Truework Platform Security Requirements

Last updated: July 18, 2024

The security requirements outlined in this document detail Truework’s minimum security expectations of any third party (e.g., any supplier, reseller, service provider, customer, partner, etc.) (“Third Party”) accessing, using or otherwise interacting with any systems or services accessed through platforms hosted, provided by or otherwise managed by Truework (“Truework Platform”) to ensure that such Third Party has appropriate controls in place to properly safeguard the Truework Platform, including any information that is stored, processed, transmitted, received, or otherwise accessed through the Truework Platform (“Platform Data”).

DEFINITIONS

“Resource” means all Third Party devices, including but not limited to user Endpoints such as desktop computers or laptop computers, mobile devices, routers, servers, and/or any other digital systems that store, process, transmit, receive, or otherwise access Truework Platform and Platform Data.

Information Security Programs and Governance

       Third Party will maintain and employ information security policies, practices and procedures aligned with an industry standard, such as ISO 27001, the AICPA Trust Services Criteria or the NIST 800 series of standards as issued.

Vulnerability Testing and Patch Management

       Third Party will ensure that all Resources managed by the Third Party are kept current with the security patches applicable to each Resource and with the most up-to-date secure configurations available.

       Third Party will engage in regular penetration testing to assess the security posture of its systems and Resources.

       Third Party will also employ and maintain endpoint security solutions to detect, assess, mitigate and inventory vulnerabilities as they arise.

Cyber Resiliency Controls and Governance

a)     Logging, Monitoring and Observability

       Third Party will ensure that logging, monitoring and observability mechanisms are in place to sufficiently detect and respond to security incidents.

       Third Party will ensure that the aforementioned mechanisms are also able to establish attribution for detections and to reconstruct incidents and the events within them.

b)     Network Security and Hardening

       Third Party will employ security measures, including but not limited to firewalls and endpoint detection and response or anti-virus software, in order to reduce the risks associated with network and system infiltration, data exfiltration and data exposure to unauthorized third parties.

       Third Party will ensure that all remote access to its Resources requires authentication and authorization access controls with use of Multi-Factor Authentication (MFA). Such access must use secure protocols such as VPN (Virtual Private Networking).

c)     Data Protection

       Third Party will employ security measures designed to protect sensitive data and personally identifiable information (“PII”). Such measures include, but are not limited to, encryption at rest and in transit, tokenization at rest and in transit, and segregation of environments and data stores to limit exposure of sensitive data and PII both internally and to unauthorized parties.

Incident Response and Notification

       Third Party will establish, test and maintain processes and procedures for responding to security incidents and to unusual or suspicious activities.

       Third Party will report any confirmed security incident or security breach of material impact to the Truework Platform or Truework Data without delay, and no later than forty-eight (48) hours after such Third Party confirms such incident.

       Third Party will supply named individuals responsible for notifications to Truework as well as contact information for information security related escalations.

Authentication, Authorization and Audit

       Third Party will ensure that individual users of any Resource are assigned unique identifiers that enable individual authentication, audit and attribution.

       Third Party will apply the principle of least privilege as outlined in NIST SP 800-171 when considering granting access to privileged information, to ensure that access to privileged information and accounts is restricted to individuals who require such access as part of their daily duties or responsibilities.

       Third Party will review its users' access and privileges on a periodic basis and as needed following a change in role, or termination of employment.

Passwords and Accounts

       Third Party will ensure that all passwords remain confidential and well protected.

       Third Party will ensure that all passwords meet the basic requirements defined in NIST SP 800-63B:

       Password Length: 8 to 64 characters are recommended

       Character Types: Nonstandard characters, such as emoticons, are allowed when possible

       Multifactor/Second Factors: Encouraged in all applications

       Password Resets: Required only if the password is compromised or forgotten, in cases where MFA is in place

       Where MFA is not in place, Third Party will ensure that passwords expire after a maximum of 90 calendar days and that accounts will lock out after 10 consecutive failed login attempts.

Security Training and Awareness

       Third Party will require all of Third Party’s personnel to participate in information security training and awareness sessions at least annually, and will establish proof of learning for all personnel.

Contacting Truework Security and Trust

If you believe your password or account has been breached or accessed without authorization, promptly notify any of the following support teams:

Truework Information Security

Email: security@truework.com

Phone: (404) 578-9876

Truework Information Security

Phone: (404) 578-9876

Email: admin@truework.com