OrgChart Now Information Security Overview. OfficeWork Software LLC



Similar documents
Cloud Security Trust Cisco to Protect Your Data

Security Information & Policies

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Clever Security Overview

SNAP WEBHOST SECURITY POLICY

Data Processing Agreement for Oracle Cloud Services

Hengtian Information Security White Paper

Office 365 Data Processing Agreement with Model Clauses

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

Data Security and Privacy Principles for IBM SaaS How IBM Software as a Service is protected by IBM s security-driven culture

A Flexible and Comprehensive Approach to a Cloud Compliance Program

Data Management Policies. Sage ERP Online

Ensuring Enterprise Data Security with Secure Mobile File Sharing.

WALKME WHITEPAPER. WalkMe Architecture

TONAQUINT DATA CENTER, INC. CLOUD SECURITY POLICY & PROCEDURES. Tonaquint Data Center, Inc Cloud Security Policy & Procedures 1

Security Controls What Works. Southside Virginia Community College: Security Awareness

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

MUSC Information Security Policy Compliance Checklist for System Owners Instructions

ACCEPTING PAYMENT CARD ASSESSMENT Pre-Selection Questionnaire

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.

Security and Data Protection for Online Document Management Software

Internal Control Guide & Resources

Access Control Policy. Document Status. Security Classification. Level 4 - PUBLIC. Version 1.0. Approval. Review By June 2012

Tenzing Security Services and Best Practices

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

Security Overview Enterprise-Class Secure Mobile File Sharing

Logz.io See the logz that matter

VMware vcloud Air Security TECHNICAL WHITE PAPER

PROTECTING YOUR VOICE SYSTEM IN THE CLOUD

STATE OF NEW JERSEY Security Controls Assessment Checklist

Security Considerations

Southern Law Center Law Center Policy #IT0004. Title: Policy

Security & Infra-Structure Overview

Level I - Public. Technical Portfolio. Revised: July 2015

I. Introduction to Privacy: Common Principles and Approaches

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

PII Compliance Guidelines

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

IBX Business Network Platform Information Security Controls Document Classification [Public]

Information Security Program Management Standard

DCH File Transfer Application User Manual

BMC s Security Strategy for ITSM in the SaaS Environment

The supplier shall have appropriate policies and procedures in place to ensure compliance with

Paxata Security Overview

Estate Agents Authority

BUDGET LETTER PEER-TO-PEER FILE SHARING , , EXECUTIVE ORDER S-16-04

How Microsoft is taking Privacy by Design to Work. Alan Chan National Technology Officer Microsoft Hong Kong 7 May 2015

HOSTING SERVICES ADDENDUM TO MASTER SOFTWARE LICENCE AGREEMENT

GoodData Corporation Security White Paper

University of Pittsburgh Security Assessment Questionnaire (v1.5)

PBGC Information Security Policy

Famly ApS: Overview of Security Processes

KeyLock Solutions Security and Privacy Protection Practices

CHIS, Inc. Privacy General Guidelines

The Essential Security Checklist. for Enterprise Endpoint Backup

TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS

Ellucian Cloud Services. Joe Street Cloud Services, Sr. Solution Consultant

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C

State of Oregon. State of Oregon 1

Qualification Guideline

FormFire Application and IT Security. White Paper

The Anti-Corruption Compliance Platform

SUPPLIER SECURITY STANDARD

California State University, Sacramento INFORMATION SECURITY PROGRAM

PCI Data Security and Classification Standards Summary

Intel Enhanced Data Security Assessment Form

M&T BANK CANADIAN PRIVACY POLICY

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

With Eversync s cloud data tiering, the customer can tier data protection as follows:

by: Scott Baranowski Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy

CounselorMax and ORS Managed Hosting RFP 15-NW-0016

ShareFile Security Overview

ISMS Implementation Guide

Central Agency for Information Technology

Apteligent White Paper. Security and Information Polices

Information Security Awareness Training

Information security controls. Briefing for clients on Experian information security controls

ONLINE PRIVACY POLICY

Protecting Sensitive Data Reducing Risk with Oracle Database Security

Oracle Cloud Hosting and Delivery Policies Effective Date: June 1, 2015 Version 1.5

RDM on Demand Privacy Policy

Qualtrics. Security White Paper Lite. Defining our security processes. Revised February 23,

Newcastle University Information Security Procedures Version 3

BERKELEY COLLEGE DATA SECURITY POLICY

Transcription:

OrgChart Now Information Security Overview OfficeWork Software LLC Version 1.3 May 13, 2015

OrgChart Now Information Security Overview Introduction OrgChart Now is a SaaS (Software as a Service) product that allows customers to create organizational charts and workforce plans. A user s account typically contains employee data. Employee data can be either be uploaded or manually inputted into OrgChart Now. Employee data records may contain information that is considered confidential. We know that one of your greatest concerns is the safety of your confidential data. OrgChart Now is designed from the ground up with security in mind. We follow industry best practices to ensure your data is safe. Hosting Providers All OrgChart Now servers are only hosted by providers that adhere to certain compliance standards and regulations. We require that our hosting providers are: SSAE 16/ISAE 3204 certified Safe Harbor certified ISO 27001 certified Formerly known as SAS70 Type II, SSAE 16 and ISAE 3402 are the international service organizational reporting standards. These standards allow an auditor to assess the internal controls of hosted data center. ISAE 3402/SSAE 16 Type II SOC 1 reports are available to our customers and prospects upon request. Safe Harbor is essentially a process for organizations in the US and EU that store customer data designed to prevent accidental information disclosure or loss. Companies certified under Safe Harbor must follow several guidelines regarding how data is collected, used, transferred and secured. ISO/IEC 27001:2005 is the formal international security standard against which organizations may seek independent certification of their Information Security Management System (ISMS). It is intended to be used with ISO 27002:2005, a Security Code of Practice. ISO 27001 provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving ISMS, which is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization s information risk management processes. Physical Security Access to each data center is controlled 24X7X365 by guards at the front entrance. Entrance to a hosting facility is only allowed when accompanied by an employee of the hosting provider. OrgChart Now Information Security Overview Page 2 of 5

Network Security Firewalls - All servers are protected by state of the art firewall technology to prevent unauthorized network access to servers and equipment. Intrusion Detection - Intrusion Detection and Prevention appliances are used to track and prevent unauthorized system access. SSL Https is used for network connections to all servers to protect data in transit. Server Security All servers are hardened using industry standard guidelines as applicable. Passwords are changed on a periodic basis. All customer passwords are one way encrypted when at stored. Information Security All our employees and contractors receive information security training on an annual basis to ensure that they are aware of all information security related policies and procedures. Other training sessions are conducted on an ad-hoc basis as need arises. Data Access Employee Access Control - A small group of designated employees are given access to customer data on an as needed basis. Access is granted and revoked as necessary by senior personnel. Customer Access - Customer is solely responsible for granting/revoking access to their employees/agents. Customer is responsible for making sure appropriate controls are in place for granting access privileges to their employees and contractors. Data Retention Discontinued Usage - If a customer decides to discontinue usage of OrgChart Now, we will retain the customer data for a period of ninety (90) days. At that time we reserve the right to purge that customer s data from all systems. The customer can submit a written request that all data be purged immediately. We will purge data within ten (10) business days of a written request. Extended Retention - A customer can submit a written request to retain customer data for a longer than ninety days; however, this may result in additional storage fees to the customer. OrgChart Now Information Security Overview Page 3 of 5

Data Destruction Decommissioned and Repurposed Equipment - When equipment is decommissioned or repurposed, industry standard techniques are used to fully erase data from any attached storage media. Hard Copy Destruction - Hard copies of customer data are sometimes created in order to resolve a support ticket. Employees are trained to shred hard copies of customer data as soon as an issue is resolved. Downloading of Customer Data by Employees - If customer data must be downloaded to resolve a customer issue, the data can only be downloaded to designated servers. Employees are trained to perform a deep delete of the data as soon as an issue is resolved. Data Destruction Certificate - We will provide a data destruction certificate within ten (10) business days of a written request from customer. Customer Guidelines Although our systems are secure, we recommend that customers should avoid loading data elements that do not pertain to their business needs. For example, data elements relating to identify theft (e.g. Credit card information, bank account or financial account numbers, driver s license numbers or any health related records) should be avoided unless required by customer use case. Data Ownership Customer is the sole owner of their data. We acknowledge that customer data cannot be used for any purposes not expressly approved by customer. Data Classification Customer data is classified into three categories: Public Customer data can that can be posted on public website Official Use Only Customer data that can be used by us for business purposes (e.g. email campaigns or sales calls) Confidential Customer data that is only accessible on an as needed basis in support of customer request (professional services or technical support). All customer data stored in OrgChart Now is considered Confidential and is treated as such. Data Segregation We segregate customer data to ensure unauthorized access by another customer cannot occur. Segregation is achieved using industry standard database and file systems mechanisms. OrgChart Now Information Security Overview Page 4 of 5

Data Requests At any time customer can request an electronic copy of any of their data. Customer must provide the request in written form and request must be signed by a corporate officer. The request must also contain specific delivery instructions for the requested data. We will provide the data within ten (10) business days of this written request. A fee may be charged to customer based on the complexity of the request. Testing Guidelines In the event customer data is required for resolving an issue or testing a new software release, the data must be made anonymous before moving to development or test systems. OrgChart Now Information Security Overview Page 5 of 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information