Encryption and Key Management

Governance

Human Resources Security

Identity and Access Management

Incident Response

Mobile Device Security

Privacy Management

Product Security

Risk Management

Secure System Development

Security Culture

Vendor Management

Business continuity is the ability of an organization to maintain essential functions during, as well as after, a disaster has occurred.

Business Continuity

Organization has instrumented an infrustructure monitoring system, e.g. PagerDuty, and has designated responsible workforce members for incident response.

Infrastructure Monitoring & Dedicated Response Team

Encryption keys for at-rest data are rotated frequently

Rotates At-rest Encryption Keys

Organization performs routine access control reviews for information systems. 

Perfoms Access Control Reviews

Organization routinely applies latest security patches to information systems. 

Performs Regular Security Updates

Organization monitors systems and networks for malicious activity or policy violations.

Host and/or Network Intrusion Detection

Encrypts Data At-rest

Organization requires all workforce members execute a confidentiality agreement prior to accessing organizational information systems.

Requires Confidentiality Agreement With Workforce Members

Organization prohibits workforce members from accessing organizational information or information systems from personal devices.

Prohibits Bring Your Own Device

Organization routinely performs penetration testing

Performs Routine Penetration Testing

Organization prohibits use of insecure encryption protocols such as SSL and TSL 1.0.

Strong TLS Protocols Required

Organization reviews the Business Continuity Plan and performs technical or tabletop testing exercises on a routine basis.

Conducts Business Continuity Training & Testing

Organization deploys information systems across multiple physical locations (e.g. Availability Zones on AWS)

Distrubution of Systems

Employee workstations used to store or access non-public information have full disk encryption enabled

Full Disk Encryption of Employee Workstations

Organization requires all workforce members complete Anti-phishing Training on a routine basis.

Anti-phishing Simulation and Training

Organization has created an Incident Response Plan designed to reduce the negative impacts resulting from a security or privacy incident.

Incident Response Plan

Organization has completed an audit or certification process for one or more of the following audit frameworks: ISO 27001:2013, HITRUST, SOC 2 TYPE II, FedRAMP, NIST 800-171)

Holds Audit Report or Certification from Major Audit Framework

Organization reviews common vulnerability databases and mailing lists on a routine basis.

Subscribes to Vulnerability Mailing Lists

Organization prohibits workfroce members from creating local copies of production data.

Forbids Local Download of Production Customer Data

Organization publicly shares software release notes for major product updates.

Publicly Available Release Notes

Organization publicly discloses data collection and processing methods to data subjects.

Public Privacy Policy

Organization performs routine backups of databases and other data stores. 

Automated, Distributed Backups

Organization requires access and access controls to abide by the principles of Deny-by-default, Need-to-know, and Least Privilege. 

Requires Strong, Role-Based Access Control Principles

Organization has implemented a risk management program in order to identify risks and treatment opportunities.

Risk Assessment and Treatment Program

Organization requires all non-trivial code changes be reviewed and approved prior to merge.

Requires Code Review Before Merge

Organization implements DDos avoidance/protection techniques such as network isolation, DNS Amplification or application load balancers on AWS.

DDos Avoidance and Protection

Workforce members are required to use a password manager such as 1Password for managing account credentials.

Requires Password Manager for Workforce Members

Organization audits security configuration of all workforce phones and tables used to access organizational information or information systems.

Enforces Strong Mobile Device Security Configuration MDM

Organization encourages responsible disclosure of suspected vulnerabilities and awards researchers a cash bonus for reporting vulnerabilities.

Responsible Disclosure/Bug Bounty Program

Organization publicly discloses Government Request activity.

Government Requests Transparency

Organization has commited to service uptime greater than 99%.

99+% Uptime Service Level Agreement

Organization prohibits use of shared accounts for systems that maintain sensitive data.

Restricts Shared Accounts

Organization''s sytem development procedures ensure strong password and authentication requirements. 

Requires Strong Password and Authentication Requirements

Organization requires all non-trivial code changes to be unit and/or acceptance tested. 

Automated Testing

Organization routinely performs internal audits in order to ensure effective operation of their compliance and security pgoram.  

Routine Internal Audits

Organization only uses encryption technologies based on standard algorithms approved in FIPS 140-2.  

Requires Strong Encryption Algorithms

Organization utilizes strong encryption methods for transfer of any non-public information outside of the organizations'' network.

Encrypts Data In Transit

Organization reviews the Incident Response Plan and performs functional or tabletop testing exercises on a routine basis.

Conducts Incident Response Training & Testing

Organization routinely performs host and/or network vulnerability scans.

Performs Automated Host/Network Vulnerability Scans

Services deployed by organization support Multifactor Authentication (MFA), a security system that requires more than one method of authentication.

Supports MFA

Organization publicly shares system status updates & availability incidents. 

Publicly Available Status Page

Organization performs professional-reference and criminal background screens on all prospective employees and contractors that require access to non-public data. 

Performs Due Diligence in Hiring Workforce Members

Organization prohibits attempts to interfere with reporting of security or policy incidents

Prohibits Retaliation Against Whistleblowers

Organization routinely performs web application vulnerability scans.

Performs Automated Application Vulnerability Scans

Services deployed by organization support Single Sign-On (SSO) from providers such as Okta or OneLogin.

Supports SSO

Organization has created a Business Continuity Plan designed to reduce disruptions in uptime as a result of an incident. 

Business Continuity Plan

Organization requires all workforce members complete Privacy and Security Awareness Training on a routine basis.

Security & Privacy Training

Organization audits security configuration of all laptops and workstations used to access organizational information or information systems. 

Enforces Strong Workstation Security Configuration by MDM

Organization maintains host-level and application-level event logs.

Host and Application Audit Logging

Organization is not the subject of any Privacy violation investigations. 

Investigations for Privacy Violations

FedRAMP simplifies security for the digital age by providing a standardized approach to security for the cloud.

FedRAMP

SOC 2 Type 1

ISO 27001

SOC 1 Type 2

GDPR

HITRUST

HIPAA

SOC 3

SOC 2 Type 2

FISMA

SOC 1 Type 1

EU-US Privacy Shield

Swiss-US Privacy Shield

Cloud Security Alliance

CCPA

Preferred technology partner for professional services to create and deliver personalised digital experiences

Vuture

 * Freshdesk: Vuture uses Freshdesk as Vuture’s ticketing service and help desk software. Freshdesk, Inc., is located at 311 California Street, San Francisco, CA 94104, USA and hosts and processes data in the US, EEA and possibly in other countries, has been awarded with the TRUSTe’s Privacy seal and has certified that it adheres to the relevant <b>US-EU and US-Swiss Privacy Shield</b> Principles of the Government of the United States. See Freshdesk's Privacy Policy for further details.

 * Freshdesk: Vuture uses Freshdesk as Vuture’s ticketing service and help desk software. Freshdesk, Inc., is located at 311 California Street, San Francisco, CA 94104, USA and hosts and processes data in the US, EEA and possibly in other countries, has been awarded with the TRUSTe’s Privacy seal and has certified that it adheres to the relevant US-EU and <b>US-Swiss Privacy Shield</b> Principles of the Government of the United States. See Freshdesk's Privacy Policy for further details.

We adhere to the principles of ISO 27001 and achieved certification in June, 2018, from the British Standards Institute.

We have controls in place to protect personally identifiable information (PII), a plan in place for the EU GDPR, and we are currently registering with the U.S. Privacy Shield

website

tags

Last Updated

Vuture

Summary

EU-US Privacy Shield

Swiss-US Privacy Shield

ISO 27001

GDPR

EU-US Privacy Shield

EU-US Privacy Shield

Swiss-US Privacy Shield

Swiss-US Privacy Shield

ISO 27001

ISO 27001