hiring and throughout the term of their employment. The Security Awareness program educates employees and third-party personnel on the applicable security policies, their respective security roles and responsibilities, and industry security best practices. CPA Global may also update existing training courses and develop new courses from time to time, which employees will be directed to complete.

No, CPA Global does not intend to share the security and compliance training documents as some of the content is proprietary and protected by copyright.

Do you provide clients with the option to choose geographically resilient hosting options and/or infrastructure service failover capability to other providers?

All CPA Global products, except MEMOTECH™, are designed and purpose-built to be hosted on cloud platforms in a specific region. All components are configured for high resiliency and data recoverability, leveraging the multi-datacenter or geo-replication and PaaS failover features of Amazon Web Services (AWS) or Microsoft Azure. CPA Global has built a robust disaster recovery infrastructure with the best possible configurations to ensure minimal disruption and data loss for its clients.

Currently, CPA Global does not provide any hosting flexibility to choose regions or datacenters, nor failover capability to other hosting service providers. MEMOTECH™ is a single-tenant, client-dedicated instance and is available in the following AWS regions for clients to select when hosting their environment:

  • North America (US) - US East (N. Virginia), US West (Oregon) & AWS GovCloud
  • Europe (EU) - EU (Ireland)
  • Asia Pacific (APAC) - Singapore

Does your organization have a “bring your own device” policy? If so, what are the rules around using personal devices?

No, CPA Global does not have a “Bring Your Own Device” policy, as we do not allow the use of personal devices to access CPA Global systems, network or data unless they are accessible over the Internet. However, CPA Global has a “Mobile Computing & Teleworking Policy” which sets out the process for using company-issued mobile devices. CPA Global also has a defined policy for internet usage, the “Acceptable Use Policy”, which permits use of the Internet only for business purposes and which employees can refer to in case of any questions or concerns about internet use.

How does CPA Global restrict and monitor the installation of unauthorized software onto your systems?

Employees lack the ability to install unauthorized software onto any system unless it has been duly tested and authorized. This also applies to all cloud hosted production and non-production systems, and monitoring controls are in place to prevent this type of activity. All installations go through formal change control procedures.

Have you implemented information security baselines for every IaaS and PaaS components within the cloud environment?

Yes, CPA Global employs a standardized system hardening practice across all cloud hosted products, using Amazon Web Services (AWS) standard machine images or hardening against Center for Internet Security (CIS) guidelines. This includes, but is not limited to, restricting protocol access, removing or disabling unnecessary software and services, removing unnecessary user accounts, use of system accounts, patch management, exception handling and logging. Change controls are in place to ensure only approved changes are applied. Regular internal and third-party external audits are also performed to confirm compliance with security and operational procedures.

Do you use dedicated secure networks to provide management access to your cloud service infrastructure?

All cloud hosted infrastructure is completely segregated from the CPA Global corporate network and is accessible only through secure site-to-site IPsec VPN tunnels into specific CPA Global offices, or through a CPA Global Active Directory (AD) federated, Two-Factor Authentication (2FA) enabled VPN.

Do you manage and store the user identity of all personnel who have network access, including their level of access?

CPA Global documents and continuously updates the details, including network identity, of all personnel who have any level of administrative access to the products and are responsible for management, monitoring, support or build of the environment.

Privileges and access rights granted to employees are restricted and controlled through a formal authorization and approval process. Privileges and access rights are granted to employees or third-party resources based on the “Need-to-know”, “Need-to-do” and “Segregation of Duties” principles. An authorization record of all privileges is maintained, and such privileges and access rights are reviewed monthly to prevent unauthorized access and disclosure.

Would you share the documentation on how you maintain segregation of duties within your cloud service offering?

No. All access to Amazon Web Services and Microsoft Azure is authenticated against the CPA Global Active Directory (AD) server and leverages the Identity and Access Management (IAM) features provided by AWS and Azure to configure appropriate roles and privileges at each component level.

Do you have tools implemented to help facilitate timely detection, investigation by root cause analysis and response to incidents?

All CPA Global products have a multi-layered defense and detection mechanism at the application, network and host levels, including Web Application Firewalls (WAF) for Layer 7 traffic filtering and threat detection, Network ACLs to provide Layer 3 firewall capability, File Integrity Monitoring on hosts, and Network Intrusion Detection Systems, to protect the environment and to proactively monitor and block suspicious network traffic before it reaches the internal network. Alerts and logs are routed to a centralized threat monitoring and correlation Security Information and Event Management (SIEM) system, where anomalous behavior is detected by a 24x7 SOC team. Corrective actions are undertaken where applicable.

How do you notify your clients when you make material changes to your information security and/or privacy policies?

All policies are reviewed at least once annually, and CPA Global clients will be notified of any security or privacy policy changes that materially impact the service offering. Any significant changes to the organization or to CPA Global’s information security program would be reflected in the ISO/IEC 27001 and/or AICPA SOC 2 reports.

How do you manage security incidents and report them to clients?

CPA Global has a well-documented Cyber Response Framework which establishes the policy and procedures to manage security incidents leading to suspected or confirmed data breach or compromise. The policy requires incidents to be effectively reported, investigated, and monitored to ensure that corrective action is taken to control and remediate security incidents in a timely manner.

Incident handling and management roles and responsibilities have been defined for the management of incidents. The framework outlines the steps to be taken to minimize the impact of a security incident, to investigate why, how and when it happened, to identify any weaknesses, and to apply appropriate measures to reduce security risks to an acceptable level.

Security Operations & Incident Managers are responsible for overseeing investigation and resolution of security and privacy incidents with support from other functions. An escalation and communication plan to notify Privacy, Legal or Executive Management in the event of a security incident has been established.

Clients are notified within 24 hours in the event of a confirmed breach and 48 hours for a suspected breach.