Technical and Organizational Measures (TOMs)

Information Security | 2024

I. Overview

The security-related technical and organizational measures (TOMs) provided below apply to all product and technology services provided by ChannelEngine, internally and externally. These TOMs demonstrate the security measures and controls taken to protect ChannelEngine’s data. Evidence of the security measures implemented and maintained by ChannelEngine shall be provided in the form of up-to-date attestations, reports, or external and internal audits.


II. Information Security Management System (ISMS)

ChannelEngine’s Information Security Management System (ISMS) consists of 5 security domains which cover all the required policies, processes, guidelines, best practices, and controls that ChannelEngine has identified as essential to develop, implement, and adopt. Some of the policies in the domains are:

Security & Risk | Network Security | Security Audit | Identity & Access (IAM)
Asset Management | Security Testing | BCM & DR | Secure Development
Security Engineering | Security Operations | Legal & Privacy | Security Awareness

 

All domains, including their controls, sub-controls, and implementation plans, are explicitly described in ChannelEngine’s ISMS and Information Security Program.

1. Security and Risk Management

Risk management is the foundation and trigger of all security activities within ChannelEngine; security risks are actively addressed, controlled, and mitigated in a timely manner. In addition, technical measures like password management and organizational controls like acceptable use and clean desk policies are strictly implemented.

2. Asset Management

Asset management oversees the management and classification of ChannelEngine’s information assets such as infrastructure assets, endpoints, and mobile devices.

3. Security Engineering

ChannelEngine maintains a secure and well-designed system structure, setting proper privacy-by-design and security-by-design principles, and properly managing cryptography controls.

4. Communication and Network Security

ChannelEngine implements multiple security measures to cover various network security aspects, including but not limited to network, endpoints, firewalls, email systems, hardening, cloud platform, data security, and patching controls.

5. Identity and Access Management

The access management controls cover logical access activities in terms of granting, revocation, and alteration, according to an internally set RBAC matrix.

6. Security Testing

Security testing activities in ChannelEngine include vulnerability scanning, penetration testing, code reviews, and compliance attestations (e.g. ISO27001).

7. Security Operations

ChannelEngine implements multiple controls to ensure secure and smooth operation of its application and internal systems, including logging and monitoring, incident management, change and configuration management, and backup.

8. Software Development Security

ChannelEngine adopts secure software development methodologies, OWASP checks, and open source software usage measures.

9. Security Awareness and Training

Awareness is a key activity in ChannelEngine: we provide regular security training during employee onboarding, side by side with continuous awareness for current employees.

10. Business Continuity and Disaster Recovery

ChannelEngine ensures its business continuity when a crisis leads to a partial or total stoppage of ChannelEngine’s operations.

11. Legal and Privacy

Organizational controls that cover DPA, DPIA, NDAs, contracts security, and regulatory requirements fulfilment.

12. Audit and Reporting

This domain covers the basic organizational controls required to ensure the effectiveness of ChannelEngine’s ISMS and management oversight of the ongoing security activities.

 

 
