Cloud Security Certifications and Procedures

Application & Interface Security

1. What software development standards do you follow?

Our Software Development Life Cycle (SDLC) ensures that our applications and programming interfaces (APIs) are designed, deployed, and tested in accordance with leading industry standards (such as OWASP, ISO, and SOC) and adhere to legal, statutory, or regulatory compliance obligations.

2. When will my service be set up and ready to use?

You will be on-boarded once all agreements and policies are accepted for usage of the service. You are responsible for ensuring your usage of CaseWare Cloud is in compliance with applicable laws and regulations. 

Legal specifics can be found in the Cloud Services Agreement here:

Our certifications and 3rd party attestations can be found here: https://www.caseware.com/cloud-security-compliance

3. What measures are in place to secure my data?

Our policies and procedures have been established and are maintained in support of data security, including confidentiality, integrity, and availability across multiple system interfaces, jurisdictions, and business functions, to prevent improper disclosure, alteration, or destruction.

Our certifications and 3rd party attestations can be found here: https://www.caseware.com/cloud-security-compliance


Audit Assurance & Compliance

4. Does your service undergo an audit or review and how frequently?

Independent audits are conducted by registered 3rd parties as part of our compliance program for ISO 27001 and SOC 2 for our Cloud services. This also includes external penetration testing.

We also have an internal audit program and regularly scheduled internal vulnerability testing.

SOC 2 reports are provided under NDA to clients. 

5. Where is my data hosted and how secure is it?

Production data is stored on Amazon Web Services (AWS). The application handles logical separation of client data through database isolation. Data that is transferred to and from our service (including backups) is 100% encrypted over an SSL connection (256-bit AES, the same strength used in online banking).

We use our own encryption as an added layer of security so Amazon does not have our encryption keys and cannot decrypt our data.

For more information on security, see: https://www.casewarecloud.com/security.html.

Our legal team monitors our regulatory obligations. Please refer to our Cloud Services agreement for legal requirements: https://docs.caseware.com/latest/webapps/en/Setup/Licenses/CaseWare-Cloud-Services-Agreement.htm.


Business Continuity Management & Operational Resilience 

6. What measures are in place to prevent service disruption?

CaseWare has a consistent unified framework for business continuity planning and has established, documented, and adopted this to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements. 

Requirements for business continuity plans include the following:

  1. Defined purpose and scope, aligned with relevant dependencies 
  2. Accessible to and understood by those who will use them
  3. Owned by a named person(s) who is responsible for their review, update, and approval
  4. Defined lines of communication, roles, and responsibilities 
  5. Detailed recovery procedures, manual work-around, and reference information
  6. Method for plan invocation

7. What happens in the event of an incident?

Our business continuity and security incident response plans are tested at planned intervals or upon significant organisational or environmental changes. Incident response plans involve impacted customers (tenants) and other business relationships that represent critical intra-supply chain business process dependencies.

8. What happens in the event of a natural disaster?

Our service is hosted on Amazon's AWS. Utility services and environmental conditions (for example, water, power, temperature and humidity controls, telecommunications, and internet connectivity) are secured, monitored, maintained, and tested for continual effectiveness at planned intervals to ensure protection from unauthorised interception or damage, and are designed with automated failover or other redundancies in the event of planned or unplanned disruptions.

9. Where is your service hosted? What sort of internal controls are there?

Our cloud service is completely virtual and hosted on Amazon Web Services (AWS). Amazon is also ISO and SOC 2 compliant and is responsible for restricting access to facilities housing the production systems to authorised individuals. AWS is also responsible for environmental protection and preventative maintenance over production systems. AWS has published further details here: https://aws.amazon.com/compliance/data-center/controls.

These certifications address physical security, system availability, network and IP backbone access, customer provisioning and problem management. Physical access and environmental controls are managed and controlled by AWS. AWS physical protection assurance information can be found at: https://aws.amazon.com/compliance

10. What processes and procedures are in place for change management?

CaseWare has aligned our security program to ISO 27001 and we have business continuity processes in place to address disruptions to critical services. We monitor all cloud instances for performance and availability and incorporate the following:

  1. Identify critical products and services
  2. Identify all dependencies, including processes, applications, business partners, and third party service providers
  3. Understand threats to critical products and services
  4. Determine impacts resulting from planned or unplanned disruptions and how these vary over time
  5. Establish the maximum tolerable period for disruption
  6. Establish priorities for recovery
  7. Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption
  8. Estimate the resources required for resumption

Customers can see our real-time operational status at our status page here: https://caseware.statuspage.io/.

We maintain a central system for documentation and train all staff on processes. Procedures include change management, security processes, and the roles and responsibilities of internal users. Our procedures are updated on an as-needed basis and revision histories are logged. Additionally, policies and procedures include defined roles and responsibilities supported by regular workforce training.

11. What about backup and recovery plans?

CaseWare maintains a records and retention policy for Cloud services. The retention policy is not client specific. Backup and recovery procedures are documented, and daily automated alerts are sent to operations staff. Backup and recovery measures have been incorporated as part of business continuity planning and are tested accordingly for effectiveness.


Change Control & Configuration Management

12. Are software changes or other changes managed through a control process?

Change management controls have been established so that any new development or acquisition of new data, physical or virtual applications, infrastructure network and systems components, or corporate, operations, or data centre facilities is pre-authorised by the organisation's business leadership or another accountable business role or function.

Our SDLC has a defined quality change control and testing process with established baselines, testing, and release standards which focus on system availability, confidentiality and integrity of systems and services.

13. Are there policies or procedures in place for change management?

Policies and procedures have been established, and supporting business processes and technical measures implemented, to restrict the installation of unauthorised software on organisationally-owned or managed user end-point devices and IT infrastructure network and systems components within the production cloud environment.

Our change management policies and procedures include managing the risks associated with applying changes to business-critical or customer-impacting applications and system-to-system interface (API) designs and configurations. Technical measures have also been implemented to provide assurance that all changes correspond directly to a registered change request and, for business-critical or customer-impacting changes, to authorisation by the customer as per agreement, prior to deployment.


Data Security & Information Life cycle Management 

14. What policies are in place to protect my data?

Our security policy defines four levels of data classification: confidential, restricted, operational, and public. All data stored within the production cloud infrastructure is considered confidential, which is our highest classification level; only authorised staff have access to this environment.

Logical access to the production cloud environment is restricted to the operations team alone.

15. Where is my data stored and who can access it?

All subscriber data is stored in the production cloud environment. Use of customer data in non-production environments is controlled through secure data-handling processes, which require explicitly documented approval from the customers whose data is affected, and must comply with legal and regulatory requirements for scrubbing of sensitive data elements.

There is a designated operations team responsible for all operational functions regarding the infrastructure and storage with assigned responsibilities that have been defined, documented, and communicated.


Data Centre Security

16. What physical security is in place for servers?

The production infrastructure is completely hosted within Amazon’s AWS. AWS is responsible for restricting access to facilities housing the production systems to authorised individuals. AWS is also responsible for environmental protection and preventative maintenance over production systems.

Physical access is controlled by AWS at the perimeter and at building ingress points. Full details can be found here: https://aws.amazon.com/whitepapers/#security.

AWS has published further details here: https://aws.amazon.com/compliance/data-center/controls/.

17. Do data centres comply with industry standards for security?

Our production infrastructure is completely hosted within Amazon’s AWS. AWS has SOC 2 reports, which are reviewed annually.

AWS governance processes can be found here: https://aws.amazon.com/compliance/.


Encryption & Key Management

18. What policies are in place for data encryption?

Our cryptography policies and procedures are designed to support business processes. Technical measures have been implemented based on business requirements for protection of data at rest and data in transit as per applicable legal, statutory, and regulatory compliance obligations.

19. How are keys managed?

Our cryptography policy requires all encryption keys to have identifiable owners within the organisation. The cryptographic key life cycle management ensures access controls are in place for secure key generation, exchange and storage, including segregation of keys used for encrypted data or sessions.

20. When is data encrypted and what strength keys do you use?

Data stored at the server level (data at rest) is encrypted using the industry standard AES-256 algorithm. Data that is transferred to and from our service (data in transit) is encrypted via TLS with ephemeral key exchange and uses industry-accepted strong cipher suites. Certificates use a minimum of 2048-bit key strength with a SHA-2 or stronger signature algorithm.

Private keys are generated and stored in our secrets management systems. They are deployed and used on production systems as needed via our change control process.

Certificates are obtained through a reputable vendor and follow the built-in and industry standard renewal/rotation process based on expiry or revocation as needed.
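The data-in-transit requirements stated above (TLS only, ephemeral key exchange, strong cipher suites) are the kind of setting a client or reviewer can verify mechanically. The following is an added example, not CaseWare's own code or configuration: it builds a client-side TLS context with Python's standard `ssl` module (assumed to be backed by OpenSSL), audits the cipher suites that context will actually offer, and runs the same audit over a constructed sample shaped like `SSLContext.get_ciphers()` output for a legacy server that still offers static-RSA key exchange and 3DES. The cipher string, the 128-bit minimum, and the sample suites are the example's own choices.

```python
import ssl

# Key-exchange identifiers OpenSSL reports for forward-secret suites: ECDHE/DHE for
# TLS 1.2, and "kx-any" for TLS 1.3, whose suites always use ephemeral (EC)DH.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}
MIN_STRENGTH_BITS = 128  # policy threshold chosen for this example


def build_hardened_context() -> ssl.SSLContext:
    """Client context that allows only TLS 1.2+ and ephemeral-key AEAD cipher suites."""
    ctx = ssl.create_default_context()  # hostname check + system CA verification enabled
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-list syntax (governs TLS 1.2 and below; TLS 1.3 suites are separate):
    # AEAD suites with ephemeral key exchange only; '!aNULL' drops anonymous (EC)DH suites
    # and '!MD5' drops MD5-based MACs explicitly.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5")
    return ctx


def weak_suites(ciphers) -> list:
    """Names of suites that lack forward secrecy or fall below the strength threshold.

    Each entry is a dict with at least 'name', 'kea' and 'strength_bits', the shape
    returned by SSLContext.get_ciphers().
    """
    return [
        c["name"]
        for c in ciphers
        if c["kea"] not in FORWARD_SECRET_KX or c["strength_bits"] < MIN_STRENGTH_BITS
    ]


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Summarise what a context will negotiate: minimum protocol, suite count, weak suites."""
    offered = ctx.get_ciphers()
    return {
        "min_version": ctx.minimum_version.name,
        "suite_count": len(offered),
        "weak_suites": weak_suites(offered),
    }


# Constructed sample (not captured from any real host): a legacy server's offering,
# written in the same dict shape as get_ciphers() so weak_suites() can evaluate it.
LEGACY_SAMPLE = [
    {"name": "AES256-GCM-SHA384", "kea": "kx-rsa", "strength_bits": 256},   # static RSA kx
    {"name": "DES-CBC3-SHA", "kea": "kx-rsa", "strength_bits": 112},        # 3DES, static RSA
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "kea": "kx-ecdhe", "strength_bits": 128},
]


if __name__ == "__main__":
    report = audit_context(build_hardened_context())
    print("hardened context:", report)
    print("legacy sample weak suites:", weak_suites(LEGACY_SAMPLE))
```

`audit_context()` on the hardened context reports no weak suites, because every suite left after `set_ciphers()` uses ECDHE or DHE and TLS 1.3 suites are forward secret by construction; on the constructed legacy sample, `weak_suites()` flags the two static-RSA suites (the first for lacking forward secrecy, the second additionally for 3DES's 112-bit strength) and accepts the ECDHE suite. The certificate requirements in the answer above (2048-bit keys, SHA-2 signatures) are enforced separately by the certificate authority's issuance policy and by the verification the default context performs.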


Governance & Risk Management

21. How often are security risk assessments done?

Security risk assessments are completed at least annually and consider the following:

  1. Awareness of where sensitive data is stored and transmitted across applications, databases, servers, and network infrastructure
  2. Compliance with defined retention periods
  3. Data classification and protection from unauthorised use, access, loss, destruction, and falsification

22. What policies and systems do you have for managing risk?

We have implemented an Information Security Management System based on ISO 27001 and SOC 2 controls. Our ISMS includes the following areas insofar as they relate to the characteristics of the business:

  1. Information Security Policy (this document)
  2. Access Control Policy
  3. Availability Management
  4. Clean Desk Policy
  5. Cryptography Policy
  6. IS Supplier Management Policy
  7. Logging and Monitoring Policy
  8. Mobile Device Policy
  9. Network Security Policy
  10. Password Management Policy
  11. Patch Management Policy
  12. Software Policy
  13. Technical Vulnerability Management Policy
  14. Risk Assessment Methodology
  15. Malware, Email and ISMS Policy
  16. Internet Acceptable Use Policy
  17. Penetration Testing Policy
  18. Teleworking Policy
  19. Records Retention and Protection.

Department managers are responsible for maintaining awareness of, and complying with, security policies, procedures, and standards that are relevant to their area of responsibility.

Risk acceptance levels have been defined within the risk management methodology and all risks are mitigated to an acceptable level with reasonable resolution time frames and stakeholder approval.

23. Who is responsible for risk policy and procedure?

Our information security policies and procedures are posted and available for review by all impacted staff and external business relationships. The Information Security Steering Committee is responsible for developing, maintaining, and enforcing our service's information security policies. The information security policy is reviewed annually and approved by the Information Security Steering Committee.

Executive and line management provide support for information security through clearly documented direction and commitment, and ensure that actions have been assigned.

24. How often are reviews conducted on policy?

Policy reviews are conducted annually by the Information Security Steering Committee, or as a result of changes to the organisation, to ensure the policies' continuing alignment with the security strategy and their effectiveness, accuracy, relevance, and applicability to legal, statutory, or regulatory compliance obligations.

25. How often are risk assessments done?

Formal risk assessments are performed annually and in conjunction with any changes to information systems to determine the likelihood and impact of all identified risks. The likelihood and impact associated with inherent and residual risk is determined independently, considering all risk categories based on audit results, threat and vulnerability analysis, and regulatory compliance.

Risk assessment results include updates to security policies, procedures, standards, and controls to ensure that they remain relevant and effective.

26. How does risk management apply to staff and employees?

Our HR has a defined screening process for all staff. Background checks are performed on all staff who perform operational roles within the production cloud environment.

All staff are required to sign a confidentiality agreement prior to employment to ensure the protection of client information.

Information security awareness training is provided during employee on-boarding. Specific training is provided for developers on secure coding practices. Formal records are maintained for completion of internal staff training. 

Employee terminations and position changes are initiated by department managers. Our HR team reviews these requests and submits the request through our ticketing system for deprovisioning and provisioning requirements.

Our HR team has an employee departure process to ensure all equipment is returned and accounts terminated to ensure that access to production environments is removed.

27. How does risk management apply to contractors or third-parties?

A security awareness training program has been established for all contractors, third-party users, and employees and is mandated. All individuals with access to confidential and restricted data receive appropriate awareness training and regular updates in organisational procedures, processes, and policies relating to their job function relative to the organisation.

Roles and responsibilities of contractors, employees, and third-party users are documented as they relate to information assets and security.

28. How does risk management apply to the workplace?

User responsibilities are defined within job descriptions for all staff and they are made aware of their roles and responsibilities for:

  1. Maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations
  2. Maintaining a safe and secure working environment

We have a clear screen policy which requires that unattended work spaces do not have openly visible sensitive documents and that user computing sessions are disabled after an established period of inactivity.


Identity & Access Management

29. Who is authorised to access production environments?

Policies and procedures have been established to store and manage identity information about every person who accesses the production cloud infrastructure and to determine their level of access.

Access control policies and procedures have been established, and supporting business processes and technical measures implemented, for restricting user access as per defined segregation of duties to address business risks associated with a user-role conflict of interest.

30. Who is authorised to access peripheral tools, logs, etc?

Access to, and use of, audit tools that interact with the production cloud environment is segmented and restricted to prevent compromise and misuse of log data.

User access to diagnostic and configuration ports is restricted to authorised individuals and applications.

31. Who controls what's installed on production environments?

Controls are in place to ensure only approved software is installed within the production cloud infrastructure.

32. Who is authorised to access application code, etc?

Access to the organisation's own developed applications, program, or object source code, or any other form of intellectual property (IP), and use of proprietary software is controlled following the rule of least privilege based on job function as per established user access policies and procedures.

33. What authentication mechanism is there and how often is it evaluated?

CaseWare Cloud Service requires password authentication to access the base system. Once in the system, users must be assigned security roles to perform additional operations and access certain content. With security roles, you can control who has access to what content. Your organisation is responsible for developing appropriate security policies around passwords and security roles using the security features provided in CaseWare Cloud.

User access is authorised and re-validated quarterly, to ensure the rule of least privilege based on job function. For identified access violations, remediation activities are followed based on the established user access policies and procedures.

Timely de-provisioning (revocation or modification) of user access to data or managed applications, infrastructure systems, and network components has been implemented as per established policies and procedures, based on a user's change in status such as termination of employment or other business relationship, job change, or transfer.


Infrastructure & Virtualisation Security 

34. How is network traffic filtered, logged and monitored?

CaseWare Cloud deploys a SaaS-based endpoint detection and response (EDR) agent to all hosts within our infrastructure. All user, process, and network activity is collected and stored in a tamper-proof central location and analysed in near real time for suspicious behaviours, and is also available for manual forensics. Protection, retention, and life cycle management of audit logs adhere to applicable legal, statutory, or regulatory compliance obligations. The logs provide unique user access accountability to detect potentially suspicious network behaviours and/or file integrity anomalies, which is required to support forensic investigative capabilities in the event of a security breach.

35. Do you use an external time source?

The production cloud infrastructure has a reliable and mutually agreed upon external time source that is used to synchronise the system clocks of all relevant information processing systems to facilitate tracing and reconstitution of activity timelines.


Threat & Vulnerability Management

36. What measures are in place to prevent malware or other potential vulnerabilities?

Policies and procedures have been established, and supporting business processes and technical measures implemented, to prevent the execution of malware within the production cloud environment or end user devices and IT infrastructure network and system components.

Policies and procedures have been established, and supporting processes and technical measures implemented, for timely detection of vulnerabilities within organisationally-owned or managed applications, infrastructure network and system components.

Our security test team performs on-going network vulnerability scans of both internal and external infrastructure using an industry-leading vulnerability scanner. We also perform ongoing application and code vulnerability evaluations of our products and have dual peer reviews of all code changes to ensure the efficiency of implemented security controls. Our risk management methodology is used for prioritising remediation of identified vulnerabilities.

Changes are managed through our defined change management process for all vendor-supplied patches, configuration changes, or changes to our applications.
