This Data Management and Security exhibit describes the controls Oversight has implemented and maintains to protect Client Data that Oversight has access to in connection with the provision of the Services. This exhibit may be updated by Oversight from time to time but only in a manner that retains or increases the stringency of Oversight’s security obligations; such updates will be posted at http://www.oversightsystems.com/exhibit-2.
Oversight complies with:
Oversight complies with applicable portions of the following standards:
Oversight’s primary and DR colocation data facilities are:
2. DISASTER RECOVERY.
Oversight has implemented and maintains a comprehensive Disaster Recovery Plan (“DRP”). The DRP addresses the policies and procedures in the event of a disaster event which affects the ability of Oversight to provide the Service in accordance with this Agreement. A “Disaster” is defined as the loss of the primary production facility for an extended period of time. Non-Disaster events that impact the Service are handled by industry standard practices including backups, snapshots, virtualization, and other appropriate technologies. In the event of a Disaster or other event affecting Client’s access to the Service, Oversight will provide Client with an email notice verifying activation of the Oversight DRP procedures as necessary for addressing the impact of a non-Disaster on the Service and the plan for reestablishing Service. Following a Disaster, Oversight will use all reasonable efforts to reinstate access to the Service within five (5) business days.
3. SECURITY MEASURES.
Oversight has implemented physical, technical, and organizational measures and safeguards with respect to Data and the Processing of the same against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosures or access, and against all other unlawful forms of Processing, consistent with this exhibit and with the Data Protection Laws. Oversight will provide Client with information regarding Oversight’s security measures upon request. Oversight limits access to Data to those personnel who have a business need to access the Data in the provision of services under the applicable services agreement.
Oversight follows industry standards and this exhibit which include the following minimum controls:
Personnel. Background checks that cover criminal, financial and work history are completed before a person is allowed to start work. Each employee and contractor is required to sign a Non-Disclosure Agreement and an Acceptable Use policy before starting work.
Encryption. Transmissions of Data shall use a minimum of industry standard 128-bit encryption.
Portable Media. Transfers or transmissions of Data on recordable or portable media is prohibited. Portable media includes thumb drives, portable disc drives, CDs or DVDs, or any other portable device used to store and transfer electronic information.
E-mail Transmission of Data Prohibited. Data transferred by or on behalf of any Client or by or on behalf of Oversight will not be sent by e-mail. All such Data must be transferred using a secured file transfer mechanism.
Encrypted Storage. All Data at rest shall be encrypted using a minimum of industry standard 256-bit.
Passwords. Privileged user passwords will meet the following complexity and age requirements:
Minimum 15 characters including 2 upper, 2 lower, 2 numbers, 2 special characters
Expire every 30 days.
Access Control. Oversight implements role-based access control such that the permissions each individual is granted are based on what is required for them to perform the role(s) they are assigned by management. Exceptions require management approval.
Workstations. Workstations used by Oversight to access Data use the following or similar minimum security controls:
Encrypted hard drives; and
Regularly updated antivirus and other anti-malicious software and programs and firewalls; and
Weekly Operating System patching; and
Password and screensaver controls with automatic lock of workstation upon idleness.
Hosting. Oversight operates a cloud-based Software as a Service platform:
The primary production is located at an Atlanta GA data center.
The disaster recovery location is located at a US-based data center located in a different geographic area.
Only SSAE-18-certified colocation data centers are used for primary and disaster recovery sites.
Servers. Servers used by Oversight to process Data use the following or similar minimum security controls.
Regularly updated antivirus and other anti-malicious software and programs and firewalls; and
Monthly patching of Operating System, Database, and Application; and
Encrypted management access.
Backups. Backups are taken regularly to facilitate business continuity and disaster recovery.
Daily snapshots are stored locally
Weekly backups are securely copied via network to the disaster recovery site
Network Security. Oversight’s network security has the following or equivalent minimum capabilities:
Access control lists;
All Network traffic passes through firewalls. Oversight has implemented intrusion prevention systems that allow traffic flowing through firewalls to be protected 24x7;
Access to network devices for administration require a minimum of 256-bit, industry standard encryption;
Network, application, and server authentication passwords meet minimum complexity guidelines;
Firewalls are deployed to protect the perimeter Oversight network;
Web Application Firewalls (“WAF”) are deployed to protect the Oversight Service;
Virtual Private Networks (“VPN”) are required for the remote access to the Oversight client data environment, which include (i) connections with a minimum of 256-bit encryption; and (ii) split tunneling is disabled; and
Regular patches and updates.
Physical Security. For all Oversight locations where Data is processed, Oversight has the following minimum physical security requirements in place:
A clean desk policy requiring that personnel do not leave Data exposed at the end of their workday;
Access to the facility or areas where Data is stored or accessible are controlled through key card and/or appropriate sign-in procedures;
All Personnel with access to the facility or areas where Data is stored or accessed will be required to have appropriate identification;
All Personnel are required to lock PCs with access to Data when not in use;
All monitors for such PCs are equipped with a privacy screen as necessary;
Oversight employees or contractors appropriately secure all third-party assets in their possession. This includes use of laptop locks (whether in the office, at home, or traveling) and storing secure access tokens in locked location; and
Roles and Responsibilities. Oversight maintains separation of duties in security, compliance, and audit operations:
Operational Security – operational security is the responsibility of the IT team.
Information Security, Risk and Compliance – information security policy, audit, and compliance are the responsibility of the Information Security team.
Privacy – personal data privacy is the responsibility of the privacy team.
Governance – Oversight maintains a Risk and Information Security Steering Committee to govern its Risk Management and Information Security initiatives. The Oversight Board of Directors is regularly briefed on security and risk issues.
Operations – operation of production systems is the responsibility of the IT and operations teams.
Development – development and quality assurance of the Oversight solution is performed by development team members.
Client Segmentation. Oversight processes information from multiple Clients in its Software as a Service platform. Each Client’s data is logically separated from other Client’s data but is processed on shared infrastructure. Client users only have access to their company’s information.
4. AUDIT AND VERIFICATION.
At least once each calendar year, Oversight will retain a third-party auditor of national reputation (a) to perform audits of the Oversight’s Information Security Management System that include Oversight’s Data management systems and (b) to produce audit reports. Oversight will provide a summary copy of such reports to its Clients upon request.
Oversight performs internal scans, audits, and compliance checks and will provide an Executive Summary upon request.
Oversight will make available a simulated, sample Client scan target upon request.
Clients who require audits of Oversight’s colocation facilities must pay any costs or fees those vendors charge for participating in Client-requested security evaluations, scans, or security evaluations.
5. VULNERABILITY MANAGEMENT.
Oversight maintains a Vulnerability Management Program, as part of the greater Risk Management program. Vulnerability Management includes systems hardening, patching, internal scanning, external scanning, and penetration testing.
6. SUPPLIER AND SUBCONTRACTOR SECURITY.
Oversight maintains a comprehensive Vendor Management Program that includes evaluating the security posture of suppliers and subcontractors before work is performed and then annually based on risk assessment by Oversight.
7. SYSTEMS DEVELOPMENT LIFECYCLE.
Oversight’s Systems Development Lifecycle process utilizes control standards related to various aspects of the development process such as securing the development environment, source code control, as well as standards around requirements definition, release and deployment, testing and training according to SSAE-18 requirements. Oversight uses test systems that exactly duplicate production for the most efficient problem resolution and highest quality testing.