Cyber Security FAQ

Here are the most frequently asked questions regarding our Cyber Security Policies

| Question | Answer |
| --- | --- |
| Do you have 3rd Party attestation certificates like ISO 27001 and SOC2 certifications of cloud service provider (Single selection allowed)? | Yes - We have third-party security certificates |
| Is Client data used in development and testing environments? | No |
| Are development, test and production environments separated from operational IT environments to protect applications from inadvertent changes or disruption? (Single selection allowed) | Yes |
| Is Client data stored in a physically or logically separate format from other clients' data to ensure that data can be identified at all times and will not be implicated when other clients' data is accessed? | Yes |
| Is data at rest encrypted? | Yes |
| What encryption technology is used to encrypt Client data at rest on the server, back-up media, laptops, flash drives and mobile devices? | We use Microsoft Azure, and their encryption method is TDE. |
| Is data in transit encrypted? | Yes |
| For data in transit, what is the encryption used, example: HTTPS, SFTP, TLS 1.2, etc. | The encryption used is HTTPS, TLS 1.3 |
| Do we carry out security threat modelling, secure coding practice, security architecture review and penetration testing of products/services provided? | Yes, we have static code analysis and also yearly pentesting |
| Do Subcontractors (e.g., backup vendors, service providers, equipment support maintenance, software maintenance vendors, data recovery vendors, hosting providers, etc.) have access to scoped systems and data or processing facilities? | We do not have servers or services on-prem; backups and facilities are managed by Microsoft. |
| Is there an asset management program approved by management, communicated to constituents and an owner to maintain and review? | Yes, we have an asset management policy and procedure regarding machines used by employees. |
| Is Information classified according to legal or regulatory requirements, business value, and sensitivity to unauthorized disclosure or modification? | From the Client perspective, all the data inserted in the applications is the responsibility of the client. Internal documents are classified and stored with security measures based on tier classification. |
| Are Human Resource policies approved by management, communicated to Constituents and an owner to maintain and review? | All resources at Skills Workflow are approved by several responsible people, from HR and the department to the board. |
| Do Human Resource policies include Constituent background screening criteria? | The HR department has a screening phase in its hiring process. |
| Are Constituents required to attend security awareness training? (Single selection allowed) (Justification allowed) | Yes. Upon entry, all employees must take a cybersecurity course, and throughout the year they have workshops in order to update their knowledge. |
| Are there physical security controls for all secured facilities e.g., data centers, office buildings? (Single selection allowed) (Justification allowed) | Skills Workflow only has an office for collaboration; all critical assets are stored and managed in the cloud. |
| Are there physical access controls that include restricted access and logs kept of all access? (Single selection allowed) (Justification allowed) | To enter the building, every person must pass a physical security guard, and to enter the office they must have their biometrics in the login system. |
| Are changes to the production environment, including network, systems, application updates, and code changes, subject to the change control process? (Single selection allowed) (Justification allowed) | Yes, however, the changes to production only include Skills Workflow's code base and all configurations are made by the client. Every new feature must be turned on by the client; by default every new feature is turned off. Any other changes (e.g., O.S., upgrades) are managed by Microsoft Azure. |
| Is there a password policy for systems that transmit, process or store data that has been approved by management, communicated to constituents, and enforced on all platforms and network devices? If no, please explain in the Additional Information field. (Single selection allowed) (Justification allowed) | Yes, Skills Workflow has a Password Policy that is enforced in every system used internally |
| Does the password policy define specific length and complexity requirements for passwords? (Single selection allowed) (Justification allowed) | Yes, this is defined in the Password Policy |
| Does the password policy define requirements for provisioning and resetting passwords? (Single selection allowed) (Justification allowed) | Yes, this is defined in the Password Policy |
| Are user access rights reviewed periodically? (Single selection allowed) | Yes, this is defined in the Password Policy |
| Is there a formal Software Development Life Cycle (SDLC) process? (Single selection allowed) | Yes, Skills Workflow has an SDLC process implemented |
| Are applications evaluated from a security perspective prior to promotion to production? (Single selection allowed) | Yes, this is a part of the SDLC Process |
| Is a Secure Code Review performed regularly? (Single selection allowed) | Yes, Skills Workflow does static code analysis and yearly pentesting |
| Are identified security vulnerabilities remediated prior to promotion to production? (Single selection allowed) | If any critical or high vulnerabilities are found, the promotion to production is aborted. |