Compliance

ISO 27001 Information Security Management Systems


Clause Control Objective Application Description
Information security policies
5.1 Management direction for information security
5.1.1 Policies for information security Yes Inbenta’s set of policies is the structure for managing information security; among others: Acceptable Use of Assets Policy; Access Control Policy; Backup Policy; Change Management Policy; Code of Professional Conduct on Security and Privacy Information; Cryptographic Policy; Internal and External Regulatory Compliance Privacy Information Policy; Privacy Information Policy (HR); Quality Management Policy; Secure Development Policy; Security and Privacy in Projects Policy; Security Information Policy; Supplier Security Policy; Telecommuting Policy.
5.1.2 Review of the policies for information security Yes All these policies are periodically reviewed by our Information Security Management System Team (ISMS Team) to ensure they remain suitable.
Organization of information security
6.1 Internal organization
6.1.1 Information security roles and responsibilities Yes Inbenta establishes an Information Security Management System Team (ISMS Team) to manage security and privacy. Its members are our COO, CISO, Compliance Manager, Human Resources Manager and Office Manager.
6.1.2 Segregation of duties Yes Access to and management of Inbenta’s information security and privacy assets are segregated through our access policy and through the definition of responsibilities in job descriptions.
6.1.3 Contact with authorities Yes Since Inbenta’s data processing is located in Spain, we follow the procedure of the Spanish Data Protection Agency, which acts as the Supervisory Authority for data breaches and GDPR compliance. Protocol description here: https://www.aepd.es/media/guias/Guide-on-personal-data-breach.pdf
6.1.4 Contact with special interest groups Yes In order to keep our ISMS updated we maintain contact with different groups of interest in security and privacy issues, among them our specialized suppliers on these topics (cybersecurity and law consultants) as well as international and national organizations through RSS and forums, including: AWS; CERTSI; Cloud Security Alliance; ENISA; European Data Protection Supervisor; Spanish Data Protection Agency; Spanish National Cryptologic Centre; USA NIST Vulnerability Database.
6.1.5 Information security in project management Yes Inbenta keeps a mandatory Security and Privacy in Projects Policy to address security and privacy over the whole cycle of a project, regardless of its area (from product development to professional services). Its procedures are supervised by the ISMS Team.
6.2 Mobile devices and teleworking
6.2.1 Mobile device policy Yes Inbenta only allows the use of corporate laptops and corporate mobile phones that comply with our security and privacy requirements. For laptops: antivirus (Windows), disk encryption, and access and screensaver locked with a password. Access to and management of confidential information such as corporate email, communication management applications and files are prohibited on mobile phones, and prohibited on laptops unless connected securely to Inbenta’s VPN. All these issues are addressed in our Professional Code of Conduct, a contract of adhesion for employees.
6.2.2 Teleworking Yes Telecommuting is only possible over a secure internet connection and Inbenta’s VPN, with the requirements of control 6.2.1 applied. Connection to public Wi-Fi is prohibited. All these issues are addressed in our Professional Code of Conduct, a contract of adhesion for employees.
CLD.6.3 Relationship between cloud service customer and cloud service provider
CLD.6.3.1 Shared roles and responsibilities within a cloud computing environment Yes Inbenta makes use of Amazon Web Services cloud servers and has signed an Enterprise Agreement with AWS to delimit our rights and responsibilities in terms of security and privacy. We also address these issues in our Subscription Agreement with our clients through responsibility clauses, a Data Processing Agreement and the Acceptable Use of Assets Policy.
Human resource security
7.1 Prior to employment
7.1.1 Screening Partially Prior to employing a professional, Inbenta runs a screening according to local laws and educational and training requirements.
7.1.2 Terms and conditions of employment Yes Inbenta’s contractual agreement with employees includes accepting the following agreements: intellectual property agreement; information confidentiality agreement; Professional Code of Conduct on Information Security and Privacy.
7.2 During employment
7.2.1 Management responsibilities Yes Adherence to and application of Inbenta’s security and privacy policies are mandatory and are regularly supervised by the ISMS Team with the collaboration of managers and team leads.
7.2.2 Information security awareness, education and training Yes Inbenta establishes a mandatory Security Training for all employees that addresses all issues from the Professional Conduct Code and practical do’s and don’ts. Sanctions accepted in the collective bargaining agreement.
7.2.3 Disciplinary process Yes Disciplinary processes and sanctions are carried out according to local laws and contractual regulations to preserve both Inbenta’s and employees’ rights.
A.7.3 Termination and change of employment
A.7.3.1 Termination or change of employment responsibilities Yes Our employee’s Confidentiality Agreement establishes the obligation to keep professional secrecy even after the termination of the employment relationship.
Asset management
8.1 Responsibility for assets
8.1.1 Inventory of assets Yes Inbenta holds an updated inventory of all types of assets, classified by their confidentiality, integrity and availability relevance.
8.1.2 Ownership of assets Yes Each asset is assigned an owner whose job responsibilities are suited to it.
8.1.3 Acceptable use of assets Yes Inbenta establishes an Acceptable Use of Assets Policy mandatory for employees, clients and suppliers.
8.1.4 Return of assets Yes Return of assets is established in contractual clauses for all employees, clients and suppliers.
CLD.8.1.5 Removal of cloud service customer assets Yes Inbenta stores raw logs on its AWS servers, kept for a 100-day window, and also log backups kept until the contract with the client finishes. When this happens, all data is erased within two (2) months.
8.2 Information classification
8.2.1 Classification of information Yes Inbenta classifies information according to its CIA relevance, in 3 levels: confidential; restricted (for internal use only or under supervised authorization); and public.
8.2.2 Labelling of information Yes All information is labelled according to 8.2.1 classification.
8.2.3 Handling of assets Yes Handling of assets is managed according to their CIA relevance.
8.3 Media handling
8.3.1 Management of removable media Yes Removable media is prohibited except for laptops.
8.3.2 Disposal of media Yes Disposal of disks and laptops is done in two phases: first, we check that all information has been removed and hard disks are destroyed; then a specialized disposal supplier is hired to take care of the remainder.
8.3.3 Physical media transfer Yes Media transfer (laptops only) requires an encrypted disk, a strong access password and screensaver activation after 3 minutes.
Access control
9.1 Business requirements of access control
9.1.1 Access control policy Yes Inbenta establishes an Access Control Policy covering access to all of Inbenta’s assets; its owner and supervisor is our CISO, and it is managed only by Systems Administrators. Inbenta uses a role-based security architecture and requires users of the system to be identified and authenticated prior to the use of any system resource. Production resources and all administrative actions are recorded and stored for at least 2 years with an immutable checksum in order to prevent audit logs from being modified.
9.1.2 Access to networks and network services Yes All production resources are managed in the asset inventory system and each asset is assigned an owner. Owners are responsible for approving access to the resource and for performing periodic reviews of access by role.
9.2 User access management
9.2.1 User registration and de-registration Yes Inbenta establishes a procedure for the registration and de-registration of employees and SaaS users in its systems. Access to any Inbenta Production administration network or subsystem is restricted on an explicit need-to-know basis as controlled by the ISO 27001 and 27017 controls. Everything is controlled and monitored by our Operations Team with discretionary, specific roles per employee. Employees accessing the Inbenta Production Network administration are required to use multiple factors of authentication, and both factors and credentials expire with low TTLs, forcing rotation.
9.2.2 User access provisioning Yes User access provisioning is managed by Systems Administrators through a specific method that unifies account types and privileges. Except for specific accounts used for Systems Administration, all accesses are nominal in order to identify who accesses each asset. Access to data and products within Inbenta Backstage and CM/Chat is governed by access rights and can be configured to define discretionary access privileges. Inbenta has various permission levels for users (owner, admin, agent, end-user, etc.) and discretionary per-group roles. Access to data through the API/SDK is governed by API keys, tokens and secrets, as well as identifying headers in both tiers for authentication and authorization.
9.2.3 Management of privileged access rights Yes Privileged access rights are managed according to job responsibilities and the CIA values of the assets.
9.2.4 Management of secret authentication information of users Yes Secret authentication information is managed in the same way as access to assets.
9.2.5 Review of user access rights Yes Asset owners periodically review access to their assets and request changes from Systems Administrators.
9.2.6 Removal or adjustment of access rights Yes Access rights are revoked after termination of the relationship between Inbenta and its employees, suppliers and clients.
9.3 User responsibilities
9.3.1 Use of secret authentication information Yes Users are required, through our different policies and contractual documents, to comply with Inbenta’s security procedures regarding secret authentication information.
9.4 System and application access control
9.4.1 Information access restriction Yes Information access is delimited in accordance with the Access Control Policy and the access rights to each asset.
9.4.2 Secure log-on procedures Yes All access to systems and applications requires a secure log-on procedure with user identification and a secure password, including 2FA in most of them.
9.4.3 Password management system Yes Passwords can only be reset by the end user with an active email address (the username is that same email address); a temporary password-reset URL can be generated by group admins, but a systems administrator can never set or reset any password directly (only their own). Password policies enforce the latest known best minimum requirements, and additional anti-bot detection measures are triggered on all user/password management screens. Password management is interactive and ensures quality passwords: a minimum of 8 characters, at least 1 uppercase letter and at least 1 special character.
9.4.4 Use of privileged utility programs Yes Use of privileged utility programs is restricted to Systems Administration only.
9.4.5 Access control to program source code Yes Access to program source code is restricted following our Access Control Policy and administration rights.
CLD.9.5 Access control of cloud service customer data in shared virtual environment
CLD.9.5.1 Segregation in virtual computing environments Yes
CLD.9.5.2 Virtual machine hardening Yes
Cryptography
10.1 Cryptographic controls
10.1.1 Policy on the use of cryptographic controls Yes Policy of use and implementation guide on cryptographic controls. Inbenta follows secure credential storage best practices by never storing passwords in human-readable form, only as the result of a secure, salted, one-way hash, in databases, filesystems or NoSQL platforms with encryption at rest, and with all in-transit operations to the backend encrypted as well.
10.1.2 Key management Yes Cryptographic key management is in accordance with AWS ACM. For information at rest, encryption keys are managed by AWS KMS using at least AES-256.
Physical and environmental security
11.1 Secure areas
11.1.1 Physical security perimeter Yes Office access protected with fingerprint/ passwords and alarm, restriction of keys to office managers and authorized employees.
11.1.2 Physical entry controls Yes Only authorized personnel access our facilities through fingerprint/password identification.
11.1.3 Securing offices, rooms and facilities Yes We keep an updated Occupational and Physical Security Risks Prevention Plan and are audited annually.
11.1.4 Protecting against external and environmental threats Yes Idem as 11.1.3.
11.1.5 Working in secure areas Yes Idem as 11.1.3.
11.1.6 Delivery and loading areas NO NOT APPLICABLE. We don’t have delivery and loading areas; our buildings are 3 offices, each with only one access door, guarded by employees and locked with a password.
11.2 Equipment
11.2.1 Equipment siting and protection Yes Mandatory policy of locked access, screensaver after 3 minutes with a secure password, and disk encryption.
11.2.2 Supporting utilities Yes All terminals are laptops with a battery.
11.2.3 Cabling security Yes Office Networking Plan; LAN standard; VLAN-segregated network wall ports.
11.2.4 Equipment maintenance Yes Equipment is considered an individual asset and we keep detailed track of its handling.
11.2.5 Removal of assets Yes Removal of assets is only authorized in terms and conditions stated in the Access Control Policy; Code of Professional Conduct on Security and Privacy Information and Telecommuting Policy.
11.2.6 Security of equipment and assets off-premises Yes Off-site assets are protected in terms and conditions in our Access Control Policy; Code of Professional Conduct on Security and Privacy Information and Telecommuting Policy.
11.2.7 Secure disposal or reuse of equipment Yes Disposal of disks and laptops is done in two phases: first, we check all information has been removed, hard disks are destructed, then a specialized disposal supplier is hired to take care of it.
11.2.8 Unattended user equipment Yes Mandatory policy of locked access and screensaver after 3 minutes with a secure password.
11.2.9 Clear desk and clear screen policy Yes Clear desk and screen policy (as in 11.2.8) to avoid unauthorized access to confidential information.
Operations security
12.1 Operational procedures and responsibilities
12.1.1 Documented operating procedures Yes We follow the ITIL methodology for our change management procedure.
12.1.2 Change management Yes Idem as 12.1.1.
12.1.3 Capacity management Yes Our Capacity Management procedure includes making sure that current and future IT capacity needs are covered; controlling the output of the IT infrastructure; developing capacity plans depending on agreed service levels; and managing and streamlining demand for IT services.
12.1.4 Separation of development, testing and operational environments Yes Testing, development and staging environments are separated physically and logically from the Production environment via network isolation, firewalls and NACLs. No actual production data is used in the development or test environments; mock and random data may be generated in order to simulate high data volumes.
CLD.12.1.5 Administrator’s operational security Yes Event logging and administrator and operator logs for AWS cloud servers.
12.2 Protection from malware
12.2.1 Controls against malware Yes Malware control and prevention are performed regularly by the ISMS Team and are included in the security training and the Code of Professional Conduct.
12.3 Backup
12.3.1 Information backup Yes Information backup policy, specified in our Subscription Agreement for clients. Backup periods of every 4, 12 and 24 hours according to information priority.
12.4 Logging and monitoring
12.4.1 Event logging Yes Production resources and all administrative actions are recorded and stored for at least 2 years with an immutable checksum in order to prevent audit logs being modified.
12.4.2 Protection of log information Yes Logging facilities are controlled according to section A11 on physical security and log information access is controlled according to section A9 access controls.
12.4.3 Administrator and operator logs Yes Systems Administration activity is monitored and logged, and its logs are protected according to control 12.4.1.
12.4.4 Clock synchronisation Yes ntpdate (Network Time Protocol, NTP) synchronized with https://www.pool.ntp.org/zone/es
CLD.12.4.5 Monitoring of Cloud Services Yes AWS cloud server operation monitoring.
12.5 Control of operational software
12.5.1 Installation of software on operational systems Yes Rules on the installation of software on operational systems are written down in our mandatory Professional Code of Conduct.
12.6 Technical vulnerability management
12.6.1 Management of technical vulnerabilities Yes We manage technical vulnerabilities through a specific procedure and dedicated team receiving inputs from end-users, clients and employees.
12.6.2 Restrictions on software installation Yes Rules on the installation of software are written down in our mandatory Professional Code of Conduct.
12.7 Information systems audit considerations
12.7.1 Information systems audit controls Yes Our audit requirements and activities are supervised and coordinated by our Systems Administrators to minimize disruptions.
Communications security
13.1 Network security management
13.1.1 Network controls Yes Our network is protected and isolated by firewalls, NACLs (network access control lists), secure HTTPS transport over public networks, DMZ monitoring, regular audits, and network Intrusion Detection and/or Prevention technologies (IDS/IPS) which monitor and/or block malicious traffic and network attacks, active DDoS protection and DNS spoofing monitoring.
13.1.2 Security of network services Yes Idem as 13.1.1.
13.1.3 Segregation in networks Yes Idem as 13.1.1.
CLD.13.1.4 Alignment of security management for virtual and physical networks NO Inbenta Holdings Inc. – AWS Enterprise Agreement.
13.2 Information transfer
13.2.1 Information transfer policies and procedures Yes Communications to systems, servers and web applications use a DigiCert multi-domain SSL certificate. Information confidentiality agreement; Professional Code of Conduct on Information Security and Privacy; NDA contracts with suppliers and collaborators.
13.2.2 Agreements on information transfer Yes Subscription agreements, supplier agreements and Non-Disclosure Agreements address information transfer.
13.2.3 Electronic messaging Yes Google email delivery service with a secure, TLS-encrypted connection.
13.2.4 Confidentiality or nondisclosure agreements Yes We keep our policies and documents updated according to the different information security requirements in terms of confidentiality for all stakeholders and parties involved.
System acquisition, development and maintenance
14.1 Security requirements of information systems
14.1.1 Information security requirements analysis and specification Yes We keep our systems updated according to the different information security requirements from both our company and our clients.
14.1.2 Securing application services on public networks Yes Communications are encrypted via industry best-practice HTTPS and Transport Layer Security (TLS) over public networks. TLS is also supported for encryption of emails.
14.1.3 Protecting application services transactions Yes Idem as 14.1.2.
14.2 Security in development and support processes
14.2.1 Secure development policy Yes We apply a secure development policy in all our SaaS and with our suppliers.
14.2.2 System change control procedures Yes Changes in our systems are controlled through a specific procedure following the ITIL methodology.
14.2.3 Technical review of applications after operating platform changes Yes Our SaaS makes no use of operating platforms; in any case we keep all systems updated, use a technical incident procedure for our clients, and require operating system updates for employees.
14.2.4 Restrictions on changes to software packages Yes Modification of software packages is prohibited according to our Code of Professional Conduct, and in any case requests are controlled by Systems Administration.
14.2.5 Secure system engineering principles Yes Inbenta Support applies the well-known OWASP top security rules. These include inherent controls that reduce our exposure to Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and SQL Injection (SQLi), among others, running as real-time active WAF (web application firewall) rules in front of any HTTP listener.
14.2.6 Secure development environment Yes The development environment is separated physically and logically from other environments according to control 12.1.4, and the SDLC is fully supported on GitLab (supplier). In our QA pipeline, code reviews and tests take place. Several manual and automated tests are performed and integrated with the CI/CD pipelines in order to deploy only tested and secure code; our QA team also participates actively in end-application security, from the development process through the release pipeline/flow.
14.2.7 Outsourced development NO NOT APPLICABLE. All software is developed internally without any supplier’s intervention.
14.2.8 System security testing Yes Security testing is carried out during the product development phase and according to our ITIL methodology on change control.
14.2.9 System acceptance testing Yes System acceptance testing is supervised by Systems Administration.
14.3 Test data
14.3.1 Protection of test data Yes
Supplier relationships
15.1 Information security in supplier relationships
15.1.1 Information security policy for supplier relationships Yes Inbenta establishes a Supplier Security Policy to address security and privacy issues regarding the information Inbenta shares with suppliers and their responsibilities.
15.1.2 Addressing security within supplier agreements Yes Security terms and conditions are addressed in contractual agreements.
15.1.3 Information and communication technology supply chain Yes Security terms and conditions include all parties involved in the whole supply chain.
15.2 Supplier service delivery management
15.2.1 Monitoring and review of supplier services Yes Procedures to assess the level of security of our suppliers are based on a dynamic risk assessment: we classify our risk of non-compliant behavior according to our verification of each vendor’s compliance with international security and privacy standards, by checking their certifications against those standards. If a supplier does not provide a valid certification, we ask them for a detailed description of the mandatory ISMS records and controls, and assess their risk as higher than that of certified suppliers.
15.2.2 Managing changes to supplier services Yes Risk assessment and terms and conditions when working with suppliers are continually updated to meet our security standards.
Information security incident management
16.1 Management of information security incidents and improvements
16.1.1 Responsibilities and procedures Yes Incidents are managed by the ISMS Team and the Security Board. A first level of the Security Board includes two members of the ISMS Team: The Chief Information and Systems Officer (CISO) who also is the Vice-president of Technology, and the Compliance Manager. A second level of the Security Board includes the Chief Operations Officer (COO) who also leads the ISMS, the Chief of Technologies Officer (CTO) and the Chief Executive Officer (CEO).
16.1.2 Reporting information security events Yes We manage security incidents following the procedure of the Spanish Data Protection Agency, which dictates that within a maximum period of 72 hours we must report to the Agency and to all persons and parties affected on the nature, scope and consequences of the incident. Our employees are trained on our internal procedure for finding and reporting security events.
16.1.3 Reporting information security weaknesses Yes In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes as controlled on both ISO 9001 and 27001.
16.1.4 Assessment of and decision on information security events Yes Our ISMS Team assesses security events, classifying them as vulnerabilities or incidents, and following ISO 27007 on security risk assessment.
16.1.5 Response to information security incidents Yes Idem as 16.1.2
16.1.6 Learning from information security incidents Yes Knowledge gained from security events is taken into account following the ISO Plan-Do-Check-Adjust methodology and the risk assessment, to reduce the likelihood and impact of future events.
16.1.7 Collection of evidence Yes Our Security Information and Event Management (SIEM) system gathers extensive logs from important network devices and host systems. The SIEM alerts on triggers that notify the Security team, based on correlated events, for investigation and response. Employees are also trained on collecting and preserving evidence of security and privacy events.
Information security aspects of business continuity management
17.1 Information security continuity
17.1.1 Planning information security continuity Yes Our Business Continuity Plan (BCP) consists of 3 sections: physical security and office emergency plan; IT infrastructure; and IT infrastructure Disaster Recovery Plan (DRP).
17.1.2 Implementing information security continuity Yes Our whole BCP is reviewed annually through an internal audit by the ISMS Team to meet international standards and clients’ expectations.
17.1.3 Verify, review and evaluate information security continuity Yes Idem as 17.1.2.
17.2 Redundancies
17.2.1 Availability of information processing facilities Yes We comply with data redundancy by implementing different availability zones in our cloud server.
Compliance
18.1 Compliance with legal and contractual requirements
18.1.1 Identification of applicable legislation and contractual requirements Yes Inbenta’s Internal and External Regulatory Compliance Policy establishes a Compliance Manager to identify, document and keep updated the regulatory compliance requirements.
18.1.2 Intellectual property rights Yes Inbenta’s intellectual property rights are delimited in contractual clauses for both employees and clients. Regarding the intellectual property rights of the external software we utilize, regulatory compliance is supervised by our ISMS Team.
18.1.3 Protection of records Yes Protection of records is supervised by the ISMS Team and internally audited annually.
18.1.4 Privacy and protection of personally identifiable information Yes Inbenta’s products and services are operated within the European Union’s territory; therefore, to comply with the EU GDPR, our Non-HR Privacy Policy establishes that a Data Processing Agreement is mandatory where required by law or at the client’s will.
18.1.5 Regulation of cryptographic controls Yes Cryptographic controls must be under supervision of regulatory compliance.
18.2 Information security reviews
18.2.1 Independent review of information security Yes Annual external audits in security and privacy.
18.2.2 Compliance with security policies and standards Yes Inbenta’s code of professional conduct includes information security and privacy supervision by managers.
18.2.3 Technical compliance review Yes Annual internal audit following ISO 27007 to certify that information systems comply with Inbenta’s security and privacy policies.
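Two statements in the matrix above are concrete enough to be checked in code: the password management requirements in the access control section (a minimum of 8 characters, at least 1 uppercase letter and at least 1 special character) and the credential storage statement in the cryptography section (passwords stored only as a secure, salted, one-way hash, never in human-readable form). The following Python example is added here for illustration and is not Inbenta’s code; it assumes PBKDF2-HMAC-SHA256 as the one-way hash (the matrix names no algorithm) and treats any ASCII punctuation character as "special" (the matrix does not define the term).

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional

# Policy parameters as stated in the matrix.
MIN_LENGTH = 8
# Assumption: "special character" means any ASCII punctuation character.
SPECIAL_CHARS = set(string.punctuation)

# Assumed hash parameters: the matrix only says "secure, salted, one-way hash".
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def validate_password(password: str) -> List[str]:
    """Return the policy rules the password violates (empty list means compliant)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"at least {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        violations.append("at least 1 uppercase letter")
    if not any(c in SPECIAL_CHARS for c in password):
        violations.append("at least 1 special character")
    return violations


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted one-way hash and return a self-describing storage record.

    Record format: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>
    A fresh random salt is drawn per password, so identical passwords yield
    different records; the plaintext never appears in the record.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{ALGORITHM}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iteration count and compare
    in constant time, so a wrong guess leaks no timing information."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def register(password: str) -> str:
    """Enforce the policy first, then return only the salted hash record for storage.

    Raises ValueError listing every unmet rule, so the user can fix them all at once.
    """
    violations = validate_password(password)
    if violations:
        raise ValueError("password does not meet policy: " + "; ".join(violations))
    return hash_password(password)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ("Short1!", "longpassword", "Correct-Horse-Battery"):
        print(candidate, "->", validate_password(candidate) or "compliant")
    record = register("Correct-Horse-Battery")
    print("stored record:", record)
    print("verify correct:", verify_password("Correct-Horse-Battery", record))
    print("verify wrong:  ", verify_password("correct-horse-battery", record))
```

The record carries its own algorithm name, iteration count and salt, so the iteration count can be raised later for new passwords while old records still verify; the policy check is kept separate from hashing so that the same validator can be reused on the password-reset screen the matrix describes.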