AODA, Customer Service Standard (CSS) Policy, Commitment Statement & Multi Year Plan

Our Software Development Life Cycle (SDLC) ensures that our applications and programming interfaces (APIs) are designed, deployed, and tested in accordance with leading industry standards – such as OWASP, ISO, and SOC – and adhere to legal, statutory, or regulatory compliance obligations.

You will be onboarded once all agreements and policies are accepted for usage of the service. You are responsible for ensuring your usage of Caseware Cloud is in compliance with applicable laws and regulations.

Legal specifics can be found in the Cloud Services Agreement here.

Our policies and procedures have been established and are maintained in support of data security to include confidentiality, integrity, and availability across multiple system interfaces, jurisdictions, and business functions to prevent improper disclosure, alteration, or destruction.

Independent audits are conducted by registered 3rd parties as part of our compliance program for ISO 27001 and SOC 2 for our Cloud services. We also have an internal audit program, external penetration testing and regularly scheduled internal vulnerability testing. Vulnerability test results are shared with customers as outlined in the Client Initiated Testing Policy. The results of these processes are tracked through our improvements process. The methodology and tools used to conduct penetration testing is tailored to each assessment for specific targets and attacker profiles. SOC 2 reports are provided under NDA to clients. Our SOC 3 Report is available in PDF format here.

Production data is stored on Amazon Web Services (AWS). The application handles logical separation of client data through database isolation. Data that is transferred to and from our service (including backups) is 100% encrypted over an SSL connection (AES-256-bit – the same strength used in online banking). Data transmission occurs between client and server, and databases. Controls are in place for secure and encrypted bulk data transfers. There are no email transmissions. For more information on security, see: https://www.casewarecloud.com/security.html. Our legal team monitors our regulatory obligations. Please refer to our Cloud Services agreement for legal requirements here.

Caseware has a consistent unified framework for business continuity planning and has established, documented, and adopted this to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements.

Requirements for business continuity plans include the following:

• Defined purpose and scope, aligned with relevant dependencies
• Accessible to and understood by those who will use them
• Owned by a named person(s) who is responsible for their review, update, and approval
• Defined lines of communication, roles, and responsibilities
• Detailed recovery procedures, manual work-around, and reference information
• Method for plan invocation

Our business continuity and security incident response plans are tested at planned intervals or upon significant organizational or environmental changes. Incident response plans involve impacted customers (tenant) and other business relationships that represent critical intra-supply chain business process dependencies.

Our service is hosted on Amazon’s AWS and utilities services and environmental conditions (for example, water, power, temperature and humidity controls, telecommunications, and internet connectivity) are secured, monitored, maintained, and tested for continual effectiveness at planned intervals to ensure protection from unauthorized interception or damage, and are designed with automated failover or other redundancies in the event of planned or unplanned disruptions.

Our cloud service is completely virtual and hosted on Amazon Web Services (AWS). Amazon is also ISO and SOC2 compliant and responsible for restricting access to facilities housing the productions systems to authorized individuals. AWS is also responsible for environmental protection and preventative maintenance over production systems. AWS has published further details here: https://aws.amazon.com/compliance/data-center/controls. These certifications address physical security, system availability, network and IP backbone access, customer provisioning and problem management. Physical access and environmental controls are managed and controlled by AWS. AWS physical protection assurance information can be found at: https://aws.amazon.com/compliance.

Caseware has aligned our security program to ISO 27001 and we have business continuity processes in place to address disruptions to critical services. We monitor all cloud instances for performance and availability and incorporate the following:

• Identify critical products and services
• Identify all dependencies, including processes, applications, business partners, and third party service providers
• Understand threats to critical products and services
• Determine impacts resulting from planned or unplanned disruptions and how these vary over time
• Establish the maximum tolerable period for disruption
• Establish priorities for recovery
• Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption
• Estimate the resources required for resumption

Customers can see our real-time operational status at our status page here: https://caseware.statuspage.io/.

We maintain a central system for documentation and train all staff on processes. Procedures include change management, security processes, roles and responsibilities of internal users. Our procedures are updated on an as needed basis and revision histories are logged. Additionally, policies and procedures shall include defined roles and responsibilities supported by regular workforce training.

Caseware maintains a records and retention policy for Cloud services. The retention policy is not client-specific. Backup and recovery procedures are documented and automated alerts are sent daily to operations staff. Backup and recovery measures have been incorporated into business continuity planning and tested accordingly for effectiveness. See the retention policy for each category of records below.

System transaction logs

Description: Database journals and other logs used for database recovery.

Retention period: 30 days.

Reason for retention: Based on backup and recovery strategy.

Allowable storage media: Electronic.

Audit logs

Description: Security logs, for example, records of logon/logoff and permission changes.

Retention period: 30 days.

Reason for retention: Maximum period of delay before forensic investigation.

Allowable storage media: Electronic.

Operational procedures

Description: Records associated with the completion of operational procedures.

Retention period: 2 years.

Reason for retention: Maximum period elapsed regarding dispute.

Allowable storage media: Electronic.

Customer

Description: Customer backups.

Retention period: 90 days.

Reason for retention: Data protection requirement.

Allowable storage media: Electronic.

‍

Change management controls have been established for any new development and/or acquisition of new data, physical or virtual applications, infrastructure network and systems components, or any corporate, operations and/or data center facilities have been pre-authorized by the organization’s business leadership or other accountable business role or function. Our SDLC has a defined quality change control and testing process with established baselines, testing, and release standards which focus on system availability, confidentiality and integrity of systems and services.

Policies and procedures have been established, and supporting business processes and technical measures implemented, to restrict the installation of unauthorized software on organizationally-owned or managed user end-point devices and IT infrastructure network and systems components within the production cloud environment. Our change management policies and procedures include managing the risks associated with applying changes to business-critical or customer impacting applications and system-system interface (API) designs and configurations. Technical measures have also been implemented to provide assurance that all changes directly correspond to a registered change request, business-critical or customer, and/or authorization by, the customer as per agreement prior to deployment.

Caseware has policies and procedures and supporting business processes and technical measures in place to inventory and maintain data flows within the SaaS network and systems for each geographic location. Controls are in place to ensure that data is placed in the geographic area determined by the client. Subscriber data within the production cloud environment resides on two-tier architecture and is not directly accessible from the internet.

Our security policy defines four levels of data classification: confidential, restricted, operational, and public. All data stored within the production cloud infrastructure is considered confidential, which is our highest level of security and only authorized staff have access to this environment. Logical access to the production cloud environment is restricted to the operations team alone.

All subscriber data is stored in the production cloud environment. Use of customer data in non-production environments is controlled through secure data-handling processes, which require explicitly documented approval from the customers whose data is affected, and must comply with legal and regulatory requirements for scrubbing of sensitive data elements.

There is a designated operations team responsible for all operational functions regarding the infrastructure and storage with assigned responsibilities that have been defined, documented, and communicated.

Caseware Cloud is hosted on Amazon web servers around the world. Upon subscribing to the Caseware Cloud Services, CWC informs clients of the jurisdiction in which the server that has been allocated to host your Subscriber Data and Personal Information is located. You may consent to such allocation, or refuse a server so allocated.

For performance reasons, we’ll typically set you up in:

• United States/North Virginia if you’re located in the United States or South America
• Canada/Montreal if you’re located in Canada
• Australia/New South Wales if you’re located in the Asia-Pacific region
• Ireland/Leinster if you’re located in any other region

The production infrastructure is completely hosted within Amazon’s AWS. AWS is responsible for restricting access to facilities housing the production systems to authorized individuals. AWS is also responsible for environmental protection and preventative maintenance over production systems. Physical access is controlled by AWS at the perimeter and at building ingress points. Full details can be found here: https://aws.amazon.com/whitepapers/#security. AWS has published further details here: https://aws.amazon.com/compliance/data-center/controls/.

Our production infrastructure is completely hosted within Amazon’s AWS. AWS has SOC 2 reports, which are reviewed annually. AWS governance processes can be found here: https://aws.amazon.com/compliance/.

Our cryptography policies and procedures are designed to support business process. Technical measures have been implemented based on business requirements for protection of data at rest and data in transit as per applicable legal, statutory, and regulatory compliance obligations.

Our cryptography policy requires all encryption keys to have identifiable owners within the organization. The cryptographic key lifecycle management ensures access controls are in place for secure key generation, exchange and storage, including segregation of keys used for encrypted data or sessions.

Data stored at the server level (data-at-rest) is encrypted using the industry standard AES-256 algorithm. Data that is transferred to and from our service (data-in-transit) is encrypted via TLS with ephemeral key exchange and use industry-accepted strong cipher suites. Certificates use a minimum of 2048-bit key strength with SHA-2 or stronger signature algorithm. Private keys are generated and stored in our secrets management systems. They are deployed and used on production systems as needed via our change control process. Certificates are obtained through a reputable vendor and follow the built-in and industry standard renewal/rotation process based on expiry or revocation as needed.

Security risk assessments are completed at least annually and consider the following:

• Awareness of where sensitive data is stored and transmitted across applications, databases, servers, and network infrastructure
• Compliance with defined retention periods
• Data classification and protection from unauthorized use, access, loss, destruction, and falsification

We have implemented an Information Security Management System based on ISO 27001 and SOC 2 controls. Our ISMS includes the following areas insofar as they relate to the characteristics of the business:

• Information Security Policy (this document)
• Access Control Policy
• Availability Management
• Clean Desk Policy
• Cryptography Policy
• IS Supplier Management Policy
• Logging and Monitoring Policy
• Mobile Device Policy
• Network Security Policy
• Password Management Policy
• Patch Management Policy
• Software Policy
• Technical Vulnerability Management Policy
• Risk Assessment Methodology
• Malware, Email and ISMS Policy
• Internet Acceptable Use Policy
• Penetration Testing Policy
• Teleworking Policy
• Records Retention and Protection

Department managers are responsible for maintaining awareness of, and complying with, security policies, procedures, and standards that are relevant to their area of responsibility.

Risk acceptance levels have been defined within the risk management methodology and all risks are mitigated to an acceptable level with reasonable resolution time frames and stakeholder approval.

Our information security policies and procedures are posted and available for review by all impacted staff and external business relationships. The Information Security Steering Committee is responsible for developing, maintaining, and enforcing our service’s information security policies. The information security policy is reviewed annually and approved by the Information Security Steering Committee. Executive and line management provide support for information security through clearly documented direction and commitment, and shall ensure action has been assigned. There is a senior member of management who is responsible for information security governance and operations, including protection of customer data – this role reports to the CFO.

Policy reviews are conducted annually by the Information Security Steering Committee or as a result of changes to the organization to ensure its continuing alignment with the security strategy, effectiveness, accuracy, relevance, and applicability to legal, statutory, or regulatory compliance obligations.

Formal risk assessments are performed annually and in conjunction with any changes to information systems to determine the likelihood and impact of all identified risks. The likelihood and impact associated with inherent and residual risk is determined independently, considering all risk categories based on audit results, threat and vulnerability analysis, and regulatory compliance. Risk assessment results can include updates to security policies, procedures, standards, and controls to ensure that they remain relevant and effective. The results of risk assessments are:

• Reported to senior management who then partake in a risk treatment process
• Updated in a risk register
• Prioritized based on possible impact to production systems

Our HR has a defined screening process for all staff. Reference checks are obtained with respect to all employees at time of hiring, with criminal and credit background checks for those who perform operational roles with the product cloud environment. All staff are required to sign a confidentiality agreement prior to employment to ensure protection of client information for the protection of data. Information security awareness training is provided during employee onboarding. Specific training is provided for developers on secure coding practices. Formal records are maintained for completion of internal staff training. Employee terminations and position changes are initiated by department managers. Our HR team reviews these requests and submits the request through our ticketing system for de-provisioning and provisioning requirements. Our HR team has an employee departure process to ensure all equipment is returned and accounts terminated to ensure that access to production environments is removed.

A security awareness training program has been established for all contractors, third-party users, and employees and is mandated. All individuals with access to confidential and restricted data receive appropriate awareness training and regular updates in organizational procedures, processes, and policies relating to their job function relative to the organization. Roles and responsibilities of contractors, employees, and third-party users are documented as they relate to information assets and security.

User responsibilities are defined within job descriptions for all staff and they are made aware of their roles and responsibilities for:

• Maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations
• Maintaining a safe and secure working environment
• Report any suspicious activity if detected

We have a clear screen policy which requires that unattended workspaces do not have openly visible sensitive documents and user computing sessions had been disabled after an established period of inactivity.

We have an Access Control policy in place that specifies how to manage access control to all system components and sensitive information in the organization. Policies governing acceptable use or access to subscriber data and metadata is included in the Caseware privacy policy (https://www.caseware.com/privacy-statement/). Caseware collects, uses and discloses information only for the following purposes:

• To verify your identity
• To provide you with the Caseware Cloud Services
• To contact you for the purposes of product information, service updates, billing notifications, or notifications relating to the Caseware Cloud Services
• To monitor and/or improve system usage, server and software performance
• To assist with technical support issues
• To comply with any laws, regulations, court orders, subpoenas or other legal process of investigation and to protect CWC, its Affiliates and other individuals from harm
• To improve and enhance CWC Service offerings

Policies and procedures have been established to store and manage identity information about every person who accesses the production cloud infrastructure and to determine their level of access. Access control policies and procedures have been established, and supporting business processes and technical measures implemented, for restricting user access as per defined segregation of duties to address business risks associated with a user-role conflict of interest. The access control repository is managed by the provider. We use a privileged identity manager and password management system.

Access to, and use of, audit tools that interact with production cloud environment is segmented and restricted to prevent compromise and misuse of log data. User access to diagnostic and configuration ports are restricted to authorized individuals and applications.

Controls are in place to ensure only approved software is installed within the production cloud infrastructure.

Access to the organization’s own developed applications, program, or object source code, or any other form of intellectual property (IP), and use of proprietary software is controlled following the rule of least privilege based on job function as per established user access policies and procedures.

Caseware Cloud Service requires password authentication to access the base system. Once in the system, users must be assigned security roles to perform additional operations and access certain content. With security roles, you can control who has access to what content. Your organization is responsible for developing appropriate security policies around passwords and security roles using the security features provided in Caseware Cloud. Caseware provides access to clients, who then control their own users and administrative accounts, including provisioning and de-provisioning. Two-factor authentication is employed. User access is authorized and revalidated quarterly, to ensure the rule of least privilege based on job function. For identified access violations, remediation activities are followed based on the established user access policies and procedures. Timely de-provisioning (revocation or modification) of user access to data or managed applications, infrastructure systems, and network components, has been implemented as per established policies and procedures and based on user’s change in status such as termination of employment or other business relationship, job change, or transfer. The provider manages service account provisioning and de-provisioning. Service account authentication utilizes multi-factor authentication.

Caseware Cloud deploys a SaaS-based endpoint detection and response security endpoint to all hosts within our infrastructure. All user, process, and network activity is collected and stored in the tamper-proof central location and analyzed in near real-time for suspicious behaviors as well as for manual forensics. Protection, retention, and lifecycle management of audit logs, adhere to applicable legal, statutory, or regulatory compliance obligations and provide unique user access accountability to detect potentially suspicious network behaviors and/or file integrity anomalies, that are required to support forensic investigative capabilities in the event of a security breach. Our tools have the capability to detect/prevent unauthorized or anomalous behavior based on network traffic or host activity. All authentication events, successful and failed, are logged.

Our production and non-production environments are separated to prevent unauthorized access or changes to information assets. Separation of the environments include logical separation and segregation of duties for personnel accessing these environments as part of their job duties.

Our production system and network environment is protected by centrally managed firewalls and ensures separation of production and non-production environments. Our production environment is designed, developed, deployed, and configured to ensure our operations team and clients user access is appropriately segmented from other client users, based on the following considerations:

• Established policies and procedures
• Isolation of business critical assets and/or sensitive user data and sessions that mandate stronger internal controls and high levels of assurance
• Compliance with legal, statutory, and regulatory compliance obligations

The production cloud infrastructure has a reliable and mutually agreed upon external time source that is used to synchronize the system clocks of all relevant information processing systems to facilitate tracing and reconstitution of activity timelines.

Policies and procedures have been implemented to ensure the consistent review of service agreements between providers and customers across the relevant supply chain. Reviews performed at least annually and identify non-conformance to established agreements. Any non-conformances are identified as actions to address service-level conflicts or inconsistencies.

Policies and procedures have been established, and supporting business processes and technical measures implemented, to prevent the execution of malware within the production cloud environment or end user devices and IT infrastructure network and system components. Policies and procedures have been established, and supporting processes and technical measures implemented, for timely detection of vulnerabilities within organizationally-owned or managed applications, infrastructure network and system components. We also perform ongoing application and code vulnerability evaluations of our products and have dual peer reviews of all code changes to ensure the efficiency of implemented security controls. Our risk management methodology is used for prioritizing remediation of identified vulnerabilities. Changes are managed through our defined change management process for all vendor-supplied patches, configuration changes, or changes to our applications. Our anti-malware solution is centrally managed and runs on all systems. The anti-malware solution includes mechanisms for detecting or preventing phishing. Malware signature updates are deployed within 1 day of release.