Versions Compared

Version Old Version 43 New Version Current
Changes made by

Roxy Sanchez

Benjy Meyer

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Expand
titleDoes your organisation keep an up-to-date inventory of all IT assets with assigned owners?

Does your organisation keep an up-to-date inventory of all IT assets with assigned owners?

Yes, we hold a device register for all assets.

More information: https://commonplace.atlassian.net/l/cp/T932Q17u

Expand
Does your organisation keep an up-to-date inventory of all data repositories (such as databases) with assigned owners?
titleDoes your organisation keep an up-to-date inventory of all data repositories (such as databases) with assigned owners?

Yes.

More information: https://commonplace.atlassian.net/l/cp/mREyzmQk

Expand
Does your organisation have a formal process to ensure that employees, contractors and third party users return all IT assets when they leave the organisation?
titleDoes your organisation have a formal process to ensure that employees, contractors and third party users return all IT assets when they leave the organisation?

Yes. We have an offboarding process for all leavers which includes the return of all IT assets.

More information: https://commonplace.atlassian.net/l/cp/TkH6cH18

Expand
Does your organisation have a process for editing or removing employee access to systems and information (whether digital or physical) when they are changing role or leaving the organisation?
titleDoes your organisation have a process for editing or removing employee access to systems and information (whether digital or physical) when they are changing role or leaving the organisation?

Yes. We have an offboarding process for all leavers which includes removing access to systems and information when they leave. When an employee changes role, we also review their access rights.

More information: https://commonplace.atlassian.net/l/cp/h1Jccs9A

Expand
titleDoes your organisation have a documented process for provisioning user accounts for all of your IT services that includes appropriate authorisation and secure account creation with unique user IDs?

Does your organisation have a documented process for provisioning user accounts for all of your IT services that includes appropriate authorisation and secure account creation with unique user IDs?

We have an access control procedure that requires all requests to be submitted via a centralised channel that is overseen by the CEO, CPTO and InfoSec Officer. Approval for account creation is given by one of these roles (typically CPTO) and actioned by an appropriately authorised individual.

More information: https://commonplace.atlassian.net/l/cp/epDzN51a

Does your organisation enforce multi-factor authentication (aka MFA and sometimes referred to two factor authentication, 2FA) on all remotely accessible services (both within your internal IT systems and on third party services)?

Where available, MFA is in use for our systems and enforced on all critical systems such as AWS. If MFA is unavailable, we will always seek to use Single Sign On via Google. If neither MFA nor Single Sign On is available, employees are required to store unique and complex passwords in their 1Password application.

For the Commonplace product, two factor authentication is in place for account creation via a personalised link in invitation email, but not on login. A new multi-factor authentication solution is on the roadmap and will be developed in the future.
Expand
titleDoes your organisation enforce multi-factor authentication (aka MFA and sometimes referred to two factor authentication, 2FA) on all remotely accessible services (both within your internal IT systems and on third party services)?

More information: https://commonplace.atlassian.net/l/cp/DvBykkLj

For employees, all access requests require approval before account creation, which also applies to privileged and sensitive accounts. Approval will only be granted to appropriate employees. Regular training on both information security and data protection is delivered as eLearning with tests to ensure understanding. Further resources are provided via our intranet service.
Expand
Are privileged access accounts, and accounts of a sensitive nature, subject to a higher level of authorisation than user accounts before being provisioned?
titleAre privileged access accounts, and accounts of a sensitive nature, subject to a higher level of authorisation than user accounts before being provisioned?

For customers, all access requests require an invitation by their Commonplace Customer Success Manager or by an existing Admin or Lead Admin on the customer account.

More information: https://commonplace.atlassian.net/l/cp/1JgqZr1m

Does your organisation regularly audit employee access rights for all IT services (whether internal or third party based)?

Yes. Each service is on an automated schedule for access rights reviews. Depending on the level of risk associated with each service, these are 1x, 2x or 4x per year.
Expand
title Does your organisation regularly audit employee access rights for all IT services (whether internal or third party based)?

Services like AWS are reviewed quarterly, and services like Adobe (that holds no confidential or personal information) are reviewed annually.

More information: https://commonplace.atlassian.net/l/cp/6MA9BJ9F

Expand
titleDoes your organisation use Privileged Access Management controls to securely manage the use of privileged accounts for system administration?

Does your organisation use Privileged Access Management controls to securely manage the use of privileged accounts for system administration?

Only IT admins have administrative access on employee machines. Employees may sometimes be granted permission to perform advanced tasks as an admin but the access is revoked automatically after a given time.

More information: https://commonplace.atlassian.net/l/cp/18dzFfeE

Expand
Do all of your organisations systems automatically lock after a short period of inactivity (requiring re-authentication)?
titleDo all of your organisations systems automatically lock after a short period of inactivity (requiring re-authentication)?

Not all systems do this. However critical systems such as AWS and Google Workspace do.

The Commonplace platform does not currently do this for users, but it is on our short term roadmap.

More information: https://commonplace.atlassian.net/l/cp/urN201PV

1password is used by all employees and contractors. It provides a place for users to store various passwords, software licenses, and other sensitive information in a virtual vault that is locked with a PBKDF2-guarded master password.
Expand
Does your organisation use/provision a password manager to ensure passwords are of the required complexity and only used once?
titleDoes your organisation use/provision a password manager to ensure passwords are of the required complexity and only used once?

Browser based (Chrome, Safari etc) password saving is disabled for employees.

More information: https://commonplace.atlassian.net/l/cp/aUR8cA2h

Expand
Has your organisation disabled auto-run on all of its Microsoft Windows based IT systems?
titleHas your organisation disabled auto-run on all of its Microsoft Windows based IT systems?

We do not use Windows devices, we only use Apple Macs / iPads.

More information: https://commonplace.atlassian.net/l/cp/oCCUquHU

Expand
titleHas your organisation removed local administrator rights on all end point devices for all employees that do not require it?

Has your organisation removed local administrator rights on all end point devices for all employees that do not require it?

Yes. This is managed and enforced via Mobile Device Management, JamfPro.

More information: https://commonplace.atlassian.net/l/cp/p1JHM9Wu

Yes, XXXXX
Expand
Does your organisation operate a secure configuration process to reduce any unnecessary vulnerabilities in your IT systems including servers, endpoints, network devices and systems hosted in a cloud environment?
titleDoes your organisation operate a secure configuration process to reduce any unnecessary vulnerabilities in your IT systems including servers, endpoints, network devices and systems hosted in a cloud environment?

More information: https://commonplace.atlassian.net/l/cp/3AxhbHXt

Expand
title Do all systems (such as network devices) have their default credentials changed on installation or provision?

Do all systems (such as network devices) have their default credentials changed on installation or provision?

Yes. This is managed by external third parties who take care of our office network and cloud hosting.

More information: https://commonplace.atlassian.net/l/cp/M59XmU0d

Expand
titleDoes your organisation have a formal change management process that gives consideration to information security?

Does your organisation have a formal change management process that gives consideration to information security?

As part of ISO 27001 certified ISMS we have a documented Change Management Policy that incorporates information security and data protection elements (including DPIAs, etc), including the appointment of new suppliers. A standardised template record is used for operational changes.

The Development of the Commonplace platform is managed through the development lifecycle. When the need for a change is identified that may impact on information security or data protection, we engage our Information Security Officer who reviews the scope and objectives of the change and completes our Change Management review, including a DPIA triage to identify if this is required.

Where this process identifies items that impact information security or data protection, implementation planning and testing steps are put into place and worked through by a team consisting of internal stakeholders relevant to the change.

Any new risks are added to the risk register with appropriate controls implemented where required.
Appointment of suppliers is included in this process with applicable due diligence being completed via our Supplier Selection procedure.

As part of our Change Management procedure, where new processing activity requiring an appropriate lawful basis is identified and Legitimate Interests is the selected basis, a Legitimate Interests Assessment is incorporated as part of the procedure to ensure it is completed and recorded along with the DPIA and other change records.

A copy of our Change Management Policy is available upon request from customers@commonplace.is

More information: https://commonplace.atlassian.net/l/cp/biUCVqVS

Expand
Does your organisation use anti-malware controls, such as an Endpoint Detection and Response (EDR) solution, to protect all of its endpoints and internal IT infrastructure?
titleDoes your organisation use anti-malware controls, such as an Endpoint Detection and Response (EDR) solution, to protect all of its endpoints and internal IT infrastructure?

Due to the nature of the service architecture (use of AWS, etc) we operate a hybrid of service administration via bastion hosts and direct service administration. The service is only accessible by authorised staff using secured VPN and SSH and utilising AWS IAM provisioning.

This is done on devices also used for other general working purposes. These devices are all monitored via JamfPro and have up to date anti-malware software in place along with other controls such as FileVault, GateKeeper and XProtect. Device users have standard profiles by default with permissions elevated for fixed time periods upon request and authorisation.

More information: https://commonplace.atlassian.net/l/cp/0mAsv0gH

Expand
Does your organisation have procedures in place to control the installation of software on IT production systems (such as servers)?
titleDoes your organisation have procedures in place to control the installation of software on IT production systems (such as servers)?

Due to the nature of the service architecture (use of AWS, etc), this is handled by third parties. XXXXX

More information: https://commonplace.atlassian.net/l/cp/0CARWvTN

Expand
title Does your organisation have procedures in place to control the installation of software on user endpoint systems?

Does your organisation have procedures in place to control the installation of software on user endpoint systems?

Yes, via our Mobile Device Management solution JamfPro.

More information: https://commonplace.atlassian.net/l/cp/orSKMh3F

Does your organisation use laptop devices?

Yes, each employee is given a company owned Mac Book, provisioned via Apple Business Manager and monitored via JamfPro.
Expand
title Does your organisation use laptop devices?

More information: https://commonplace.atlassian.net/l/cp/iMn3S555

Yes.
Expand
Are all company owned laptop hard drives encrypted?
titleAre all company owned laptop hard drives encrypted?

More information: https://commonplace.atlassian.net/l/cp/tJ6Pqgms

Yes.
Expand
Can your organisation remotely wipe company data on laptop devices?
title Can your organisation remotely wipe company data on laptop devices?

More information: https://commonplace.atlassian.net/l/cp/B4d4Sj8v

Expand
titleDoes your organisation allow employees to access company data or services through mobile phones or tablets?

Does your organisation allow employees to access company data or services through mobile phones or tablets?

Our Mobile & Teleworking Policy provides base level requirements for devices to access our systems. Company owned iPads are used to access our systems, which are monitored via JamfPro Mobile Device Management software and Avast antivirus / malware.

Employee and contractors may access company systems via their own mobile devices, with the same access restrictions and privelege levels as they have on company owned machines. All devices used to access our core services via a Google Workspace are registered and monitored in Google’s Mobile Device Management service. This allows us to monitor devices and operating systems for any vulnerabilities.

More information: https://commonplace.atlassian.net/l/cp/jLc1uDWh

Expand
titleCan your organisation remotely wipe company data on employee / contractor personal mobile phones and tablets?

Can your organisation remotely wipe company data on employee / contractor personal mobile phones and tablets?

Yes. We are able to delete all connectivity to our company Google Workspace. Our mobile & teleworking policy prohibits employees from storing data on their personal devices.

More information: https://commonplace.atlassian.net/l/cp/PAUimccf

Yes. The Commonplace platform is hosted in AWS. The database is MongoDB Atlas, also hosted in AWS. In both cases, this is within the AWS London, UK region. AWS facilities comply with ISO 9001, ISO27001, ISO 27017 and ISO 28018 among others.

Within our MongoDB Atlas database, all data is encrypted at rest using MongoDB’s inbuilt services through encrypted storage volumes.

Within the Commonplace infrastructure, the following measures are in place:
firewalls, private network (VPC), private sub-networks, passwords use key derivation function PBKDF2, all data encrypted in transit and at rest.
Expand
Does your organisation encrypt customer data on its IT systems?
title Does your organisation encrypt customer data on its IT systems?

More information: https://commonplace.atlassian.net/l/cp/Kg3bXMZm

Expand
Does your organisation ensure that all IT systems are regularly patched with security patches in line with vendor recommendations, including end point devices, servers, network devices, and applications?
titleDoes your organisation ensure that all IT systems are regularly patched with security patches in line with vendor recommendations, including end point devices, servers, network devices, and applications?

Yes. We use a number of automated security testing and patching tools to ensure we stay up to date with latest security updates to mitigate vulnerabilities and to validate any new code against a set of security standards. Additionally, our use of AWS ensures that the infrastructure underpinning the platform benefits from the world leading expertise and innovation delivered by AWS and significantly simplifies the process of maintaining a secure environment.

Our CPTO, Head of Technology and Information Security Officer monitor new technologies and our Information Security Working Group meet monthly to discuss any emerging threats and technologies to understand where there may be risk or benefit to us and our customers.

More information: https://commonplace.atlassian.net/l/cp/gSdyGXKg

Expand
titleDoes your organisation run any applications or systems that are no longer supported and no longer receive security updates?

Does your organisation run any applications or systems that are no longer supported and no longer receive security updates?

No.

More information: https://commonplace.atlassian.net/l/cp/T0a1NJT5

Expand
titleDoes your organisation ensure that all used digital media (that may have stored data) is disposed of securely and are certificates of destruction obtained?

Does your organisation ensure that all used digital media (that may have stored data) is disposed of securely and are certificates of destruction obtained?

Media storage devices used to store customer data are classified by AWS as critical and treated accordingly, as high impact, throughout their life-cycles. AWS has exacting standards on how to install, service, and eventually destroy the devices when they are no longer useful. When a storage device has reached the end of its useful life, AWS decommissions media using techniques detailed in NIST 800-88. Media that stored customer data is not removed from AWS control until it has been securely decommissioned.

More information: https://commonplace.atlassian.net/l/cp/GfC6f8mE

Does your organisation take regular backups of its digital production data in line with current best practise guidelines?

Commonplace performs regular backups of all our data, and therefore if the worst happened and all of our data were lost, the worst case scenario would be that we would restore the backup.
These backups are tested on a monthly basis XXXXX. All data in the backups is encrypted.
Backup schedule:

Every 4 hours, retained for a week
Expand
titleDoes your organisation take regular backups of its digital production data in line with current best practise guidelines?

  • Every day, retained for a week

  • Every week, retained for a month,

  • Every month, retained for a year

    • More information: https://commonplace.atlassian.net/wiki/spaces/IDP/pages/1998815339/Back-ups+of+Digital+Production+Data?atlOrigin=eyJpIjoiMDFkNTA1NmM2OThhNDFkMDk1ZThmYTczMGUzMzVhOGMiLCJwIjoiYyJ9

    Expand
    title Has your organisation configured its email services to use enforced TLS?

    Has your organisation configured its email services to use enforced TLS?

    We utilise Google Workspace for email which will always attempt to use a secure TLS connection when sending email. However, a secure TLS connection requires that both the sender and recipient use TLS. If the receiving server doesn't use TLS, Gmail still delivers messages, but the connection isn't secure.

    More information: https://commonplace.atlassian.net/l/cp/vBk5czvP

    Expand
    titleHas your organisation implemented SPF, DMARC, and DKIM for all of its email services?

    Has your organisation implemented SPF, DMARC, and DKIM for all of its email services?

    XXXXXhttps://commonplace.atlassian.net/l/cp/JLAPG55J

    Expand
    titleDoes your organisation prevent unauthorised transfer of data via email, web browsers, or other data transfer mechanisms?

    Does your organisation prevent unauthorised transfer of data via email, web browsers, or other data transfer mechanisms?

    We have rules internally about how information should be transferred. As a small team, we have not implemented technical controls

    More information: https://commonplace.atlassian.net/l/cp/WMZhveSN

    Yes.
    Expand
    Are any components of the system (hardware, applications, software) outsourced or subcontracted to a third party?
    titleAre any components of the system (hardware, applications, software) outsourced or subcontracted to a third party?

    Sites are cloud hosted by Commonplace. 

    • Our service is hosted with 

      • Amazon Web Services (AWS) located in London, UK. 

      •  Cloudinary for  images. 

      • Sendgrid for Email relay

    • Security Information

      • AWS facilities comply with ISO 9001, ISO27001, ISO 27017 and ISO 27018 among others.

        • See here for more information

      • Cloudinary is ISO 27001, ISO 27017, ISO 27018 and ISO 27701 certified.

        • See here for more information

      • Sendgrid use various hosting facilities all with SOC type 2 reports. 

        • See here for more information

    More information: https://commonplace.atlassian.net/l/cp/zNF6JF9X

    Are any supporting services (for e.g. system support, service desk, remote administration etc.) outsourced or subcontracted to a third party?

    Yes, we use a suite of SaaS solutions, which all must comply with our supplier security policy.

    Our list of sub-processors used within our platform is on our website. The way we deal with sub-processors is covered in our standard license agreement.
    Expand
    titleAre any supporting services (for e.g. system support, service desk, remote administration etc.) outsourced or subcontracted to a third party?

    More information: https://commonplace.atlassian.net/l/cp/NBMjBmiC

    What are your ‘patch deployment cycles’ and maintenance windows?

    We deploy code multiple times per day using Continuous Integration and Continuous Deployment. We have never required any planned downtime and do not expect to do so. Should this change, we will inform our customers with a 14 day advanced notification of the change and keep any interruptions to off peak hours.
    Expand
    titleWhat are your ‘patch deployment cycles’ and maintenance windows?

    More information: https://commonplace.atlassian.net/l/cp/Q1omZezA

    Expand
    titleDoes your organisation have an enforceable password policy?

    Does your organisation have an enforceable password policy?

    Yes.

    In accordance with Cyber Essentials we have a password policy for our internal team users when using our various cloud services. This includes definitions around the generation and storing of passwords, which we enforce via the 1Password application and the use of MFA wherever it is available.

    Commonplace application users are subject to minimum password length and a strength indicator when creating or changing a password.https://commonplace.atlassian.net/l/cp/CaCP1ZEU