Step-by-step paths and how-to user guides to turn any novice into an Appspace pro
Check out Appspace’s planned product releases, vote for your favorites, or submit a new feature request
Last updated on October 1, 2024
Contents Table
Appspace Security Overview
– Overview
– Background
– Security Program
Glossary of Terms
Appspace Information Security Controls and Standards
Overview
The Appspace platform is a content management workplace experience solution provided to customers in a SaaS model. The platform requires customers to initiate access and interact with the platform through uploading relevant content, data and files to display on their internal network display devices or other devices in their corporate environment.
The following controls identifies security controls Appspace has in place to protect the Confidentiality, Integrity and Availability of customer data; but additionally identifies security controls customers are required to enforce on systems, files, users and data interfacing with the Appspace platform. These controls are referred to a “Complementary User Entity Controls”.
Background
Appspace is currently SOC-2 Type II and ISO 27001:2022 compliant. We additionally have completed our CSA STAR Level 1 recognition; in addition to being Microsoft 365 certified the integration of our platform with specific Microsoft products.
Security Program
In order to maintain our ISO 27001:2022 certifications; we have built an Information Security Management Systems (ISMS) program across the organization. In addition to the ISO controls we adhere to; we additionally follow the NIST 800-53 Rev 4 guidelines to implement controls across our processes, people, systems and services. For additional information; please refer to the ISO/IEC 27001:2022 standard and the NIST 800-53 Rev 4 guidelines for a list of controls we adhere to under our security program. In 2024, Appspace will move to the new ISO 27001:2022 standard.
Appspace is audited by our third-party auditors as part of our security compliance program. For additional information, please refer to our Trust Page.
The controls listed in the security addendum are independently audited by a third party auditing firm to validate compliance across the ISO27xxx standards and SOC-2 Type 2.
| Term | Meaning |
|---|---|
| ISMS | Information Security Management System |
| Platform | Appspace Customer Environment |
| Confidentiality | Protects sensitive information from unauthorized access. It's similar to privacy, and includes methods to protect personal privacy and proprietary information |
| Integrity | Ensures that data is accurate and unchanged throughout its lifecycle. It also ensures that data is authentic and non-repudiable. |
| Availability | Ensures that authorized users have reliable and timely access to information. It involves maintaining the hardware and systems that store and display information. |
| SAMM | Software Assurance Maturity Model |
| STRIDE | Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege |
| ASVS | Application Security Verification Standard |
| Control Objective | Control Explanation |
|---|---|
| Information Security Policies | Under the Appspace ISMS Program; Appspace has implemented a number of internal security policies to cover the security of the following areas:
Policies are not shared externally. |
| Internal Organization Security |
|
| Information Security in Program Management |
|
| Mobile Devices and Teleworking | Ensuring the security of mobile devices and teleworking personnel This is managed through policy and MDM enforcement across all devices accessing internal systems. Mobile devices are not permitted to access customer cloud tenants. |
| Mobile Device Policy | This policy covers the management of employees' devices connecting to company internal assets. Mobile devices do not access customer tenant data. |
| Physical security | No customer data is stored or processed through our office locations. Appspace offices are provided as an in-office option for our remote workforce. All employees are provided badges to enter their local office and building management addresses physical security controls like visitor check-in, building security, cameras and fire/safety controls. |
| Human Resource Security | All prospective employees are required to validate their right to work in the region they are hired in. Their previous work and/or academic experience. If permitted to do so by the country of employment, background checks are performed. |
| Screening/Onboarding | Background checks are performed for new hires, acknowledging the company handbook, signing our confidentiality agreement and successfully completing the security awareness training program are required processes to complete an individual's onboarding responsibilities. |
| Terms and conditions of employment | This is handled through our confidentiality agreement, privacy policy and the company employee handbook |
| During Employment | During employment, employees are required to use company-owned devices to access internal systems. Employees are additionally required to review and sign the Appspace Internal Security Policy, the Appspace Employee Handbook and successfully complete their annual Security Awareness training. Employees in specific roles may be required to complete additional skill-based training like Privacy or OWASP Top 10 testing. |
| Management responsibilities | Appspace management requires all employees to undertake their assigned security awareness training on an annual basis. In addition, the Engineering teams undertake Secure Development education. The Appspace security team members are required to hold at least one security certification |
| Information security awareness, education and training | All new hires are required to successfully complete their security awareness training. On an annual basis, employees are required to successfully complete their security awareness training. In line with our ISO 27001 standards; all developers are required to successfully complete secure software development training (OWASP Top Ten). If applicable to their role and job function; employees are required to take additional privacy and other forms of training. |
| Disciplinary process | This process and policy is stated in the Appspace Employee handbook which all employees are required to review and agree to on an annual basis |
| Termination or change of employment responsibilities | As part of Appspace terms of employment and confidentiality agreement in the employee handbook, all ex-employees are required to return Appspace owned equipment which is tracked via an IT ticket and are required to keep Appspace information confidential. The IT ticket includes removing their access from all systems. 1) Access was removed or modified 2) Return company assets in the event of voluntary or involuntary leave. |
| Asset Management | Our internal asset management tracking system is reviewed on a regular basis and only admins have the ability to register assets. |
| Responsibility for assets | Appspace IT Admins are responsible for ensuring our asset management is kept up to date. An internal audit is performed on these systems and our external audits require us to demonstrate how these systems maintain their integrity and keep up to date. |
| Inventory of assets | Maintained through our asset management system. |
| Ownership of assets | All assets are company owned/managed. Only company-owned assets access customer data. Non-managed devices have restricted access due to our MDM policy |
| Acceptable use of assets | All employees are required to read and sign our Acceptable Use Policy within our Employee Handbook on an annual basis or upon hire. |
| Return of assets | Inventory of assets to demonstrate they were returned to Sean and Jameson documented it before it was reimaged |
| Information classification | Appspace has four levels of data classification where access to data is restricted through role-based access controls and DLP controls. |
| Classification of information | Part of the Data Classification Policy |
| Labeling of information | Managed by our DLP and Data Classification Policy |
| Handling of assets | Data Classification Policy and Data Labels restrict access and use of data depending on its classification level. |
| Management of removable media | This is blocked for users who do not require it. |
| Disposal of media | Google Cloud Data Destruction processes are used to securely delete customer data. This is inline with NIST SP 800-88 standards. |
| Access control | Access controls enforces logical and physical controls limiting access to information and resources based on an individual’s role and responsibilities. |
| Business requirements of access control | All submitted IT tickets will include a business requirement and justification to permit an individual’s access to data |
| User access management | Customize workflow and controls to management identity access management to data and systems. |
| User registration and de-registration | Managed through the internal Identity Management System |
| User access provisioning | Managed through the internal Identity Management System |
| Management of privileged access rights | Managed through the internal Identity Management System |
| Management of secret authentication information of users | Managed through the internal Identity Management System |
| User access provisioning | Managed through the internal Identity Management System |
| Management of privileged access rights | Managed through the internal Identity Management System |
| Management of secret authentication information of users | Managed through the internal Identity Management System |
| Review of user access rights | Managed through the internal Identity Management System and reviewed on a quarterly basis. |
| Removal or adjustment of access rights | Managed through the internal Identity Management System and completed within 24 hours of a termination or an individual’s departure. |
| User Responsibilities | Employee’s responsibilities are noted in internal policies and procedures. This information is not available for external distribution. |
| Use of secret authentication information | Employee’s responsibilities are noted in internal policies and procedures. This information is not available for external distribution. |
| System and application access control | Employee’s responsibilities are noted in internal policies and procedures. This information is not available for external distribution. |
| Information access restriction | Managed and reviewed by both the Systems and Security teams |
| Secure log-on procedures | Managed and reviewed by both the Systems and Security teams |
| Password management system | Managed and reviewed by both the Systems and Security teams |
| Access control to program source code | Managed through the internal Identity Management System and reviewed on a quarterly basis. |
| Cryptography | Accepted industry practices are used for cryptographic methods and protocols. |
| Key management | A Key Management System is used to store sensitive information like certificates, cipher details and tokens as an example. |
| Physical and environmental security | Key cards and third-party building management services secure office locations. Customer data is not stored or processed in our office locations. |
| Change management | Change Management processes and approvals are in place prior to any data being promoted to production. |
| Separation of development, testing and operational environments | Separate networks for non-production and production environments. Non-production is segmented from customer environments. |
| Protection from Malware | A globally managed anti-malware software is managed by the security team on all company owned devices. |
| Backup | Customer data is backed up at least every 4 hours |
| Event logging | Security and Operational events are monitored and reviewed by our production support teams and security operation centers. |
| Protection of log information | Google protects the logs from deletion |
| Administrator and operator logs | Logging is enabled |
| Clock synchronization | Google manages UTC and Logging |
| Management of technical vulnerabilities | Appspace patches their production systems on a monthly basis. Security vulnerabilities identified with a CVSS of 9.0 or above is patched as soon as a vendor patch is made available. |
| Network controls | Firewall rules in GCP and overview of segregated networks. IPS configuration. |
| Security of network services | Security controls, business requirements for security controls and risk assessment. Encryption at rest, Encryption in transit and risk assessment plan |
| Agreements on information transfer | Defined in our Data Processing Addendum |
| Confidentiality or non-disclosure agreements | Appspace NDA and Confidentiality Agreements and https://www.appspace.com/legal/ |
| Securing application services on public networks | Encrypts data in transit - TLS 1.2 and 1.3 |
| Secure development policy | Appspace leverages the Software Assurance Maturity Model for secure development and testing practices |
| System change control procedures | Appspace leverages the Software Assurance Maturity Model for secure development and testing practices. |
| Technical review of applications after operating platform changes | Appspace leverages the Software Assurance Maturity Model for secure development and testing practices. |
| Restrictions on changes to software packages | Appspace leverages the Software Assurance Maturity Model for secure development and testing practices. |
| Secure system engineering principles | Appspace leverages the Software Assurance Maturity Model for secure development and testing practices. |
| Secure development environment | Appspace leverages the Software Assurance Maturity Model for secure development and testing practices. |
| System security testing | Appspace leverages the Software Assurance Maturity Model for secure development and testing practices. |
| System acceptance testing | Appspace leverages the Software Assurance Maturity Model for secure development and testing practices. |
| Production Data | Production Data is not used or copied to test or development environments. |
| Protection of Production Data | Production Data access is protected by a series of role-based access controls for privileged accounts. This is based on a “need to know” principle. |
| Information and communication technology supply chain | Security Controls - Suppliers SOC-3 or IS027001 reports is reflective of how well the infrastructure and services are maintained to support the ISMS system |
| Monitoring and review of supplier services | Annually review the suppliers security audit reports - SOC-3 report |
| Information security aspects of business continuity management | Appspace’ business continuity plan is tested annually to ensure it meets our RTO and SLAs. |
| Management of information security incidents and improvements | Appspace tests its systems through an Incident Response Plan on an annual basis. All Lessons Learned and Action Items are completed within 90 days. |
| Reporting information security events | Upon discovery of an unauthorized access security event impacting customer data; Appspace will notify impacted parties within 72 hours upon discovery. |
| Reporting information security events | Communication is sent to Appspace personnel on a yearly basis to report potential security incidents, phishing events, suspicious emails or unauthorized access. The communication is sent to: Security@appspace.com |
| Verify, review and evaluate information security continuity | Appspace is audited on an annual basis by its third-party auditors to assure we have completed a Business Continuity Plan Test and a Disaster Recovery Test on an annual basis. |
| Identification of applicable legislation and contractual requirements | Appspace follows legal and regulatory framework as applicable to the platform |
| Privacy and protection of personally identifiable information | Appspace adheres and follows the General Data Protection Regulation standard along with the Data Privacy Framework standard |
| Regulation of cryptographic controls | Appspace stores all data in an encrypted format using AES-256 Data Encryption Keys |
| Independent review of information security | Appspace performs an annual SOC-2 Type II audit and Penetration Test . We have a roadmap of additional audits. We are independently audited by Microsoft as part of our Partner Certification standard. |
| Technical compliance review | Verify system consistency after a patch is applied or the instance is restarted. |
© 2024 Appspace Inc. Appspace is a registered trademark of Appspace Inc. All rights reserved.
