Expand | ||
---|---|---|
| ||
Does your organisation keep an up-to-date inventory of all IT assets with assigned owners? Yes, we hold a device register for all assets. More information: https://commonplace.atlassian.net/l/cp/T932Q17u |
Expand | ||
---|---|---|
| ||
Does your organisation keep an up-to-date inventory of all data repositories (such as databases) with assigned owners? Yes. More information: https://commonplace.atlassian.net/l/cp/mREyzmQk |
Expand | |||||
---|---|---|---|---|---|
| Yes. We have an offboarding process for all leavers which includes the return of all IT assets.|||||
More information: https://commonplace.atlassian.net/l/cp/TkH6cH18 |
Expand | ||||
---|---|---|---|---|
| ||||
More information: https://commonplace.atlassian.net/l/cp/h1Jccs9A |
Expand | ||
---|---|---|
| ||
Does your organisation have a documented process for provisioning user accounts for all of your IT services that includes appropriate authorisation and secure account creation with unique user IDs? We have an access control procedure that requires all requests to be submitted via a centralised channel that is overseen by the CEO, CPTO and InfoSec Officer. Approval for account creation is given by one of these roles (typically CPTO) and actioned by an appropriately authorised individual. More information: https://commonplace.atlassian.net/l/cp/epDzN51a |
Expand | |||||
---|---|---|---|---|---|
| Where available, MFA is in use for our systems and enforced on all critical systems such as AWS. If MFA is unavailable, we will always seek to use Single Sign On via Google. If neither MFA nor Single Sign On is available, employees are required to store unique and complex passwords in their 1Password application.|||||
For the Commonplace product, two factor authentication is in place for account creation via a personalised link in invitation email, but not on login. A new multi-factor authentication solution is on the roadmap and will be developed in the future. More information: https://commonplace.atlassian.net/l/cp/DvBykkLj |
Expand | |||||
---|---|---|---|---|---|
| |||||
More information: https://commonplace.atlassian.net/l/cp/1JgqZr1m |
Expand | |||
---|---|---|---|
| |||
Yes. Each service is on an automated schedule for access rights reviews. Depending on the level of risk associated with each service, these are 1x, 2x or 4x per year. Services like AWS are reviewed quarterly, and services like Adobe (that holds no confidential or personal information) are reviewed annually. More information: https://commonplace.atlassian.net/l/cp/6MA9BJ9F |
Expand | |||
---|---|---|---|
| |||
Only IT admins have administrative access on employee machines. Employees may sometimes be granted permission to perform advanced tasks as an admin but the access is revoked automatically after a given time. More information: https://commonplace.atlassian.net/l/cp/18dzFfeE |
Expand | ||
---|---|---|
| ||
Do all of your organisations systems automatically lock after a short period of inactivity (requiring re-authentication)? Not all systems do this. However critical systems such as AWS and Google Workspace do. The Commonplace platform does not currently do this for users, but it is on our short term roadmap. More information: https://commonplace.atlassian.net/l/cp/urN201PV |
Expand | ||||
---|---|---|---|---|
| ||||
More information: https://commonplace.atlassian.net/l/cp/aUR8cA2h |
Expand | |||
---|---|---|---|
| |||
We do not use Windows devices, we only use Apple Macs / iPads. More information: https://commonplace.atlassian.net/l/cp/oCCUquHU |
Expand | ||
---|---|---|
| ||
Has your organisation removed local administrator rights on all end point devices for all employees that do not require it? Yes. This is managed and enforced via Mobile Device Management, JamfPro. More information: https://commonplace.atlassian.net/l/cp/p1JHM9Wu |
Expand | |||
---|---|---|---|
| |||
Yes, XXXXX More information: https://commonplace.atlassian.net/l/cp/3AxhbHXt |
Expand | ||
---|---|---|
| ||
Do all systems (such as network devices) have their default credentials changed on installation or provision? Yes. This is managed by external third parties who take care of our office network and cloud hosting. More information: https://commonplace.atlassian.net/l/cp/M59XmU0d |
Expand | ||||
---|---|---|---|---|
| ||||
The Development of the Commonplace platform is managed through the development lifecycle. When the need for a change is identified that may impact on information security or data protection, we engage our Information Security Officer who reviews the scope and objectives of the change and completes our Change Management review, including a DPIA triage to identify if this is required. Where this process identifies items that impact information security or data protection, implementation planning and testing steps are put into place and worked through by a team consisting of internal stakeholders relevant to the change. Any new risks are added to the risk register with appropriate controls implemented where required. As part of our Change Management procedure, where new processing activity requiring an appropriate lawful basis is identified and Legitimate Interests is the selected basis, a Legitimate Interests Assessment is incorporated as part of the procedure to ensure it is completed and recorded along with the DPIA and other change records. A copy of our Change Management Policy is available upon request from customers@commonplace.is More information: https://commonplace.atlassian.net/l/cp/biUCVqVS |
Expand | ||
---|---|---|
| ||
Does your organisation use anti-malware controls, such as an Endpoint Detection and Response (EDR) solution, to protect all of its endpoints and internal IT infrastructure? Due to the nature of the service architecture (use of AWS, etc) we operate a hybrid of service administration via bastion hosts and direct service administration. The service is only accessible by authorised staff using secured VPN and SSH and utilising AWS IAM provisioning. This is done on devices also used for other general working purposes. These devices are all monitored via JamfPro and have up to date anti-malware software in place along with other controls such as FileVault, GateKeeper and XProtect. Device users have standard profiles by default with permissions elevated for fixed time periods upon request and authorisation. More information: https://commonplace.atlassian.net/l/cp/0mAsv0gH |
Expand | |||||
---|---|---|---|---|---|
| Due to the nature of the service architecture (use of AWS, etc), this is handled by third parties. XXXXX|||||
More information: https://commonplace.atlassian.net/l/cp/0CARWvTN |
Expand | |||
---|---|---|---|
| |||
Yes, via our Mobile Device Management solution JamfPro. More information: https://commonplace.atlassian.net/l/cp/orSKMh3F |
Expand | |||
---|---|---|---|
| |||
Yes, each employee is given a company owned Mac Book, provisioned via Apple Business Manager and monitored via JamfPro. More information: https://commonplace.atlassian.net/l/cp/iMn3S555 |
Expand | |||||
---|---|---|---|---|---|
| Yes.|||||
More information: https://commonplace.atlassian.net/l/cp/tJ6Pqgms |
Expand | ||||
---|---|---|---|---|
| ||||
More information: https://commonplace.atlassian.net/l/cp/B4d4Sj8v |
Expand | ||
---|---|---|
| ||
Does your organisation allow employees to access company data or services through mobile phones or tablets? Our Mobile & Teleworking Policy provides base level requirements for devices to access our systems. Company owned iPads are used to access our systems, which are monitored via JamfPro Mobile Device Management software and Avast antivirus / malware. Employee and contractors may access company systems via their own mobile devices, with the same access restrictions and privelege levels as they have on company owned machines. All devices used to access our core services via a Google Workspace are registered and monitored in Google’s Mobile Device Management service. This allows us to monitor devices and operating systems for any vulnerabilities. https://commonplace.atlassian.net/l/cp/jLc1uDWh |
Expand | ||
---|---|---|
| ||
Can your organisation remotely wipe company data on employee / contractor personal mobile phones and tablets? Yes. We are able to delete all connectivity to our company Google Workspace. Our mobile & teleworking policy prohibits employees from storing data on their personal devices.https://commonplace.atlassian.net/l/cp/PAUimccf |
Expand | ||
---|---|---|
| ||
Does your organisation encrypt customer data on its IT systems? Yes. The Commonplace platform is hosted in AWS. The database is MongoDB Atlas, also hosted in AWS. In both cases, this is within the AWS London, UK region. AWS facilities comply with ISO 9001, ISO27001, ISO 27017 and ISO 28018 among others. Within our MongoDB Atlas database, all data is encrypted at rest using MongoDB’s inbuilt services through encrypted storage volumes. Within the Commonplace infrastructure, the following measures are in place: | ||
Expand | ||
---|---|---|
| ||
Does your organisation ensure that all IT systems are regularly patched with security patches in line with vendor recommendations, including end point devices, servers, network devices, and applications? Yes. We use a number of automated security testing and patching tools to ensure we stay up to date with latest security updates to mitigate vulnerabilities and to validate any new code against a set of security standards. Additionally, our use of AWS ensures that the infrastructure underpinning the platform benefits from the world leading expertise and innovation delivered by AWS and significantly simplifies the process of maintaining a secure environment. Our CPTO, Head of Technology and Information Security Officer monitor new technologies and our Information Security Working Group meet monthly to discuss any emerging threats and technologies to understand where there may be risk or benefit to us and our customers.https://commonplace.atlassian.net/l/cp/gSdyGXKg |
Expand | ||
---|---|---|
| ||
Does your organisation run any applications or systems that are no longer supported and no longer receive security updates? |
Expand | ||
---|---|---|
| ||
Does your organisation ensure that all used digital media (that may have stored data) is disposed of securely and are certificates of destruction obtained? Media storage devices used to store customer data are classified by AWS as critical and treated accordingly, as high impact, throughout their life-cycles. AWS has exacting standards on how to install, service, and eventually destroy the devices when they are no longer useful. When a storage device has reached the end of its useful life, AWS decommissions media using techniques detailed in NIST 800-88. Media that stored customer data is not removed from AWS control until it has been securely decommissioned.https://commonplace.atlassian.net/l/cp/GfC6f8mE |
Expand | ||
---|---|---|
| ||
Does your organisation take regular backups of its digital production data in line with current best practise guidelines? Commonplace performs regular backups of all our data, and therefore if the worst happened and all of our data were lost, the worst case scenario would be that we would restore the backup.
| ||
Expand | ||
---|---|---|
| ||
Has your organisation configured its email services to use enforced TLS? We utilise Google Workspace for email which will always attempt to use a secure TLS connection when sending email. However, a secure TLS connection requires that both the sender and recipient use TLS. If the receiving server doesn't use TLS, Gmail still delivers messages, but the connection isn't secure.https://commonplace.atlassian.net/l/cp/vBk5czvP |
Expand | ||
---|---|---|
| ||
Has your organisation implemented SPF, DMARC, and DKIM for all of its email services? XXXXX | ||
Expand | ||
---|---|---|
| ||
Does your organisation prevent unauthorised transfer of data via email, web browsers, or other data transfer mechanisms? We have rules internally about how information should be transferred. As a small team, we have not implemented technical controlshttps://commonplace.atlassian.net/l/cp/WMZhveSN |
Expand | ||
---|---|---|
| ||
Are any components of the system (hardware, applications, software) outsourced or subcontracted to a third party? Yes. Sites are cloud hosted by Commonplace. Our service is hosted with
Security Information AWS facilities comply with ISO 9001, ISO27001, ISO 27017 and ISO 27018 among others.
Cloudinary is ISO 27001, ISO 27017, ISO 27018 and ISO 27701 certified.
Sendgrid use various hosting facilities all with SOC type 2 reports. See here for more information |
Expand | ||
---|---|---|
| ||
Are any supporting services (for e.g. system support, service desk, remote administration etc.) outsourced or subcontracted to a third party? Yes, we use a suite of SaaS solutions, which all must comply with our supplier security policy. Our list of sub-processors used within our platform is on our website. The way we deal with sub-processors is covered in our standard license agreement. | ||
Expand | ||
---|---|---|
| ||
What are your ‘patch deployment cycles’ and maintenance windows? We deploy code multiple times per day using Continuous Integration and Continuous Deployment. We have never required any planned downtime and do not expect to do so. Should this change, we will inform our customers with a 14 day advanced notification of the change and keep any interruptions to off peak hours.https://commonplace.atlassian.net/l/cp/Q1omZezA |
Expand | ||
---|---|---|
| ||
Does your organisation have an enforceable password policy? Yes. In accordance with Cyber Essentials we have a password policy for our internal team users when using our various cloud services. This includes definitions around the generation and storing of passwords, which we enforce via the 1Password application and the use of MFA wherever it is available. Commonplace application users are subject to minimum password length and a strength indicator when creating or changing a password.https://commonplace.atlassian.net/l/cp/CaCP1ZEU |