Control Description. The Company’s views on personal and corporate integrity and ethical values, along with guidelines for employee conduct are contained within the Code of Conduct. The Code of Conduct provides a framework for how employees conduct business and perform their duties. The Company maintains a Contractor Agreement, which outlines the Company's associated standards of conduct. Third-party contractors working on behalf of the Company are required to read, accept, and abide by the Agreement before commencing work. Background checks are performed on all new employees using a third-party service. The results are reviewed by HR for appropriateness and appropriate action is taken, as deemed necessary. According to the Code of Conduct, Company personnel witnessing any improper behavior should report such incidents promptly to management and/or HR. On an annual basis, all relevant employees are subject to a formal performance review to assess the employee’s performance in their current roles and to identify opportunities for growth and job performance improvement. The Code of Conduct reiterates that employees who violate company policies are subject to appropriate disciplinary action up to and including termination. The Company is managed by a Board comprised of key investors who are independent of day-to-day management of the Company and the founders/executives. The Board is governed by a charter, meets in executive session on a quarterly basis, and retains full and free access to officers, employees, and the books and records of the Company. The Board and its committees have authority to hire independent legal, financial, or other advisors as deemed necessary or appropriate in the discharge of their duties, including oversight of the development and performance of internal control. Quarterly, the Board meets with members of executive management to discuss operational and financial results and significant matters, risks, and issues facing the Company. HR maintains formal organizational charts to clearly identify positions of authority and the lines of communication and escalation. Employee duties and responsibilities are defined and communicated through job descriptions and policies and procedures. Job descriptions exist for common positions and are periodically reviewed by HR and management for accuracy and updated as needed. The Company maintains an internal control policy which outlines management's responsibility regarding internal controls, frameworks, audit observat...
Control Description. The Company has a dedicated technology support team, consisting of development, IT, and Quality Assurance personnel, which is focused on maintaining the quality of internal information systems. In support of Company initiatives (e.g., SOC), the Company has designed, documented, and implemented IT General Controls (change management; logical and physical access and security; and computer operations) over its relevant information systems to support automated control activities and the quality of information captured, generated, processed, and/or stored therein. The Company maintains a master list of all relevant spreadsheets and system-generated reports/information from internal and external sources used in support of the performance of internal control (IT-dependent manual controls) related to the PRM Application System. The master list is updated as needed, but formally reviewed by applicable department management on an annual basis to ensure completeness and accuracy. On the list, management also specifies how it obtains reasonable assurance that the information being used is sufficiently reliable (e.g., completeness, accuracy, level of detail, change-control) for its intended purpose.
Control Description. The Company maintains an information security incident management policy. The policy defines the protocols for identifying, reporting, investigating, responding to, mitigating, communicating, and documenting suspected or known security incidents and is made available to relevant internal users in the Company's Xxx.xxx site. The Company maintains documentation of system and service descriptions outlining relevant aspects of the design and operation of the system, its boundaries, and components. Documentation is available to relevant internal and/or external users through PRM support pages, the Company's xxx.xxx site, master IT system asset listings, and system/network diagrams. Changes that may affect the Company's security and/or availability commitments and requirements and/or the related responsibilities of internal or external users are communicated directly to the relevant users (via means such as PRM messages, support pages, and user guides; broadcast emails; direct outreach by Project Managers; department meetings; and/or educational events). For user story requests, authorization is given by the Product Owner or management to ensure they meet user needs and the PRM design vision. For reported bugs, authorization occurs once the bugs are verified by internal personnel or automation processes. The Company communicates its security and availability commitments regarding the system to external users via the Subscription Agreement (Terms of Use) and Privacy Policy, which are posted on the Company's website. External user roles and responsibilities are communicated via several mediums, including the Subscription Agreement (Terms of Use) and Privacy Policy, which are posted on the Company’s website. Support contact information is readily available to customers through the Company's website and other Company-provided documentation (e.g., training documentation, Subscription Agreement (Terms of Use)). Customers and/or associated users are encouraged to contact appropriate Company personnel if they become aware of items such as operational or security failures, incidents, system problems, concerns, or other complaints.
Control Description. The Executive Team maintains a strategic plan, which includes department objectives and goals for the coming year. Consideration is given to operational, reporting (external financial, external non-financial, and internal), and compliance objectives. At least quarterly, the Executive Team meets to monitor progress against the Company objectives/goals and to discuss specific business developments, department results, and various risks and opportunities facing the Company. Management communicates business objectives and goals to all team members through various means, including quarterly Company-wide meetings, Company-wide emails, and other messaging systems, as appropriate. The Company has established a Security Council, consisting of members of the IT Operations, Development, Dev/Ops, and Security teams. The Security Council meets regularly to evaluate whether the Company's security initiatives are aligned with operational risks, objectives, and goals. The Company maintains master lists of IT system components (e.g., servers, software, network devices) supporting PRM. The lists are reviewed and updated as needed, but at least annually, for completeness and accuracy. At least annually, the Company performs a formal risk assessment, which includes the identification of relevant internal and external threats (including those arising from customers and the use of vendors/third parties) to system components, an analysis of the risks associated with the identified threats, the determination of appropriate risk mitigation strategies (including procedures over assessing and monitoring vendors/third parties), and the development or modification and deployment of controls consistent with the risk mitigation strategy. As part of the Company's formal risk assessment, management identifies fraud risks and assesses the likelihood of occurrence and potential impact on the Company's operational, reporting, and compliance objectives. Several mediums, such as the formal risk assessment process, quarterly Board of Directors meetings, weekly Executive management team meetings, industry (including security) news feeds/resources, and customer security questionnaires (in RFPs), assist Company personnel in identifying relevant changes (e.g., environmental, regulatory, technology) that could impact business objectives; commitments and requirements to security and availability; and internal and external operations. In response to relevant changes, the risk assessment and related mi...
Control Description. All new requests for access to the colocation facilities must be approved by a member of IT senior management. Upon notification of an applicable employee termination, the Sr. Director of IT or other authorized Company account administrator updates the master access list at the colocation facilities to disable the employees associated physical access rights. On a semi-annual basis, the list of personnel with physical access rights to the colocation facilities are reviewed by a member of IT senior management to validate the ongoing appropriateness of access.
Control Description. The Information Security team maintains an End of Life Policy, which outlines the policies governing the disposition of obsolete or unwanted IT assets and any accompanying software and data stored therein. IT maintains a master list of relevant IT hardware assets. As IT assets containing sensitive software and/or data are deemed end-of-life and ready for sale or disposal, the storage media is removed and securely wiped. The master list is updated to reflect the actions taken on disposed assets.
Control Description. The Sr. Director of IT reviews configured firewall rules on a semi-annual basis for appropriateness and adherence to Company standards. Requests for changes, if any, are documented and submitted to appropriate network personnel for implementation. The Company maintains policies relating to data transmission and storage, which prohibit the transmission of sensitive information over the Internet or other public communication paths (for example, e-mail), unless it is encrypted. In addition, these policies prohibit the storage of customer information on removable media, mobile devices, or other unencrypted end-user storage media. Endpoint security software has been implemented to assist Company personnel in preventing, detecting, and analyzing security-related events, including the introduction of potentially malicious software, on end-user systems and production servers. Endpoints are configured to receive updated threat and virus signatures from the vendor continuously. The software sends a consolidated report to IT at least daily outlining threats detected on relevant endpoints, action taken, etc. Relevant issues are appropriately investigated and, if needed, resolved. The Company maintains a patch management policy, which establishes internal standards for identifying, evaluating, and implementing patches to remediate relevant vulnerabilities. The policy is reviewed and approved by the Sr. Director of IT on an annual basis. IT monitors the availability of patches to network devices and PRM supporting systems (web, database, and support services servers) on a daily basis. Relevant patches are applied in a timely manner, in a phased approach starting with non-production network devices and servers to assess the potential for service disruptions before application to the production servers. For security events deemed to be an "incident," as defined in the Incident Response Policy, the Security Incident Response Team is activated and executes the incident response program, which includes analysis, containment, eradication, recovery, communication to affected parties (internal and external), and post-incident activity, as appropriate. Details of key information gathered and actions performed relating to the incident and associated response are documented in an Incident ticket. The Company’s IT team performs periodic tabletop incident response simulations to test the Company’s Security Incident Response Plan, taking into account the threat, likelihood, magnitude...
Control Description. The front panel has 3 LED’s (light emitting diodes). A yellow ‘CHARGE’ LED indicates when the charger is charging. A yellow ‘80%’ LED indicates when the battery has reached 80% state of charge. A multi-color ‘STATUS’ LED indicates charger status. The front panel has a 2 button keypad that is used to manually stop the charge cycle, and to manually select an equalize cycle. A charge can be stopped by pressing the ‘STOP’ button. An equalize charge can be requested by pressing the ‘=’ button and turned off by pressing it again. DAILY CHARGE CONNECT BATTERY - CHARGER AUTOMATICALLY STARTS AND STOPS WHEN BATTERY IS CHARGED.
Control Description. The front panel has a 3-digit light-emitting-diode (LED) display which normally shows charging amps. This display also shows battery volts per cell when connected. A yellow ‘CHARGE’ LED indicates when the charger is charging. A yellow ‘80%’ LED indicates when the battery has reached 80% state of charge. A multi-color ‘STATUS’ LED indicates charger status. The front panel has a 2 button keypad that is used to manually stop the charge cycle, and to manually select an equalize cycle. A charge can be stopped by pressing the ‘STOP’ button. An equalize charge can be requested by pressing the ‘=’ button and turned off by pressing it again.
