MURAL


Digital workspaces for visual collaboration, inspiration and innovation anytime, anywhere, on any device

Compliance Certifications & Regulations
GDPR

The General Data Protection Regulation, or GDPR, is a regulation on data protection and privacy for all individual citizens of the European Union and the European Economic Area.

SOC 2 Type 2

SOC 2 is a widely used framework for building trust between vendors (called "service organizations") and customers (called "user entities").

EU-US and Swiss-US Privacy Shield

The Privacy Shield Frameworks provide a mechanism to comply with data protection requirements when transferring personal data from the EU and Switzerland to the United States.

Cloud Security Alliance (CSA)

The Consensus Assessments Initiative Questionnaire (CAIQ) is a survey provided by the Cloud Security Alliance for cloud consumers and auditors to assess the security capabilities of a cloud service provider.
Security at MURAL
Business Continuity

Business continuity is the ability of an organization to maintain essential functions during, as well as after, a disaster has occurred.

Infrastructure Monitoring & Dedicated Response Team

Organization has instrumented an infrastructure monitoring system, and has designated responsible workforce members for incident response.

Conducts Business Continuity Training & Testing

Organization reviews the Business Continuity Plan and performs technical or tabletop testing exercises on a routine basis.

Distribution of Systems

Organization deploys information systems across multiple physical locations.

Automated, Distributed Backups

Organization performs routine backups of databases and other data stores.

99+% Uptime Service Level Agreement

Organization has committed to service uptime greater than 99%.

Publicly Available Status Page

Organization publicly shares system status updates & availability incidents.

Business Continuity Plan

Organization has created a Business Continuity Plan designed to reduce disruptions in uptime as a result of an incident.

Encryption and Key Management

Encrypts Data At-rest

Data at rest is encrypted with AES-256.

Full Disk Encryption of Employee Workstations

Employee workstations have full disk encryption enabled.

Encrypts Data In Transit

All network communication uses TLS v1.2; sessions are encrypted and authenticated with AES_128_GCM and use ECDHE_RSA as the key exchange mechanism. Qualys' SSL Labs scored MURAL's TLS configuration "A+" on its SSL Server Test.

Governance

Holds Audit Report or Certification from Major Audit Framework

Organization has completed an audit or certification process for SOC 2 Type II.

Routine Internal Audits

Organization routinely performs internal audits in order to ensure effective operation of its compliance and security program.

Human Resources Security

Requires Confidentiality Agreement With Workforce Members

Organization requires that all workforce members execute a confidentiality agreement prior to accessing organizational information systems.

Anti-phishing Simulation and Training

Organization requires all workforce members to complete anti-phishing training on a routine basis.

Performs Due Diligence in Hiring Workforce Members

Organization performs professional-reference and criminal background screens on all prospective employees and contractors.

Security & Privacy Training

Organization requires all workforce members to complete privacy and security awareness training on a routine basis.

Identity and Access Management

Performs Access Control Reviews

Organization performs routine access control reviews for information systems.

Requires Strong, Role-Based Access Control Principles

Organization requires access and access controls to follow the principles of deny-by-default, need-to-know, and least privilege.

Requires Password Manager for Workforce Members

Workforce members are required to use a password manager for managing account credentials.

Incident Response

Incident Response Plan

Organization has created an Incident Response Plan designed to reduce the negative impacts resulting from a security or privacy incident.

Conducts Incident Response Training & Testing

Organization reviews the Incident Response Plan and performs functional or tabletop testing exercises on a routine basis.

Mobile Device Security

Enforces Strong Mobile Device Security Configuration by MDM

Organization audits the security configuration of all workforce phones and tablets used to access organizational information or information systems.

Enforces Strong Workstation Security Configuration by MDM

Organization audits the security configuration of all laptops and workstations used to access organizational information or information systems.

Privacy Management

Public Privacy Policy

Organization publicly discloses data collection and processing methods to data subjects.

Investigations for Privacy Violations

Organization is not the subject of any privacy violation investigations.

Risk Management

Risk Assessment and Treatment Program

Organization has implemented a risk management program in order to identify risks and treatment opportunities.

Secure System Development

Performs Regular Security Updates

Organization routinely applies the latest security patches to information systems.

Host and/or Network Intrusion Detection

Organization monitors systems and networks for malicious activity or policy violations.

Performs Routine Penetration Testing

Organization routinely performs penetration testing.

Strong TLS Protocols Required

Organization prohibits use of insecure encryption protocols such as SSL and TLS 1.0.

Subscribes to Vulnerability Mailing Lists

Organization reviews common vulnerability databases and mailing lists on a routine basis.

Requires Code Review Before Merge

Organization requires that all non-trivial code changes be reviewed and approved prior to merge.

Responsible Disclosure/Bug Bounty Program

Organization encourages responsible disclosure of suspected vulnerabilities and awards researchers a cash bonus for reporting vulnerabilities.

Requires Strong Password and Authentication Requirements

Organization's system development procedures ensure strong password and authentication requirements.

Automated Testing

Organization requires all non-trivial code changes to be unit and/or acceptance tested.

Supports MFA

Services deployed by organization support Multifactor Authentication (MFA), which requires more than one method of authentication to sign in.

Performs Automated Application Vulnerability Scans

Organization routinely performs web application vulnerability scans.

Supports SSO

Services deployed by organization support Single Sign-On (SSO) from providers such as Okta or OneLogin.

Host and Application Audit Logging

Organization maintains host-level and application-level event logs.

Security Culture

Publicly Available Release Notes

Organization publicly shares software release notes for major product updates.