- Created by Benjy Meyer , last modified by Roxy Sanchez on Dec 09, 2022
You are viewing an old version of this page. View the current version.
Compare with Current View Page History
« Previous Version 27 Next »
Does your organisation conduct an annual independent information security review and act upon the findings?
Yes, our ISMS is audited annually both internally and externally. Along with other review mechanisms as part of our ISO 27001 requirements.
More information: https://commonplace.atlassian.net/l/cp/f9aW1Qpj
Do you have a formally documented information security management system (ISMS)?
Yes, we operate a ISO 27001 certified information security management system.
More information: https://commonplace.atlassian.net/l/cp/ArZfB1RN
Does your organisation have an appointed person responsible for information security, such as a CISO?
An Information Security Working Group meets monthly to review information security requirements and issues:
Mike Saunders (CEO) | Leigh Gordine (Information & Security Officer), Benjy Meyer (Chief Product & Technology Officer), Denica Hristova (People Lead)
More information: https://commonplace.atlassian.net/l/cp/u8vA3JXN
Does your organisation have a documented Cybersecurity Policy or Information Security Policy?
Yes, here is the board approved Information Security Policy.
Does your organisation have a formal policy on the use of mobile devices?
Yes, you may request a copy of our Mobile & Teleworking Policy from customers@commonplace.is
More information: https://commonplace.atlassian.net/l/cp/dWy3mBzn
Does your organisation have a formal policy for remote working that includes security?
Yes, you may request a copy of our Mobile & Teleworking Policy from customers@commonplace.is
More information: https://commonplace.atlassian.net/l/cp/oVj6u2MH
Does your organisation have a documented Acceptable Use Policy that outlines the rules for the acceptable use of company IT assets and information?
Yes, our Asset Management Policy contains this information and is available on request from customers@commonplace.is
In addition an Acceptable Use Policy for platform users is available https://www.commonplace.is/acceptable-use
More information: https://commonplace.atlassian.net/l/cp/QB3eUX7P
Does your organisation have a documented Information Classification Policy?
Yes, as part of our ISMS we have a fully documented information classification policy.
This consists of 4 categories: Public, Internal, Confidential and Personally Identifiable Information. All systems and information are assigned to 1 of these 4 categories
More information: https://commonplace.atlassian.net/l/cp/bY0m2XtM
Does your organisation have a documented Access Control Policy? How are administrator accounts authorised and managed?
Yes, you may request a copy of our Access Control Policy from customers@commonplace.is
We conduct access reviews quarterly, biannually or annually depending on the system.
More information: https://commonplace.atlassian.net/l/cp/FCfVRgLG
Does your organisation have a Password Policy that is technically enforced throughout its IT estate?
Yes, for both employees and users, in accordance with Cyber Essentials
More information: https://commonplace.atlassian.net/l/cp/4ALmsaj0
Does your organisation have a documented Backup Policy?
Yes, this is documented in our Operating Procedures for Information and Communication Technology, which is available on request from customers@commonplace.is
More information: https://commonplace.atlassian.net/l/cp/1BfZH75h
Does your organisation enforce a Clear Desk and Screen Policy?
Yes, you may request a copy of our Clear Screen & Desk Policy from customers@commonplace.is
More information: https://commonplace.atlassian.net/l/cp/wy0EzmZN
Does your organisation prevent the use of removable media, and is this enforced technically?
Yes, enforced via mobile device management software.
More information: https://commonplace.atlassian.net/l/cp/R2dg1YSW
Are your organisation's information security policies accessible to all employees?
Yes, available via our intranet.
More information: https://commonplace.atlassian.net/l/cp/ucnpB1zM
Are your organisation's information security policies reviewed and approved by senior management at least annually?
Yes.
More information: https://commonplace.atlassian.net/l/cp/4XK3av1E
Has your organisation documented senior management roles and responsibilities for security within your organisation?
Yes. An Information Security Working Group meets monthly to review information security requirements and issues:
Mike Saunders (CEO) | Leigh Gordine (Information & Security Officer), Benjy Meyer (Chief Product & Technology Officer), Denica Hristova (People Lead)
Here is the board approved Information Security Policy.
More information: https://commonplace.atlassian.net/l/cp/Y71ES0yG
Does your organisation include information security during the planning and delivery of projects?
Yes, Jira tickets require a security risk level
More information: https://commonplace.atlassian.net/l/cp/GrfPb1z6
Does your organisation restrict employee access to business information based upon the principle of least privilege?
Yes.
Employees are granted access only to systems and resources required to complete their job functions. Administrative or other elevated permissions are strictly controlled and only granted when absolutely required. Generally, this is privileged access is only granted to those in more senior roles. eg. admin access to Commonplace platform infrastructure is only granted to the CPTO, Head of Technology and Tech Leads.
All access is recorded and reviewed on a regular basis (frequency is dependent on the criticality and sensitivity of the system and data) to ensure access remains in line with the restricted approach.
More information: https://commonplace.atlassian.net/l/cp/StpXL2W4
Does your organisation have an internal audit function that ensures information security requirements are being met by the business?
Yes. Our ISMS is audited annually both internally and externally. along with other review mechanisms as part of our ISO27001 requirements.
More information: https://commonplace.atlassian.net/l/cp/3HgecJNc
Does your organisation conduct security risk assessments for your full IT estate at least annually? Do you have a formally documented and board level approved risk management framework? Do you conduct regular risk and control assessments taking into account the latest vulnerabilities and changes to the threat landscape?
Yes, as part of ISMS we have a fully documented risk assessment and treatment process, which is reviewed regularly and at least annually. We maintain an organisation-wide risk register for IT and data security issues.
Does your organisation have a formal confidentiality or non disclosure agreement in place for all staff, contractors and third parties?
Yes.
Does your organisation segregate duties to prevent unauthorised disclosure or access to information?
Employees are granted access only to systems and resources required to complete their job functions. Administrative or other elevated permissions are strictly controlled and only granted when absolutely required. Generally, this is privileged access is only granted to those in more senior roles. eg. admin access to Commonplace platform infrastructure is only granted to the CPTO, Head of Technology and Tech Leads.
All access is recorded and reviewed on a regular basis (frequency is dependent on the criticality and sensitivity of the system and data) to ensure access remains in line with the restricted approach.
Only customer users with an admin login to Commonplace have access to any personal information about respondents:
Email addresses are not available in the current dashboard.
Personally identifiable information is not included in downloads.
Does your organisation have a defined process that is followed when a client contract is terminated that includes the secure destruction of client data?
Yes. Two years after the license ends at the latest, each project is archived and the responses are pseudonomised.
Does your organisation use threat intelligence to inform decisions about information security?
Yes. We are subscribed to a number of newsletters from our vendors and other sources (inc UK NCSC) to maintain an overview of the security landscape across our application and network. All risks are logged in our risk register
- No labels