SecureCoders Security Portal
Vendor Management Review
This procedure is recommended for all third-party service providers who transmit or store any type of client or employee information but is mandatory for all business critical systems and providers who handle confidential, high risk data including Personally Identifiable Information (PII) and Protected Health Information (PHI).
Upon selection of a vendor or service provider where customer or employee information will be transmitted or stored, the requester shall contact SecureCoders’s Chief Information Security Officer.
The Chief Information Security Officer or their designee will assist the requester in identifying the classification of the data that will be transmitted or stored by the service provider.
The Chief Information Security Officer or their designee will participate in a risk assessment review with the service provider and requester by completing the Third-Party Risk Assessment (attached as Appendix A).
Note that the Chief Information Security Officer may accept relevant security documentation, such as certifications and attestations of compliance with laws, regulations and privacy requirements, and certifications of alignment with security frameworks, in lieu of a completed Third-Party Risk Assessment.
During the assessment, the assessor should confirm that contractual controls limit any personal information transmitted to, processed, stored, disclosed to or retained by third parties to defined parameters for access, use and disclosure.
Once completed, the Chief Information Security Officer or their designee will evaluate the results of the survey and make a recommendation to:
Eliminate the service provider from consideration due to high risk finding
Ask for more information from the service provider to complete the survey
Approve the service provider
All assessments will be approved or rejected with cause by the Chief Information Security Officer or their designee. Copies of the assessments shall be retained for SecureCoders’s records on SecureCoders’s Google Drive.
Results are then shared with the requester, who completes the procurement process with the service provider.
Approved Risk Management Program
Risk assessment and risk treatment are applied to the entire scope of SecureCoders’s information security and privacy program, and to all assets which are used within SecureCoders or which could have an impact on information security and privacy within it.
All risk is ultimately owned and accepted by the SecureCoders Chief Executive Officer.
Internally Shared User Accounts
SecureCoders employees do not share user accounts.
Staff Scoped Data Access
Employees are given access to company systems and customer information on an as-needed basis.
All contractors and employees must agree to an employment agreement and non-disclosure agreement prior to employment.
All employees and contractors must undergo local and federal background checks prior to beginning work for SecureCoders.
When an employee or contractor is terminated, access to accounts is removed prior to an exit interview with the head of Human Resources.
Roles and Responsibilities
Roles and responsibilities are well defined and documented within the HR management software which SecureCoders utilizes.
Designated Security Point of Contact
Single Sign On
All SecureCoders employees are issued accounts through our Identity Provider, which enforces MFA (multi-factor authentication) and the SecureCoders Password Policy.
Data Encrypted in Transit
All applications used for conducting SecureCoders business use HTTPS with TLS 1.2 as the transport.
Customer Data Removal
Customer data is removed within 30 days of no longer being needed for SecureCoders to conduct its services.
Data Encrypted at Rest
Customer data is stored on a well-known cloud data storage platform which encrypts data at rest.
Personally Identifiable Information (PII)
SecureCoders does not store customer PII.
Protected Health Information (PHI)
SecureCoders does not store PHI.
Asset Management Policy
Assets are tracked via industry-standard asset management software, which ensures that local security configurations are correctly enabled as per SecureCoders policies.
Physical Security Controls
SecureCoders data is stored with a well-known corporate storage provider which employs strong physical security controls. All employee laptops are configured with encrypted hard disks to prevent data spillage in the event of a device being lost or stolen.
SecureCoders implements industry-leading endpoint protection on all company devices.