Compliance_Security Assessment
On this page you can find answers to common questions about different aspects of work, interactions, processes and procedures related to our products. If you have further questions, feel free to contact the Products team at support@appfire.com.
Overview
Name: Appfire
Website: https://apps.appf.re/PSJ/support
Email: support@appfire.com
Support and Compliance
| Questions | Answer |
|---|---|
| Implementation & Support | |
| Who will perform implementation services with your applications? | We, as Appfire, release new artifacts to the Atlassian Marketplace; you then download the new artifacts from the Marketplace. |
| How is the rollout approached so as to drive adoption, and retire old assets? | Old assets are stored on the Marketplace (MP). |
| Proactive monitoring and alerting of system uptime and performance | Yes |
| What hours does your company provide service and support? | Mon - Fri 7:00AM - 6:00PM PDT |
| How many support centers do you have and where are they located? | One, North America |
| Does your hosting solution include a guaranteed level of system performance, such as sub-second response time? | No |
| Do you support previous versions of the software? | Yes |
| Do you provide operational transparency? | On demand |
| Compliance | |
| Describe the change management process and procedure (i.e. how are changes tested, peer reviews of code prior to deploying change in production) | Every change is developed on a dedicated branch. After the developer's smoke testing, the pull request is reviewed and merged to master. QA performs end-to-end tests of the release candidate (RC) built from the master branch, and then the build is published to the Marketplace. |
| Is your test environment separate from your production environment? | Yes |
| Do developers have access to deploy into production? If so, what controls do you have in place to prevent developers pushing their change into production without any review? | No |
| How do you track any change that is pushed into production? | Through VCS branches (Bitbucket) |
| What is your source code repository and how is access managed? | Bitbucket |
| Describe your patch management process. | Any patch is just another release, according to Atlassian Marketplace rules. |
| How often do you push updates and how is Box notified of the updates? | 1-2 times per 3 months; the new version appears in the UPM section. |
| Is any portion of the development process outsourced to third party developers? If so, where and how is their access managed? | No |
General Requirements
| Questions | Responses |
|---|---|
| Risk Management | |
| Will your application, service or any personnel be accessing, storing, processing, or transmitting client's company Non-Public Information (NPI) such as PII, PHI, regulated data, intellectual property? If so, what kinds (i.e. PII, PHI...)? | No |
| Will your application, service, or any personnel process or store data outside the United States? If yes, please describe what processes are completed by location (Outside the US). | No |
| Will your application, service, or any personnel be accessing client's company systems, infrastructure or facilities? | No |
| Is your risk assessment process governed by a formal framework/policy? Please provide details. | Yes, we leverage NIST and COBIT to build out our framework. |
| What risk management policies and practices do you have in place to ensure adherence to applicable laws, regulations, supervisory guidance, monitoring, testing and employee training? | Client dependent. We do maintain data management, confidentiality, ethics/conduct, and technical standards to assure clients are protected. |
| Does your company perform internal and external vulnerability assessments on a recurring basis? Please describe. | No; these are done at client request. Internal audits are performed internally. External assessments can be performed on request, but may incur additional costs. |
| Are external penetration tests performed? Who performs these tests? Is this test performed annually? Please provide a copy of the most recent results summary. | This is a new task for us; internal tests are performed by our teams. This is the first year we are performing these. |
| Vendor Management | |
| Are there additional vendor parties that have access to client's company Non-Public Information (NPI) through your access? | No |
| Will your company host client's company data? If so, where will the data be stored? | No |
| Has your company experienced a data breach within the past 12 months? | No |
| HR & Legal compliance | |
| Is your company required to perform background checks for new hires? | Yes |
| Does your company have any attestation of compliance (i.e. PCI, HIPAA), regulatory certification or SOC 2 assessment results (SOC 2 Type II, ISO 27001 SoA)? If so, please provide supporting documents. | Not certified |
| Are employees aware of their responsibilities with respect to the non-disclosure agreement (NDA)? | Yes |
| Do you employ, or do business with, any persons, entities, or countries named in any part under the US OFAC sanctions program, UN sanctions program, or sanctions programs of any other country? | No |
| Do we have legal physical access rights to the offsite storage/backup facility, and our data, in the event the ASP becomes suddenly inoperative, or if a legal dispute arises? | Yes |
| How does client's company technical support staff (e.g., security, network, data management etc.) communicate with ASP? | Dependent on services: email, Service Desk Portal |
| Has the company been subject to any lawsuits? | No |
| Do you have a process in place to report code of ethics concerns or conflicts of interest? | Yes, informal to an extent |
| Does your company, or any partner, shareholder, member, employee or any person or entity affiliated with your company, have an ownership interest (direct or indirect) with a subcontractor you utilize for this service you are providing client's company? | No |
| Please describe your procedures for adhering with recordkeeping requirements (both regulatory and internal policy) | These are assisted by a 3rd party service (e.g. Salesforce). |
| Are you creating any data records for client's company? | No |
| Business Continuity | |
| Does your firm have a documented Business Continuity Plan (BCP) or Program? | Yes. |
| When was the last time your firm's BCP(s) was tested? | It is reviewed at least bi-annually and is actively tested. |
| Who is responsible for managing the Business Continuity Plan/Program in your firm? | Security Committee |
| What are your firm's Recovery Time Objectives (RTO) for each function/service provided, or potentially provided, to client's company? | 24 hours for both RPO and RTO by default |
| Does your firm have a documented Crisis Management or Emergency Response Plan(s) or Program? How often are revisions made to the document? | Yes, reviewed at least annually |
| How far (in miles) is your staff relocation site from your primary facility? | We are a distributed operation. |
| How long will it take to be fully functional after an adverse event? | 24 hours is the planned time. |
| Are any critical business processes/functions you provide to our company outsourced? | No |
| How will client's company be informed of any service or application outage? | Defined by the customer; by default, email to the PoC |
Technical Requirements
| Questions | Responses |
|---|---|
| Technical Extensibility | |
| What technology is used in extending the functionality of your application? How easy is it to customize? Do you have customer examples of how they extended the application to meet their needs? | The Jira plugin is itself an Atlassian Jira extension. |
| Will you be providing a mobile application? | No |
| Does the solution provide or receive bulk transactions or data feeds? | No |
| Does the solution wrap the database with a service or does the solution access the database directly? | No |
| Auth mechanism - Basic, OAuth, etc. | Atlassian Jira authentication |
| Protocols supported for read/write - HTTP (REST/SOAP), FTP, JDBC/ODBC, etc. | HTTP/HTTPS |
| API documentation | No |
| Architecture & Security | |
| Describe the logical and physical segregation of client's company data. | Each call handler runs in its own dedicated Docker container. |
| How will client's company be informed of any Cybersecurity event or incident? | This is defined by client's company. We have a notification that will typically be sent via email at a minimum. |
| Do you have procedures for maintaining asset inventories? | This is handled by a single person for internal assets; the rest is maintained via AWS tools. |
| Describe the application function provided to end-users. | This is defined by client's company. We have a notification that will typically be sent via email at a minimum. |
| How is application data transmitted from client's company to the ASP? | Via TLS-encrypted calls |
| How often are application audit logs reviewed? | Alerts are configured for anomalies. |
| Does your security staff have any industry certifications? Please describe | CEH, CHFI, ITILv3 |
| Is your external network design managed by internal staff? Please describe | Yes, we provide hosting and architectural designs internally. |
| Is your external network design managed by an ISP located outside of the USA? If so, where are the Network Management resources located? | No |
| Do you have a Firewall? Please describe the setup. | Yes; depends on the solution. AWS firewall at a minimum. |
| Is your external architecture multi-tiered DMZ? Please describe. | No; depends on the solution. |
| Describe the redundancy that is in place for the firewalls. | AWS provided |
| Describe the redundancy that is in place for the critical network equipment. | AWS provided |
| Describe the redundancy that is in place for the Hardware and infrastructure for application web servers. | AWS provided |
| Describe the redundancy that is in place for the Hardware and infrastructure for application database servers and business logic servers. | AWS provided |
| Describe the load balancing services that are in place for the firewalls. | AWS provided |
| Describe the load balancing services that are in place for the critical network equipment. | AWS provided |
| Describe the load balancing services that are in place for the Hardware and infrastructure for application web servers | AWS provided |
| Is intrusion detection software used? What is the product? | At client request; may incur additional costs |
| Describe the protocols that are allowed to traverse the firewall from the Internet – describe what ports are open | TCP only. Ports are dependent on the solution. |
| Describe the firewall rules and router filters required for client's company to enable your application | Depends on the solution |
| Is malware control in place on the network perimeter? | At client request; may incur additional costs |
| Is malware control in place on the servers? | At client request; may incur additional costs |
| Is malware control in place on the desktops? | Yes, not centrally managed |
| How is a current virus control configuration ensured? | Key workstations have agents validating configuration. |
| Is anti-spyware in place? | At client request; may incur additional costs |
| Describe what web servers are used and their respective versions? (i.e. Apache, IIS) | httpd is our default; this may vary based on customer requirements. |
| Describe who can perform database access | Hosting staff, client-requested users |
| Describe the process for requesting access to the database | Submit a ticket to our service desk. |
| How is the number of server/database administrators controlled? | Only hosting staff are given access. |
| What documentation is produced as an audit trail for changes made to the database and to individual records? | CloudTrail/CloudWatch is leveraged. |
| Describe how user IDs and passwords are granted to your company's staff. | We use a managed directory service for OS-level access. |
| Are password resets required on initial use? | Yes |
| Are password resets required after administrative resets? | Yes |
| Are password resets required periodically? | Yes, every 90 days |
| Can your staff reset their password at will? | No |
| Is production data used for testing and development purposes? | No |
| Describe the syntax rules for your staff's passwords. Are maximum lengths and alphanumeric characters required? | We recommend a minimum of 14 characters in your password. In addition, we highly encourage the use of passphrases, i.e. passwords made up of the first characters of multiple words. |
| Are vendor default security settings changed on production systems before taking the system into production? | Yes |
| Are vendor default accounts and passwords disabled or changed on production systems before putting a system into production? | Yes, solution dependent |
| Is the border firewall configured to translate (hide) internal IP addresses, using network address translation (NAT)? | Yes |
| Are there application audit logs? How frequently are application audit logs analyzed? | In most cases, yes; solution dependent though. |
| Is there granularity when granting permissions for data access? | Yes; we typically use RBAC, and at a minimum practice least privilege. |
| Does each mobile computer with direct connectivity to the Internet have a personal firewall and anti-virus software installed? | Yes |
| Data Center & Ops | |
| Describe the physical security of the data center(s). | AWS provided |
| Describe the fire protection system and environmental controls in use. | AWS provided |
| Do you have external direct connections into your network? If so, please describe the requirements and audit procedures used to ensure that other ASP customers will not compromise the ASP backbone. | Client dependent; these connect into the client's dedicated AWS account and VPC. |
| Are disaster recovery plans in place? | Yes |
| Are the DR plans tested periodically? Please describe and confirm the timing when testing occurs. | By client request |
| What is the frequency of back-up/recovery? Please describe | Daily snapshot, weekly full, retained for a month |
| Are disaster recovery sites located outside the USA? If yes, where? | Only by request |
| Describe change control processes that are used for application software | Solution dependent |
| Describe processes in place to continually evaluate OS and application vendor security alerts | Solution dependent |
| Describe the cadence and process used to remediate vulnerabilities (patching) | Monthly at minimum |
| Do you require the use of two-factor authentication for all administrative duties | Yes, where solutions allow |
| Do you support 256-bit encryption and two-factor authentication for the connection from the Internet to the production backbone? | Yes, TLS 1.1 or better |
| Data Handling | |
| Do you require the encryption of sensitive information being transmitted? | Yes |
| Do you require the encryption of sensitive information being stored? | Yes |
| Are backup tapes (or other copies of data files) encrypted prior to transporting the media off-site (e.g., for DR purposes)? | Yes |