Achieve Effective Security Controls
View the list of frequently asked questions to learn how CaseWare reduces risk, secures proprietary information, and meets regulatory requirements.
Application & Interface Security
Our Software Development Life Cycle (SDLC) ensures that our applications and programming interfaces (APIs) are designed, deployed, and tested in accordance with leading industry standards - such as OWASP, ISO, and SOC - and adhere to legal, statutory, or regulatory compliance obligations.
You will be onboarded once all agreements and policies are accepted for usage of the service. You are responsible for ensuring your usage of CaseWare Cloud is in compliance with applicable laws and regulations.
Legal specifics can be found in the Cloud Services Agreement here: https://docs.caseware.com/latest/webapps/en/Setup/Licenses/CaseWare-Cloud-Services-Agreement.htm.
Our certifications and 3rd party attestations can be found here: https://www.caseware.com/cloud-security-compliance.
Our policies and procedures have been established and are maintained in support of data security to include confidentiality, integrity, and availability across multiple system interfaces, jurisdictions, and business functions to prevent improper disclosure, alteration, or destruction.
Our certifications and 3rd party attestations can be found here: https://www.caseware.com/cloud-security-compliance.
Audit Assurance and Compliance
Independent audits are conducted by registered 3rd parties as part of our compliance program for ISO 27001 and SOC 2 for our Cloud services. Our certifications and 3rd party attestations can be found here: https://www.caseware.com/cloud-security-compliance.
We also have an internal audit program, external penetration testing and regularly scheduled internal vulnerability testing. Vulnerability test results are shared with customers as outlined in the Client Initiated Testing Policy. The results of these processes are tracked through our improvements process.
The methodology and tools used to conduct penetration testing is tailored to each assessment for specific targets and attacker profiles.
SOC 2 reports are provided under NDA to clients.
Production data is stored on Amazon Web Services (AWS). The application handles logical separation of client data through database isolation. Data that is transferred to and from our service (including backups) is 100% encrypted over an SSL connection (AES-256-bit - the same strength used in online banking). Data transmission occurs between client and server, and databases. Controls are in place for secure and encrypted bulk data transfers. There are no email transmissions.
For more information on security, see: https://www.casewarecloud.com/security.html.
Our legal team monitors our regulatory obligations. Please refer to our Cloud Services agreement for legal requirements: https://docs.caseware.com/latest/webapps/en/Setup/Licenses/CaseWare-Cloud-Services-Agreement.htm.
Business Continuity Management and Operational Resilience
CaseWare has a consistent unified framework for business continuity planning and has established, documented, and adopted this to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements.
Requirements for business continuity plans include the following:
- Defined purpose and scope, aligned with relevant dependencies
- Accessible to and understood by those who will use them
- Owned by a named person(s) who is responsible for their review, update, and approval
- Defined lines of communication, roles, and responsibilities
- Detailed recovery procedures, manual work-around, and reference information
- Method for plan invocation.
Our business continuity and security incident response plans are tested at planned intervals or upon significant organizational or environmental changes. Incident response plans involve impacted customers (tenant) and other business relationships that represent critical intra-supply chain business process dependencies.
Our service is hosted on Amazon’s AWS and utilities services and environmental conditions (for example, water, power, temperature and humidity controls, telecommunications, and internet connectivity) are secured, monitored, maintained, and tested for continual effectiveness at planned intervals to ensure protection from unauthorized interception or damage, and are designed with automated failover or other redundancies in the event of planned or unplanned disruptions.
Our cloud service is completely virtual and hosted on Amazon Web Services (AWS). Amazon is also ISO and SOC2 compliant and responsible for restricting access to facilities housing the productions systems to authorized individuals. AWS is also responsible for environmental protection and preventative maintenance over production systems. AWS has published further details here: https://aws.amazon.com/compliance/data-center/controls.
These certifications address physical security, system availability, network and IP backbone access, customer provisioning and problem management. Physical access and environmental controls are managed and controlled by AWS. AWS physical protection assurance information can be found at: https://aws.amazon.com/compliance.
CaseWare has aligned our security program to ISO 27001 and we have business continuity processes in place to address disruptions to critical services. We monitor all cloud instances for performance and availability and incorporate the following:
- Identify critical products and services
- Identify all dependencies, including processes, applications, business partners, and third party service providers
- Understand threats to critical products and services
- Determine impacts resulting from planned or unplanned disruptions and how these vary over time
- Establish the maximum tolerable period for disruption
- Establish priorities for recovery
- Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption
- Estimate the resources required for resumption
Customers can see our real-time operational status at our status page here: https://caseware.statuspage.io/.
We maintain a central system for documentation and train all staff on processes. Procedures include change management, security processes, roles and responsibilities of internal users. Our procedures are updated on an as needed basis and revision histories are logged. Additionally, policies and procedures shall include defined roles and responsibilities supported by regular workforce training.
CaseWare maintains a records and retention policy for Cloud services. The retention policy is not client specific. Backup and recovery procedures are documented and daily alerts are sent to operations staff through automated alerts. Backup and recovery measures have been incorporated as part of business continuity planning and tested accordingly for effectiveness.
Change Control and Configuration Management
Change management controls have been established for any new development and/or acquisition of new data, physical or virtual applications, infrastructure network and systems components, or any corporate, operations and/or data center facilities have been pre-authorized by the organization’s business leadership or other accountable business role or function.
Our SDLC has a defined quality change control and testing process with established baselines, testing, and release standards which focus on system availability, confidentiality and integrity of systems and services.
Data Security and Information Lifecycle Management
CaseWare has policies and procedures and supporting business processes and technical measures in place to inventory and maintain data flows within the SaaS network and systems for each geographic location.
Controls are in place to ensure that data is placed in the geographic area determined by the client.
Subscriber data within the production cloud environment resides on two-tier architecture and is not directly accessible from the internet.
Data center Security
Our production infrastructure is completely hosted within Amazon’s AWS. AWS has SOC 2 reports, which are reviewed annually.
AWS governance processes can be found here: https://aws.amazon.com/compliance/.
Encryption and Key Management
Our cryptography policies and procedures are designed to support business process. Technical measures have been implemented based on business requirements for protection of data at rest and data in transit as per applicable legal, statutory, and regulatory compliance obligations.
Our cryptography policy requires all encryption keys to have identifiable owners within the organization. The cryptographic key lifecycle management ensures access controls are in place for secure key generation, exchange and storage, including segregation of keys used for encrypted data or sessions.
AWS is used as our key management platform.
Data stored at the server level (data-at-rest) is encrypted using the industry standard AES-256 algorithm. Data that is transferred to and from our service (data-in-transit) is encrypted via TLS with ephemeral key exchange and use industry-accepted strong cipher suites. Certificates use a minimum of 2048-bit key strength with SHA-2 or stronger signature algorithm.
Private keys are generated and stored in our secrets management systems. They are deployed and used on production systems as needed via our change control process.
Certificates are obtained through a reputable vendor and follow the built-in and industry standard renewal/rotation process based on expiry or revocation as needed.
Governance and Risk Management
Security risk assessments are completed at least annually and consider the following:
- Awareness of where sensitive data is stored and transmitted across applications, databases, servers, and network infrastructure
- Compliance with defined retention periods
- Data classification and protection from unauthorized use, access, loss, destruction, and falsification
We have implemented an Information Security Management System based on ISO 27001 and SOC 2 controls. Our ISMS includes the following areas insofar as they relate to the characteristics of the business:
- Information Security Policy (this document)
- Access Control Policy
- Availability Management
- Clean Desk Policy
- Cryptography Policy
- IS Supplier Management Policy
- Logging and Monitoring Policy
- Mobile Device Policy
- Network Security Policy
- Password Management Policy
- Patch Management Policy
- Software Policy
- Technical Vulnerability Management Policy
- Risk Assessment Methodology
- Malware, Email and ISMS Policy
- Internet Acceptable Use Policy
- Penetration Testing Policy
- Teleworking Policy
- Records Retention and Protection.
Department managers are responsible for maintaining awareness of, and complying with, security policies, procedures, and standards that are relevant to their area of responsibility.
Risk acceptance levels have been defined within the risk management methodology and all risks are mitigated to an acceptable level with reasonable resolution time frames and stakeholder approval.
Our information security policies and procedures are posted and available for review by all impacted staff and external business relationships. The Information Security Steering Committee is responsible for developing, maintaining, and enforcing our service’s information security policies. The information security policy is reviewed annually and approved by the Information Security Steering Committee.
Executive and line management provide support for information security through clearly documented direction and commitment, and shall ensure action has been assigned.
There is a senior member of management who is responsible for information security governance and operations, including protection of customer data - this role reports to the CFO.
Policy reviews are conducted annually by the Information Security Steering Committee or as a result of changes to the organization to ensure its continuing alignment with the security strategy, effectiveness, accuracy, relevance, and applicability to legal, statutory, or regulatory compliance obligations.
Formal risk assessments are performed annually and in conjunction with any changes to information systems to determine the likelihood and impact of all identified risks. The likelihood and impact associated with inherent and residual risk is determined independently, considering all risk categories based on audit results, threat and vulnerability analysis, and regulatory compliance.
Risk assessment results can include updates to security policies, procedures, standards, and controls to ensure that they remain relevant and effective.
The results of risk assessments are:
- Reported to senior management who then partake in a risk treatment process
- Updated in a risk register
- Prioritized based on possible impact to production systems
Our HR has a defined screening process for all staff. Background checks are performed on all staff who perform operational roles within the production cloud environment.
All staff are required to sign a confidentiality agreement prior to employment to ensure protection of client information for the protection of data.
Information security awareness training is provided during employee onboarding. Specific training is provided for developers on secure coding practices. Formal records are maintained for completion of internal staff training.
Employee terminations and position changes are initiated by department managers. Our HR team reviews these requests and submits the request through our ticketing system for de-provisioning and provisioning requirements.
Our HR team has an employee departure process to ensure all equipment is returned and accounts terminated to ensure that access to production environments is removed.
A security awareness training program has been established for all contractors, third-party users, and employees and is mandated. All individuals with access to confidential and restricted data receive appropriate awareness training and regular updates in organizational procedures, processes, and policies relating to their job function relative to the organization.
Roles and responsibilities of contractors, employees, and third-party users are documented as they relate to information assets and security.
User responsibilities are defined within job descriptions for all staff and they are made aware of their roles and responsibilities for:
- Maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations
- Maintaining a safe and secure working environment
- Report any suspicious activity if detected
We have a clear screen policy which requires that unattended workspaces do not have openly visible sensitive documents and user computing sessions had been disabled after an established period of inactivity.
Identity and Access Management
Infrastructure and Virtualization Security
CaseWare Cloud deploys a SaaS-based endpoint detection and response security endpoint to all hosts within our infrastructure. All user, process, and network activity is collected and stored in the tamper-proof central location and analyzed in near real-time for suspicious behaviors as well as for manual forensics. Protection, retention, and lifecycle management of audit logs, adhere to applicable legal, statutory, or regulatory compliance obligations and provide unique user access accountability to detect potentially suspicious network behaviors and/or file integrity anomalies, that are required to support forensic investigative capabilities in the event of a security breach.
Our tools have the capability to detect/prevent unauthorized or anomalous behavior based on network traffic or host activity. All authentication events, successful and failed, are logged.
Our production system and network environment is protected by centrally managed firewalls, including web application firewalls and ensures separation of production and non-production environments. Our production environment is designed, developed, deployed, and configured to ensure our operations team and clients user access is appropriately segmented from other client users, based on the following considerations:
- Established policies and procedures
- Isolation of business critical assets and/or sensitive user data and sessions that mandate stronger internal controls and high levels of assurance
- Compliance with legal, statutory, and regulatory compliance obligations
The production cloud infrastructure has a reliable and mutually agreed upon external time source that is used to synchronize the system clocks of all relevant information processing systems to facilitate tracing and reconstitution of activity timelines.
Supply Chain Management, Transparency, and Accountability
Policies and procedures have been implemented to ensure the consistent review of service agreements between providers and customers across the relevant supply chain. Reviews performed at least annually and identify non-conformance to established agreements. Any non-conformances are identified as actions to address service-level conflicts or inconsistencies.
Threat and Vulnerability Management
Policies and procedures have been established, and supporting business processes and technical measures implemented, to prevent the execution of malware within the production cloud environment or end user devices and IT infrastructure network and system components.
Policies and procedures have been established, and supporting processes and technical measures implemented, for timely detection of vulnerabilities within organizationally-owned or managed applications, infrastructure network and system components.
Our security test team performs on-going network vulnerability scans of both internal and external infrastructure using an industry-leading vulnerability scanner. We also perform ongoing application and code vulnerability evaluations of our products and have dual peer reviews of all code changes to ensure the efficiency of implemented security controls. Our risk management methodology is used for prioritizing remediation of identified vulnerabilities.
Changes are managed through our defined change management process for all vendor-supplied patches, configuration changes, or changes to our applications.
Our anti-malware solution is centrally managed and runs on all systems. The anti-malware solution includes mechanisms for detecting or preventing phishing. Malware signature updates are deployed within 1 day of release.
Make a selection to display content