Control Description. The Company’s views on personal and corporate integrity and ethical values, along with guidelines for employee conduct are contained within the Code of Conduct. The Code of Conduct provides a framework for how employees conduct business and perform their duties. The Company maintains a Contractor Agreement, which outlines the Company's associated standards of conduct. Third-party contractors working on behalf of the Company are required to read, accept, and abide by the Agreement before commencing work. Background checks are performed on all new employees using a third-party service. The results are reviewed by HR for appropriateness and appropriate action is taken, as deemed necessary. According to the Code of Conduct, Company personnel witnessing any improper behavior should report such incidents promptly to management and/or HR. On an annual basis, all relevant employees are subject to a formal performance review to assess the employee’s performance in their current roles and to identify opportunities for growth and job performance improvement. The Code of Conduct reiterates that employees who violate company policies are subject to appropriate disciplinary action up to and including termination. Board oversite and development of controls Control Description The Company is managed by a Board comprised of key investors who are independent of day-to-day management of the Company and the founders/executives. The Board is governed by a charter, meets in executive session on a quarterly basis, and retains full and free access to officers, employees, and the books and records of the Company. The Board and its committees have authority to hire independent legal, financial, or other advisors as deemed necessary or appropriate in the discharge of their duties, including oversight of the development and performance of internal control. Quarterly, the Board meets with members of executive management to discuss operational and financial results and significant matters, risks, and issues facing the Company. Management reporting lines & responsibility over objectives Control Description HR maintains formal organizational charts to clearly identify positions of authority and the lines of communication and escalation. Employee duties and responsibilities are defined and communicated through job descriptions and policies and procedures. Job descriptions exist for common positions and are periodically reviewed by HR and management for accuracy and updated as needed. The ...
Control Description. The Company has a dedicated technology support team, consisting of development, IT, and Quality Assurance personnel, which is focused on maintaining the quality of internal information systems. In support of Company initiatives (e.g., SOC), the Company has designed, documented, and implemented IT General Controls (change management; logical and physical access and security; and computer operations) over its relevant information systems to support automated control activities and the quality of information captured, generated, processed, and/or stored therein. The Company maintains a master list of all relevant spreadsheets and system-generated reports/information from internal and external sources used in support of the performance of internal control (IT-dependent manual controls) related to the PRM Application System. The master list is updated as needed, but formally reviewed by applicable department management on an annual basis to ensure completeness and accuracy. On the list, management also specifies how it obtains reasonable assurance that the information being used is sufficiently reliable (e.g., completeness, accuracy, level of detail, change-control) for its intended purpose. Internal communication of objectives & responsibilities
Control Description. The Company maintains an information security incident management policy. The policy defines the protocols for identifying, reporting, investigating, responding to, mitigating, communicating, and documenting suspected or known security incidents and is made available to relevant internal users in the Company's Xxx.xxx site. The Company maintains documentation of system and service descriptions outlining relevant aspects of the design and operation of the system, its boundaries, and components. Documentation is available to relevant internal and/or external users through PRM support pages, the Company's xxx.xxx site, master IT system asset listings, and system/network diagrams. Changes that may affect the Company's security and/or availability commitments and requirements and/or the related responsibilities of internal or external users are communicated directly to the relevant users (via means such as PRM messages, support pages, and user guides; broadcast emails; direct outreach by Project Managers; department meetings; and/or educational events). For user story requests, authorization is given by the Product Owner or management to ensure they meet user needs and the PRM design vision. For reported bugs, authorization occurs once the bugs are verified by internal personnel or automation processes. External communication of internal controls Control Description The Company communicates its security and availability commitments regarding the system to external users via the Subscription Agreement (Terms of Use) and Privacy Policy, which are posted on the Company's website. External user roles and responsibilities are communicated via several mediums, including the Subscription Agreement (Terms of Use) and Privacy Policy, which are posted on the Company’s website. Support contact information is readily available to customers through the Company's website and other Company-provided documentation (e.g., training documentation, Subscription Agreement (Terms of Use)). Customers and/or associated users are encouraged to contact appropriate Company personnel if they become aware of items such as operational or security failures, incidents, system problems, concerns, or other complaints. Identification and assessment of risks
Control Description. The Executive Team maintains a strategic plan, which includes department objectives and goals for the coming year. Consideration is given to operational, reporting (external financial, external non-financial, and internal), and compliance objectives. At least quarterly, the Executive Team meets to monitor progress against the Company objectives/goals and to discuss specific business developments, department results, and various risks and opportunities facing the Company. Management communicates business objectives and goals to all team members through various means, including quarterly Company-wide meetings, Company-wide emails, and other messaging systems, as appropriate. The Company has established a Security Council, consisting of members of the IT Operations, Development, Dev/Ops, and Security teams. The Security Council meets regularly to evaluate whether the Company's security initiatives are aligned with operational risks, objectives, and goals. Risk analysis and management Control Description The Company maintains master lists of IT system components (e.g., servers, software, network devices) supporting PRM. The lists are reviewed and updated as needed, but at least annually, for completeness and accuracy. At least annually, the Company performs a formal risk assessment, which includes the identification of relevant internal and external threats (including those arising from customers and the use of vendors/third parties) to system components, an analysis of the risks associated with the identified threats, the determination of appropriate risk mitigation strategies (including procedures over assessing and monitoring vendors/third parties), and the development or modification and deployment of controls consistent with the risk mitigation strategy. Fraud assessment Control Description As part of the Company's formal risk assessment, management identifies fraud risks and assesses the likelihood of occurrence and potential impact on the Company's operational, reporting, and compliance objectives. Identification of changes that impact the system Control Description Several mediums, such as the formal risk assessment process, quarterly Board of Directors meetings, weekly Executive management team meetings, industry (including security) news feeds/resources, and customer security questionnaires (in RFPs), assist Company personnel in identifying relevant changes (e.g., environmental, regulatory, technology) that could impact business objectives; commitmen...
Control Description. All new requests for access to the colocation facilities must be approved by a member of IT senior management. Upon notification of an applicable employee termination, the Sr. Director of IT or other authorized Company account administrator updates the master access list at the colocation facilities to disable the employees associated physical access rights. On a semi-annual basis, the list of personnel with physical access rights to the colocation facilities are reviewed by a member of IT senior management to validate the ongoing appropriateness of access. Asset management
Control Description. The Information Security team maintains an End of Life Policy, which outlines the policies governing the disposition of obsolete or unwanted IT assets and any accompanying software and data stored therein. IT maintains a master list of relevant IT hardware assets. As IT assets containing sensitive software and/or data are deemed end-of-life and ready for sale or disposal, the storage media is removed and securely wiped. The master list is updated to reflect the actions taken on disposed assets. Logical access
Control Description. The Sr. Director of IT reviews configured firewall rules on a semi-annual basis for appropriateness and adherence to Company standards. Requests for changes, if any, are documented and submitted to appropriate network personnel for implementation. Data movement Control Description The Company maintains policies relating to data transmission and storage, which prohibit the transmission of sensitive information over the Internet or other public communication paths (for example, e-mail), unless it is encrypted. In addition, these policies prohibit the storage of customer information on removable media, mobile devices, or other unencrypted end-user storage media. Unauthorized or malicious software Control Description Endpoint security software has been implemented to assist Company personnel in preventing, detecting, and analyzing security-related events, including the introduction of potentially malicious software, on end-user systems and production servers. Endpoints are configured to receive updated threat and virus signatures from the vendor continuously. The software sends a consolidated report to IT at least daily outlining threats detected on relevant endpoints, action taken, etc. Relevant issues are appropriately investigated and, if needed, resolved. Patch management Control Description The Company maintains a patch management policy, which establishes internal standards for identifying, evaluating, and implementing patches to remediate relevant vulnerabilities. The policy is reviewed and approved by the Sr. Director of IT on an annual basis. IT monitors the availability of patches to network devices and PRM supporting systems (web, database, and support services servers) on a daily basis. Relevant patches are applied in a timely manner, in a phased approach starting with non-production network devices and servers to assess the potential for service disruptions before application to the production servers. Incident management Control Description For security events deemed to be an "incident," as defined in the Incident Response Policy, the Security Incident Response Team is activated and executes the incident response program, which includes analysis, containment, eradication, recovery, communication to affected parties (internal and external), and post-incident activity, as appropriate. Details of key information gathered and actions performed relating to the incident and associated response are documented in an Incident ticket. The Company’s IT team...
Control Description. The front panel has 3 LED’s (light emitting diodes). A yellow ‘CHARGE’ LED indicates when the charger is charging. A yellow ‘80%’ LED indicates when the battery has reached 80% state of charge. A multi-color ‘STATUS’ LED indicates charger status. The front panel has a 2 button keypad that is used to manually stop the charge cycle, and to manually select an equalize cycle. A charge can be stopped by pressing the ‘STOP’ button. An equalize charge can be requested by pressing the ‘=’ button and turned off by pressing it again. CHARGE 80% STATUS EMERGENCY STOP PRESS THE STOP BUTTON BEFORE DISCONNECTING THE BATTERY. STOP DAILY CHARGE CONNECT BATTERY - CHARGER AUTOMATICALLY STARTS AND STOPS WHEN BATTERY IS CHARGED. = 046-0266 Control
Control Description. The front panel has a 3-digit light-emitting-diode (LED) display which normally shows charging amps. This display also shows battery volts per cell when connected. A yellow ‘CHARGE’ LED indicates when the charger is charging. A yellow ‘80%’ LED indicates when the battery has reached 80% state of charge. A multi-color ‘STATUS’ LED indicates charger status. The front panel has a 2 button keypad that is used to manually stop the charge cycle, and to manually select an equalize cycle. A charge can be stopped by pressing the ‘STOP’ button. An equalize charge can be requested by pressing the ‘=’ button and turned off by pressing it again. CHARGE 80% STATUS EMERGENCY STOP PRESS THE STOP BUTTON BEFORE DISCONNECTING THE BATTERY. = STOP 046-0267 Control
