| The ultimate workplace experience conference

The ultimate workplace
experience conference

Data Security Exhibit
Appspace Security Controls and Standards

Last updated on October 1, 2024

Contents Table

Appspace Security Overview

– Overview
– Background
– Security Program

Glossary of Terms
Appspace Information Security Controls and Standards

Appspace Security Overview

Overview

The Appspace platform is a content management workplace experience solution provided to customers in a SaaS model. The platform requires customers to initiate access and interact with the platform through uploading relevant content, data and files to display on their internal network display devices or other devices in their corporate environment.

The following controls identifies security controls Appspace has in place to protect the Confidentiality, Integrity and Availability of customer data; but additionally identifies security controls customers are required to enforce on systems, files, users and data interfacing with the Appspace platform. These controls are referred to a “Complementary User Entity Controls”.

Background

Appspace is currently SOC-2 Type II and ISO 27001:2022 compliant. We additionally have completed our CSA STAR Level 1 recognition; in addition to being Microsoft 365 certified the integration of our platform with specific Microsoft products.

Security Program

In order to maintain our ISO 27001:2022 certifications; we have built an Information Security Management Systems (ISMS) program across the organization. In addition to the ISO controls we adhere to; we additionally follow the NIST 800-53 Rev 4 guidelines to implement controls across our processes, people, systems and services. For additional information; please refer to the ISO/IEC 27001:2022 standard and the NIST 800-53 Rev 4 guidelines for a list of controls we adhere to under our security program. In 2024, Appspace will move to the new ISO 27001:2022 standard.

Appspace is audited by our third-party auditors as part of our security compliance program. For additional information, please refer to our Trust Page.

The controls listed in the security addendum are independently audited by a third party auditing firm to validate compliance across the ISO27xxx standards and SOC-2 Type 2.

Glossary of Terms

TermMeaning
Term ISMSMeaning Information Security Management System
Term PlatformMeaning Appspace Customer Environment
Term ConfidentialityMeaning Protects sensitive information from unauthorized access. It's similar to privacy, and includes methods to protect personal privacy and proprietary information
Term IntegrityMeaning Ensures that data is accurate and unchanged throughout its lifecycle. It also ensures that data is authentic and non-repudiable.
Term AvailabilityMeaning Ensures that authorized users have reliable and timely access to information. It involves maintaining the hardware and systems that store and display information.
Term SAMMMeaning Software Assurance Maturity Model
Term STRIDEMeaning Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege
Term ASVSMeaning Application Security Verification Standard

Appspace Information Security Controls and Standards

Control ObjectiveControl Explanation
Control Objective Information Security PoliciesControl Explanation Under the Appspace ISMS Program; Appspace has implemented a number of internal security policies to cover the security of the following areas:
  • People - Access Controls and Least Privileged Access
  • Systems Controls - These controls cover a broad range of policies and technical controls which are enforced. This will be described through the document
  • Inherited Controls - These controls are controls provided to us by our sub-service cloud provider or physical controls passed to us for our offices. No production data resides within Appspace’s offices.
  • Process Controls: These are controls documented in our Information Security policies which are in turn passed down to the appropriate technology teams to adhere to.
  • These policies and procedures contain confidential information and are only shared with our third-party auditors.
  • These policies are stored in accessible locations for the appropriate employees.
  • All policies are reviewed twice per year. One review is completed prior to our required internal audit and another review is completed prior to our numerous third-party audits.
  • The following control objectives refer to a specific policy and procedure under the ISMS program.

  • Policies are not shared externally.
Control Objective Internal Organization SecurityControl Explanation
  • All potential employees are required to successfully complete an employment, criminal and academic background check prior to commencing employment.
  • All new hire access is reviewed and approved based on their role and seniority. Appspace Security has the ability to deny the request for access to certain systems and create a custom role in order to adhere to our least privilege policy
  • Segregation of duties are enforced through both role-based access controls and least privileged access. An example would be software developers do not have access to make production changes.
  • All personnel employed by Appspace are required to use company owned devices where access is provisioned. If personal mobile devices are used then an MDM policy is enforced on the device.
  • Appspace security controls enable remote management of all devices connected to our systems.
Control Objective Information Security in Program ManagementControl Explanation
  • Appspace implements the Software Assurance Maturity Model as part of the development of our platform along with the STRIDE security model. In addition to these models, Appspace regularly performs internal penetration testing activities which map back to the ASVS standard to ensure we are securely developing, testing, remediating and maintaining the Confidentiality, Integrity and Availability of the platform
Control Objective Mobile Devices and TeleworkingControl Explanation Ensuring the security of mobile devices and teleworking personnel This is managed through policy and MDM enforcement across all devices accessing internal systems. Mobile devices are not permitted to access customer cloud tenants.
Control Objective Mobile Device PolicyControl Explanation This policy covers the management of employees' devices connecting to company internal assets. Mobile devices do not access customer tenant data.
Control Objective Physical securityControl Explanation No customer data is stored or processed through our office locations. Appspace offices are provided as an in-office option for our remote workforce. All employees are provided badges to enter their local office and building management addresses physical security controls like visitor check-in, building security, cameras and fire/safety controls.
Control Objective Human Resource SecurityControl Explanation All prospective employees are required to validate their right to work in the region they are hired in. Their previous work and/or academic experience. If permitted to do so by the country of employment, background checks are performed.
Control Objective Screening/OnboardingControl Explanation Background checks are performed for new hires, acknowledging the company handbook, signing our confidentiality agreement and successfully completing the security awareness training program are required processes to complete an individual's onboarding responsibilities.
Control Objective Terms and conditions of employmentControl Explanation This is handled through our confidentiality agreement, privacy policy and the company employee handbook
Control Objective During EmploymentControl Explanation During employment, employees are required to use company-owned devices to access internal systems. Employees are additionally required to review and sign the Appspace Internal Security Policy, the Appspace Employee Handbook and successfully complete their annual Security Awareness training. Employees in specific roles may be required to complete additional skill-based training like Privacy or OWASP Top 10 testing.
Control Objective Management responsibilitiesControl Explanation Appspace management requires all employees to undertake their assigned security awareness training on an annual basis. In addition, the Engineering teams undertake Secure Development education. The Appspace security team members are required to hold at least one security certification
Control Objective Information security awareness, education and trainingControl Explanation All new hires are required to successfully complete their security awareness training. On an annual basis, employees are required to successfully complete their security awareness training. In line with our ISO 27001 standards; all developers are required to successfully complete secure software development training (OWASP Top Ten). If applicable to their role and job function; employees are required to take additional privacy and other forms of training.
Control Objective Disciplinary processControl Explanation This process and policy is stated in the Appspace Employee handbook which all employees are required to review and agree to on an annual basis
Control Objective Termination or change of employment responsibilitiesControl Explanation As part of Appspace terms of employment and confidentiality agreement in the employee handbook, all ex-employees are required to return Appspace owned equipment which is tracked via an IT ticket and are required to keep Appspace information confidential. The IT ticket includes removing their access from all systems.
1) Access was removed or modified
2) Return company assets in the event of voluntary or involuntary leave.
Control Objective Asset ManagementControl Explanation Our internal asset management tracking system is reviewed on a regular basis and only admins have the ability to register assets.
Control Objective Responsibility for assetsControl Explanation Appspace IT Admins are responsible for ensuring our asset management is kept up to date. An internal audit is performed on these systems and our external audits require us to demonstrate how these systems maintain their integrity and keep up to date.
Control Objective Inventory of assetsControl Explanation Maintained through our asset management system.
Control Objective Ownership of assetsControl Explanation All assets are company owned/managed. Only company-owned assets access customer data. Non-managed devices have restricted access due to our MDM policy
Control Objective Acceptable use of assetsControl Explanation All employees are required to read and sign our Acceptable Use Policy within our Employee Handbook on an annual basis or upon hire.
Control Objective Return of assetsControl Explanation Inventory of assets to demonstrate they were returned to Sean and Jameson documented it before it was reimaged
Control Objective Information classificationControl Explanation Appspace has four levels of data classification where access to data is restricted through role-based access controls and DLP controls.
Control Objective Classification of informationControl Explanation Part of the Data Classification Policy
Control Objective Labeling of informationControl Explanation Managed by our DLP and Data Classification Policy
Control Objective Handling of assetsControl Explanation Data Classification Policy and Data Labels restrict access and use of data depending on its classification level.
Control Objective Management of removable mediaControl Explanation This is blocked for users who do not require it.
Control Objective Disposal of mediaControl Explanation Google Cloud Data Destruction processes are used to securely delete customer data. This is inline with NIST SP 800-88 standards.
Control Objective Access controlControl Explanation Access controls enforces logical and physical controls limiting access to information and resources based on an individual’s role and responsibilities.
Control Objective Business requirements of access controlControl Explanation All submitted IT tickets will include a business requirement and justification to permit an individual’s access to data
Control Objective User access managementControl Explanation Customize workflow and controls to management identity access management to data and systems.
Control Objective User registration and de-registrationControl Explanation Managed through the internal Identity Management System
Control Objective User access provisioningControl Explanation Managed through the internal Identity Management System
Control Objective Management of privileged access rightsControl Explanation Managed through the internal Identity Management System
Control Objective Management of secret authentication information of usersControl Explanation Managed through the internal Identity Management System
Control Objective User access provisioningControl Explanation Managed through the internal Identity Management System
Control Objective Management of privileged access rightsControl Explanation Managed through the internal Identity Management System
Control Objective Management of secret authentication information of usersControl Explanation Managed through the internal Identity Management System
Control Objective Review of user access rightsControl Explanation Managed through the internal Identity Management System and reviewed on a quarterly basis.
Control Objective Removal or adjustment of access rightsControl Explanation Managed through the internal Identity Management System and completed within 24 hours of a termination or an individual’s departure.
Control Objective User ResponsibilitiesControl Explanation Employee’s responsibilities are noted in internal policies and procedures. This information is not available for external distribution.
Control Objective Use of secret authentication informationControl Explanation Employee’s responsibilities are noted in internal policies and procedures. This information is not available for external distribution.
Control Objective System and application access controlControl Explanation Employee’s responsibilities are noted in internal policies and procedures. This information is not available for external distribution.
Control Objective Information access restrictionControl Explanation Managed and reviewed by both the Systems and Security teams
Control Objective Secure log-on proceduresControl Explanation Managed and reviewed by both the Systems and Security teams
Control Objective Password management systemControl Explanation Managed and reviewed by both the Systems and Security teams
Control Objective Access control to program source codeControl Explanation Managed through the internal Identity Management System and reviewed on a quarterly basis.
Control Objective CryptographyControl Explanation Accepted industry practices are used for cryptographic methods and protocols.
Control Objective Key managementControl Explanation A Key Management System is used to store sensitive information like certificates, cipher details and tokens as an example.
Control Objective Physical and environmental securityControl Explanation Key cards and third-party building management services secure office locations. Customer data is not stored or processed in our office locations.
Control Objective Change managementControl Explanation Change Management processes and approvals are in place prior to any data being promoted to production.
Control Objective Separation of development, testing and operational environmentsControl Explanation Separate networks for non-production and production environments. Non-production is segmented from customer environments.
Control Objective Protection from MalwareControl Explanation A globally managed anti-malware software is managed by the security team on all company owned devices.
Control Objective BackupControl Explanation Customer data is backed up at least every 4 hours
Control Objective Event loggingControl Explanation Security and Operational events are monitored and reviewed by our production support teams and security operation centers.
Control Objective Protection of log informationControl Explanation Google protects the logs from deletion
Control Objective Administrator and operator logsControl Explanation Logging is enabled
Control Objective Clock synchronizationControl Explanation Google manages UTC and Logging
Control Objective Management of technical vulnerabilitiesControl Explanation Appspace patches their production systems on a monthly basis. Security vulnerabilities identified with a CVSS of 9.0 or above is patched as soon as a vendor patch is made available.
Control Objective Network controlsControl Explanation Firewall rules in GCP and overview of segregated networks. IPS configuration.
Control Objective Security of network servicesControl Explanation Security controls, business requirements for security controls and risk assessment. Encryption at rest, Encryption in transit and risk assessment plan
Control Objective Agreements on information transferControl Explanation Defined in our Data Processing Addendum
Control Objective Confidentiality or non-disclosure agreementsControl Explanation Appspace NDA and Confidentiality Agreements and https://www.appspace.com/legal/
Control Objective Securing application services on public networksControl Explanation Encrypts data in transit - TLS 1.2 and 1.3
Control Objective Secure development policyControl Explanation Appspace leverages the Software Assurance Maturity Model for secure development and testing practices
Control Objective System change control proceduresControl Explanation Appspace leverages the Software Assurance Maturity Model for secure development and testing practices.
Control Objective Technical review of applications after operating platform changesControl Explanation Appspace leverages the Software Assurance Maturity Model for secure development and testing practices.
Control Objective Restrictions on changes to software packagesControl Explanation Appspace leverages the Software Assurance Maturity Model for secure development and testing practices.
Control Objective Secure system engineering principlesControl Explanation Appspace leverages the Software Assurance Maturity Model for secure development and testing practices.
Control Objective Secure development environmentControl Explanation Appspace leverages the Software Assurance Maturity Model for secure development and testing practices.
Control Objective System security testingControl Explanation Appspace leverages the Software Assurance Maturity Model for secure development and testing practices.
Control Objective System acceptance testingControl Explanation Appspace leverages the Software Assurance Maturity Model for secure development and testing practices.
Control Objective Production DataControl Explanation Production Data is not used or copied to test or development environments.
Control Objective Protection of Production DataControl Explanation Production Data access is protected by a series of role-based access controls for privileged accounts. This is based on a “need to know” principle.
Control Objective Information and communication technology supply chainControl Explanation Security Controls - Suppliers SOC-3 or IS027001 reports is reflective of how well the infrastructure and services are maintained to support the ISMS system
Control Objective Monitoring and review of supplier servicesControl Explanation Annually review the suppliers security audit reports - SOC-3 report
Control Objective Information security aspects of business continuity managementControl Explanation Appspace’ business continuity plan is tested annually to ensure it meets our RTO and SLAs.
Control Objective Management of information security incidents and improvementsControl Explanation Appspace tests its systems through an Incident Response Plan on an annual basis. All Lessons Learned and Action Items are completed within 90 days.
Control Objective Reporting information security eventsControl Explanation Upon discovery of an unauthorized access security event impacting customer data; Appspace will notify impacted parties within 72 hours upon discovery.
Control Objective Reporting information security eventsControl Explanation Communication is sent to Appspace personnel on a yearly basis to report potential security incidents, phishing events, suspicious emails or unauthorized access. The communication is sent to: Security@appspace.com
Control Objective Verify, review and evaluate information security continuityControl Explanation Appspace is audited on an annual basis by its third-party auditors to assure we have completed a Business Continuity Plan Test and a Disaster Recovery Test on an annual basis.
Control Objective Identification of applicable legislation and contractual requirementsControl Explanation Appspace follows legal and regulatory framework as applicable to the platform
Control Objective Privacy and protection of personally identifiable informationControl Explanation Appspace adheres and follows the General Data Protection Regulation standard along with the Data Privacy Framework standard
Control Objective Regulation of cryptographic controlsControl Explanation Appspace stores all data in an encrypted format using AES-256 Data Encryption Keys
Control Objective Independent review of information securityControl Explanation Appspace performs an annual SOC-2 Type II audit and Penetration Test . We have a roadmap of additional audits. We are independently audited by Microsoft as part of our Partner Certification standard.
Control Objective Technical compliance reviewControl Explanation Verify system consistency after a patch is applied or the instance is restarted.