Technical and Organizational Measures (TOMs)
Information Security | 2026
I. Overview
The security-related technical and organizational measures (TOMs) provided below apply to all product and technology services provided by ChannelEngine internally and externally.
II. Information Security Management System (ISMS)
ChannelEngine’s Information Security Management System (ISMS) consists of 5 security domains which cover all the required policies, processes, guidelines, best practices, and controls that ChannelEngine has identified as essential to develop, implement and adopt. The policies in the domains encompass the following areas:
- Identity and access management (IAM) policies
- Security & Risk management policies
- Security engineering and operational policies
- Software development policies
- Security assessment, testing and audit policies
- Security awareness and education policies
- BCM & DR policies
- Contractual, legal & privacy policies
All domains, including their controls, sub-controls and implementation plans, are explicitly described in ChannelEngine’s ISMS and security baseline.
1. Identity and access management
The identity and access management controls cover the logical and physical access activities regarding granting, revocation and alteration of access in accordance with the internally set access control matrix and access management principles including least privilege and role-based access control.
2. Security and risk management
Risk management is the foundation and trigger of all security activities within ChannelEngine. Security risks are actively addressed, controlled and mitigated in a timely manner in accordance with the risk treatment plan and the statement of applicability.
3. Security engineering and operations
ChannelEngine maintains a secure and well-designed system structure by setting proper privacy and security-by-design principles, properly managing cryptographic assets and implementing controls to ensure secure and smooth operations of the application and internal systems. The operations include logging and monitoring, incident management, change and configuration management and backup processes.
4. Software development security
ChannelEngine adopts secure software development methodologies, OWASP checks, secure development training, and secure open source software usage measures.
5. Security assessment, testing, auditing and reporting
ChannelEngine implements various control groups to ensure effectiveness of the ISMS and management oversight. In addition, the company implements testing activities including vulnerability scanning, penetration testing, code reviews and compliance attestation (e.g. ISO 27001:2022).
6. Security awareness and education
Employee awareness and continuous education are key activities in ChannelEngine. General security awareness training is provided to employees during onboarding and at regular intervals. Specialised security awareness training is also provided whenever the need arises. Human resource security development is facilitated in the form of an annual developmental budget.
7. Business continuity & Disaster recovery policies
ChannelEngine implements organizational and technological controls and measures to ensure prompt recovery and business continuity in the event that an incident leads to partial or total stoppage of operations that would hinder delivery of services and fulfillment of obligations and requirements to various stakeholders.
8. Contractual, legal & privacy policies
ChannelEngine implements organizational controls that cover data processing activities, contractual obligations and privacy. The controls include DPA, DPIA, NDAs and AI security measures.
ChannelEngine implements organizational controls required to ensure effectiveness of the company’s ISMS.
