Columns: Section Heading | Control Heading | Original ID | Question Text | Answer | Notes/Comment
Section: Application & Interface Security
Control: Application Security
ID: AIS-01.2
Question: Do you use an automated source code analysis tool to detect security defects in code prior to production?
Answer: Yes
Notes: dotCMS has a formal change management process in place to ensure that any changes to our applications or systems are tested and validated prior to deployment. This process would include testing for security vulnerabilities, as well as other factors such as functionality, performance, and compatibility. dotCMS runs automated application-level security scans on a daily basis, package dependency security advisory scans on a weekly basis, and endpoint scans on a monthly basis.

ID: AIS-01.5
Question: (SaaS only) Do you review your applications for security vulnerabilities and address any issues prior to deployment to production?
Answer: Yes
Notes: dotCMS performs third-party vulnerability assessments on a regular basis. As part of the software development process, code and configuration changes are thoroughly reviewed. Before being deployed, these changes are tested during the quality assurance process to help ensure a consistent experience across all devices, platforms, and browsers supported by our application.

Control: Customer Access Requirements
ID: AIS-02.1
Question: Are all identified security, contractual, and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets, and information systems?
Answer: Yes
Notes: dotCMS has policies and procedures in place to ensure that any identified security vulnerabilities or risks related to customer access are remediated prior to granting access. This may involve conducting appropriate security testing and risk assessments, implementing appropriate technical and organizational controls, and conducting ongoing monitoring and auditing of customer access. dotCMS conducts appropriate due diligence to identify any contractual or regulatory requirements related to customer access, and then implements appropriate controls to ensure that those requirements are met.

Control: Data Integrity
ID: AIS-03.1
Question: Do your data management policies and procedures require audits to verify data input and output integrity routines?
Answer: Yes
Notes: dotCMS has policies and procedures in place to ensure that data is accurately entered into our systems and that the output is correct. These include data validation checks, data reconciliation processes, and other measures designed to ensure the accuracy and completeness of data. dotCMS undergoes regular audits to verify that these policies and procedures are being followed and that data input and output integrity routines are effective. These audits would be performed by a qualified third-party auditor who assesses our controls and processes related to data management and other aspects of our system.
Section: Audit Assurance & Compliance
Control: Independent Audits
ID: AAC-02.1
Question: Do you allow tenants to view your SOC 2/ISO 27001 or similar third-party audit or certification reports?
Answer: Yes
Notes: Our security program aligns with SOC 2 Type 2, TX-RAMP and ISO 27001 compliance. dotCMS can provide a copy of our SOC 2 report upon request: visit our trust page at https://security.dotcms.com/ and complete our NDA.

ID: AAC-02.2
Question: Do you conduct network penetration tests of your cloud service infrastructure at least annually?
Answer: Yes
Notes: dotCMS hires a third party to conduct an external penetration test on an annual basis. Vulnerabilities are assessed based on the Common Vulnerability Scoring System (CVSS). dotCMS also runs a responsible disclosure program.
Security researchers can responsibly disclose vulnerabilities by submitting them to security@dotcms.com.
Our response and remediation depend on the severity and risk rating of the findings. dotCMS has set industry-standard SLAs based on the severity of the vulnerabilities. Upon request and execution of an NDA, we can share a summary of the test results.

ID: AAC-02.3
Question: Do you conduct application penetration tests of your cloud infrastructure regularly as prescribed by industry best practices and guidance?
Answer: Yes
Notes: dotCMS runs automated application-level static and dynamic security scans on a daily basis, package dependency security advisory scans on a weekly basis, and endpoint scans on a monthly basis. In addition to internal scans, we perform external penetration tests annually.

Control: Information System Regulatory Mapping
ID: AAC-03.1
Question: Do you have a program in place that includes the ability to monitor changes to the regulatory requirements in relevant jurisdictions, adjust your security program for changes to legal requirements, and ensure compliance with relevant regulatory requirements?
Answer: Yes
Notes: dotCMS has a comprehensive program in place to monitor changes to regulatory requirements, adjust our security program accordingly, and ensure ongoing compliance with relevant legal and regulatory requirements. dotCMS works with legal counsel or regulatory bodies to ensure that we remain up to date with any changes or developments that may impact our operations.
Section: Business Continuity Management & Operational Resilience
Control: Business Continuity Testing
ID: BCR-02.1
Question: Are business continuity plans subject to testing at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness?
Answer: Yes
Notes: dotCMS has developed Business Continuity Plan (BCP) and Disaster Recovery Plan policies. These documents describe high-level strategies for restoring critical business functions by resuming operations from backup locations, establishing communication among core team members, and executing operations playbooks for restoring from backups.
dotCMS tests and reviews the plans annually. Refer to our policy packet for the Business Continuity and Disaster Recovery plans. These policies, processes, and procedures are audited as part of our SOC 2 Type 2 and ISO 27001 certifications and are in compliance with those security standards.

Control: Policy
ID: BCR-10.1
Question: Are policies and procedures established and made available for all personnel to adequately support services operations' roles?
Answer: Yes
Notes: dotCMS maintains an auditable and comprehensive Security Awareness program to help ensure that employees are aware of and understand the security policies and procedures they are required to abide by.
The training consists of information security rules and policies, personal accountability and responsibilities, practical steps such as password security, and contact points for escalating security and privacy-related issues. This training reminds all attendees to uphold the code of conduct, ethics, and compliance. Security and privacy training is required for all employees and on a per-role basis for contractors. dotCMS employees are required to participate in annual security awareness training where these concepts are reinforced.
dotCMS also provides role-based security awareness training for developers upon onboarding which includes, but is not limited to, training on the OWASP Top 10 and the STRIDE threat modeling methodology, as well as phishing and social engineering campaigns.

Control: Retention Policy
ID: BCR-11.1
Question: Do you have technical capabilities to enforce tenant data retention policies?
Answer: Yes
Notes: dotCMS maintains explicit policies for data retention and deletion. Data is generally retained indefinitely until a user issues a request via the application to delete the data or asks dotCMS to delete the account or data. dotCMS also maintains backups of the data and a revision history subject to the chosen plan. Upon completion of permanent deletion, the data cannot be recovered unless we are required to retain data by law or legal authority.

ID: BCR-11.3
Question: Have you implemented backup or recovery mechanisms to ensure compliance with regulatory, statutory, contractual or business requirements?
Answer: Yes
Notes: dotCMS has policies and procedures in place that address backup and recovery mechanisms. This includes defining the scope of the backup and recovery program, identifying the criticality of data and systems, and defining backup and recovery time objectives. dotCMS has implemented appropriate technical and organizational controls to ensure that backup and recovery mechanisms are effective. This includes implementing appropriate backup technologies, such as data replication, backup to offsite storage, and other disaster recovery techniques.

ID: BCR-11.7
Question: Do you test your backup or redundancy mechanisms at least annually?
Answer: Yes
Notes: dotCMS tests backup and recovery mechanisms at least annually to ensure their effectiveness and to identify any gaps or issues that may need to be addressed. dotCMS ensures that our backup and recovery mechanisms are compliant with relevant regulatory, statutory, contractual, or business requirements. This includes ensuring that backups are retained for the appropriate period of time, that backup data is encrypted and secured appropriately, and that backups can be accessed and restored in a timely manner in the event of a disaster or other incident.
Section: Change Control & Configuration Management
Control: Unauthorized Software Installations
ID: CCC-04.1
Question: Do you have controls in place to restrict and monitor the installation of unauthorized software onto your systems?
Answer: Yes
Notes: dotCMS has a policy that prohibits the installation of unauthorized software, such as personal software or unapproved applications, and requires approval for the installation of new software.
Section: Data Security & Information Lifecycle Management
Control: E-commerce Transactions
ID: DSI-03.1
Question: Do you provide standardized (e.g. ISO/IEC) non-proprietary encryption algorithms (3DES, AES, etc.) to tenants in order for them to protect their data if it is required to move through public networks (e.g., the Internet)?
Answer: Yes
Notes: dotCMS allows TLS 1.2 for data in motion and AES-256 for data at rest.

ID: DSI-03.2
Question: Do you utilize open encryption methodologies any time your infrastructure components need to communicate with each other via public networks (e.g., Internet-based replication of data from one environment to another)?
Answer: Yes
Notes: dotCMS uses open encryption technologies such as TLS v1.2, AES-256, StrongDM and others to protect our data both at rest and in motion.

Control: Non Production Data
ID: DSI-05.1
Question: Do you have procedures in place to ensure production data shall not be replicated or used in non-production environments?
Answer: Yes
Notes: We have policies in place to prevent unauthorized software installations on our systems. Through strict user access controls and continuous monitoring, we enforce adherence to these policies. Regular audits, user training, and an incident response plan further support our efforts to maintain system security and integrity against unauthorized software.

Control: Secure Disposal
ID: DSI-07.1
Question: Do you support the secure deletion (e.g., degaussing/cryptographic wiping) of archived and backed-up data?
Answer: Yes
Notes: dotCMS uses industry-standard data sanitization techniques, such as overwriting data with random patterns of ones and zeros, or physically destroying the storage media. The specific technique used depends on the type of storage media and the sensitivity of the data being deleted.

ID: DSI-07.2
Question: Can you provide a published procedure for exiting the service arrangement, including assurance to sanitize all computing resources of tenant data once a customer has exited your environment or has vacated a resource?
Answer: Yes
Notes: dotCMS's procedure for exiting a service arrangement includes the following steps:
• Notification: the customer provides notice of their intent to exit the service arrangement.
• Review: dotCMS reviews the customer's contract and service agreement to determine the scope of the customer's use of its services and the requirements for exiting.
• Termination of Services: dotCMS terminates the customer's access to its services and ensures that no further access is allowed.
• Data Sanitization: dotCMS sanitizes all computing resources of tenant data once a customer has exited its environment or vacated a resource. This includes ensuring that all customer data has been removed from dotCMS's systems and that all backup and archived data has been securely deleted or sanitized in accordance with data deletion policies and procedures.
• Verification: dotCMS verifies that all customer data has been removed and that all computing resources have been sanitized in accordance with its policies and procedures.
• Closure: dotCMS provides written confirmation to the customer that all of their data has been removed and that all computing resources have been sanitized in accordance with its policies and procedures.
Section: Datacenter Security
Control: Asset Management
ID: DCS-01.2
Question: Do you maintain a complete inventory of all of your critical assets located at all sites or geographical locations and their assigned ownership?
Answer: Not Applicable
Notes: dotCMS is a remote-only organization.

Control: Controlled Access Points
ID: DCS-02.1
Question: Are physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) implemented for all areas housing sensitive data and information systems?
Answer: Not Applicable
Notes: dotCMS is a remote-only organization.

Control: User Access
ID: DCS-09.1
Question: Do you restrict physical access to information assets and functions by users and support personnel?
Answer: Not Applicable
Notes: dotCMS is a remote-only organization.
Section: Encryption & Key Management
Control: Key Generation
ID: EKM-02.1
Question: Do you have a capability to allow creation of unique encryption keys per tenant?
Answer: Yes
Notes: dotCMS follows a tenant-specific encryption approach, which involves generating a unique encryption key for each tenant's data rather than using a single, shared encryption key for all tenants.

Control: Encryption
ID: EKM-03.1
Question: Do you encrypt tenant data at rest (on disk/storage) within your environment?
Answer: Yes
Notes: All data at rest is encrypted using the AES-256 algorithm.
Section: Governance and Risk Management
Control: Baseline Requirements
ID: GRM-01.1
Question: Do you have documented information security baselines for every component of your infrastructure (e.g., hypervisors, operating systems, routers, DNS servers, etc.)?
Answer: Yes
Notes: dotCMS has a documented hardening process for all network devices, servers, operating systems and software that adheres to the Center for Internet Security (CIS) benchmark for AWS. All our systems, including cloud systems, are configured according to these standards. When building new servers, we harden the operating system (OS) using steps such as:
• Launching new machines in a protected network environment
• Restricting user accounts and privileges
• Updating packages to receive the latest patches

Control: Policy
ID: GRM-06.1
Question: Are your information security policies and procedures made available to all impacted personnel and business partners, authorized by accountable business role/function and supported by the information security management program as per industry best practices (e.g. ISO 27001, SOC 2)?
Answer: Yes
Notes: Our security program aligns with SOC 2 Type 2 and ISO 27001 guidelines. dotCMS is certified SOC 2 and ISO 27001 on an annual basis and is audited during this annual observation period by external CPA auditors. The certificate can be provided upon request by contacting security@dotcms.com.

Control: Policy Enforcement
ID: GRM-07.1
Question: Is a formal disciplinary or sanction policy established for employees who have violated security policies and procedures?
Answer: Yes
Notes: Our disciplinary policies typically outline the consequences of violating security policies and procedures, which may include verbal or written warnings, suspension, termination, legal action, and other appropriate measures. The severity of the disciplinary action depends on the severity of the violation and the organization's policies.

Control: Policy Reviews
ID: GRM-09.1
Question: Do you notify your tenants when you make material changes to your information security and/or privacy policies?
Answer: Yes
Notes: dotCMS publishes any changes to our information security and privacy policies on our website. dotCMS also notifies our clients by email. The notice includes information about the changes to the policy, how the changes may affect individuals, and any actions individuals may need to take in response to the changes.

ID: GRM-09.2
Question: Do you perform, at minimum, annual reviews of your privacy and security policies?
Answer: Yes
Notes: Our information security and privacy policies are reviewed and updated at least once per year.
Section: Human Resources
Control: Asset Returns
ID: HRS-01.1
Question: Upon termination of contract or business relationship, are employees and business partners adequately informed of their obligations for returning organizationally-owned assets?
Answer: Yes
Notes: dotCMS has obligations in the contract document outlining what assets must be returned, in what condition they should be returned, and by what deadline. dotCMS also provides guidance on the process for returning the assets, including any relevant contact information or procedures. Furthermore, we conduct an exit interview with the employee or business partner to review their obligations.

Control: Background Screening
ID: HRS-02.1
Question: Pursuant to local laws, regulations, ethics, and contractual constraints, are all employment candidates, contractors, and involved third parties subject to background verification?
Answer: Yes
Notes: dotCMS takes a thorough approach to ensuring our organization maintains strict standards as they pertain to hiring and staffing with the right people. As part of dotCMS's approach to personnel security, employees are required to undergo background checks prior to employment. Additionally, employees are required to sign and comply with a code of conduct and the Acceptable Use Policy, as well as to understand and sign our policy packet. dotCMS conducts formal evaluations of employee performance and consistent alignment with company objectives. Employees that do not comply with our policies are subject to sanction procedures and disciplinary actions.

Control: Employment Agreements
ID: HRS-03.1
Question: Do your employment agreements incorporate provisions and/or terms in adherence to established information governance and security policies?
Answer: Yes
Notes: dotCMS includes provisions and terms in our employment agreements that require employees to adhere to established information governance and security policies. These provisions and terms include requirements to safeguard confidential information, to comply with relevant laws and regulations, and to follow organizational policies and procedures related to information governance and security. Employment agreements also include clauses that specify the consequences of violating these provisions and terms, such as disciplinary action or termination of employment.

Control: Employment Termination
ID: HRS-04.1
Question: Are documented policies, procedures, and guidelines in place to govern change in employment and/or termination?
Answer: Yes
Notes: Documented policies, procedures, and guidelines are typically in place to govern changes in employment and/or termination. These policies and procedures are designed to ensure that employment changes and terminations are carried out in a fair, consistent, and legally compliant manner. They are included in the employee handbook. They cover a range of topics related to employment changes and terminations, such as job postings, promotions, transfers, performance evaluations, disciplinary action, and termination.

Control: Training / Awareness
ID: HRS-09.5
Question: Are personnel trained and provided with awareness programs at least once a year?
Answer: Yes
Notes: dotCMS maintains an auditable and comprehensive Security Awareness program every year to help ensure that employees are aware of and understand the security policies and procedures they are required to abide by.
Section: Identity & Access Management
Control: Audit Tools Access
ID: IAM-01.1
Question: Do you restrict, log, and monitor access to your information security management systems (e.g., hypervisors, firewalls, vulnerability scanners, network sniffers, APIs, etc.)?
Answer: Yes
Notes: Access restrictions include measures such as requiring multi-factor authentication, using role-based access control, limiting access to specific IP addresses or devices, and restricting access to authorized personnel only. Logging and monitoring access to these systems involves recording access attempts and activities, as well as analyzing this information to detect potential security incidents or violations. This includes monitoring for unusual login patterns, attempted access to restricted areas, and changes to system configurations.

ID: IAM-01.2
Question: Do you monitor and log privileged access (e.g., administrator level) to information security management systems?
Answer: Yes
Notes: dotCMS monitors and logs privileged access to ensure that only legitimate users are allowed access to the system.

Control: User Access Policy
ID: IAM-02.1
Question: Do you have controls in place ensuring timely removal of systems access that is no longer required for business purposes?
Answer: Yes
Notes: Access that is no longer required is removed immediately, within 1 day.

Control: Policies and Procedures
ID: IAM-04.1
Question: Do you manage and store the identity of all personnel who have access to the IT infrastructure, including their level of access?
Answer: Yes
Notes: dotCMS maintains records of access to the system and regularly reviews access logs to identify and mitigate any unauthorized access attempts. Additionally, our organization undergoes regular SOC 2 audits to demonstrate compliance with the standard and to provide assurance to customers that their data is being handled in a secure and confidential manner.

Control: Source Code Access Restriction
ID: IAM-06.1
Question: Are controls in place to prevent unauthorized access to your application, program, or object source code, and assure it is restricted to authorized personnel only?
Answer: Yes
Notes: dotCMS uses role-based access control, limits access to specific IP addresses only, and requires multi-factor authentication in order to ensure that authorization is granted only to authorized individuals. dotCMS also keeps a log of every login activity.

ID: IAM-06.2
Question: Are controls in place to prevent unauthorized access to tenant application, program, or object source code, and assure it is restricted to authorized personnel only?
Answer: Yes
Notes: dotCMS uses role-based access control, limits access to specific IP addresses only, and requires multi-factor authentication in order to ensure that authorization is granted only to authorized individuals. dotCMS also keeps a log of every login activity.

Control: User Access Restriction / Authorization
ID: IAM-08.1
Question: Do you document how you grant, approve and enforce access restrictions to tenant/customer credentials following the rules of least privilege?
Answer: Yes
Notes: dotCMS has proper documentation outlining the process of granting, approving and enforcing access restrictions. Our service is audited by independent auditors every year to ensure its effectiveness.

Control: User Access Reviews
ID: IAM-10.1
Question: Do you require a periodical authorization and validation (e.g. at least annually) of the entitlements for all system users and administrators (exclusive of users maintained by your tenants), based on the rule of least privilege, by business leadership or other accountable business role or function?
Answer: Yes
Notes: dotCMS has well-documented access control policies and procedures, which include the criteria for granting access, the approval process, and the methods for enforcing access restrictions. dotCMS reviews and updates its access controls quarterly to ensure that they remain effective in mitigating security risks. Our service is audited by a third-party independent auditor each year.

Control: User Access Revocation
ID: IAM-11.1
Question: Is timely deprovisioning, revocation, or modification of user access to the organization's systems, information assets, and data implemented upon any change in status of employees, contractors, customers, business partners, or involved third parties?
Answer: Yes
Notes: To implement timely deprovisioning, revocation, or modification of user access, our organization has a documented access management policy and procedure in place. Our IAM system allows for easy and efficient management of user access, and it is integrated with the organization's HR system to ensure that access changes are automatically triggered by changes in employee status.
Section: Infrastructure & Virtualization Security
Control: Audit Logging / Intrusion Detection
ID: IVS-01.1
Question: Are file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis, and response to incidents?
Answer: Yes
Notes: dotCMS has deployed a file integrity tool to monitor changes to critical system files and configuration files in order to detect unauthorized changes or modifications. Also, we have implemented mechanisms to monitor network traffic for signs of suspicious or malicious activity, such as network scans, port scans, and attempts to exploit vulnerabilities. dotCMS regularly tests and reviews our incident response plans to ensure that they remain effective and up to date. This testing may involve simulated incident scenarios, such as tabletop exercises or penetration testing, to identify potential weaknesses in the organization's response capabilities and improve incident response readiness.

ID: IVS-01.2
Question: Is physical and logical user access to audit logs restricted to authorized personnel?
Answer: Yes
Notes: Access to audit logs is restricted to authorized users only, to ensure the confidentiality and integrity of the logs.

ID: IVS-01.5
Question: Are audit logs reviewed on a regular basis for security events (e.g., with automated tools)?
Answer: Yes
Notes: Audit logs are kept centralized and reviewed each day for any security events.

Control: Clock Synchronization
ID: IVS-03.1
Question: Do you use a synchronized time-service protocol (e.g., NTP) to ensure all systems have a common time reference?
Answer: Yes
Notes: dotCMS has synchronized time across all systems, which is important for maintaining accurate logs and timestamps; these are critical for forensic analysis and incident response. dotCMS regularly monitors and reviews our time synchronization controls to ensure that they remain effective and up to date.

Control: OS Hardening and Base Controls
ID: IVS-07.1
Question: Are operating systems hardened to provide only the necessary ports, protocols, and services to meet business needs using technical controls (e.g., antivirus, file integrity monitoring, and logging) as part of their baseline build standard or template?
Answer: Yes
Notes: All unnecessary ports and services are blocked by default. dotCMS has implemented technical controls such as antivirus, file integrity monitoring, and logging that further enhance the security of the system by providing real-time protection against malware and unauthorized changes to system files and configurations.

Control: Production / Non-Production Environments
ID: IVS-08.1
Question: For your SaaS or PaaS offering, do you provide tenants with separate environments for production and test processes?
Answer: Yes
Notes: dotCMS uses separate environments for development, testing and production to reduce the risk of errors or vulnerabilities in the development or testing process affecting the production environment. Each environment is isolated and has its own set of access controls to ensure that only authorized personnel have access. Version control and automated deployment tools are used to help reduce the risk of errors or inconsistencies between environments.

ID: IVS-08.3
Question: Do you logically and physically segregate production and non-production environments?
Answer: Yes
Notes: The network topology includes segmented VPCs and access control lists (ACLs). User requests to dotCMS's web-based systems are encrypted using Transport Layer Security (TLS) 1.2 or higher, using certificates from an established third-party certificate authority. Remote system administration access to dotCMS web and application servers is available via StrongDM, an infrastructure access platform which unifies, brokers, and secures all management access. The hardware components that make up the aforementioned system include servers hosted, managed, and protected by AWS. High-availability production servers at AWS maintain failover capabilities in the event of physical hardware or logical software failures. This infrastructure is hosted in high-availability data centers with multiple availability zones.

Control: Segmentation
ID: IVS-09.1
Question: Are system and network environments protected by a firewall or virtual firewall to ensure business and customer security requirements?
Answer: Yes
Notes: dotCMS can implement a firewall on the enterprise cloud service for the customer, with special rules and criteria to restrict network traffic and protect against threats such as malware.

Control: VMM Security - Hypervisor Hardening
ID: IVS-11.1
Question: Do you restrict personnel access to all hypervisor management functions or administrative consoles for systems hosting virtualized systems based on the principle of least privilege and supported through technical controls (e.g., two-factor authentication, audit trails, IP address filtering, firewalls and TLS-encapsulated communications to the administrative consoles)?
Answer: Yes
Notes: dotCMS has restricted access to hypervisor management functions and administrative consoles according to the principle of least privilege, to reduce the risk of unauthorized access or malicious activity that could compromise the security of virtualized systems and data. Technical controls such as two-factor authentication, audit trails, IP address filtering, firewalls, and TLS-encapsulated communications are used to further enhance the security of hypervisor management functions and administrative consoles.

Control: Wireless Security
ID: IVS-12.1
Question: Are policies and procedures established and mechanisms configured and implemented to protect the wireless network environment perimeter and to restrict unauthorized wireless traffic?
Answer: Not Applicable
Notes: dotCMS is a remote-only organization.

ID: IVS-12.2
Question: Are policies and procedures established and mechanisms implemented to ensure wireless security settings are enabled with strong encryption for authentication and transmission, replacing vendor default settings (e.g., encryption keys, passwords, SNMP community strings)?
Answer: Not Applicable
Notes: dotCMS is a remote-only organization.

ID: IVS-12.3
Question: Are policies and procedures established and mechanisms implemented to protect wireless network environments and detect the presence of unauthorized (rogue) network devices for a timely disconnect from the network?
Answer: Not Applicable
Notes: dotCMS is a remote-only organization.
Section: Interoperability & Portability
Control: APIs
ID: IPY-01.1
Question: Do you publish a list of all APIs available in the service and indicate which are standard and which are customized?
Answer: Yes
Notes: The dotCMS API can be used to integrate your data in dotCMS with any external system. The API closely follows REST semantics, uses JSON to encode objects, and relies on standard HTTP status codes to signal operation outcomes.
Example: https://demo.dotcms.com/api/openapi.json
Section: Mobile Security
Control: Approved Applications
ID: MOS-03.1
Question: Do you have a policy enforcement capability (e.g., XACML) to ensure that only approved applications and those from approved application stores can be loaded onto a mobile device?
Answer: Yes
Notes: dotCMS has ticket-based access control enforcement.
59
Security Incident Management, E-Discovery, & Cloud ForensicsIncident ManagementSEF-02.1Do you have a documented security incident response plan?YesdotCMS follows a documented Incident Response Plan. The response plan includes steps for initiating the response plan, escalation, engaging external resources, triage and investigation, analysis, mitigation, restoration, and post-mortem. Our Information Security team proactively mitigates vulnerabilities and takes all reports of security-related issues very seriously.
An Incident/Event Response team is available 24x7x365 with a notification process identified with the preferred method (phone, email, text, etc.) available to customers/clients to report incidents.
A customer is also able to communicate a security concern using one of our contact options mainly via security@dotcms.com.
By policy, dotCMS notifies any users affected by a security or privacy incident without undue delay of becoming aware of a data breach. Incidents are classified by severity levels, and there are procedures to collect and maintain a chain of custody for evidence during an incident investigation.
60
SEF-02.4Have you tested your security incident response plans in the last year?YesdotCMS tests incident response plan each year to ensure that it is relevant.
61
Incident ReportingSEF-03.1Are workforce personnel and external business relationships adequately informed of their responsibility, and, if required, consent and/or contractually required to report all information security events in a timely manner?YesWe have contractual agreement with our partners and customers about responsibilities as well as we ask that partners and customers notify us about the security breaches immediately within 24 hours.
62
SEF-03.2 | Do you have predefined communication channels for workforce personnel and external business partners to report incidents in a timely manner adhering to applicable legal, statutory, or regulatory compliance obligations? | Yes | Communication channels for incident reporting include a dedicated email address, a hotline, an incident response portal, and other methods such as in-person or phone reporting.
63
Incident Response Legal Preparation | SEF-04.4 | Do you enforce and attest to tenant data separation when producing data in response to legal subpoenas? | Yes | Customer data is disclosed only in accordance with applicable laws and regulations, and stringent safeguards are in place to protect it.
64
Supply Chain Management, Transparency, and Accountability | Incident Reporting | STA-02.1 | Do you make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals)? | Yes | dotCMS has a customer portal for communicating security incident information to affected customers and providers.
65
Network / Infrastructure Services | STA-03.1 | Do you collect capacity and use data for all relevant components of your cloud service offering? | Yes | dotCMS has established policies and procedures for collecting and maintaining capacity and usage data for our cloud service offerings, and we use this data to inform our capacity planning and optimization activities. This helps ensure that the cloud service offering meets customer needs in a reliable and scalable manner.
66
Third Party Agreements | STA-05.4 | Do third-party agreements include provision for the security and protection of information and assets? | Yes | As part of our policies and procedures, our third-party agreements include provisions that require third-party service providers to comply with applicable security and privacy requirements and to take steps to protect dotCMS's information and assets.
67
STA-05.5 | Do you have the capability to recover data for a specific customer in the case of a failure or data loss? | Yes | dotCMS has implemented backup and recovery processes that back up customer data regularly and allow it to be restored quickly in the event of a failure or data loss. Daily backups are retained for 7 days, weekly backups for 4 weeks, and monthly backups for 6 months.
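The retention schedule stated above (daily for 7 days, weekly for 4 weeks, monthly for 6 months) is a grandfather-father-son rotation. The following is an added worked example, not dotCMS code and not a description of how dotCMS implements its backups: it applies that schedule to a set of snapshot dates, reports which snapshots the policy keeps, which can be pruned, and the oldest restore point that remains. It assumes ISO weeks (Monday start) and calendar months as the weekly and monthly buckets, and that each bucket keeps its newest snapshot; the sample snapshot dates are constructed.

```python
from datetime import date, timedelta

# Retention tiers as stated in the STA-05.5 answer. Tier names, bucket rules
# and helper functions below are assumptions made for this illustration.
DAILY_DAYS = 7
WEEKLY_WEEKS = 4
MONTHLY_MONTHS = 6


def week_start(d):
    """Monday of the ISO week containing d (assumed weekly bucket boundary)."""
    return d - timedelta(days=d.weekday())


def months_between(newer, older):
    """Whole calendar months from older to newer (assumed monthly bucket)."""
    return (newer.year - older.year) * 12 + (newer.month - older.month)


def retained(backup_dates, today):
    """Return the set of snapshot dates the policy keeps as of `today`.

    Daily tier:   every snapshot taken within the last DAILY_DAYS days.
    Weekly tier:  the newest snapshot in each of the last WEEKLY_WEEKS ISO
                  weeks (the current week counts as week 0).
    Monthly tier: the newest snapshot in each of the last MONTHLY_MONTHS
                  calendar months (the current month counts as month 0).
    A snapshot survives if any tier claims it.
    """
    dates = sorted(set(backup_dates))  # ascending, so later writes win below
    keep = set()
    newest_per_week = {}
    newest_per_month = {}
    for d in dates:
        age_days = (today - d).days
        if age_days < 0:
            raise ValueError(f"snapshot dated in the future: {d}")
        if age_days < DAILY_DAYS:
            keep.add(d)
        weeks_ago = (week_start(today) - week_start(d)).days // 7
        if weeks_ago < WEEKLY_WEEKS:
            newest_per_week[weeks_ago] = d
        months_ago = months_between(today, d)
        if months_ago < MONTHLY_MONTHS:
            newest_per_month[months_ago] = d
    keep.update(newest_per_week.values())
    keep.update(newest_per_month.values())
    return keep


def prune_list(backup_dates, today):
    """Snapshots the policy no longer needs, oldest first."""
    keep = retained(backup_dates, today)
    return sorted(d for d in set(backup_dates) if d not in keep)


def oldest_restore_point(backup_dates, today):
    """Earliest date a customer could still be restored to, or None."""
    keep = retained(backup_dates, today)
    return min(keep) if keep else None


# Constructed sample: one snapshot per day from 2024-01-01 through 2024-06-30.
SAMPLE_TODAY = date(2024, 6, 30)
SAMPLE_BACKUPS = [
    date(2024, 1, 1) + timedelta(days=i)
    for i in range((SAMPLE_TODAY - date(2024, 1, 1)).days + 1)
]

if __name__ == "__main__":
    kept = sorted(retained(SAMPLE_BACKUPS, SAMPLE_TODAY))
    pruned = prune_list(SAMPLE_BACKUPS, SAMPLE_TODAY)
    print(f"{len(SAMPLE_BACKUPS)} snapshots, {len(kept)} retained, "
          f"{len(pruned)} to prune; oldest restore point "
          f"{oldest_restore_point(SAMPLE_BACKUPS, SAMPLE_TODAY)}")
    for d in kept:
        print(d.isoformat())
```

On the constructed six-month daily series, the policy keeps 15 snapshots (7 daily, 3 additional week-end snapshots, 5 additional month-end snapshots) and the oldest restore point is the last day of the sixth month back, not the first; anything older than the end of that month has already been pruned, which is the practical meaning of "monthly for 6 months" when reviewing a restore request.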
68
Supply Chain Metrics | STA-07.4 | Do you provide tenants with ongoing visibility and reporting of your operational Service Level Agreement (SLA) performance? | Yes | dotCMS has policies and procedures for managing SLA performance, including tracking and monitoring of SLA metrics, identification and resolution of SLA breaches, and reporting of SLA performance to customers. This may involve providing customers with regular reports on SLA performance, including metrics such as uptime, response times, and other key performance indicators (KPIs) relevant to the customer's business needs. These reports are provided regularly and are easily accessible to customers through an online portal or other means.
69
Third Party Audits | STA-09.1 | Do you mandate annual information security reviews and audits of your third party providers to ensure that all agreed upon security requirements are met? | Yes | dotCMS conducts annual information security reviews and audits of third-party providers to assess their compliance with security requirements and identify any potential security risks. The scope of these reviews and audits includes areas such as access controls, data protection, incident response, and overall security governance.
70
Threat and Vulnerability Management | Antivirus / Malicious Software | TVM-01.1 | Do you have anti-malware programs that support or connect to your cloud service offerings installed on all of your IT infrastructure network and systems components? | Yes | dotCMS has anti-malware protection on all of its systems, such as the built-in Windows Defender and macOS XProtect. dotCMS keeps these anti-malware programs up to date with the latest definitions and security patches so that they provide maximum protection against emerging threats.
71
Vulnerability / Patch Management | TVM-02.5 | Do you have a capability to patch vulnerabilities across all of your computing devices, applications, and systems? | Yes | dotCMS has a process in place for promptly patching vulnerabilities across all systems in its environment to prevent exploitation by attackers. This process includes vulnerability scanning and risk assessment, prioritization of patches based on the severity of the vulnerability and the potential impact on the system or data, testing of patches in a non-production environment before deployment, and monitoring of systems after patching to confirm that the vulnerability has been successfully mitigated.
dotCMS also leverages automated patch management tools to help streamline the patching process and ensure that all systems are up-to-date with the latest security patches.
72
Mobile Code | TVM-03.1 | Is mobile code authorized before its installation and use, and the code configuration checked, to ensure that the authorized mobile code operates according to a clearly defined security policy? | Yes | dotCMS has a mobile code security policy that defines the types of mobile code authorized for use and the procedures for their installation and configuration. dotCMS enforces the use of digital signatures and other security mechanisms to ensure that all mobile code is authorized before installation and use. dotCMS also conducts regular security audits and vulnerability assessments to identify any unauthorized or misconfigured mobile code.