
What is Risk Management Strategy (GV.RM)?

This category emphasizes establishing priorities, constraints, risk tolerances, and assumptions to support operational risk decisions, and ensures that these processes are integrated into the organization's overall governance and decision-making frameworks.

GV.RM-01:

Cybersecurity risk management objectives are established and agreed to by organizational stakeholders (formerly ID.RM-1)

Yes, a risk management strategy (RMS) is established and agreed upon by our leadership team. We have also added an RMS review to our Quarterly All Hands meeting so the entire organization gets a refresher; the review covers the following:

  • Cybersecurity, Internal and Hosted
    • Social Engineering
    • Bad Actor Awareness
    • User Account Awareness
    • Architecture Review (Changes)
    • Vendor Conformity
  • Disaster Awareness
    • Hurricane (most probable)
    • Power and Communication Outages
  • On-Premise Physical Security
    • Physical and Card Key Management
    • CCTV Awareness and Usage
    • Perimeter Threat Awareness
  • Human Resources
    • Right People in the Right Seats Awareness
  • State of our Industry
    • Vendor Awareness
    • Inventory Controls
    • Technology Life Cycles

GV.RM-02:

Cybersecurity supply chain risk management strategy is established, agreed to by organizational stakeholders, and managed (formerly ID.SC-1)

How are we connected to our supply chain vendors regarding their access to or management of our Personally Identifiable Information (PII)? What specific access privileges do they hold? Has the leadership team reviewed and approved these arrangements?

AT&T's SOC 2 Compliance Overview

AT&T's services, including its Office@Hand platform, undergo annual third-party SOC 2 Type II audits. These audits assess the design and operational effectiveness of AT&T's controls relevant to security, availability, confidentiality, and privacy, assuring that AT&T maintains robust controls to protect customer data.

eXpress badging's Alignment with AT&T's SOC 2 Protocols

eXpress badging leverages AT&T's SOC 2-compliant infrastructure to support its internet and telecommunications needs, ensuring that data security measures are in place throughout the supply chain. Key practices include:

  • Data Encryption: Utilizing AT&T's services that support encryption of data in transit, safeguarding sensitive information against unauthorized access.

  • Access Controls: Implementing strict access controls and authentication mechanisms to ensure that only authorized personnel can access sensitive systems and data.

  • Monitoring and Logging: Employing AT&T's Security Operations Center (SOC) services to monitor system activity, enabling the detection of anomalous behavior and facilitating timely responses to potential security incidents.

  • Regular Audits: Conducting periodic reviews and audits of AT&T service configurations and access logs to ensure ongoing compliance with SOC 2 requirements.

Shared Responsibility Model

While AT&T manages the security of its telecommunications infrastructure, eXpress badging is responsible for securing its data and applications that utilize these services. This shared responsibility model necessitates that eXpress badging implements appropriate security measures, such as configuring secure network settings, managing user access, and ensuring application-level security.

By adhering to AT&T's SOC 2 compliance protocols and implementing robust security measures within its own operations, eXpress badging demonstrates a commitment to maintaining a secure supply chain, thereby aligning with the objectives of NIST CSF Subcategory GV.RM-02.

AWS SOC 2 Compliance Overview

AWS undergoes independent third-party audits to produce System and Organization Controls (SOC) reports, including SOC 2, which evaluates the design and operational effectiveness of AWS's controls relevant to security, availability, confidentiality, and privacy. These reports provide assurance that AWS maintains robust controls to protect customer data.

eXpress badging's Alignment with AWS SOC 2 Protocols

eXpress badging leverages AWS's SOC 2-compliant infrastructure to host its services, ensuring data security measures are in place throughout the supply chain. Key practices include:

  • Data Encryption: Utilizing AWS Key Management Service (KMS) to encrypt data at rest and in transit, safeguarding sensitive information against unauthorized access.

  • Access Controls: Implementing AWS Identity and Access Management (IAM) to enforce the principle of least privilege, ensuring that users have only the permissions necessary to perform their roles.

  • Monitoring and Logging: Employing AWS CloudTrail and Amazon CloudWatch to monitor system activity, enabling the detection of anomalous behavior and facilitating timely responses to potential security incidents.

  • Regular Audits: Conducting periodic reviews and audits of AWS configurations and access logs to ensure ongoing compliance with SOC 2 requirements.

Shared Responsibility Model

While AWS manages the security of the cloud infrastructure, eXpress badging is responsible for securing its data and applications within the cloud. This shared responsibility model necessitates that eXpress badging implements appropriate security measures, such as configuring security groups, managing user access, and ensuring application-level security.

By adhering to AWS's SOC 2 compliance protocols and implementing robust security measures within its operations, eXpress badging demonstrates a commitment to maintaining a secure supply chain, thereby aligning with the objectives of NIST CSF Subcategory GV.RM-02.

Veonics Portal

The Veonics Portal is a third-party application designed to manage badge holder data and photographs for our customers' ID badge programs. The combination of this data with images heightens the sensitivity of Personally Identifiable Information (PII).

To ensure security, our contractors, who develop the Veonics Portal, are granted Super User access solely to the Quality Assurance (QA) environment, which is hosted on AWS. Access to the production environment is limited to contracted Product Managers on a need-to-know basis. According to our Vendor Terms and Policies, all software development activities, when Super User access is not necessary, are conducted using user accounts that do not have access to live customer data within the Portal.

QuickBooks Enterprise

QuickBooks Enterprise is a robust accounting software solution designed to cater to the needs of medium to large-sized businesses. It securely stores all data in compliance with the Payment Card Industry Data Security Standard (PCI DSS), ensuring that sensitive customer information, including payment details and personal identification, is protected against unauthorized access. This compliance not only demonstrates a commitment to maintaining high security standards but also fosters trust among users who rely on QuickBooks for their financial management needs.

During remote technical support sessions, there may be instances where data is temporarily visible to Intuit's support staff. However, it's important to note that access is strictly controlled and limited to what is displayed on the screen at that moment. This means that sensitive information, such as full credit card numbers or customer financial details, remains protected and is not accessible to support personnel beyond what is necessary to assist with the issue at hand.

Furthermore, QuickBooks Enterprise incorporates advanced encryption protocols and secure data transmission methods, ensuring that any information exchanged during support sessions is safeguarded against interception or unauthorized viewing. Intuit also employs rigorous internal policies and training for their support staff to ensure they handle customer data with the utmost care and in accordance with best practices for data protection.

By leveraging these security measures, QuickBooks Enterprise not only provides a reliable platform for financial management but also prioritizes the safety and confidentiality of its users' data, reinforcing its reputation as a trusted solution in the market.

HubSpot

Our Customer Relationship Management (CRM) system and associated data are securely hosted on HubSpot.com, a platform widely recognized for its robust security measures and commitment to data protection. We maintain a strong belief that HubSpot does not have direct access to our sensitive data or that of our customers. This confidence is bolstered by our thorough review of their Data Processing Agreement (DPA), which outlines their responsibilities regarding data handling and privacy protections. According to the DPA, HubSpot adheres to strict protocols to ensure the confidentiality and integrity of customer data, preventing unauthorized access and maintaining compliance with applicable data protection regulations.

Additionally, we routinely monitor and assess the security measures implemented by HubSpot to ensure they align with our organizational standards for data protection. This includes evaluating their security certifications, such as ISO 27001, and their compliance with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). By leveraging HubSpot's secure infrastructure, we aim to enhance our customer relationship management processes while prioritizing the privacy and security of our data. For more detailed information on how HubSpot safeguards our data, please refer to their DPA at the following link: https://legal.hubspot.com/dpa.

PirateShip.com

Pirate Ship is an online shipping platform that provides businesses with a cost-effective solution for purchasing shipping labels. One of the key features of the platform is its ability to manage ID card and badge recipient mailing addresses securely.

When users input addresses or any private data into the Pirate Ship system, this information is exclusively utilized for the purpose of purchasing United States Postal Service (USPS®) labels at the most competitive prices available, as well as UPS® labels at pre-negotiated rates. This targeted use of data ensures that customers receive significant savings on their shipping costs without compromising their privacy.

Pirate Ship is deeply committed to maintaining the confidentiality of its customers' information. The platform adheres to stringent privacy policies and practices, ensuring that any data shared is not sold, rented, or disclosed to third parties under any circumstances, except as necessary to fulfill the specific shipping transaction. This commitment to privacy is vital for fostering trust among users, knowing that their personal and sensitive information is handled with the utmost care and respect.

In addition to its privacy practices, Pirate Ship complies with relevant data protection regulations, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). This ensures that all personal data collected, processed, and stored is managed in a manner consistent with legal standards, providing users with further assurance regarding the security of their information.

By prioritizing customer privacy and implementing robust data protection measures, Pirate Ship enhances the overall user experience, allowing businesses to focus on their operations while ensuring that their mailing addresses and private information are kept safe and secure.

Stamps.com

From: https://www.stamps.com/privacy-policy/

"We take the privacy of our customers and their downstream customers very seriously. We never share the information of our Customer’s customers under any circumstances unless it is required to complete the transaction contracted with our Customer. This commitment to confidentiality is integral to our business model and helps foster trust between us and our clients. We understand that our customers rely on us to handle their sensitive information with the utmost care, and we prioritize this responsibility in all our operations.

In addition, we require our Customers, where applicable, to undertake to respect all relevant data protection laws, including the European Union General Data Protection Regulation (“GDPR”), the California Consumer Privacy Rights Act of 2018 (“CCPA”), and the state and federal law of the United States. Our compliance with these regulations demonstrates our dedication to upholding the highest standards of data privacy and protection. We work diligently to ensure that our practices align with legal requirements, thereby safeguarding the rights of individuals whose data we process.

This Policy applies to all personal data we collect, process, and store in relation to our staff, suppliers, and service recipients in the course of our activities, as defined in GDPR and CCPA, and other relevant laws. We adhere to principles of transparency, purpose limitation, and data minimization, ensuring that personal data is used solely for the purposes for which it was collected. Furthermore, we maintain robust security measures to protect this data from unauthorized access, alteration, or disclosure.

We make no distinction between the rights of EU Data Subjects who are employees and those who are not. All are treated equally under this policy. This means that individuals have the same rights to access, correct, and delete their personal information, regardless of their status. By reinforcing these principles, we aim to empower our customers and their stakeholders, ensuring they have control over their personal data and reinforcing our commitment to ethical data handling practices."

Avalara

Avalara is a software solution that complies with SOC 2 standards and is designed to manage and remit applicable sales tax for eXpress badging across the United States.

Reliable

Our cloud-based platform ensures that your business operates efficiently from any location. Hosted on the global AWS infrastructure, our cloud services benefit from built-in redundancy and failover capabilities, which help maintain seamless business operations. Additionally, our global engineering operation centers continuously monitor the performance and reliability of our cloud services.

Secure

The Avalara Compliance Cloud and Avalara Tax Compliance Suite prioritize security to protect your data and mitigate potential risks. Our security measures include:

- 24/7 Security Operations Center

- Dedicated security programs

- Application security protocols

- IT security safeguards

- Security Incident Response Team (SIRT)

- Ongoing security risk and compliance assessments

- Red team exercises to identify vulnerabilities

- Comprehensive cloud security practices

Scalable

Avalara is designed to be a scalable solution that grows alongside your business. Our platform adapts to increasing demands, ensuring that our sales tax compliance services can accommodate higher traffic as your operations expand year after year. Key features of our scalability include:

- Horizontally scalable architecture

- Data-driven analytics for informed decision-making

- Asynchronous processing to enhance performance

GV.RM-03:

Risk appetite and risk tolerance statements are determined and communicated based on the organization’s business environment (formerly ID.RM-2 and ID.RM-3)

eXpress badging Risk Appetite and Tolerance Statement

1. Data Security and Privacy

  • Risk Appetite: eXpress badging maintains a low risk appetite for any threats that could compromise the confidentiality, integrity, or availability of customer and employee data.

  • Risk Tolerance: We tolerate zero incidents involving unauthorized access to Personally Identifiable Information (PII) or Protected Health Information (PHI). Any such incident triggers immediate incident response protocols and notification procedures.

2. Operational Continuity

  • Risk Appetite: We accept a moderate risk appetite for operational disruptions, recognizing that minor interruptions may occur but should not impede critical service delivery.

  • Risk Tolerance: System downtimes for the Veonics Portal or other critical services should not exceed 4 hours per incident or 12 hours cumulatively per quarter. Exceeding these thresholds necessitates a review of business continuity and disaster recovery plans.

3. Compliance and Legal Obligations

  • Risk Appetite: eXpress badging has a zero risk appetite for non-compliance with legal, regulatory, and contractual obligations, including but not limited to PCI DSS, GDPR, and relevant state and federal data protection laws.

  • Risk Tolerance: No instances of regulatory non-compliance are acceptable. Any identified compliance gaps must be addressed within 30 days of discovery.

4. Financial Risk

  • Risk Appetite: We maintain a moderate risk appetite for financial investments that support innovation and growth, provided they do not jeopardize the organization's financial stability.

  • Risk Tolerance: Financial losses from strategic investments should not exceed 5% of the annual budget allocated for such initiatives.

5. Reputational Risk

  • Risk Appetite: eXpress badging has a low risk appetite for actions that could negatively impact its reputation and stakeholder trust.

  • Risk Tolerance: We aim to maintain a customer satisfaction score of 90% or higher. Any significant decline prompts an immediate review of customer service practices and stakeholder engagement strategies.

These risk appetite and tolerance statements are integral to our governance framework and are reviewed annually or as needed to ensure alignment with our strategic objectives and the evolving risk landscape.

GV.RM-04:

Cybersecurity risk management is considered part of enterprise risk management (formerly ID.GV-4)  

Integration of Cybersecurity Risk Management into Enterprise Risk Management

Strategic Alignment

eXpress badging recognizes cybersecurity risk as a critical component of its overall risk landscape. Therefore, cybersecurity risk management is integrated into the organization's ERM processes to ensure a holistic approach to risk assessment and mitigation.

Risk Response Options

The organization has established and communicated strategic directions for appropriate risk responses, including:

  • Risk Acceptance: For low-impact risks, the organization may choose to accept the risk after thorough evaluation.

  • Risk Mitigation: Implementing security controls and procedures to reduce the likelihood or impact of identified risks.

  • Risk Transfer: Utilizing cybersecurity insurance policies to transfer certain risks, thereby minimizing potential financial impact.

  • Risk Avoidance: Discontinuing activities or processes that introduce unacceptable levels of risk.

Shared Responsibility Models

eXpress badging employs shared responsibility models when engaging third-party vendors, such as cloud service providers. Responsibilities for cybersecurity controls are clearly delineated between eXpress badging and its vendors, ensuring that all aspects of security are adequately addressed.

Communication and Documentation

All risk response strategies and responsibilities are documented and communicated across relevant stakeholders within the organization. Regular reviews are conducted to update these strategies in response to evolving threats and business objectives.

By embedding cybersecurity risk management into its ERM framework, eXpress badging ensures that cybersecurity considerations are integral to its strategic decision-making processes, thereby enhancing its overall risk posture and resilience.

GV.RM-05:

Strategic direction describing appropriate risk response options, including cybersecurity risk transfer mechanisms (e.g., insurance, outsourcing), investment in mitigations, and risk acceptance is established and communicated

eXpress badging has established a strategic direction that outlines appropriate risk response options, including:

  • Risk Acceptance: For low-impact risks that do not significantly affect operations or data security, we may choose to accept the risk after thorough evaluation.

  • Risk Mitigation: Implementing security controls and procedures to reduce the likelihood or impact of identified risks.

  • Risk Transfer: Utilizing cybersecurity insurance policies to transfer certain risks, thereby minimizing potential financial impact.

  • Risk Avoidance: Discontinuing activities or processes that introduce unacceptable levels of risk.

These options are communicated across the organization to ensure consistent understanding and application.

GV.RM-06:

Responsibility and accountability are determined and communicated to ensure that the risk management strategy and program are resourced, implemented, assessed, and maintained

Responsibility and accountability for cybersecurity risk management at eXpress badging are clearly defined and communicated:

  • Leadership: Senior leadership is responsible for establishing the risk management strategy and ensuring it aligns with organizational objectives.

  • Information Security Team: Tasked with implementing the risk management program, conducting assessments, and maintaining security controls.

  • All Employees and Contractors: Expected to adhere to cybersecurity policies and report any security incidents promptly.

Regular training and clear documentation support these roles, ensuring the risk management strategy is effectively resourced, implemented, assessed, and maintained.

GV.RM-07:

Risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks

eXpress badging conducts regular reviews of its risk management strategy to ensure it remains effective and aligned with organizational requirements:

  • Periodic Assessments: Scheduled evaluations to assess the effectiveness of current risk management practices.

  • Feedback Mechanisms: Incorporating insights from incident reports, audits, and stakeholder feedback to inform adjustments.

  • Adaptation to Change: Modifying strategies in response to changes in the threat landscape, business operations, or regulatory requirements.

These practices ensure that our risk management strategy evolves to meet emerging challenges and organizational needs.

GV.RM-08:

The effectiveness and adequacy of cybersecurity risk management strategy and results are assessed and reviewed by organizational leaders

The effectiveness and adequacy of eXpress badging's cybersecurity risk management strategy are regularly assessed and reviewed by organizational leaders:

  • Executive Oversight: Senior leadership reviews risk management outcomes to ensure alignment with business objectives.

  • Performance Metrics: Utilizing key performance indicators to measure the success of risk management initiatives.

  • Continuous Improvement: Identifying areas for enhancement and implementing changes to strengthen the risk management program.

This top-down approach ensures that cybersecurity risk management remains a priority and is continuously refined to protect the organization's assets and stakeholders.

By adhering to these practices, eXpress badging demonstrates a commitment to robust cybersecurity risk management, aligning with the standards set forth in the NIST Cybersecurity Framework.