The purpose of this page is to provide transparency into the safeguards that have been implemented to protect ProcessUnity GRX’s application and our Customers’ data. This is a summary, intended to address the most common questions that we receive from external stakeholders who are interested in the maturity and effectiveness of our security program. For more detailed information you may wish to request a copy of our completed, validated assessment via the GRX platform.
Q: Does ProcessUnity GRX have a team that is dedicated and responsible for the protection of Customer data?
A: Yes. The GRX Security Operations (SecOps) Team is tasked with the implementation of a comprehensive and effective risk management program that covers both our enterprise corporate environment and the GRX platform environment.
Q: Does ProcessUnity GRX have a dedicated security officer?
A: Yes. The GRX has an assigned and dedicated Chief Information Security Officer (CISO) who is responsible for the GRX security program and the management of the SecOps Team.
Q: Is the GRX security program based on industry-standard security best practices and control frameworks?
A: Yes. The GRX security program draws its concepts and its security and privacy controls from a number of global standards and regulations, such as the NIST Special Publication 800 series, ISO/IEC 27001 and 27002, OWASP, GDPR, and CCPA.
Q: Has ProcessUnity GRX developed a security policy framework?
A: Yes. The GRX has developed, and continually refines, a library of security policies, standards, and plans. These documents are accessible to all GRX staff and cover standard security domains such as identity and access management, configuration and change management, personnel security, and incident response. Policies and plans are approved by the GRX Chief Executive Officer (CEO); standards are approved by the CISO.
Q: What are the core elements of the GRX security program?
A: ProcessUnity GRX’s security program is based on an understanding of our assets, their criticality to both the GRX and our Customers, the internal and external threats to those assets, and the effectiveness of our controls in response to those threats. We utilize a risk-based approach where strategic planning and the prioritization of corrective actions is based on a qualitative and quantitative understanding of risks that impact our organization and our Customers.
Q: Has the implementation and effectiveness of the GRX’s security program been assessed or audited by an independent Third Party?
A: Yes. The GRX platform undergoes penetration testing on an annual basis at minimum. The tests are conducted by an independent security contractor. In addition, the results of our ProcessUnity GRX Tier 1 assessment on the GRX platform are validated by Deloitte.
Q: What type of internal security risk or vulnerability assessments does ProcessUnity GRX perform?
A: The GRX uses multiple methods and techniques to evaluate our environments for security weaknesses or vulnerabilities. These methods include, but are not limited to:
- Automated, scheduled vulnerability scanning of operating systems, firmware, middleware, etc.
- Static and dynamic scanning of code repositories.
- Security-focused systems testing as part of the GRX platform’s system development lifecycle (SDLC).
- Manual audits/tests of security control implementation and effectiveness.
- Security-focused interviews with ProcessUnity GRX teams and individual personnel.
- Annual, at minimum, independent penetration testing.
- Ongoing updates of the GRX Tier 1 assessment, including evidence validation by Deloitte and KPMG.
Q: Are the GRX employees subject to a background screening prior to being provided access to any Customer data?
A: Yes. All employees must successfully pass a background check before finalizing the job offer and onboarding process. New hires are not given access to any ProcessUnity GRX systems or data until the background screening process is complete.
Q: Has the GRX implemented a security awareness and training program?
A: Yes. The GRX leverages an industry-standard tool to plan, develop, execute, and track security-focused training. All new hires are required to complete training within five days of onboarding. All employees are required to complete quarterly security training. In addition, employees may be asked to complete unscheduled training based on the outcome of internal testing (e.g. phishing campaigns) or violations of security policy.
Q: Does the GRX process, transmit, or store any Customers’ personally identifiable information (PII)?
A: Yes, but this is limited to business contact information only. Specifically, we collect an individual’s name, along with their business email address and business phone number.
Q: What physical security controls has ProcessUnity GRX put in place to protect Customer data?
A: The GRX Exchange platform is hosted by Amazon Web Services (AWS) in U.S. datacenters. All physical security controls directly associated with the platform are inherited from AWS. For more information about AWS’s physical security program please visit: https://aws.amazon.com/compliance/data-center/controls/. The GRX headquarters is located in Denver, Colorado. This facility is protected by safeguards that include electronic locks, badge readers, CCTV surveillance at all ingress and egress points, access logging and audits, and a centralized fire detection and suppression system.
Q: Has the GRX implemented multi-factor authentication (MFA) as a means to access the GRX platform?
A: Yes. MFA is available to all ProcessUnity GRX users and is enabled per user account. When enabled, the user supplies a one-time passcode (OTP) generated by an authenticator application of their choice in addition to their username and password.
Q: How does ProcessUnity GRX encrypt data in transit and at rest?
A: All Customer data (name, business email, business phone, assessment answers, etc.) is encrypted in transit using TLS 1.2 or higher. Customer data is encrypted at rest using AES-256.
Q: Does the GRX have a policy regarding the use of removable storage media?
A: Yes. The use of removable media to transmit or store Customer data is strictly forbidden by policy. Any exceptions to this policy must be approved by the CISO.
Q: How often does the GRX backup Customer data, and are data backups ever tested?
A: The GRX performs full, daily backups of the platform’s production database. Backups are tested on a monthly basis, at minimum.
Q: Has the GRX defined a recovery time objective (RTO) or recovery point objective (RPO)?
A: Yes. Our RTO is 48 hours and our RPO is 24 hours, consistent with the daily backup cadence described above.
Q: How does the GRX ensure that their application code is free of vulnerabilities or flaws?
A: ProcessUnity GRX’s application follows a defined system development lifecycle (SDLC). All code changes must be approved by a product manager, a peer developer, and a tester before being deployed to the production environment. The SDLC process includes submitting all updated code repositories for code vulnerability scanning. Application code is deployed through a staged process: changes are applied first in the staging environment, where they are tested, then in the demo environment for additional testing, and finally in the production environment. In addition, the running GRX platform is dynamically scanned by our code vulnerability scanning solution and is penetration tested at least annually.
Q: Does ProcessUnity GRX have an incident response program in place?
A: Yes. Our incident response program is documented in the GRX Incident Response Plan and a library of incident playbooks that cover response procedures for specific types of incidents. We utilize a suite of industry-standard tools to assist in the identification, verification, containment, analysis, and removal of threats from our computing environments.
Q: Does the GRX have an incident notification process in place?
A: Yes. Per our legal agreements with Customers we are required to notify any potentially affected Customers within 24 hours of verification of a security incident.