Technical and Organizational Measures (TOMs)
Information Security | 2023
The security-related technical and organizational measures (TOMs) provided below apply to all product and technology services provided by ChannelEngine internally, and externally. Those TOMs demonstrate the security measures and controls taken to protect ChannelEngine’s data. Evidence of the security measures implemented and maintained by ChannelEngine shall be proved in terms of up-to-date attestations, reports, or external and internal audits.
II. Information Security Management System (ISMS)
ChannelEngine’s Information Security Management System (ISMS) consists of 12 security domains which cover all the required policies, processes, guidelines, best practices, and controls that ChannelEngine has identified as essential to develop, implement, and adopt. These domains are:
|Security & Risk||Network Security||Security Audit||Identity & Access (IAM)|
|Asset Management||Security Testing||BCM & DR||Secure Development|
|Security Engineering||Security Operations||Legal & Privacy||Security Awareness|
All domains, including their controls, sub-controls, and their implementation plans are explicitly described in ChannelEngine’s ISMS, and Information Security Program.
1. Security and Risk Management
Risk Management is the foundation and trigger of the entire security activities within ChannelEngine, security risks are actively addressed, controlled, and mitigated in timely manner. In addition, technical measures like password management and organizational controls like acceptable use and clean desk policies are strictly implemented.
2. Asset Management
Asset management oversees the management and classification of ChannelEngine’s information assets such as infrastructure assets, endpoints, and mobile devices.
3. Security Engineering
ChannelEngine maintains a secure and well designed system structure, setting proper privacy and security by design principles, and properly managing cryptography controls.
4. Communication and Network Security
ChannelEngine has been implementing multiple security measures to cover various network security aspects including but not limited to: Network, endpoints, firewalls, email systems, hardening, cloud platform, data security, and patching controls.
5. Identity and Access Management
The Access Management controls cover the logical access activities in terms of granting, revocation, and alteration, according to internally set RBAC matrix.
6. Security Testing
Security testing activities in ChannelEngine includes vulnerability scanning, penetration testing, code reviews, and compliance attestations (e.g. ISO27001).
7. Security Operations
ChannelEngine implements multiple controls to ensure secure and smooth operation of its application and internal systems, including logging and monitoring, incident management, change and configuration management, and backup.
8. Software Development Security
ChannelEngine adopts secure software development methodologies, OWASP checks, and open source software usage measures.
9. Security Awareness and Training
Awareness is a key activity in ChannelEngine, we provide regular security training during employees onboarding side by side with continuous awareness to the current employees.
10. Business Continuity and Disaster Recovery
ChannelEngine ensures its business continuity when a crisis leads to a partial/total stoppage of ChannelEngine’s operations.
11. Legal and Privacy
Organizational controls that cover DPA, DPIA, NDAs, contracts security, and regulatory requirements fulfilment.
12. Audit and Reporting
This domain covers the basic organizational controls required to ensure the effectiveness of ChannelEngine’s ISMS and management oversight on the ongoing security activities.