Questions

Answer

Implementation & Support

Who will perform implementation services with your applications?

We as Cprime release new artifacts to the Atlassian Marketplace, then you can download new atifacts from the marketplace

How is the rollout approached so as to drive adoption, and retire old assets?

Old assets are stored on MP

Proactive monitoring and alerting  of system uptime and performance

Yes

What hours does your company provide service and support? 

Mon - Fri 7:00AM - 6:00PM PDT

How many support centers do you have and where are they located?

One, North America

Does your hosting solution include a guaranteed level of system performance, such as sub-second response time?

No

Do you support previous versions of the software? 

Yes

Do you provide operational transparency? 

On demand

Compliance 

Describe the change management process and procedure (i.e. how are changes tested, peer reviews of code prior to deploying change in production)

Work of every change is performed on a dedicated branch. After a developers smoke-testing Push Request is revised, it is merged to master. QA performs end-to-end tests of RC from master branch, than build is published to Marketplace.

Is your test environment separate from your production environment? 

Yes

 Do developers have access to deploy into production? If so, what controls do you have in place to prevent developers pushing their change into production without any review? 

No

How do you track any change that is pushed into production? 

Through VCS branches (Bitbucket)

What is your source code repository and how is access managed? 

Bitbucket

Describe your patch management process. 

Any patch is just another release accordingly to Atlassian Marketplace rules.

How often do you push updates and how is Box notified of the updates? 

1-2 times per 3 months, New version appears in UPM section

Is any portion of the development process outsourced to third party developers? If so, where and how is their access managed? 

No

Questions

Responses

Risk Management

Will your application, service or any personnel be accessing, storing, processing, or transmitting client's company Non-Public Information (NPI) such as PII, PHI, regulated data, intellectual property?  If so, what kinds (i.e. PII, PHI...)?

No

Will your application, service, or any personnel process or store data outside the United States? If yes, please describe what processes are completed by location (Outside the US).

No

Will your application, service, or any personnel be accessing client's company systems, infrastructure or facilities?

No

Is your risk assessment process governed by a formal framework/policy? Please provide details.

Yes, we leverage NIST, and CoBIT to build out our framework

What risk management policies and practices do you have in place to ensure adherence to applicable laws, regulations, supervisory guidance, monitoring, testing and employee training?

Client dependent. We do maintain datamanagement, confidentiality, ethics/conduct, and technical standards to assure clients are protected

Does your company perform internal and external vulnerability assessments on recurring basis?  Please describe.  

No, these are done at client requests. Internal audits are performed internally. External can be performed at request, but may have additional costs

Are external penetration tests performed? Who performs these tests?  Is this test performed annually? Please provide a copy of the most recent results summary. 

This is a new task for us, internal are performed by our teams. This is the first year we are performing these. 

Vendor Management

Are there additional vendor parties that have access to client's company Non-Public Information (NPI) through your access? 

No

Will your company host client's company data?  If so, where will the data be stored?

No

Has your company experienced a data breach within the past 12 months?

No

HR & Legal compliance

Is your company required to perform background checks for new hires?

Yes 

Does your company have any attestation of compliance (ie. PCI, HIPAA), regulatory certification or SOC 2 assessment results (SOC2TypeII, ISO27001 SoA)?  If so, please provide supporting documents.

Not certified

Are employees aware of their responsibilities with respect to the non-disclosure agreement (NDA)?

Yes

Do you employee, or do business with any persons, entities, or countries named in any part under the US OVAC sanctions program, UN sanctions program, or sanctions programs of any other country?

No

Do we have legal physical access rights to the offsite storage/backup facility, and our data, in the event the ASP becomes suddenly inoperative, or if a legal dispute arises?

Yes

How does client's company technical support staff (e.g., security, network, data management etc.) communicate with ASP?

Dependent on services - email, Service Desk Portal

Has the company been subject to any Lawsuits?   

No

Do you have a process in place to report code of ethics concerns or conflicts of interest?

Yes, informal to an extent 

Does your company, or any partner, shareholder, member, employee or any person or entity affiliated with your company, have an ownership interest (direct or indirect) with a  subcontractor you utilize for this service you are providing client's company?

No

Please describe your procedures for adhering with recordkeeping requirements (both regulatory and internal policy)

These are assisted by a 3rd party service (e.g. salesforce) 

Are you creating any data records for client's company?

No

Business Continuity

Does your firm have a documented Business Continuity Plan (BCP) or Program?  

Yes.

When was the last time your firm's BCP(s) was tested? 

It's reviewed at least bi-annually, but actively tested.

Who is responsible for managing the Business Continuity Plan/Program in your firm? 

Security Committee

What are your firm's Recovery Time Objectives (RTO) for each for the function/service provided, or potentially provided to client's company?

24hrs for RPO and RTO by default

Does your firm have a documented Crisis Management or Emergency Response Plan(s) or Program? How often What are is the timing when reviewsisions performedare updated to the document? 

Yes, reviewed at least annually

How far (in miles) is your staff relocation site from your primary facility?

We are a distributed operation

How long will it take to be fully functional after an adverse event?

24hrs is planned time

Are any critical business processes/functions you provide to our company outsourced?

No

How will client's company be informed of any service or application outage?

Defined by customer, by default email to PoC

Questions

Responses

Technical Extensibility

What technology is used in extending the functionality of your application?   How easy is it to customize?   Do you have customer examples of how they extended the application to meet their needs?  

Jira plugin is an Atlassian Jira extension itself

Will you be providing a mobile application ? 

No

Does the solution provide or receive bulk transactions or data feeds?

No

Does the solution wrap the database with a service or does the solution access the database directly?

No

Auth mechanism - Basic, OAuth, etc.

Atlassian Jira authentication

Protocols supported for read/write - HTTP (REST/SOAP), FTP, JDBC/ODBC, etc.

HTTP/HTTPS

API documentation

No

Architecture & Security

Describe the logical and physical segregation of client's company data.

Each handler for calls is a separate docker container dedicated

How will client's company be informed of any Cybersecurity event or incident? 

This is defined by client's company. We have a notification that will typically be sent via email at minimal. 

Do you have procedures for maintaining asset inventories?

This is handled by a single person for internal assets. The rest is maintained via AWS tools

Describe the application function provided to end-users.

This is defined by client's company. We have a notification that will typically be sent via email at minimal. 

How is application data transmitted from client's company to the ASP?

Via TLS encrypted calls 

How often are application audit logs reviewed?

Alerts are configured for anomalies 

Does your security staff have any industry certifications?  Please describe

CEH, CHFI, ITILv3

Is your external network design managed by internal staff?  Please describe

Yes, we provide hosting and architectural designs internally

Is your external network design managed by an ISP located outside of the USA?  If so, where are the Network Management resources located?

No

Do you have a Firewall?  Please describe the setup.

Yes, depends on solution. AWS FW at minimal 

Is your external architecture multi-tiered DMZ?  Please describe.

No, Depends on solution

Describe the redundancy that is in place for the firewalls.

AWS provided

Describe the redundancy that is in place for the critical network equipment.

AWS provided

Describe the redundancy that is in place for the Hardware and infrastructure for application web servers.

AWS provided

Describe the redundancy that is in place for the Hardware and infrastructure for application database servers and business logic servers.

AWS provided

Describe the load balancing services that are in place for the firewalls.

AWS provided

Describe the load balancing services that are in place for the critical network equipment.

AWS provided

Describe the load balancing services that are in place for the Hardware and infrastructure for application web servers

AWS provided

Is intrusion detection software used?  What is the product?

At client request, may have additional costs

Describe the protocols that are allowed to traverse the firewall from the Internet – describe what ports are open

TCP only. Ports are dependent on solution

Describe the firewall rules and router filters required for client's company to enable your application

Depends on solution

Is malware control in place on the network perimeter? 

At client request, may have additional costs

Is malware control in place on the servers? 

At client request, may have additional costs

Is malware control in place on the desktops? 

Yes, not centrally managed

How is a current virus control configuration ensured? 

Key workstations have agents validating configuration

Is anti-spyware in place? 

At client request, may have additional costs

Describe what web servers are used and their respective versions?  (i.e. Apache, IIS)

httpd is our default what we use, may vary based on customer requirements

Describe who can perform database access

Hosting staff, client requested users

Describe the process for requesting access to the database

Submit a ticket to our service desk

How is the number of server/database administrators controlled?

Only hosting is provided any access

What documentation is produced as an audit trail for changes made to the database and to individual records?

CloudTrail/Cloudwatch is leveraged

Describe how user IDs and passwords are granted to your company's staff.

We use a managed directory service for OS level access

Are password resets required on initial use? 

Yes

Are password resets required after administrative resets? 

Yes

Are password resets required periodically? 

Yes, 90d

Can your staff reset their password at will?

No

Is production data used for testing and development purposes?

No

Describe the syntax rules for your staff's passwords.  Are maximum lengths and alphanumeric characters required?

We recommend a minimum of 14 characters in your password.  In addition, we highly encourage the use of passphrases, passwords made up of multiple words first characters. 

Are vendor default security settings changed on production systems before taking the system into production?

Yes

Are vendor default accounts and passwords disabled or changed on production systems before putting a system into production?

Yes, solution dependent

Is the border firewall configured to translate (hide) internal IP addresses, using network address translation (NAT)?

Yes

Are there application audit logs?  How frequently are application audit logs analyzed?

Most cases, Solution dependent though

Is there granularity when granting permissions for data access? 

Yes, we typically use RBAC, but at minimal practice least privileges

Does each mobile computer with direct connectivity to the Internet have a personal firewall and anti-virus software installed?

Yes

Data Center & Ops

Describe the physical security of the data center(s).

AWS provided

Describe the fire protection system and environmental controls in use.

AWS provided

Do you have external direct connections into your network?   If so, please describe the requirements and audit procedures used to ensure that other ASP customers will not compromise the ASP backbone.

Client dependent, these are into the client's dedicated AWS account and VPC

Are disaster recovery plans in place?

Yes

Are the DR plans tested periodically?  Please describe and confirm the timing when testing occurs. 

By client request

What is the frequency of back-up/recovery?  Please describe

Daily snapshot, weekly full, maintained for a month

Are disaster recovery sites located outside the USA?  If yes, where?

Only by request

Describe change control processes that are used for application software

Solution dependent

Describe processes in place to continually evaluate OS and application vendor security alerts

Solution dependent

Describe the cadence and process used to remediate vulnerabilities (patching)

Monthly at minimum 

Do you require the use of two-factor authentication for all administrative duties

Yes, where solutions allow

Do you support 256-bit encryption and two-factor authentication for the connection from the Internet to the production backbone? 

Yes, TLS 1.1 or better

Data Handling

Do you require the encryption of sensitive information being transmitted?

Yes

Do you require the encryption of sensitive information being stored?

Yes

Are backup tapes (or other copies of data files) encrypted prior to transporting the media off-site (e.g., for DR purposes)?

Yes