What is Risk Management Strategy (GV.RM)?

The organization’s priorities, constraints, risk tolerance and appetite statements, and assumptions are established and used to support operational risk decisions (formerly ID.RM)

GV.RM-01:

Cybersecurity risk management objectives are established and agreed to by organizational stakeholders (formerly ID.RM-1)

Yes, a risk management strategy (RMS) is established and agreed upon by our leadership team. Also, we have added an RMS review to our Quarterly All Hands meeting so the entire organization gets a refresher, and it covers the following:

  • Cybersecurity Internally and Hosted
    • Social Engineering
    • Bad Actor Awareness
    • User Account Awareness
    • Architecture Review (Changes)
    • Vendor Conformity
  • Disaster Awareness
    • Hurricane (most probable)
    • Power and Communication Outages
  • On-Premise Physical Security
    • Physical and Card Key Management
    • CCTV Awareness and Usage
    • Perimeter Threat Awareness
  • Human Resources
    • Right People in the Right Seats Awareness
  • State of our Industry
    • Vendor Awareness
    • Inventory Controls
    • Technology Life Cycles

GV.RM-02:

Cybersecurity supply chain risk management strategy is established, agreed to by organizational stakeholders, and managed (formerly ID.SC-1)

How are we connected with the supply chain vendors that have access to or manage our PII data? What access do they have? Does the leadership team agree with it?

Veonics Portal

Manages badge holder data and photos for our customers' ID badge programs. The aggregation of data along with photos increases the PII sensitivity.

Our Veonics Portal is a third-party-developed application. As developers, our contractors are provided Super User access to the entire QA instance of the Veonics Portal managed on AWS, and contracted Product Managers are granted access to the Production Site as needed. Vendor Terms and Policies state that under regular software development work, and when Super User rights are not required, all work is done under a user account that does not have access to live Portal instance customer data.

QuickBooks Enterprise

Stores all PCI-compliant and customer data. Only during remote technical support sessions is our data exposed to Intuit's technical support staff, who can only see what is posted on the screen of the computer-based software.

HubSpot

Our CRM and related data are hosted on HubSpot.com. We are not aware that HubSpot can access our or our customers' data. We feel our data is managed securely under their DPA, found here: https://legal.hubspot.com/dpa

PirateShip.com

Contains ID card and badge recipient mailing addresses.

Any addresses or private data provided to Pirate Ship is only used to purchase USPS® labels at the deepest discounts available and UPS® labels at pre-negotiated rates. Pirate Ship respects customer privacy and will never sell or share any information provided.

Stamps.com

From: https://www.stamps.com/privacy-policy/

"We take the privacy of our customers and their downstream customers very seriously. We never share the information of our Customer’s customers under any circumstances unless it is required to complete the transaction contracted with our Customer. In addition, we require our Customers, where applicable, to undertake to respect all relevant data protection laws, including the European Union General Data Protection Regulation (“GDPR”), the California Consumer Privacy Rights Act of 2018 (“CCPA”) and the state and federal law of the United States. This Policy applies to all personal data we collect, process and store in relation to our staff, suppliers and service recipients in the course of its activities, as defined in GDPR and CCPA, and other relevant laws. We make no distinction between the rights of EU Data Subjects who are employees, and those who are not. All are treated equally under this policy."

Avalara

It is a SOC 2-compliant software that reports and pays eXpress badging's applicable sales tax throughout the US.

Reliable

Our cloud-based platform helps your business operate when and where you need it most.

  • Our cloud services are hosted on the global AWS platform. The native redundancy and failover capabilities help keep your business running smoothly.
  • Global engineering operation centers actively monitor our cloud services.

Secure
The Avalara Compliance Cloud and Avalara Tax Compliance Suite are committed to security to keep your data safe and help reduce potential risks.

  • 24/7 security operations center
  • Dedicated security programs
  • Application security
  • IT security
  • Security Incident Response Team (SIRT)
  • Security risk and compliance
  • Red team
  • Cloud Security

Scalable
A scalable solution built to grow with the success of your business.

The Avalara Platform is built to be your scalable solution for sales tax compliance services. We’re focused on ensuring our cloud services can handle increased traffic as your business grows year over year.

  • Horizontally scalable architecture
  • Data-driven analytics
  • Asynchronous processing

GV.RM-03:

Risk appetite and risk tolerance statements are determined and communicated based on the organization’s business environment (formerly ID.RM-2 and ID.RM-3)

GV.RM-04:

Cybersecurity risk management is considered part of enterprise risk management (formerly ID.GV-4)

GV.RM-05:

Strategic direction describing appropriate risk response options, including cybersecurity risk transfer mechanisms (e.g., insurance, outsourcing), investment in mitigations, and risk acceptance is established and communicated

GV.RM-06:

Responsibility and accountability are determined and communicated to ensure that the risk management strategy and program are resourced, implemented, assessed, and maintained

GV.RM-07:

Risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks

GV.RM-08:

The effectiveness and adequacy of cybersecurity risk management strategy and results are assessed and reviewed by organizational leaders