risk3sixty, LLC shall maintain reasonable security measures appropriate to the nature of Client and User Data, including, without limitation, electronic, physical, administrative, and organizational controls in accordance with the Companies information security policies.
Please read about our ISO 27001 (Security), ISO 27701 (Privacy), and ISO 22301 (Business Continuity) certifications here.
Leadership Commitment. The Company shall maintain an appropriate leadership, governance, and oversight functions to meet information security objectives as determined by management and outlined by the information security policy and information risk council charter.
Risk Assessment. The Company shall implement a risk management process to identify, categorize, classify, prioritize, treat, and document information security risk as outlined in the information security policy and information risk management policy.
Security Policy. This Information Security Policy shall document the policies and some procedures of the Company’s Information System Management System. This Information Security Policy is established to provide a holistic and comprehensive approach to the Company’s overall information security posture. The high-level objective of the Information Security Policy is to ensure the confidentiality, integrity and availability of information. The Information Security Policy and updates shall be communicated to all staff and employees of the organization, and relevant third parties annually.
Mobile Device and Teleworking. Users of company issued or personal mobile devices that access or store company information, or connect to the company network must adhere to the information security policy guidelines in conjunction with the Acceptable Use Policy.
Human Resources Security. The Company shall implement human resource controls such as pre-employment, onboarding, and offboarding tasks in accordance with the Company’s information security policy.
Asset Management. All critical Company assets shall be identified and maintained in an asset inventory listing. This includes company issued laptops, drives, mobile devices, virtual machines, physical servers, software assets, etc. The asset inventory listing shall include an owner for each asset.
Access Control. The Company shall establish and enforce access control procedures. The Company shall develop role definitions for all employees with access to critical systems and Restricted information. IT shall map role definitions to system access controls and authorizations. Authorizations shall be granted on a need-to-know basis and in accordance with the Information Classification specifications. The Company shall implement appropriate technical safeguards to prohibit all access to Company information, networks, and systems unless specifically authorized through a formal process that validates the business need and is appropriately approved.
Encryption shall be used to secure data while it is stored at rest or being transmitted. All restricted information must be encrypted in transit and at rest in accordance with the specifications outlined in the Company’s information security policy.
Physical and Environmental Security. Physical access control to the Company facilities shall be in place to detect, prevent, and minimized the effects of unauthorized or unintended access to these areas. Authorization is based on the principle of least privilege according to job responsibilities.
Operations Security. The Company shall implement appropriate Standard Operating Procedures (SOPs) to manage and operate all information processing facilities in a secure manner and in accordance with the Information Security Policy.
Communications Security. The company shall implement controls and procedures to manage and control networks and safeguard the confidentiality and integrity of data passing over the network and residing on systems connected to the network. Responsibility for management of networking equipment shall be established. Operational responsibility for networks should be segregated from end users of the Information Systems. Roles with responsibility for the management of networking equipment and the Information System shall be clearly defined by management. Systems connected to the network should be authenticated and the connection of systems to the network should be restricted and controlled. Logging and monitoring of networking equipment should be implemented to enable recording and detection of events relevant to information security.
System Acquisition, Development, and Maintenance. The Company shall implement and follow defined system development life cycle and change management policies and procedures in accordance with the Company’s policies.
Supplier Relationships. The Company shall implement supplier relationship practices to consider information security risks and practices of suppliers in accordance with the information security policy.
Information Security Incident Management. The Company shall implement measures to detect, respond, and communicate security incidents to impacted parties without undue delay in accordance with the information security policy.
Business Continuity. The Company shall implement measures to ensure appropriate an appropriate business continuity posture in accordance with the information security policy.
Compliance. The Company shall implement measures to identify, review, and comply with legal and regulatory requirements as applicable to the organization.