Third Party security control evidence is one of the most sensitive data types that ProcessUnity GRX processes, transmits, or stores. Securing this data is our top priority. Below are the measures we have taken to protect Third Party evidence.
Evidence Uploaded to the ProcessUnity GRX Platform
- Evidence uploaded to the GRX Exchange is encrypted and stored using AES-256 encryption.
- Evidence uploaded to the GRX Exchange is not accessible for download and can only be viewed within the Platform.
- The Third Party member has full control over which Exchange requestors are granted read-only access.
- By default, Exchange requestors are given 28 days to view evidence, after which access is removed.
- Third party owners of evidence can revoke access at any time.
Evidence Handling Process
- The GRX enforces the principle of Least Privilege and requires that only the access needed be granted. The Analyst assigned to an assessment and Quality Control are granted access to view evidence documents.
- The GRX employees dealing with a Third Party’s evidence adhere to the internal Secure Evidence Handling procedural document.
- Downloading evidence artifacts is strictly prohibited by technical and administrative controls. The cases where an exception would be needed are:
  - If a Third Party shares evidence via email
  - If a Third Party shares evidence via their preferred repository
- Evidence transmitted between a Third Party and ProcessUnity GRX is shared only through encrypted communication channels.
- Once the need for evidence ends, all files shared in the manner above are permanently deleted.
- Evidence in transit is encrypted using TLS 1.2.