Third-Party Service Provider Due Diligence FAQ

As a customer, it’s important for you to have peace of mind regarding your valuable data and workflows. It’s critical to your business that the service provider you choose can is secure, highly-available, focuses on your privacy and confidentiality, and maintains integrity through its processes.

Here are some of the most frequently asked questions our customers ask:

Category

Question

Response

Category

Question

Response

Risk

Has your organization implemented a formal risk assessment program to proactively and routinely identify information security and business continuity risks?

Yes, PSIGEN Software, Inc. is a SOC 2 Type II certified service provider.

Risk

Does your organization’s formal risk assessment program identify internal and external risks to the confidentiality, integrity, and availability of client data processed or stored by your organization?

Yes, PSIGEN Software, Inc. regularly and critically evaluates risks to ongoing operations to ensure the highest levels of trust are maintained.

Risk

Does your organization conduct routine penetration and/or vulnerability assessments? Are discovered vulnerabilities tracked and remediated?

Yes, PSIGEN Software, Inc. performs routine tests to assess its security posture. Discovered vulnerabilities are tracked and remediation steps implemented based on the findings.

Risk

Does your organization conduct risk assessments of your third-party providers?

Yes, PSIGEN Software, Inc. considers risks to its service providers during its risk assessment process. Further, PSIGEN works with certified providers that provide similar compliance assessments (e.g. SOC reporting, etc.).

Risk

How does your organization monitor cyber threats and analyze known distributed denial of service (DDoS) attacks to determine the likelihood of--as well as impact of--the attacks to your business and clients?

PSIGEN Software, Inc. performs regular corporate risk assessments, daily monitoring of network traffic, daily threat-vector review, and monthly management security reviews. Each of these inform management as to appropriate actions to mitigate threats.

Risk

Does your organization have a formal business continuity plan?

Yes, PSIGEN Software, Inc. has a formal plan for ensuring ongoing operations. This covers Account Management, IT, Engineering, Operations, and Accounting.

Security

Does your organization have a written information security policy that aligns to recognized industry standards or published information security frameworks?

Yes, PSIGEN Software, Inc. has a written policy that adheres to current standards.

Security

Does you organization have an information security oversight function? Are there dedicated information security resources in your organization? What is the responsible position?

Yes, PSIGEN Software, Inc. has a dedicated Information Technology Operations team. The Senior Director of Operations & Engineering oversees IT Operations.

Security

Does your organization have a data classification policy and procedures placing controls around situations whereby clients' personal or other sensitive information may be stored, accessed, or transported outside of your organization’s business premises?

Yes, clients' personal and sensitive information is strictly prohibited from transport out of the hosting center(s) provisioned except in such cases where the client is directly involved in initial seeding or exit of the business relationship.

Security

Does your organization have technical controls to augment, and procedures to support, your information security policies?

Yes, as a SOC 2 Type II certified organization, PSIGEN Software, Inc. has a number of controls and processes in place to ensure information security is maintained throughout the program.

Security

Has your executive management defined information security goals and dos it have a commitment to information security?

Yes, as a SOC 2 Type II certified organization, management is highly committed to information assurance and security.

Security

Are non-disclosure agreements (NDAs) required to be signed by employees, contractors, third-party service providers, and others?

Yes, PSIGEN Software, Inc. requires each employee and contracting entity to have in place a non-disclosure agreement. Additional legal requirements are put in place for service provider entities that further instill accountability.

Security

Does your company limit access to client information to only those that require it in order to support said client?

Yes, PSIGEN Software, Inc. practices the principle of least privilege, which is the practice of limiting access rights for users to the bare minimum permissions they need to perform their work.

Security

Are antivirus and malware technologies installed on all team member workstations?

Yes, PSIGEN Software, Inc. maintains active defense software on all team member workstations.

Security

Are antivirus and malware technologies installed on all production servers?

Yes, PSIGEN Software, Inc. maintains active defense software on all production servers.

Security

How often are IPS/IDS (firewall) device rules reviewed? Is the default security posture to deny all unless explicitly authorized?

Yes, PSIGEN Software, Inc. denies all traffic unless otherwise allowed. IPS/IDS device logs are reviewed regularly, notifications are sent for exceptions to notify staff of alerts, and remediations are performed as necessary. All security postures are reviewed at least annually, and usually more often due to the ever-changing nature of attack vectors.

Security

Is a removable media policy in place for production servers hosting client data? Are USB and CD drives disabled from copying client data to a portable device?

Yes, PSIGEN Software, Inc. physically restricts access to any production device and disallows access to removable media as standard policy.

Security

Are wireless networks in place at production facilities?

No, PSIGEN Software, Inc. only allows physical network cable connections to all production devices. No wireless networks are allowed to mingle with production networks.

Security

Is the database tier accessible from the internet?

For PSIsafe, SQL is currently available on a non-standard, high port number and requires point-to-point encryption (via SSL certificate).

Security

Does your organization allow telnet, rlogin, FTP, SMTP, RSH/RCP or any other unsecured protocol into or out of your network?

No, PSIGEN Software, Inc. takes steps to ensure any unsecured services are either disabled or require a VPN to facilitate connection. All connections are required to be encrypted as standard practice.

Security

Do websites and/or applications that store or process client data use encryption at rest as well as in transit?

Yes, PSIGEN Software, Inc. ensures that every customer endpoint and data repository is encrypted in its cloud. TLS encryption is required. The level of encryption is determined via client-server negotiation, where PSIGEN servers maintain the latest level of encryption commercially available.

Security

Do all administrator-level accounts have unique login IDs? Are shared IDs prohibited?

Yes, all privileged accounts require unique identification, and shared IDs are expressly prohibited.

Security

Are user accounts locked after a certain number of failed attempts?

Yes, all accounts are locked after a preset number of unsuccessful login attempts have been made.

Security

Are all authentication credentials encrypted during transmission and storage?

Yes, PSIGEN Software, Inc. ensures authentication credentials are secured using current best practices. In cases where exceptions are noted, those methods are refactored.

Security

Does your organization have a formal password policy?

Yes, PSIGEN Software, Inc. enforces strong password policies.

Security

Are session timeouts configured for applications?

Yes, PSIGEN Software, Inc. enforces session timeouts to ensure a secure, stable hosting environment.

Security

Is two-factor authentication required for remote access to your hosting center(s)

Yes, all access to hosting centers require multiple authentications.

Physical Security

Does your organization have a physical security policy that has been documented, approved, communicated, implemented, and reviewed by auditors on an annual basis?

Yes, PSIGEN Software, Inc. partners with leading data center firms that are also certified and support a rigorous physical security policy.

Physical Security

Are entries and exits secured, alarmed, and monitored?

Yes, PSIGEN Software, Inc. has partners that are required to provide robust physical security.

Physical Security

Is entry into your data centers stored and processed restricted to only those parties that require access? Is data center access secured by additional key, key card, or biometric measures?

Yes, PSIGEN Software, Inc. practices the principle of least privilege, which is the practice of limiting access rights for users to the bare minimum permissions they need to perform their work. All physical access is secured appropriately.

Physical Security

Is there a generator present within the data centers?

Yes, all data centers have robust power failover during power loss.

Asset Management

Does your organization have a formal, documented asset management program that tracks the treatment, handling, disposal, destruction, and reuse of all assets that contain or process client information?

Yes, PSIGEN Software, Inc. has a formal policy for asset disposition that considers personal data as well as intellectual property rights.

Asset Management

Does your organization have an acceptable use policy that governs how employees can access and use company-supplied assets, such as email, computers, and mobile devices that will prevent them from exploiting confidential information?

Yes, PSIGEN Software, Inc. has a published acceptable use policy and regularly coaches employees on use of corporate assets on and off company time.

Asset Management

Has your organization implemented a formal, documented policy to obtain the return of company-owned assets from employees no longer working at your organization?

Yes, PSIGEN Software, Inc. has very specific guidelines in place for return of company property which stipulates that former team members may face criminal charges if violated.

Asset Management

Are employees permitted to install unauthorized or unapproved applications on corporate workstations, servers and mobile devices?

No, PSIGEN Software, Inc. are not permitted to install unauthorized software on corporate assets. Company assets are managed using centralized, corporate management tools.

Asset Management

Are controls in place to lock devices when unattended?

Yes, PSIGEN Software, Inc. configures all systems to lock after a predefined time when unattended.

Human Resources

Do job descriptions include security roles and responsibilities? How are security responsibilities communicated to the job candidates prior to employment and after hire?

Yes, PSIGEN Software, Inc. provides details to each candidate and/or team member before and during employment. This is accomplished via published success profiles / job descriptions, policy review, training, and coaching. Each role has a unique--and important--role to play in our security posture!

Human Resources

Does your organization perform background checks on employees include criminal, credit, professional/academic, references, and/or drug screening?

PSIGEN Software, Inc. holds its team members to the highest standards. In addition to our thorough hiring process, we perform professional reference checks as well as criminal background checks during the hiring process.

Human Resources

Are employees required to attend security awareness training? If so, how often is the training refreshed? Does the training include the proper handling of personal information?

Yes, all PSIGEN Software, Inc. team member are required to review company polices and attend information awareness training at least annually. The training is reviewed annually and refreshed as needed. Training specifically focuses on the handling of personal information.

Human Resources

Does your organization impose disciplinary measures for violations of company policies, including information security policies?

Yes. PSIGEN Software, Inc. ensures associates are trained in information security best practices on a regular basis. Violations of company policy are addressed based on human resources guidelines.

Human Resources

Does your organization update user access controls when job roles change or people are terminated?

Yes, PSIGEN Software, Inc. immediately alters user access upon employment status changes. This is normally performed at the time of departure or termination.

Change Management

Do you have any automated tools to support the change management process including requesting and approving changes?

Yes, PSIGEN Software, Inc. utilizes cloud-based tools to submit, manage, remediate, and report on changes to the system.

Change Management

Are all changes made by third-party to network services, such as routers, firewalls, or IDS/IPS equipment approved prior to change?

All configuration changes are approved by IT Operations. Major changes are evaluated by management based on risk assessment practices. Given the accelerated pace of attack vectors, software, firmware, and blacklist updates are generally evaluated and applied continuously.

Change Management

Is there segregation of duties between those requesting, approving, and implementing a change?

Yes, PSIGEN Software, Inc. requires either external or executive stakeholder for major configuration changes. Patch management is handled by IT Operations during normal maintenance windows.

Operations

Please confirm only the application platform components, libraries, modules, APIs, files and objects required to execute your application are installed on the production application platform?

Yes, PSIGEN Software, Inc. has made significant investment in architecting its cloud platform. Each production server has dedicated function in the production system and no unnecessary applications are permitted on these systems.

Operations

Are backups or replication of important data performed? Does a documented procedure exist detailing how often backups (daily/incremental/full) are performed, how the backups are encrypted, when the backup media and restoration procedures are tested, and that the backups are stored offsite?

Yes, PSIGEN Software, Inc. takes protection of its customers data very seriously. IT Operations utilizes a layered approach to backups, ensuring that backups are taken frequently, transported offsite regularly, and replicated geographically to ensure regional disasters' impact are mitigated.

Operations

Is network traffic monitored 24x7x365? Are alerts sent to centrally managed?

Yes, PSIGEN Software, Inc. actively monitors and manages all of its network traffic. Events are regularly reviewed by IT Operations, and executives are made aware of any anomalous activities requiring remediation.

Operations

Are all inbound/outbound email communications scanned for virus, spam, and malware?

Yes, PSIGEN Software, Inc. subscribes to monitoring of all inbound and outbound email traffic.

Operations

Do IPS/IDS devices proactively alert staff of issues in realtime?

Yes, all security devices alert IT Operations of events in realtime.

Operations

Are your default service accounts changed when deployed in cloud?

Yes, PSIGEN Software, Inc. changes all default security settings as part of its hardened security posture.

Operations

Does your organization have an official incident response policy that requires employees to report all potential incidents, notify clients, or other affected persons or parties in the event of a breach? Further, does your organization practice post incident reviews and remediation to implement corrective actions?

Yes, PSIGEN Software, Inc. has an incident response policy by which team members are trained and actively participate. PSIGEN Software, Inc. makes a practice of reviewing incidents after they occur to evaluate impact and implement new practices to further harden its security posture and strengthen its privacy practices.

Operations

Is there an incident response team?

Yes, typically this involves IT Operations, executive stakeholders as first responders. This may require additional expertise from Engineering to remediate and test adjustments to posture.

Operations

What monitoring tools, procedures, etc. are in place to detect incidents?

PSIGEN Software, Inc. utilizes a layered approach to monitoring and detection, including node and perimeter defense systems, and regularly meets to discuss any anomalies.

Operations

Is there an alternative site available for continued data center operations as well as corporate operations to support its customers?

Yes, PSIGEN Software, Inc. is a fully virtual company, meaning that assets and team members are geographically dispersed. Additionally, data is geo-replicated to ensure maximum availability should a disaster our outage occur.