Q: How are system administrators monitored for their access to customer data?
A: Access controls are in place to limit administrative personnel's access to customer data.
Q: How often do you scan for vulnerabilities within your internal network? What is your vulnerability remediation process (how often are the reports reviewed and what actions are taken)?
A: AskCody is delivered as Software as a Service, built on Microsoft Azure and hosted in the Microsoft Azure cloud. The vulnerability assessment in Azure Security Center is part of the Security Center recommendations. If Security Center doesn't find a vulnerability assessment solution installed on your VM or network, it recommends that you install one. A partner agent, once deployed, starts reporting vulnerability data to the partner's management platform. In turn, the partner's management platform provides vulnerability and health monitoring data back to Security Center.
The Security Center recommendations are monitored on a daily basis, and action is taken immediately if vulnerabilities are found.
Q: How frequently do you do penetration testing?
A: All of the infrastructure on the Microsoft Azure cloud is taken care of by the Microsoft Azure platform services. Microsoft performs penetration testing of the Azure environment. The results help improve the platform and guide actions such as improving existing security controls, introducing new security controls, and improving security processes.
Q: Please describe your patch management process.
A: AskCody is built on Microsoft Azure Platform as a Service. Microsoft takes care of infrastructure health by keeping the infrastructure updated against all known vulnerabilities for which fixes have been distributed. Since this process is automatic and opaque to the developers, the risk of an information breach resulting from known vulnerabilities is significantly reduced. Patch management and upgrades no longer need to be part of the runbook for operating PaaS-hosted applications, since Microsoft Azure operates the platform.
Q: How are employees trained and educated with respect to privacy and security?
A: All co-workers and third-party users are informed of, or trained in, the Information Security Policy, rules and procedures relevant to their job function. All employees are governed by documented, strict security policies covering acceptable use, customer data, and encryption standards. If you would like to request a copy of these policies, please contact your account manager.
Q: Does the Supplier include the management team in the information security awareness education of all employees? If so, how is this done?
A: Senior executives and the Board of Directors receive continuous training on legal compliance on the same terms as all employees. The Security Officer & Coordinator, who is responsible for ensuring that Information Security is understood, communicated and implemented at the right level in the organization, and that Information Security rules and standards are consistently implemented for AskCody, reports directly to the CEO, Allan Mørch, and the Board of Directors.