Higher Education Community Vendor Assessment Tool (HECVAT) - Lite, Version 3.01
HEISC Shared Assessments Working Group

| ID | Field | Value |
|---|---|---|
| DATE-01 | Date | 3/1/2022 |

General Information

In order to protect the institution and its systems, vendors whose products and/or services will access and/or host institutional data must complete the Higher Education Community Vendor Assessment Toolkit. Throughout this tool, anywhere the term data is used, it is an all-encompassing term including at least data and metadata. Answers will be reviewed by institution security analysts upon submittal. This process will assist the institution in preventing breaches of protected information and in complying with institution policy and state and federal law. This is intended for use by vendors participating in a Third Party Security Assessment and should be completed by a vendor.

| ID | General Information | Value |
|---|---|---|
| GNRL-01 | Vendor Name | Localist |
| GNRL-02 | Product Name | Localist |
| GNRL-03 | Product Description | Enterprise SaaS Event Management |
| GNRL-04 | Web Link to Product Privacy Notice | https://www.localist.com/legal/privacy-policy |
| GNRL-05 | Web Link to Accessibility Statement or VPAT | https://docs.google.com/document/d/1uDPMyT6siAr1hvtN2gHqRFwNFukJUrI_67oCAvoP4HM/edit |
| GNRL-06 | Vendor Contact Name | Jason Finney |
| GNRL-07 | Vendor Contact Title | VP of Revenue |
| GNRL-08 | Vendor Contact Email | jason@localist.com |
| GNRL-09 | Vendor Contact Phone Number | 202-386-6942 |
| GNRL-10 | Vendor Accessibility Contact Name | Gavin Potts |
| GNRL-11 | Vendor Accessibility Contact Title | VP of Product |
| GNRL-12 | Vendor Accessibility Contact Email | gavin@localist.com |
| GNRL-13 | Vendor Accessibility Contact Phone Number | 505-366-3476 |
| GNRL-14 | Vendor Hosting Regions | US-East |
| GNRL-15 | Vendor Work Locations | USA (Distributed, remote) |

Instructions

Step 1: Complete each section, answering each set of questions in order from top to bottom; the built-in formatting logic relies on this order. Step 2: Submit the completed Higher Education Community Vendor Assessment Toolkit - Lite to the institution according to institutional procedures.

| ID | Company Overview | Vendor Answers | Additional Information | Guidance | Analyst Notes |
|---|---|---|---|---|---|
| COMP-01 | Describe your organization's business background and ownership structure, including all parent and subsidiary relationships. | C Corp, Privately Owned | N/A | | |
| COMP-02 | Have you had an unplanned disruption to this product/service in the last 12 months? | No. There has been no unplanned disruption to the product or service in the past 12 months. This can be verified at https://status.localist.com | N/A | | |
| COMP-03 | Do you have a dedicated Information Security staff or office? | Yes | We are a small team of 19 people, but our technical team is all highly versed in Information Security. The original architect of our security policies and posture is a founder of the company and remains on staff. | Describe your Information Security Office, including size, talents, resources, etc. | |
| COMP-04 | Do you have dedicated Software and System Development team(s)? (e.g. Customer Support, Implementation, Product Management, etc.) | Yes | An org chart of our Customer Experience, Engineering, and DevOps teams can be found at: https://drive.google.com/file/d/1ZDsXygtgZI_Es5VpBeXW50YMfi98SKsw/view?usp=sharing | Describe the structure and size of your Software and System Development teams. (e.g. Customer Support, Implementation, Product Management, etc.) | |
| COMP-05 | Does your product process protected health information (PHI) or any data covered by the Health Insurance Portability and Accountability Act? | No | | | |
| COMP-06 | Will data regulated by PCI DSS reside in the vended product? | No | | | |
| COMP-07 | Use this area to share information about your environment that will assist those who are assessing your company data security program. | The high-level notes that describe our infrastructure and information security policies and procedures are as follows. Infrastructure Security: hosted on a leading cloud infrastructure provider (Azure); network and perimeter protection. Customer Data Protection: logical tenant separation; encryption in transit (TLS 1.2, TLS 1.3); encryption at rest (AES-256). Application Protection: Web Application Firewall (WAF); Distributed Denial of Service (DDoS) protections; regular vulnerability scanning; annual penetration testing. Organizational Security: security education and awareness training; 24/7 monitoring and incident response; vendor risk management. Compliance & Privacy: GDPR compliance features. | N/A | | |

| ID | Documentation | Vendor Answers | Additional Information | Guidance | Analyst Notes |
|---|---|---|---|---|---|
| DOCU-01 | Have you undergone a SSAE 18 / SOC 2 audit? | Yes | Localist itself has not undergone an independent SOC 2 audit; however, Azure, our primary data center, has: https://docs.microsoft.com/en-us/azure/compliance/offerings/offering-soc-2 Separately, we adhere to all of the defined best practices that would be required to pass a SOC 2 audit. | Provide the date of assessment and include a SOC 2 Type 2 (preferred) or SOC 3 report. If you have a SOC 2 or SOC 3 report, state how to obtain a copy. Indicate if your hosting provider was the subject of the audit. | |
| DOCU-02 | Have you completed the Cloud Security Alliance (CSA) CAIQ? | Yes | We have a completed CAIQ self-evaluation, version 4.0.2. Viewable here: https://docs.google.com/spreadsheets/d/1v7TITGz_BD43gl0NA8VMwqutISV3aoOHW333QeT0lQ0/edit?usp=sharing | Please include a copy with your response and include a URL for the published assessment. | |
| DOCU-03 | Have you received the Cloud Security Alliance STAR certification? | No | While we performed the self-evaluation to ensure compliance, we do not have plans to formally pursue a STAR certification. | Describe any plans to obtain CSA STAR certification. | |
| DOCU-04 | Do you conform with a specific industry standard security framework? | Yes | Localist aligns with NIST SP 800-171 best practices, a lightweight version of the 800-53 standard, which assumes more sensitive information storage. We also employ best practices around the OWASP Top 10. A more thorough overview is available at https://docs.google.com/document/d/1wLtZt1bEIThzhqTbBV9v_QxHk1Iv_pjrTE8x4wxMnoc/edit | Provide documentation on how your organization conforms to your chosen framework and indicate current certification levels, where appropriate. | |
| DOCU-05 | Can the systems that hold the institution's data be compliant with NIST SP 800-171 and/or CMMC Level 3 standards? | Yes | As noted above, Localist complies with NIST SP 800-171 standards. A self-assessment is performed annually and is accessible here: https://docs.google.com/spreadsheets/d/17TEFUCcDtxxm6m0yXwPJHlpVdfvV8wwvfUzcm6yH078/edit?usp=sharing | Indicate level, Supplier Performance Risk System ('SPRS') Score or certification information. | |
| DOCU-06 | Can you provide overall system and/or application architecture diagrams including a full description of the data flow for all components of the system? | Yes | We have a redacted form of this document available here: https://docs.google.com/presentation/d/1Gwn2votBWckdkCFqwe7esE5U5-V5udbwfUylq42FT2M/edit#slide=id.g258076c6c5_0_3 | Provide your diagrams (or a valid link to them) upon submission. | |
| DOCU-07 | Does your organization have a data privacy policy? | Yes | https://www.localist.com/legal/privacy-policy | Provide your data privacy document (or a valid link to it) upon submission. | |
| DOCU-08 | Do you have a documented, and currently implemented, employee onboarding and offboarding policy? | Yes | A high-level overview of employee on/offboarding procedures is in this document: https://docs.google.com/document/d/1wLtZt1bEIThzhqTbBV9v_QxHk1Iv_pjrTE8x4wxMnoc/edit We cannot share specific details of the process for security purposes. | Provide a reference to your employee onboarding and offboarding policy and supporting documentation or submit it along with this fully-populated HECVAT. | |
| DOCU-09 | Do you have a well documented Business Continuity Plan (BCP) that is tested annually? | Yes | A high-level overview of our BCP is available here: https://docs.google.com/document/d/1u3UfJu63WgY4DVmfKqbukGXAd8L8jZ3l3ZtL-HjTEMo/edit?usp=sharing | Provide a reference to your BCP and supporting documentation or submit it along with this fully-populated HECVAT. | |
| DOCU-10 | Do you have a well documented Disaster Recovery Plan (DRP) that is tested annually? | Yes | Our Disaster Recovery Policy is available here: https://docs.google.com/document/d/195oUH5M0-CAiybVtXzCX9g03x4WiTolUawbxWm3-Kjw/edit We cannot directly share our DR Plan, as it exposes too much proprietary infrastructure information. | Provide a reference to your DRP and supporting documentation or submit it along with this fully-populated HECVAT. | |
| DOCU-11 | Do you have a documented change management process? | Yes | A summary of our change management process is here: https://docs.google.com/document/d/1mfx3adXn44zxzhkRyf3Ue-pThHKBwk6IVJwuF2wXums/edit | Summarize your current change management process. | |
| DOCU-12 | Has a VPAT or ACR been created or updated for the product and version under consideration within the past year? | Yes | Here is a link to our VPAT results and audit: https://docs.google.com/document/d/129LEwxiX3n_8u9Kg8ItU77rOnfHOVukNsXBonPzw8VA/edit#heading=h.3rdcrjn | State the date the VPAT was completed. Include this VPAT in your submission and/or link to its web location. | |
| DOCU-13 | Do you have documentation to support the accessibility features of your product? | Yes | Here is a link to our Accessibility Compliance policy: https://docs.google.com/document/d/1uDPMyT6siAr1hvtN2gHqRFwNFukJUrI_67oCAvoP4HM/edit We also have GitHub repositories that document all changes to view files, allowing customers to see exactly which accessibility improvements were made, and when. These are available at: https://github.com/lclst/localist-theme-emphasis | Provide examples with links where possible. | |

| ID | IT Accessibility | Vendor Answers | Additional Information | Guidance | Analyst Notes |
|---|---|---|---|---|---|
| ITAC-01 | Has a third party expert conducted an accessibility audit of the most recent version of your product? | Yes | This assessment was performed by a 3rd party accessibility consultant, Deque, in Localist's production environment on 12/3/2021, which resulted in Localist being WCAG 2.0 AA compliant. That said, we still implemented over 100 changes to our view files to improve accessibility even further. The VPAT assessment is here: https://docs.google.com/document/d/129LEwxiX3n_8u9Kg8ItU77rOnfHOVukNsXBonPzw8VA/edit#heading=h.3rdcrjn | State when the audit was conducted and by whom. Include the results in your submission and/or link to its web location. | |
| ITAC-02 | Do you have a documented and implemented process for verifying accessibility conformance? | Yes | Our Accessibility Compliance Policy, outlined here: https://docs.google.com/document/d/1uDPMyT6siAr1hvtN2gHqRFwNFukJUrI_67oCAvoP4HM/edit states the process for verifying conformance. | Describe your processes and methodologies for validating accessibility conformance. | |
| ITAC-03 | Have you adopted a technical or legal accessibility standard of conformance for the product in question? | Yes | WCAG 2.0 AA | Indicate which primary standards and comment upon any additional standards the product meets. | |
| ITAC-04 | Can you provide a current, detailed accessibility roadmap with delivery timelines? | Yes | Here is a link to a snapshot from our ticketing system, but we cannot grant access to this internal tool: https://docs.google.com/spreadsheets/d/11HAqEFRjnQDR5DyRcxKieZF8bEa1JFu6WP1aWUiAE_s/edit#gid=591637241 | Comment upon how far into the future the roadmap extends. Provide evidence (including links) of having delivered upon the accessibility roadmap in the past. | |
| ITAC-05 | Do you expect your staff to maintain a current skill set in IT accessibility? | Yes | | Provide any further relevant information about how expertise is maintained; include any accessibility certifications staff may hold (e.g., IAAP WAS <https://www.accessibilityassociation.org/certifications> or DHS Trusted Tester <https://section508.gov/test/trusted-tester>). | |
| ITAC-06 | Do you have a documented and implemented process for reporting and tracking accessibility issues? | Yes | We have an ongoing roadmap for any newly identified accessibility issues in our ticketing system, along with severity and status. A link to an example of the processing of these issues is linked above. | Describe the process and any recent examples of fixes as a result of the process. | |
| ITAC-07 | Do you have documented processes and procedures for implementing accessibility into your development lifecycle? | Yes | Our Accessibility Compliance Policy outlines how implementing accessibility is incorporated into our SDLC: https://docs.google.com/document/d/1uDPMyT6siAr1hvtN2gHqRFwNFukJUrI_67oCAvoP4HM/edit | Provide further details or multiple means in Additional Information. | |
| ITAC-08 | Can all functions of the application or service be performed using only the keyboard? | Yes | This was last performed on 12/3/2021, in the following environment: Windows with Chrome browser and NVDA screen reader; automated testing using axe-core rules; manual testing and keyboard-only navigation testing. | State when and on which platform this was verified. | |
| ITAC-09 | Does your product rely on activating a special 'accessibility mode,' a 'lite version' or accessing an alternate interface for accessibility purposes? | No | | | |

| ID | Application/Service Security | Vendor Answers | Additional Information | Guidance | Analyst Notes |
|---|---|---|---|---|---|
| HLAP-01 | Are access controls for institutional accounts based on structured rules, such as role-based access control (RBAC), attribute-based access control (ABAC) or policy-based access control (PBAC)? | Yes | Localist generally employs RBAC policies for our customers. Because customers own their own data and are wholly responsible for its consistency, we provide standard roles in the platform, but each customer may integrate their SSO system into Localist, which allows them to further refine who has access to which features. For a deeper overview of our access controls, read the Localist Security Overview here: https://docs.google.com/document/d/1wLtZt1bEIThzhqTbBV9v_QxHk1Iv_pjrTE8x4wxMnoc/edit#heading=h.9rsh4j2rtbkc | Describe available roles. | |
| HLAP-02 | Are access controls for staff within your organization based on structured rules, such as RBAC, ABAC, or PBAC? | Yes | | | |
| HLAP-03 | Do you have a documented and currently implemented strategy for securing employee workstations when they work remotely? (i.e. not in a trusted computing environment) | Yes | Yes, this is outlined in our Localist Security Overview here: https://docs.google.com/document/d/1wLtZt1bEIThzhqTbBV9v_QxHk1Iv_pjrTE8x4wxMnoc/edit#heading=h.9rsh4j2rtbkc | Provide supporting documentation of your strategy. | |
| HLAP-04 | Does the system provide data input validation and error messages? | Yes | All untrusted input is escaped before being inserted into our databases. Additionally, we provide context/content-based JavaScript validation and messages to the end user. The server also validates input according to the same rules as the JavaScript front-end. | Describe how your system(s) provide data input validation and error messages. | |
| HLAP-05 | Are you using a web application firewall (WAF)? | Yes | Yes, this is outlined in our Localist Security Overview here: https://docs.google.com/document/d/1wLtZt1bEIThzhqTbBV9v_QxHk1Iv_pjrTE8x4wxMnoc/edit#heading=h.9rsh4j2rtbkc | Describe the currently implemented WAF. | |
| HLAP-06 | Do you have a process and implemented procedures for managing your software supply chain (e.g. libraries, repositories, frameworks, etc.)? | Yes | Yes, this is outlined in our Localist Security Overview here: https://docs.google.com/document/d/1wLtZt1bEIThzhqTbBV9v_QxHk1Iv_pjrTE8x4wxMnoc/edit#heading=h.9rsh4j2rtbkc | Provide supporting documentation of your processes. | |

| ID | Authentication, Authorization, and Accounting | Vendor Answers | Additional Information | Guidance | Analyst Notes |
|---|---|---|---|---|---|
| HLAA-01 | Does your solution support single sign-on (SSO) protocols for user and administrator authentication (Yes, No, Both modes available, Not Applicable)? | Both | N/A | | |
| HLAA-02 | Does your organization participate in InCommon or another eduGAIN affiliated trust federation? | No | | Describe plans to participate in InCommon or another eduGAIN affiliated trust federation. | |
| HLAA-03 | Does your application support integration with other authentication and authorization systems? | Yes | Active Directory, LDAP, OIDC, CAS, SAML2, Facebook, Google, Twitter | List which systems and versions are supported (such as Active Directory, Kerberos, or other LDAP compatible directory) in Additional Info. | |
| HLAA-04 | Does your solution support any of the following Web SSO standards? [e.g., SAML2 (with redirect flow), OIDC, CAS, or other] | Yes | SAML2, OIDC, CAS | State the Web SSO standards supported by your solution and provide additional details about your support, including framework(s) in use, how information is exchanged securely, etc. | |
| HLAA-05 | Do you support differentiation between email address and user identifier? | Yes | | | |
| HLAA-06 | Do you allow the customer to specify attribute mappings for any needed information beyond a user identifier? [e.g., Reference eduPerson, ePPA/ePPN/ePE] | Yes | | | |
| HLAA-07 | Are audit logs available to the institution that include AT LEAST all of the following: login, logout, actions performed, timestamp, and source IP address? | Yes | They are available to the appropriate Localist staff, but we do not share them with our customers (barring any legal investigation), as it introduces security and intellectual property risk. | | |
| HLAA-08 | If you don't support SSO, does your application and/or user-frontend/portal support multi-factor authentication? (e.g. Duo, Google Authenticator, OTP, etc.) | | | | |
| HLAA-09 | Does your application automatically lock the session or log out an account after a period of inactivity? | Yes | Because Localist integrates with each customer's single-sign-on infrastructure, session locks and logout policies are inherited from that system. This is to align with each customer's preferred policy automatically. | Describe the default behavior of this capability. | |

| ID | Systems Management | Vendor Answers | Additional Information | Guidance | Analyst Notes |
|---|---|---|---|---|---|
| HLSY-01 | Do you have a systems management and configuration strategy that encompasses servers, appliances, cloud services, applications, and mobile devices (company and employee owned)? | Yes | Automation drives Localist's ability to scale with our customers' needs. The product infrastructure is a highly automated environment that flexibly expands capacity and capability as needed. Server instances are provisioned via Kubernetes, meaning that any server's configuration is tightly controlled from birth through deprovisioning. More information is available at: https://docs.google.com/document/d/1wLtZt1bEIThzhqTbBV9v_QxHk1Iv_pjrTE8x4wxMnoc/edit# | Summarize your systems management and configuration strategy. | |
| HLSY-02 | Will the institution be notified of major changes to your environment that could impact the institution's security posture? | Yes | Where applicable, Localist maintains a list of emergency contacts for communicating service-related information, such as service interruptions or scheduled maintenance activities that may cause downtime, based on SLA and other agreements. More information is available here: https://docs.google.com/document/d/1u3UfJu63WgY4DVmfKqbukGXAd8L8jZ3l3ZtL-HjTEMo/edit# | State how and when the institution will be notified of major changes to your environment. | |
| HLSY-03 | Are your systems and applications scanned for vulnerabilities [that are then remediated] prior to new releases? | Yes | The entire technical team bi-annually spends time targeting all parts of the application, looking for vulnerabilities. We focus on account isolation, token unicity, unauthenticated paths, etc. We use the browser web console, curl, and 3rd party tools such as ZAP (https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project) to perform these inspections. More information is available at these links: https://docs.google.com/document/d/1rNZAoBbs4sEAY2Ni051_UDuY4zXgjTDKehNZ4wKRzz8/edit , https://docs.google.com/document/d/1wLtZt1bEIThzhqTbBV9v_QxHk1Iv_pjrTE8x4wxMnoc/edit , https://docs.google.com/document/d/1dosPXJxquB2Oj9lCd_sY138aHXHTuSForkpJO-sEODw/edit | Provide a brief description. | |
| HLSY-04 | Have your systems and applications had a third party security assessment completed in the last year? | Yes | Our last security assessment was performed on 8-9-21, with results here: https://docs.google.com/document/d/1dosPXJxquB2Oj9lCd_sY138aHXHTuSForkpJO-sEODw/edit | Provide the results with this document (link or attached), if possible. State the date of the last completed third party security assessment. | |
| HLSY-05 | Do you have policy and procedure, currently implemented, guiding how security risks are mitigated until patches can be applied? | Yes | Yes, this is outlined here: https://docs.google.com/document/d/1wLtZt1bEIThzhqTbBV9v_QxHk1Iv_pjrTE8x4wxMnoc/edit#heading=h.9rsh4j2rtbkc in section 4.2 | Summarize the policy and procedure(s) guiding risk mitigation practices before critical patches can be applied. | |

| ID | Data | Vendor Answers | Additional Information | Guidance | Analyst Notes |
|---|---|---|---|---|---|
| HLDA-01 | Does the environment provide for dedicated single-tenant capabilities? If not, describe how your product or environment separates data from different customers (e.g., logically, physically, single tenancy, multi-tenancy). | No | Logically, multi-tenancy; all data can be associated back to one platform, and all queries are built with this logic. | Describe your plan to separate institution data from other customers. | |
| HLDA-02 | Is sensitive data encrypted, using secure protocols/algorithms, in transport? (e.g. system-to-client) | Yes | Yes, this is outlined here: https://docs.google.com/document/d/1wLtZt1bEIThzhqTbBV9v_QxHk1Iv_pjrTE8x4wxMnoc/edit#heading=h.a1s4ectqoop2 in section 4.3 | Summarize your transport encryption strategy. | |
| HLDA-03 | Is sensitive data encrypted, using secure protocols/algorithms, in storage? (e.g. disk encryption, at-rest, files, and within a running database) | Yes | Yes, this is outlined here: https://docs.google.com/document/d/1wLtZt1bEIThzhqTbBV9v_QxHk1Iv_pjrTE8x4wxMnoc/edit#heading=h.a1s4ectqoop2 in section 4.3 | Summarize your data encryption strategy and state what encryption options are available. | |
| HLDA-04 | Are involatile backup copies made according to pre-defined schedules and securely stored and protected? | Yes | Yes, this is outlined here: https://docs.google.com/document/d/1u3UfJu63WgY4DVmfKqbukGXAd8L8jZ3l3ZtL-HjTEMo/edit in section 9.g and here: https://docs.google.com/document/d/195oUH5M0-CAiybVtXzCX9g03x4WiTolUawbxWm3-Kjw/edit | If your strategy uses different processes for services and data, ensure that all strategies are clearly stated and supported. | |
| HLDA-05 | Can the Institution extract a full or partial backup of data? | Yes | We can provide backups of institution data on an as-needed basis. Smaller data sets can be exported from the admin system directly. | Provide a general summary of how full and partial backups of data can be extracted. | |
| HLDA-06 | Do you have a media handling process, that is documented and currently implemented, that meets established business needs and regulatory requirements, including end-of-life, repurposing, and data sanitization procedures? | Yes | Yes, this is outlined here: https://docs.google.com/document/d/1wLtZt1bEIThzhqTbBV9v_QxHk1Iv_pjrTE8x4wxMnoc/edit#heading=h.eio5kzhe1vc8 in section 4.4.1 | Provide documented details of this process (link or attached). | |
| HLDA-07 | Does your staff (or third party) have access to Institutional data (e.g., financial, PHI or other sensitive information) within the application/system? | No | The only information we _must_ store is the email address, which allows users to log in to the platform. All other information (including password) is not stored by Localist if integrated with your SSO. | | |

| ID | Datacenter | Vendor Answers | Additional Information | Guidance | Analyst Notes |
|---|---|---|---|---|---|
| HLDC-01 | Does your company manage the physical data center where the institution's data will reside? | No | This is outlined here: https://docs.google.com/document/d/1wLtZt1bEIThzhqTbBV9v_QxHk1Iv_pjrTE8x4wxMnoc/edit# in section 4 | Provide a detailed description of where the institution's data will reside. | |
| HLDC-02 | Are you generally able to accommodate storing each institution's data within their geographic region? | No | Our primary hosting environment is in the US-East region of Azure, so if the customer is primarily in the US-West region, it would technically be in a separate region. That said, the end-user experience is the same, regardless of region. | Under what circumstances would institutional data leave a designated region or regions? | |
| HLDC-03 | Does the hosting provider have a SOC 2 Type 2 report available? | Yes | https://docs.microsoft.com/en-us/azure/compliance/offerings/offering-soc-2 Localist itself has not formally pursued a SOC 2 audit; however, our practices align with SOC 2 principles. | Obtain the report if possible and add it to your submission. | |
| HLDC-04 | Does your organization have physical security controls and policies in place? | Yes | Yes, this is outlined in our Security Overview, section 4: https://docs.google.com/document/d/1wLtZt1bEIThzhqTbBV9v_QxHk1Iv_pjrTE8x4wxMnoc/edit# | Describe your physical security strategy. | |
| HLDC-05 | Do you have physical access control and video surveillance to prevent/detect unauthorized access to your data center? | Yes | Our data center is managed by Azure, which is outlined here: https://docs.google.com/document/d/1u3UfJu63WgY4DVmfKqbukGXAd8L8jZ3l3ZtL-HjTEMo/edit | Describe how you prevent and detect unauthorized access to your data center. | |

| ID | Networking | Vendor Answers | Additional Information | Guidance | Analyst Notes |
|---|---|---|---|---|---|
| HLNT-01 | Do you enforce network segmentation between trusted and untrusted networks (i.e., Internet, DMZ, Extranet, etc.)? | Yes | The Azure VNet is the trusted network; the only points of ingress are the web endpoints. Azure denies all incoming traffic except for web traffic. | Provide a brief summary of how trusted and untrusted networks are segmented. | |
| HLNT-02 | Are you utilizing a stateful packet inspection (SPI) firewall? | Yes | We utilize Azure's standard firewall features. | Describe the currently implemented SPI firewall. | |
| HLNT-03 | Do you use an automated IDS/IPS system to monitor for intrusions? | Yes | We employ Azure's built-in intrusion detection services, which are best-in-class. | Describe the currently implemented IDS/IPS. | |
| HLNT-04 | Are you employing any next-generation persistent threat (NGPT) monitoring? | Yes | Yes, we use Azure Monitor for continuous NGPT monitoring. It is built into our stack. | Describe your NGPT monitoring strategy. | |
| HLNT-05 | Do you require connectivity to the Institution's network for support/administration or access into any existing systems for integration purposes? | No | | | |

| ID | Incident Handling | Vendor Answers | Additional Information | Guidance | Analyst Notes |
|---|---|---|---|---|---|
| HLIH-01 | Do you have a formal incident response plan? | Yes | The Localist Incident Management Plan has been developed to provide direction and focus to the handling of information security incidents that adversely affect Localist Information Resources. The Localist Incident Management Plan applies to any person or entity charged by the Localist Incident Response Commander with a response to information security related incidents at the organization, and specifically those incidents that affect Localist Information Resources. The purpose of the Incident Management Plan is to allow Localist to respond quickly and appropriately to information security incidents. It is available here: https://docs.google.com/document/d/10aqNH61OIfavObLzu-PmDkViwTjmwWvEVtws_B2Lrss/edit# | Summarize or provide a link to your formal incident response plan. | |
| HLIH-02 | Do you have an incident response process and reporting in place to investigate any potential incidents and report actual incidents? | Yes | Yes, this is outlined here: https://docs.google.com/document/d/10aqNH61OIfavObLzu-PmDkViwTjmwWvEVtws_B2Lrss/edit# | Summarize your incident response and reporting processes. | |
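Two of the answers above describe controls an assessing analyst will want to see in concrete form: HLAP-04 (untrusted input validated on the server under the same rules as the JavaScript front-end, and neutralized before it reaches the database) and HLDA-01 (logical multi-tenant separation, with every query built to carry the tenant scope). The following Python example is added here to illustrate what those two controls look like in code; it is not Localist's code and nothing in it describes their actual implementation. The field rules, the `events` table, and the sample submissions are all constructed for the example, and it uses the standard-library `sqlite3` module so it runs offline. It uses bound parameters rather than string escaping, which is the form of "escaping before insertion" a reviewer would normally want to see evidenced.

```python
"""Illustration of HLAP-04 (shared validation rules, parameterized storage) and
HLDA-01 (tenant-scoped queries). Hypothetical code for this page only; the rule
table, schema and sample data are constructed and are not Localist's."""
import re
import sqlite3

# One rule table intended to be shared with the client-side JavaScript, so the
# server re-checks exactly what the browser checked (the HLAP-04 claim).
RULES = {
    "title": {"required": True, "max_len": 120},
    "email": {
        "required": True,
        "max_len": 254,
        "pattern": r"^[^@\s]+@[^@\s]+\.[^@\s]+$",  # constructed, deliberately simple
    },
}


def validate(field, value):
    """Return an error message for one field, or None when the value passes."""
    rule = RULES[field]
    if value is None or value.strip() == "":
        return f"{field} is required" if rule["required"] else None
    if len(value) > rule["max_len"]:
        return f"{field} exceeds {rule['max_len']} characters"
    pattern = rule.get("pattern")
    if pattern and not re.match(pattern, value):
        return f"{field} is not a valid value"
    return None


def validate_event(form):
    """Validate every field in the rule table; returns {field: message}, empty when valid."""
    errors = {}
    for field in RULES:
        message = validate(field, form.get(field))
        if message:
            errors[field] = message
    return errors


def open_db():
    """In-memory database with a tenant_id on every row (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events ("
        " id INTEGER PRIMARY KEY, tenant_id INTEGER NOT NULL,"
        " title TEXT NOT NULL, organizer_email TEXT NOT NULL)"
    )
    return conn


def insert_event(conn, tenant_id, form):
    """Server-side validation first; on success, store via bound parameters.

    Returns the error dict (empty on success) so the caller can send the
    same messages back to the end user that the front-end would have shown."""
    errors = validate_event(form)
    if errors:
        return errors
    # Untrusted text is bound as parameters, never spliced into the SQL string,
    # so quotes and SQL keywords in user input are stored literally.
    conn.execute(
        "INSERT INTO events (tenant_id, title, organizer_email) VALUES (?, ?, ?)",
        (tenant_id, form["title"], form["email"]),
    )
    conn.commit()
    return {}


def list_events(conn, tenant_id):
    """Every read carries the tenant predicate (the HLDA-01 logical separation)."""
    return conn.execute(
        "SELECT title, organizer_email FROM events WHERE tenant_id = ? ORDER BY id",
        (tenant_id,),
    ).fetchall()


def demo():
    """Run the constructed submissions and return the observable results."""
    conn = open_db()
    ok = insert_event(conn, 1, {"title": "Commencement", "email": "events@example.edu"})
    rejected = insert_event(conn, 1, {"title": "", "email": "not-an-email"})
    # An apostrophe is the classic case that breaks hand-rolled escaping;
    # with bound parameters it is stored exactly as typed.
    quoted = insert_event(conn, 2, {"title": "Alumni Night at O'Reilly's", "email": "a@b.co"})
    return ok, rejected, quoted, list_events(conn, 1), list_events(conn, 2)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

When reviewing an answer like HLAP-04, the questions to carry into the follow-up call are whether the server rule set is literally the same artifact the client uses (or merely "equivalent"), and whether "escaped before insertion" means bound parameters or string manipulation; the example shows the shape of the preferred answer to both.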