Pok a i n f osec tea m ca n b e r ea ch ed v i a e- ma i l ... · PDF filePoka Responses to Cloud Security Alliance Consensus Assessments Initiative Questionnaire 2 Introduction T

Poka infosec team can be reached via e-mail at: [email protected]

240-214 Av. St-Sacrement, Québec QC, Canada G1N 3X6 1 844 310 POKA

mailto:[email protected]

Poka Responses to Cloud Security Alliance Consensus Assessments Initiative Questionnaire 1

Introduction 2

Poka Responses to CSA CAIQ V3.0.1 3 Application and Interface Security: Controls AIS-01 through AIS-04 3 Audit Assurance and Compliance: Controls AAC-01 through AAC-03 6 Business Continuity Management and Operational Resilience: Controls BCR-01 through BCR-11 9 Change Control and Configuration Management: Controls CCC-01 through CCC-05 13 Data Security: Controls DSI-01 through DSI-07 16 Encryption and Key Management: Controls EKM-01 through EKM-05 23 Governance and Risk Management: Controls GRM-01 through GRM-11 25 Human Ressources: Controls HRS-01 through HRS-11 29 Identity and Access Management: Controls IAM-01 through IAM-13 34 Infrastructure and Virtualization: Controls IVS-01 through IVS-13 40 Interoperability and Portability: Controls IPY-01 through IPY-05 46 Mobile Security: Controls MOS-01 through MOS-20 47 Security Incident Management: Controls SEF-01 through SEF-05 51 Supply Chain Management: Controls STA-01 through STA-09 54 Threat and Vulnerability Management: Controls TVM-01 through TVM-03 57



Introduction The Cloud Security Alliance (CSA) is a nonprofit organization led by a broad coalition of industry practitioners, corporations, and other important stakeholders. It is dedicated to defining best practices to help ensure a more secure cloud computing environment, and to helping potential cloud customers make informed decisions when selecting a cloud vendor. The CSA Consensus Assessments Initiative Questionnaire (CAIQ) v3.0.1 provides a comprehensive set of questions that customers can use to evaluate the depth / breadth of cloud vendors’’ security, privacy, and compliance processes. Poka infosec team has compiled responses to all 294 questions in the questionnaire. This document will be a valuable resource for understanding how Poka meets and exceeds the requirements set forth by CSA.

If you require any further information, feel free to contact us.

In this document, Salesforce provides detailed information about how the Company helps fulfill the applicable security, privacy, compliance, and risk management requirements defined by the Cloud Security Alliance’s (CSA) Cloud Control Matrix (CCM). The CSA is a not-for-profit, member-driven organization of leading industry practitioners,with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. CSA is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders.

The CSA CCM is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that gives detailed understanding of security and privacy concepts and principles that are aligned to the Cloud Security Alliance guidance in 16 domains. It also serves to provide a mapping of Salesforce’s controls to industry-accepted security standards, regulations, and controls frameworks that we comply with such as ISO 27001/27002, PCI, and NIST.



Poka Responses to CSA CAIQ V3.0.1 Application and Interface Security: Controls AIS-01 through AIS-04

Control Group

CID Consensus Assessment Questions

Poka Response

Application & Interface Security Application Security

AIS-01.1 Do you use industry standards (Build Security in Maturity Model [BSIMM] benchmarks, Open Group ACS Trusted Technology Provider Framework, NIST, etc.) to build in security for your Systems/Software Development Lifecycle (SDLC)?

The Poka Secure Development Lifecycle (PSDL) was designed to ensure that security and privacy is an integral part of the development and delivery process. Here’s an overview of some the security and quality assurance practices: requirements identification (including security, privacy, compliance requirements), requirements review, design reviews , development controls (i.e. static analysis, code reviews), automated and manual testing, automated vulnerability scans, and deployment controls.

AIS-01.2 Do you use an automated source code analysis tool to detect security defects in code prior to production?

Automated source code analysis performed on the code prior to release in production to detect security defects and improve the code quality.

AIS-01.3 Do you use manual source-code analysis to detect security defects in code prior to production?

Both automated and manual strategies are employed. We utilize a peer review process combined with secure development training to ensure code entering the review cycle is of a high quality.

AIS-01.4 Do you verify that all of your software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security?

Poka does not outsource software development of its SaaS Application. We review all software supplier to determine whether the vendor meets requirements for security, availability, and confidentiality.

AIS-01.5 (SaaS only) Do you review At Poka, we conduct automated



your applications for security vulnerabilities and address any issues prior to deployment to production?

vulnerability scans of the infrastructure, operating systems, applications, application dependencies on an ongoing basis (weekly) and manual scans to validate vulnerabilities reported by the automated scans. We have a weekly process to review any reported vulnerabilities and take action against them.

Application & Interface Security Customer Access Requirements

AIS-02.1 Are all identified security, contractual, and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets, and information systems?

Poka uses a wide variety of security controls (administrative, technical and physical) to avoid, detect, counteract or minimize the security risks to our service and our customer data. Customer data submitted to Poka SaaS by Poka’s customers (“Customer Data”) is managed by the customer in their use of the Poka SaaS.

As such, Poka customers retain responsibility to ensure their use of our services is in compliance with applicable laws and regulations. More details on our terms of services and policies are available upon request.

AIS-02.2 Are all requirements and trust levels for customers’ access defined and documented?

Customers manage their organization's own access privileges within their Poka instance.

The organization administrators are appointed by the customer and are responsible for managing users, assets and permissions.

Application & Interface Security Data Integrity

AIS-03.1 Are data input and output integrity routines (i.e., reconciliation and edit checks) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data?

Data integrity controls are in place to prevent manual or systematic processing errors, corruption of data or misuse. Backups are available if and when required for restoring data in the event of data corruption.



Application & Interface Security Data Security / Integrity

AIS-04.1 Is your Data Security Architecture designed using an industry standard (e.g., CDSA, MULITSAFE, CSA Trusted Cloud Architectural Standard, FedRAMP, CAESARS)?

The Poka Data Security Architecture was designed to incorporate the industry best practices. The Architecture is designed to balance the need for flexibility and agility with the need for robust controls ensuring the confidentiality, integrity, and availability of our customers' data.



Audit Assurance and Compliance: Controls AAC-01 through AAC-03

Audit Assurance & Compliance Audit Planning

AAC-01.1 Do you produce audit assertions using a structured, industry accepted format (e.g., CloudAudit/A6 URI Ontology, CloudTrust, SCAP/CYBEX, GRC XML, ISACA's Cloud Computing Management Audit/Assurance Program, etc.)?

Poka does not currently use any of the listed assertion formats.

Audit Assurance & Compliance Independent Audits

AAC-02.1 Do you allow tenants to view your SOC2/ISO 27001 or similar third-party audit or certification reports?

Our ISMS is based on the ISO 27001 standard. However, we are not currently pursuing ISO 27001 or SOC 2 certifications. Our goal at Poka is to remain focus on securing our SaaS and protecting our customers data.

Our IaaS provider (Amazon Web Services) provides third-party attestations, certifications, Service Organization Controls (SOC) reports and other relevant compliance reports under NDA.

The AWS ISO 27001 certification can be downloaded here.

The AWS SOC reports can be downloaded here.

AAC-02.2 Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?

Poka's Security Team uses a combination of automated and manual vulnerability scanning/exploitation tools to evaluate our SaaS infrastructure and application on an ongoing basis. Poka mandates a third-party security firm to perform authenticated and non-authenticated penetration testing against Poka SaaS infrastructure and application. The third party penetration testing is performed annually and an

AAC-02.3 Do you conduct application penetration tests of your cloud infrastructure regularly as prescribed by industry best practices and guidance?


https://d0.awsstatic.com/whitepapers/compliance/soc3_amazon_web_services.pdf

http://d0.awsstatic.com/certifications/iso_27001_global_certification.pdf


attestation of completion is available upon request.

AAC-02.4 Do you conduct internal audits regularly as prescribed by industry best practices and guidance?

Poka's Audit Program is under development.

AAC-02.5 Do you conduct external audits regularly as prescribed by industry best practices and guidance?


AAC-02.6 Are the results of the penetration tests available to tenants at their request?

The third party penetration testing is performed annually and an attestation of completion is available upon request.

AAC-02.7 Are the results of internal and external audits available to tenants at their request?


AAC-02.8 Do you have an internal audit program that allows for cross-functional audit of assessments?


Audit Assurance & Compliance Information System Regulatory Mapping

AAC-03.1 Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data?

Data is encrypted in transit using Transport Layer Security (TLS) Data is encrypted at rest using 256-bit AES, one of the strongest block ciphers available. Furthermore, to ensure a strong customer data and process isolation, each customer gets a dedicated instance of the Poka application, a segregated database and data stores.

AAC-03.2 Do you have capability to recover data for a specific customer in the case of a failure or data loss?

Data snapshots or backups can be recovered for a specific customer. Poka's DevOps team can restore or recover data on a per-customer basis.

AAC-03.3 Do you have the capability to restrict the storage of customer data to specific countries or geographic locations?

We are currently hosting Poka SaaS along with our customer data in data centers of Amazon Web Services (AWS) in the United States, the leading Infrastructure as a Service (IaaS) provider.



We understand that you may have restrictions on where your data may be processed, hosted. Our SaaS infrastructure was designed to address these restrictions, we plan on hosting Poka SaaS in other countries in the near future. If your organization is based in the EU/EEA, we are able to process the personal data of your employees in compliance with EU Directive 95/46/EC for the transfer of personal data to processors established in third countries. Poka offers customers EU Standard Contractual Clauses that provide specific contractual guarantees around transfers of personal data to our Poka SaaS.

AAC-03.4 Do you have a program in place that includes the ability to monitor changes to the regulatory requirements in relevant jurisdictions, adjust your security program for changes to legal requirements, and ensure compliance with relevant regulatory requirements?

We at Poka continuously monitor our legal and regulatory obligations to make sure that we remain in compliance.



Business Continuity Management and Operational Resilience: Controls BCR-01 through BCR-11

Business Continuity Management & Operational Resilience Business Continuity Planning

BCR-01.1 Do you provide tenants with geographically resilient hosting options?

Poka SaaS infrastructure leverages for resiliency, three availability zones within the AWS US-East region (Virginia) and three availability zones within AWS US-West 2 region (Oregon). AMAZON AWS Availability Zones are several independent data centers distributed in a geographical region.

BCR-01.2 Do you provide tenants with infrastructure service failover capability to other providers?

N/A

Business Continuity Management & Operational Resilience Business Continuity Testing

BCR-02.1 Are business continuity plans subject to test at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness?

Poka's business continuity plan is focused on the continuation of our corporate and customer success functions. From a Poka SaaS perspective: Every aspect of the Poka SaaS is managed as code (app. code, inf. code, configuration), this enables us to easily instantiate a new Poka SaaS when required. We test on a regular basis our ability to recover the Production environment in our DR site.

Business Continuity Management & Operational Resilience Power / Telecommunications

BCR-03.1 Do you provide tenants with documentation showing the transport route of their data between your systems?

Customer data is always transported between customer’s corporate network and their instance of Poka over secure communication channels using Transport Layer Security (TLS).

BCR-03.2 Can tenants define how their data is transported and through which legal jurisdictions?

Detailed Internal Data flow are documented and maintained by our DevOps and Security teams and general data flow (functional level details) are available to customers upon request. We at Poka continuously monitor our legal, regulatory and contractual obligations to make sure that we remain in compliance.



Business Continuity Management & Operational Resilience Documentation

BCR-04.1 Are information system documents (e.g., administrator and user guides, architecture diagrams, etc.) made available to authorized personnel to ensure configuration, installation and operation of the information system?

Poka maintains information system and configuration documentation and make it available to the authorized personnel.

Business Continuity Management & Operational Resilience Environmental Risks

BCR-05.1 Is physical protection against damage (e.g., natural causes, natural disasters, deliberate attacks) anticipated and designed with countermeasures applied?

Our IaaS provider (Amazon Web Services) implements a wide variety of countermeasures and controls to mitigate these risks. More information can be found at: https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf

Business Continuity Management & Operational Resilience Equipment Location

BCR-06.1 Are any of your data centers located in places that have a high probability/occurrence of high-impact environmental risks (floods, tornadoes, earthquakes, hurricanes, etc.)?


Business Continuity Management & Operational Resilience Equipment Maintenance

BCR-07.1 If using virtual infrastructure, does your cloud solution include independent hardware restore and recovery capabilities?

Not applicable. (Poka is a Software as a Service)

BCR-07.2 If using virtual infrastructure, do you provide tenants with a capability to restore a Virtual Machine to a previous state in time?

BCR-07.3 If using virtual infrastructure, do you allow virtual machine images to be downloaded and ported to a new cloud provider?



BCR-07.4 If using virtual infrastructure, are machine images made available to the customer in a way that would allow the customer to replicate those images in their own off-site storage location?

BCR-07.5 Does your cloud solution include software/provider independent restore and recovery capabilities?

BCR-08.1 Are security mechanisms and redundancies implemented to protect equipment from utility service outages (e.g., power failures, network disruptions, etc.)?


Business Continuity Management & Operational Resilience Impact Analysis

BCR-09.1 Do you provide tenants with ongoing visibility and reporting of your operational Service Level Agreement (SLA) performance?

We monitor all customer instances of Poka and we do provide a monthly SLA report to the customers with whom we have enhanced performance targets. Poka does not currently report security metrics to customers. However, we will provide to our customer upon request an attestation of the penetration test conducted by a third party security firm.

BCR-09.2 Do you make standards-based information security metrics (CSA, CAMM, etc.) available to your tenants?

BCR-09.3 Do you provide customers with ongoing visibility and reporting of your SLA performance?

Business Continuity Management & Operational Resilience Policy

BCR-10.1 Are policies and procedures established and made available for all personnel to adequately support services operations’ roles?

Policies, procedures and work instructions are maintained by Poka to ensure that consistent processes are followed in the management and support of the Poka Services. These documents are available to all authorized personnel required to perform Operations functions.

Business Continuity Management

BCR-11.1 Do you have technical control capabilities to

Retention: Customer data is retained as long as your



& Operational Resilience Retention Policy

enforce tenant data retention policies?

organization subscription is maintained. Poka will make your data accessible for retrieval for a period of 60 days after the end of your subscription to give you time to retrieve your data. After this 60 days period, Poka will disable the account and all copies of your data will securely deleted.

BCR-11.2 Do you have a documented procedure for responding to requests for tenant data from governments or third parties?

Poka will not disclose customer data to law enforcement unless required by law. Should law enforcement contact Poka with a demand for customer data, Poka will attempt to redirect the law enforcement agency to request that data directly from our customer. If compelled to disclose customer data to law enforcement, then Poka will promptly notify our customer and provide a copy of the demand, unless legally prohibited from doing so.

BCR-11.4 Have you implemented backup or redundancy mechanisms to ensure compliance with regulatory, statutory, contractual or business requirements?

Customer data is backed up every hour and also replicated in near-real time at the designated secondary Amazon AWS Region. Backups are performed without stopping access to the application. Customer data is always transmitted over a secure communication channel and encrypted at rest.

BCR-11.5 Do you test your backup or redundancy mechanisms at least annually?

Restores are also done on a periodic basis for testing purposes.



Change Control and Configuration Management: Controls CCC-01 through CCC-05

Change Control & Configuration Management New Development / Acquisition

CCC-01.1 Are policies and procedures established for management authorization for development or acquisition of new applications, systems, databases, infrastructure, services, operations and facilities?

POKA has defined policies for formal authorisation of new development and software purchase and acquisition. Development or acquisition of new applications, systems, databases, infrastructure, services, operations and facilities is reviewed and authorized by the management team.

CCC-01.2 Is documentation available that describes the installation, configuration and use of products/services/features?

Poka has detailed change control and configuration management processes, and procedures in place which are documented. These documents are updated on an as-needed basis and revision histories are maintained.

Change Control & Configuration Management Outsourced Development

CCC-02.1 Do you have controls in place to ensure that standards of quality are being met for all software development?

Poka has standard processes in place for internal software development, testing, quality assurance and release. We also maintain a peer review system where multiple senior or lead developers review all pull requests to master repos. Vulnerability tests are also performed on the infrastructure and the application weekly basis.

CCC-02.2 Do you have controls in place to detect source code security defects for any outsourced software development activities?

Poka does not outsource software development of its SaaS Application.

Change Control & Configuration Management Quality Testing

CCC-03.1 Do you provide your tenants with documentation that describes your quality assurance process?

Poka has standard processes in place for internal software development, testing, quality assurance and release. These documents are deemed confidential. The full contents of the policy can be reviewed during an onsite visit as appropriate.



CCC-03.2 Is documentation describing known issues with certain products/services available?

Known issues are documented in our Issue Tracking system.

CCC-03.3 Are there policies and procedures in place to triage and remedy reported bugs and security vulnerabilities for product and service offerings?

Poka identifies, reports, and corrects bugs and vulnerabilities through its quality assurance, incident response, vulnerability management and configuration management processes. Software updates to correct flaws are tested throughout the Poka Secure Development Lifecycle (PSDL) and release management processes.

CCC-03.4 Are mechanisms in place to ensure that all debugging and test code elements are removed from released software versions?

Prior to release to production, software code is inspected and reviewed during the quality assurance phase to ensure it is consistent with the approved build release. We are also employing automated code scanning and vulnerability scanners to identify flaws and weaknesses in software. The identified flaws and vulnerabilities are formally tracked and remediated.

Change Control & Configuration Management Unauthorized Software Installations

CCC-04.1 Do you have controls in place to restrict and monitor the installation of unauthorized software onto your systems?

The deployment of infrastructure resources, application code, third party packages, libraries or software are all managed as code. All updates are reviewed for unauthorized changes through our Secure Software Development Lifecycle (SSDL) change and release management processes. We never install software in the production environment once they are deployed, everything is managed through the Poka Secure Development Lifecycle (PSDL) . Our servers are built at deploy time and never altered afterwards, they are decommissioned and replaced by a new one through our PSDL.

Change Control &

CCC-05.1 Do you provide tenants with documentation that

We have documented Poka production change management



Configuration Management Production Changes

describes your production change management procedures and their roles/rights/responsibilities within it?

procedures. However, these documents are deemed confidential.



Data Security: Controls DSI-01 through DSI-07

Data Security & Information Lifecycle Management Classification

DSI-01.1 Do you provide a capability to identify virtual machines via policy tags/metadata (e.g., tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country)?

All Poka customer instances and their associated data storage are tracked, and can only be live in their designated location.

DSI-01.2 Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (e.g., TXT/TPM, VN-Tag, etc.)?

Poka maintains an inventory of all production assets. Our Amazon AWS systems are not tracked at a hardware level due to the nature of the service.

DSI-01.3 Do you have a capability to use system geographic location as an authentication factor?

Restrictions based on IP addresses (reflecting geographic locations) have been implemented. GeoIP rules can be broad or specific to as single user.

DSI-01.4 Can you provide the physical location/geography of storage of a tenant’s data upon request?

Yes, Poka's IaaS partner (Amazon Web Services) data centres and services are located in two US States (Oregon and Virginia). We plan on expanding to other regions and countries in the near future.

DSI-01.5 Can you provide the physical location/geography of storage of a tenant's data in advance?

Yes, Poka's IaaS partner (Amazon Web Services) data centres and services are located in two US States (Oregon and Virginia). We plan on expanding to other regions and countries in the near future.

DSI-01.6 Do you follow a structured data-labeling standard (e.g., ISO 15489, Oasis XML Catalog Specification, CSA data type guidance)?

Poka has a data classification policy in place. Data is classified into four general categories: Public, Internal, Highly Confidential, and Restricted Customer data.

DSI-01.7 Do you allow tenants to define acceptable geographical locations for

Yes, Poka understands that your organization may have restrictions on where your data can be processed and stored.



data routing or resource instantiation?

Poka offers only US-based data residency at this time. However, we plan on expanding to other regions and countries in the near future to address our customers data residency requirements.

Data Security & Information Lifecycle Management Data Inventory / Flows

DSI-02.1 Do you inventory, document, and maintain data flows for data that is resident (permanent or temporary) within the services' applications and infrastructure network and systems?

Internally, Poka tracks data flows and network connectivity among its SaaS infrastructure.

DSI-02.2 Can you ensure that data does not migrate beyond a defined geographical residency?

Poka offers only US-based data residency at this time. However, we plan on expanding to other regions and countries in the near future to address our customers data residency requirements.

Data Security & Information Lifecycle Management

DSI-03.1 Do you provide open encryption methodologies (3.4ES, AES, etc.) to tenants in order for them to protect their data if it is required to move through public networks (e.g., the Internet)?

All data for our services is encrypted in transit using TLS to protect it from unauthorised disclosure or modification. Poka We enforce the use of strong ciphers for the TLS as per AWS recommendation. The list of authorized ciphers are updated on a regular basis.

DSI-03.2 Do you utilize open encryption methodologies any time your infrastructure components need to communicate with each other via public networks (e.g., Internet-based replication of data from one environment to another)?

All data for our services is encrypted in transit using TLS and IPSec to protect it from unauthorised disclosure or modification.


DSI-04.1 Are policies and procedures established for labeling, handling and the security of data and objects that contain data?

Poka has a data classification policy in place. Data is classified into four general categories: Public, Internal, Highly Confidential, and Restricted Customer Data. All customer data falls in the Restricted Customer Data category. Poka has a Customer Data



handling work instruction that governs how the customer data can be accessed be accessed and handled.

DSI-04.2 Are mechanisms for label inheritance implemented for objects that act as aggregate containers for data?

Data is classified in line with the Information Classification Policy, and controls implemented based on that. Label inheritance is implied through the controls being effectively applied.


DSI-05.1 Do you have procedures in place to ensure production data shall not be replicated or used in non-production environments?

Poka has information security policies prohibiting the use of production data in non-production environments.

Data Security & Information Lifecycle Management Ownership / Stewardship

DSI-06.1 Are the responsibilities regarding data stewardship defined, assigned, documented and communicated?

Poka SaaS assets have a designated owner who is responsible for asset classification and protection in accordance with classification.

Data Security & Information Lifecycle Management Secure Disposal

DSI-07.1 Do you support secure deletion (e.g., degaussing/cryptographic wiping) of archived and backed-up data as determined by the tenant?

Poka has a procedure for the secure deletion of customer data. A Poka DevOps team member will be assigned the task and will delete all your data: your database, file storage, backups, encryption keys and deprovisioning your instance of Poka. Poka will also provide you with a data destruction report signed by the system administrator who was responsible for the deletion, the report will be cosigned by the Head of Information Security who will ensure that the procedure was followed and confirm that all the data was deleted in accordance with the procedure. Our IaaS provider (Amazon Web Services) has a process for secure deletion and secure disposal of end of life equipment for our Poka



SaaS. AWS Security is detailed at https://aws.amazon.com/security/

DSI-07.2 Can you provide a published procedure for exiting the service arrangement, including assurance to sanitize all computing resources of tenant data once a customer has exited your environment or has vacated a resource?

When approved for deletion, the procedure outlined in DSI-07.1 is followed to delete customer data.



Datacenter Security: Controls DCS-01 through DCS-09

Datacenter Security Asset Management

DCS-01.1 Do you maintain a complete inventory of all of your critical assets that includes ownership of the asset?

Poka has implemented a formal policy that requires assets used to provide Poka services to be accounted for and have a designated asset owner. Asset owners are responsible for maintaining up-to-date information regarding their assets.

DCS-01.1 Do you maintain a complete inventory of all of your critical supplier relationships?

All critical supplier relationships are documented and reviewed at least annually or as changes occur to the relationship.

Datacenter Security Controlled Access Points

DCS-02.1 Are physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) implemented?

Our IaaS provider (Amazon Web Services) implements a wide variety physical and environmental controls. More information can be found at: https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf

Datacenter Security Equipment Identification

DCS-03.1 Is automated equipment identification used as a method to validate connection authentication integrity based on known equipment location?

Not applicable. (Poka provides a SaaS model based on an infrastructure provided by Amazon AWS.)

Datacenter Security Offsite Authorization

DCS-04.1 Do you provide tenants with documentation that describes scenarios in which data may be moved from one physical location to another? (e.g., offsite backups, business continuity failovers, replication)

Yes, we are totally transparent regarding data location and transfer. All Poka customer instances and their associated data storage are tracked, and can only live in their designated location (AWS Regions).

Datacenter Security Offsite equipment

DCS-05.1 Can you provide tenants with evidence documenting your policies and procedures governing asset management and repurposing of equipment?

Poka has a procedure for the secure deletion of customer data. A Poka system administrator will be assigned the task and will delete all your data: your database, file storage, backups, encryption keys and deprovisioning your instance of Poka. Poka will also provide you with a data destruction report signed by the system administrator who was



responsible for the deletion, the report will be cosigned by the Head of Information Security who will ensure that the procedure was followed and confirm that all the data was deleted in accordance with the procedure. Our IaaS provider (Amazon Web Services) has a process for secure deletion and secure disposal of end of life equipment for our Poka SaaS. AWS Security is detailed at https://aws.amazon.com/security/

Datacenter Security Policy

DCS-06.1 Can you provide evidence that policies, standards and procedures have been established for maintaining a safe and secure working environment in offices, rooms, facilities and secure areas?

Our Poka offices are guided by our Physical and Environmental Security Policy. Our IaaS provider (Amazon Web Services) has a policies, standards and procedures for secure offices, rooms, facilities and secure areas, AWS Security is detailed at https://aws.amazon.com/security/

DCS-06.2 Can you provide evidence that your personnel and involved third parties have been trained regarding your documented policies, standards and procedures?

All Poka employees take part in a security-training program, and are recipients of periodic security awareness updates. Security education is an on-going process and is conducted regularly in order to minimize risks. Poka also has nondisclosure provisions in our employee contracts.

Datacenter Security Secure Area Authorization

DCS-07.1 Do you allow tenants to specify which of your geographic locations their data is allowed to move into/out of (to address legal jurisdictional considerations based on where data is stored vs. accessed)?

We understand that you may have restrictions on where your data may be transferred, processed and stored. Our infrastructure was designed to address these restrictions, we plan on hosting Poka SaaS in other countries in the near future.

Datacenter Security Unauthorized Persons Entr

DCS-08.1 Are ingress and egress points, such as service areas and other points where unauthorized personnel may enter the premises, monitored, controlled and

Non Applicable. Poka doesn’t operate datacenters. Our IaaS provider (Amazon Web Services) implements a wide variety of controls to mitigate these risks.



isolated from data storage and process?

More information can be found at: https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf

Datacenter Security User Access

DCS-09.1 Do you restrict physical access to information assets and functions by users and support personnel?

Non Applicable. Poka doesn’t operate datacenters. Our IaaS provider (Amazon Web Services) implements a wide variety of controls to mitigate these risks. More information can be found at: https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf



Encryption and Key Management: Controls EKM-01 through EKM-05

Encryption & Key Management Entitlement

EKM-01.1 Do you have key management policies binding keys to identifiable owners?

Poka has a key management policy for effective key management to support encryption of data in storage and in transmission for the key components of the Poka SaaS. Currently, Poka manages all encryption keys for our customers. Poka use the Key Management Service from our IaaS provider (Amazon AWS)

Encryption & Key Management Key Generation

EKM-02.1 Do you have a capability to allow creation of unique encryption keys per tenant?

EKM-02.2 Do you have a capability to manage encryption keys on behalf of tenants?

EKM-02.3 Do you maintain key management procedures?

EKM-02.4 Do you have documented ownership for each stage of the lifecycle of encryption keys?

EKM-02.5 Do you utilize any third party/open source/proprietary frameworks to manage encryption keys?

Encryption & Key Management Encryption

EKM-03.1 Do you encrypt tenant data at rest (on disk/storage) within your environment?

Poka encrypts your data at rest using 256-bit AES, one of the strongest block ciphers available.

EKM-03.2 Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances?

Poka encrypts data in transit using Transport Layer Security (TLS).

EKM-03.3 Do you support tenant-generated encryption keys or permit tenants to encrypt data to an identity without access to a public key certificate (e.g., identity-based encryption)?

Poka does not currently allow customers to generate their own keys.

EKM-03.4 Do you have documentation establishing and defining your encryption

Poka has established Encryption Policy which defines Poka's encryption standards.



management policies, procedures and guidelines?

Encryption & Key Management Storage and Access

EKM-04.1 Do you have platform and data appropriate encryption that uses open/validated formats and standard algorithms?

All encryption used in Poka SaaS is based on open, validated and industry standard algorithms.

EKM-04.2 Are your encryption keys maintained by the cloud consumer or a trusted key management provider?

Poka takes care of the key management for its customers.

EKM-04.3 Do you store encryption keys in the cloud?

Poka use the Key Management Service from our IaaS provider (Amazon AWS)

EKM-04.4 Do you have separate key management and key usage duties?

Poka is responsible for the management of the keys. The keys are not exposed to customers, and therefore segregation does not apply.



Governance and Risk Management: Controls GRM-01 through GRM-11

Governance and Risk Management Baseline Requirements

GRM-01.1 Do you have documented information security baselines for every component of your infrastructure (e.g., hypervisors, operating systems, routers, DNS servers, etc.)?

Poka production servers and containers are validated, tested, scanned for vulnerabilities prior to deployment in the production environment.

GRM-01.2 Do you have a capability to continuously monitor and report the compliance of your infrastructure against your information security baselines?

The Poka SaaS Infrastructure is completely managed as code, we can query, audit and report anytime

GRM-01.3 Do you allow your clients to provide their own trusted virtual machine image to ensure conformance to their own internal standards?

Not applicable. (Poka is a Software as a Service based on an infrastructure provided by Amazon AWS.)

Governance and Risk Management Risk Assessments

GRM-02.1 Do you provide security control health data in order to allow tenants to implement industry standard Continuous Monitoring (which allows continual tenant validation of your physical and logical control status)?

Not applicable. (Poka provides a SaaS model based on an infrastructure provided by Amazon AWS.)

GRM-02.2 Do you conduct risk assessments associated with data governance requirements at least once a year?

Poka has performed risk assessments against our SaaS to evaluate risks associated with customer data. Poka does not currently provide this for external consumption.

Governance and Risk Management Management Oversight

GRM-03.1 Are your technical, business, and executive managers responsible for maintaining awareness of and compliance with security policies, procedures, and standards for both themselves and their employees as they pertain to the manager and

Poka provides periodic security security awareness training for all employees.



employees' area of responsibility?

Governance and Risk Management Management Program

GRM-04.1 Do you provide tenants with documentation describing your Information Security Management Program (ISMP)?

Poka can provide documentation describing the ISMP, which is aligned with ISO 27001, upon written request.

GRM-04.2 Do you review your Information Security Management Program (ISMP) least once a year?

We review our Information Security Management Program (ISMP) on an annual basis.

Governance and Risk Management Management Support / Involvement

GRM-05.1 Do you ensure your providers adhere to your information security and privacy policies?

Poka has a Vendor Management Program which requires recurring assessments, whether onsite or through a review of the vendor's compliance reports, dependent on their risk level.

Governance and Risk Management Policy

GRM-06.1 Do your information security and privacy policies align with industry standards (ISO-27001, ISO-22307, CoBIT, etc.)?

At Poka, our information security and privacy program is aligned to a number of industry 'best practice' information security and privacy standards: ISO-27001, 27017, 27018 standards, Cloud Security Alliance Controls, OWASP Best Practices

GRM-06.2 Do you have agreements to ensure your providers adhere to your information security and privacy policies?

Poka has contractual agreements in place with providers which requires them to adhere to certain security standards, set forth by Poka, which meet Poka's policies, where applicable.

GRM-06.3 Can you provide evidence of due diligence mapping of your controls, architecture and processes to regulations and/or standards?

Poka can provide upon request an overview of the our controls implemented, standards, certifications and regulations we comply with.

GRM-06.4 Do you disclose which controls, standards, certifications and/or regulations you comply with?

Poka can provide upon request an overview of the our controls implemented, standards, certifications and regulations we comply with.

Governance and Risk Management

GRM-07.1 Is a formal disciplinary or sanction policy established for employees who have

There is a disciplinary section included in our Poka HR Policy.



Policy Enforcement

violated security policies and procedures?

GRM-07.2 Are employees made aware of what actions could be taken in the event of a violation via their policies and procedures?

Poka's management team, and the head of HR reviews any policy or procedure violations in order to determine appropriate disciplinary actions pertaining to an incident.

Governance and Risk Management Business / Policy Change Impacts

GRM-08.1 Do risk assessment results include updates to security policies, procedures, standards and controls to ensure they remain relevant and effective?

Poka uses risk assessments as a method of understanding our unique threat profile. Where threats need to be addressed through controls, we revisit and update policies and procedures accordingly.

Governance and Risk Management Policy Reviews

GRM-09.1 Do you notify your tenants when you make material changes to your information security and/or privacy policies?

Poka's security policies are continuously reviewed and updated as necessary to address risks and/or changes in our environment. These changes are communicated to our customer as required.

GRM-09.1 Do you perform, at minimum, annual reviews to your privacy and security policies?

This is conducted as part of the annual security policy review.

Governance and Risk Management Assessments

GRM-10.1 Are formal risk assessments aligned with the enterprise-wide framework and performed at least annually, or at planned intervals, determining the likelihood and impact of all identified risks, using qualitative and quantitative methods?

Poka's Enterprise Risk Management (ERM) Program performs an annual risk assessment which incorporates likelihood and impact of identified risks using a qualitative method.

GRM-10.2 Is the likelihood and impact associated with inherent and residual risk determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance)?

Poka's Enterprise Risk Management (ERM) Program performs an annual risk assessment which incorporates likelihood and impact of identified risks using a qualitative method.

Governance and Risk Management

GRM-11.1 Do you have a documented, organization-wide program in place to manage risk?

Yes, our ERM is documented.



Program

GRM-11.2 Do you make available documentation of your organization-wide risk management program?

Poka does not make our enterprise risk management program documentation available publicly.



Human Ressources: Controls HRS-01 through HRS-11

Human Resources Asset Returns

HRS-01.1 Are systems in place to monitor for privacy breaches and notify tenants expeditiously if a privacy event may have impacted their data?

We have processes in place to ensure that all equipment is returned and accounts terminated, In addition, our DevOps and Security team have systems and processes in place to monitor for data breaches and notify tenants in the event that such a breach may have impacted their data. Our incident response plan includes specific procedures to notify affected customers of confirmed data breaches. If a privacy breach is identify in our incident management process. We will notify our customer without undue delay. We will also notify the authorities when required (where breach notification requirement exist in a jurisdiction)

HRS-01.2 Is your Privacy Policy aligned with industry standards?

Privacy Policy aligns with relevant statutory, regulatory and contractual requirements identified by Poka.

Human Resources Background Screening

HRS-02.1 Pursuant to local laws, regulations, ethics and contractual constraints, are all employment candidates, contractors and involved third parties subject to background verification?

All Poka employees are required to successfully complete a standard background check as part of the hiring process. Background checks may include but are not limited to review of information relating to a candidate's education, employment, and criminal history.

Human Resources Background Screening Human Resources Employment Agreements

HRS-03.1 Do you specifically train your employees regarding their specific role and the information security controls they must fulfill?

Poka provides information security and privacy training for new hires, and on an ongoing basis to all employees. In addition to this general information security and privacy training, more targeted training is provided for our DevOps, Support, Customer Success and



Professional Services teams.

HRS-03.2 Do you document employee acknowledgment of training they have completed?

Yes, we maintain formal records of completion of internal employee training.

HRS-03.3 Are all personnel required to sign NDA or Confidentiality Agreements as a condition of employment to protect customer/tenant information?

All Poka employees are required to sign an NDA.

HRS-03.4 Is successful and timed completion of the training program considered a prerequisite for acquiring and maintaining access to sensitive systems?

Employees must complete the security awareness training during their new hire orientation in order to obtain their access to sensitive systems.

HRS-03.5 Are personnel trained and provided with awareness programs at least once a year?

Poka maintains a 'continuous improvement' approach to information security awareness. We release new security awareness content on a least a bimonthly basis or in response to external and internal events to reinforce and highlight the importance of information security.

Human Resources Employment Termination

HRS-04.1 Are documented policies, procedures and guidelines in place to govern change in employment and/or termination?

Poka HR defines internal management responsibilities to be followed for termination and role change of employees.

HRS-04.2 Do the above procedures and guidelines account for timely revocation of access and return of assets?

HR will send notification to the security team for access revocation and company assets will be collected during the exit interview.

Human Resources Portable / Mobile Devices

HRS-05.1 Are policies and procedures established and measures implemented to strictly limit access to your sensitive data and tenant data from portable and mobile devices (e.g., laptops, cell phones and personal digital assistants (PDAs)), which are generally higher-risk than non-portable devices (e.g.,

Customers retain the control and responsibility of their data. It is the responsibility of the customer to manage mobile security devices and the access to the their data. We have a Customer Data handling work instruction that governs how the customer data can be accessed and handled by authorized Poka employees.



desktop computers at the provider organization’s facilities)?

Poka employees are provided laptops/iPads during onboarding. Access to the production environment is only permitted with corporate-owned devices. We also have a variety of controls in place to ensure the security of our customer’s data.

Human Resources Nondisclosure Agreements

HRS-06.1 Are requirements for non-disclosure or confidentiality agreements reflecting the organization's needs for the protection of data and operational details identified, documented and reviewed at planned intervals?

Poka assisted by our legal counsel manages and periodically revises the Poka NDA to reflect Poka business needs.

Human Resources Roles / Responsibilities

HRS-07.1 Do you provide tenants with a role definition document clarifying your administrative responsibilities versus those of the tenant?

Poka is available in a SaaS model. As such there is a clear delineation between the administrative responsibilities of Poka and our customers (in using the service including administering their organisational users and data). The administrative responsibilities of both parties are explained in detailed during the training and deployment.

Human Resources Acceptable Use

HRS-08.1 Do you provide documentation regarding how you may or access tenant data and metadata?

The operation of the Poka services requires that some authorized employees have access to the systems which process or store your data. However, these employees are prohibited from accessing your data unless it is necessary to do so. For example, in order to reproduce or diagnose a problem you are having with the Poka services, we may need to view your data. We have a customer data handling policy and associated work instruction that limit and control the access to your data. Furthermore, we have technical

HRS-08.2 Do you collect or create metadata about tenant data usage through inspection technologies (search engines, etc.)?

HRS-08.3 Do you allow tenants to opt out of having their data/metadata accessed via inspection technologies?



controls and audit policies in place to ensure that any access to your data is logged. All of our employees and contract personnel were screened prior their employment and bound to our policies regarding Customer Data.

Human Resources Training / Awareness

HRS-09.1 Do you provide a formal, role-based, security awareness training program for cloud-related access and data management issues (e.g., multi-tenancy, nationality, cloud delivery model segregation of duties implications and conflicts of interest) for all persons with access to tenant data?

Security awareness training which requires an acknowledgement to complete. It is provided to all employees at both onboarding and on an ongoing basis. Access issues related to the protection of customer data, and cloud security topics, are covered in this training.

HRS-09.2 Are administrators and data stewards properly educated on their legal responsibilities with regard to security and data integrity?

All devops, support, security employees are made aware of their responsibilities for maintaining the security, confidentiality, integrity and availability of customer data.

Human Resources User Responsibility

HRS-10.1 Are users made aware of their responsibilities for maintaining awareness and compliance with published security policies, procedures, standards and applicable regulatory requirements?

Poka has implemented various methods of internal communication to help employees understand their individual roles and responsibilities and to communicate significant events in a timely manner. HRS-10.2 Are users made aware of

their responsibilities for maintaining a safe and secure working environment?

HRS-10.3 Are users made aware of their responsibilities for leaving unattended equipment in a secure manner?

Human Resources Workspace

HRS-11.1 Do your data management policies and procedures address tenant and service level conflicts of interests?

Poka's policies and procedures have been created in support of customer service level requirements.



HRS-11.2 Do your data management policies and procedures include a tamper audit or software integrity function for unauthorized access to tenant data?

Poka's policies include provisioning access according to least privilege and monitoring production systems access for an unauthorized access to systems and/or data.

HRS-11.3 Does the virtual machine management infrastructure include a tamper audit or software integrity function to detect changes to the build/configuration of the virtual machine?

Poka images and containers are built via version controlled software repositories and are 'read only' preventing tampering. Once deployed in an environment no changes are allowed. We use an IDS to detect unauthorized changes to key files and folders.



Identity and Access Management: Controls IAM-01 through IAM-13

Identity & Access Management Audit Tools Access

IAM-01.1 Do you restrict, log and monitor access to your information security management systems? (E.g., hypervisors, firewalls, vulnerability scanners, network sniffers, APIs, etc.)

Poka restricts, logs and monitors access to our information security management systems. Logs are stored in a logically separate system and and are read only. Alerts are sent to the Security Team when specific actions or events are identified within the logs.

IAM-01.2 Do you monitor and log privileged access (administrator level) to information security management systems?

Poka restricts, logs and monitors privileged access to our security information and event management systems. Logs are stored in a logically separate system and and are read only. Alerts are sent to the Security Team when specific actions or events are identified within the logs.

Identity & Access Management User Access Policy

IAM-02.1 Do you have controls in place ensuring timely removal of systems access that is no longer required for business purposes?

Poka HR defines internal management responsibilities to be followed for termination and role change of employees to ensure system access is removed when no longer required for business purposes.

IAM-02.2 Do you provide metrics to track the speed with which you are able to remove systems access that is no longer required for business purposes?

Poka uses Active Directory (AD) to manage user accounts. Procedures are in place to disable AD accounts upon termination. The processes also covers access granted directly by other systems (not using our identity store.)

Identity & Access Management Diagnostic / Configuration Ports Access

IAM-03.1 Do you use dedicated secure networks to provide management access to your cloud service infrastructure?

Management access to our SaaS infrastructure is restricted to authorised individuals and connections through the use of dedicated site to site to IPSec VPN from our corporate network to our infrastructure on Amazon AWS.

Identity & Access Management

IAM-04.1 Do you manage and store the identity of all personnel who have access to the IT

At Poka, we maintain separate identity stores for our corporate system and our SaaS infrastructure.



Policies and Procedures

infrastructure, including their level of access?

Poka uses AWS IAM to manage user identities and access policies for our SaaS infrastructure. IAM-04.2 Do you manage and store

the user identity of all personnel who have network access, including their level of access?

Identity & Access Management Segregation of Duties

IAM-05.1 Do you provide tenants with documentation on how you maintain segregation of duties within your cloud service offering?

Poka enforces segregation of duties through user defined groups and access policies to minimize the risk of unintentional or unauthorized access or change to production systems. System access is restricted based on the user's job responsibilities.

Identity & Access Management Source Code Access Restriction

IAM-06.1 Are controls in place to prevent unauthorized access to your application, program or object source code, and assure it is restricted to authorized personnel only?

Access to our application, program or object source code is restricted to our devops and security teams. At Poka, we have a robust peer review system to ensure changes to source code are always reviewed.

IAM-06.2 Are controls in place to prevent unauthorized access to tenant application, program or object source code, and assure it is restricted to authorized personnel only?


Identity & Access Management Third Party Access

IAM-07.1 Do you provide multi-failure disaster recovery capability?

Our SaaS infrastructure was designed and optimized specifically to host our Poka application and has multiple levels of redundancy and disaster recovery capability built in.

IAM-07.2 Do you monitor service continuity with upstream providers in the event of provider failure?

We monitor our IaaS provider (Amazon AWS) to ensure service continuity.

IAM-07.3 Do you have more than one provider for each service you depend on?

Our critical dependency is limited to our IaaS provider (Amazon AWS). We follow AWS best practices to ensure the availability our our SaaS infrastructure. We also have the capability to recover in another AWS regions in the



event of a major outage. We also assessed the Amazon AWS own resilience and fault tolerance practices to ensure they meet our overall service delivery and continuity requirements.

IAM-07.4 Do you provide access to operational redundancy and continuity summaries, including the services you depend on?

Details of our operational continuity performance is available to customer with specific SLA objectives.

IAM-07.5 Do you provide the tenant the ability to declare a disaster?

Poka Disaster Recovery Plan requires authorized members of the Poka Disaster Recovery Team to declare a disaster. Customers do not have the ability to declare a disaster, customers may communicate service downtime to customer service.

IAM-07.6 Do you provided a tenant-triggered failover option?


IAM-07.7 Do you share your business continuity and redundancy plans with your tenants?

Poka’s DR/BCP documents are considered internal. However, Poka can provide a Business Continuity Overview and results of the most recent BC/DR exercises with customers, upon request.

Identity & Access Management User Access Restriction / Authorization

IAM-08.1 Do you document how you grant and approve access to tenant data?

Poka has established and documented a formal user provisioning processes within the Access Management Policy.

IAM-08.2 Do you have a method of aligning provider and tenant data classification methodologies for access control purposes?

Poka has established and defined a data classification methodologies and Poka classifies data into four categories: Public, Internal, Highly Confidential, and Restricted Customer data. Poka classifies all customer data into its most sensitive category "Restricted Customer Data". We wrote a data handling work instruction that governs how the customer data can be accessed be accessed and handled.



Identity & Access Management User Access Authorization

IAM-09.1 Does your management provision the authorization and restrictions for user access (e.g., employees, contractors, customers (tenants), business partners and/or suppliers) prior to their access to data and any owned or managed (physical and virtual) applications, infrastructure systems and network components?

Access to Poka’s assets are granted based on business justification, with the asset owner's authorization and limited based on "need-to- know" and "least-privilege" principles.

IAM-09.2 Do your provide upon request user access (e.g., employees, contractors, customers (tenants), business partners and/or suppliers) to data and any owned or managed (physical and virtual) applications, infrastructure systems and network components?

Poka uses a "need-to- know" and "least-privilege" approach to access provisioning.

Identity & Access Management User Access Reviews

IAM-10.1 Do you require at least annual certification of entitlements for all system users and administrators (exclusive of users maintained by your tenants)?

Poka performs periodic reviews of access permissions, the reviews include administrative accounts to development systems and tools and all our SaaS infrastructures including the production. These periodic access reviews carried out by Poka’s security team.

IAM-10.2 If users are found to have inappropriate entitlements, are all remediation and certification actions recorded?

Remediation activities will be captured through our incident management system. Our access provisioning systems also retains logs of access changes.

IAM-10.3 Will you share user entitlement remediation and certification reports with your tenants, if inappropriate access may have been allowed to tenant data?

Inappropriate access to customer data is treated as a security incident and managed through our incident management process, which includes customer notification provisions.

Identity & Access Management

IAM-11.1 Is timely deprovisioning, revocation or modification of user access to the organizations systems, information assets and data

We have processes in place to ensure that all equipment is returned and accounts terminated without undue delay.



User Access Revocation

implemented upon any change in status of employees, contractors, customers, business partners or involved third parties?

Poka uses Active Directory (AD) to manage user accounts. Procedures are in place to disable AD accounts upon termination. The processes also covers access granted directly by other systems (not using our identity store.) IAM-11.2 Is any change in user access

status intended to include termination of employment, contract or agreement, change of employment or transfer within the organization?

Identity & Access Management User ID Credentials

IAM-12.1 Do you support use of, or integration with, existing customer-based Single Sign On (SSO) solutions to your service?

Yes, Poka supports Federated authentication using the Security Assertion Markup Language (SAML v2.0)

IAM-12.2 Do you use open standards to delegate authentication capabilities to your tenants?

IAM-12.3 Do you support identity federation standards (SAML, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users?

IAM-12.4 Do you have a Policy Enforcement Point capability (e.g., XACML) to enforce regional legal and policy constraints on user access?

IAM-12.5 Do you have an identity management system (enabling classification of data for a tenant) in place to enable both role-based and context-based entitlement to data?

Our customers are responsible for managing user-level access control to their data.

IAM-12.6 Do you provide tenants with strong (multifactor) authentication options (digital certs, tokens, biometrics, etc.) for user access?

Multi-factor authentication is not currently available.



IAM-12.7 Do you allow tenants to use third-party identity assurance services?

No

IAM-12.8 Do you support password (minimum length, age, history, complexity) and account lockout (lockout threshold, lockout duration) policy enforcement?

Poka supports the enforcement of password complexity requirements. This is configurable by our customers in the administration section of their Poka instance.

IAM-12.9 Do you allow tenants/customers to define password and account lockout policies for their accounts?

No, we monitor suspicious login attempts and we will notify our customer of suspicious activities.

IAM-12.10 Do you support the ability to force password changes upon first logon?

Yes

IAM-12.11 Do you have mechanisms in place for unlocking accounts that have been locked out (e.g., self-service via email, defined challenge questions, manual unlock)?

Yes, requires a user with administrative privilege to reactivate a user account.

Identity & Access Management Utility Programs Access

IAM-13.1 Are utilities that can significantly manage virtualized partitions (e.g., shutdown, clone, etc.) appropriately restricted and monitored?

Access control to the Poka SaaS infrastructure is strictly controlled and monitored.

IAM-13.2 Do you have a capability to detect attacks that target the virtual infrastructure directly (e.g., shimming, Blue Pill, Hyper jumping, etc.)?

Not applicable. (Poka is a Software as a Service) Our IaaS provider (Amazon AWS) implements controls to mitigate these risks. For more information: http://aws.amazon.com/security. IAM-13.3 Are attacks that target the

virtual infrastructure prevented with technical controls?



Infrastructure and Virtualization: Controls IVS-01 through IVS-13

Infrastructure & Virtualization Security Audit Logging / Intrusion Detection

IVS-01.1 Are file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis and response to incidents?

For the Poka SaaS infrastructure, we use an IDS to detect unauthorized changes to key files and folders of servers and containers. We also forward all the logs to a our security information and event management.

IVS-01.2 Is physical and logical user access to audit logs restricted to authorized personnel?

Poka restricts ability to access audit logs to a limited number of authorized personnel.

IVS-01.3 Can you provide evidence that due diligence mapping of regulations and standards to your controls/architecture/processes has been done?

Poka evaluates pertinent regulations, standards and best practices for our operations on a regular basis. Our architecture, processes and controls follow a continuous improvement model.

IVS-01.4 Are audit logs centrally stored and retained?

We also forward all the logs to a our security information and event management.

IVS-01.5 Are audit logs reviewed on a regular basis for security events (e.g., with automated tools)?

Our security information and event management monitors audit log events for suspicious activities and alert the devops and security team for analysis and response. The raw audit logs are also used for post-incident investigation.

Infrastructure & Virtualization Security Change Detection

IVS-02.1 Do you log and alert any changes made to virtual machine images regardless of their running state (e.g., dormant, off or running)?

In the Poka SaaS infrastructure, individual containers don't have an image, when the container is initiated, an image is picked from a standard repository. We maintain on-going auditing for each of the images and provide for re-application of the images by our configuration tools when necessary. As a result, changes are not made to the virtual machine images.

IVS-02.2 Are changes made to virtual machines, or moving of an image and subsequent validation of the image's integrity, made immediately available to customers through electronic methods (e.g., portals or alerts)?



Infrastructure & Virtualization Security Clock Synchronization

IVS-03.1 Do you use a synchronized time-service protocol (e.g., NTP) to ensure all systems have a common time reference?

Poka uses standard internet time services.

Infrastructure & Virtualization Security Capacity / Resource Planning

IVS-04.1 Do you provide documentation regarding what levels of system (network, storage, memory, I/O, etc.) oversubscription you maintain and under what circumstances/scenarios?


IVS-04.2 Do you restrict use of the memory oversubscription capabilities present in the hypervisor?


IVS-04.3 Do your system capacity requirements take into account current, projected and anticipated capacity needs for all systems used to provide services to the tenants?

We monitor our Poka SaaS infrastructure on an ongoing basis and alerts are set up when metrics exceed predefined thresholds. Extra capacity can be provisioned in a matter of minutes.

IVS-04.4 Is system performance monitored and tuned in order to continuously meet regulatory, contractual and business requirements for all the systems used to provide services to the tenants?

Infrastructure & Virtualization Security Management - Vulnerability Management

IVS-05.1 Do security vulnerability assessment tools or services accommodate the virtualization technologies being used (e.g., virtualization aware)?

Not applicable. (Poka is a Software as a Service) The virtualization technologies are transparent to the Vulnerability tools that we utilize.

Infrastructure & Virtualization Security

IVS-06.1 For your IaaS offering, do you provide customers with guidance on how to create a layered security architecture




Network Security

equivalence using your virtualized solution?

IVS-06.2 Do you regularly update network architecture diagrams that include data flows between security domains/zones?

The Poka SaaS infrastructure is fully documented and managed as code. The zones (subnets), firewall rules, load balancers, IP restrictions, etc. are all managed and deployed using Amazon AWS Cloud formation. We are not able to share the detailed network architecture since this is proprietary information. We can however assure you that the data flows and network architecture was designed and align with industry best practices, including Amazon AWS security best practices.

IVS-06.3 Do you regularly review for appropriateness the allowed access/connectivity (e.g., firewall rules) between security domains/zones within the network?

Our Poka SaaS infrastructure has very little surface area that is exposed through the firewalls. We review firewall rules on a periodic basis. The performance of our load balancers, firewalls and other associated controls are also assessed regularly through our penetration testing program.

IVS-06.4 Are all firewall access control lists documented with business justification?

Every firewall rules are documented and reviewed as per our secure SDLC.

Infrastructure & Virtualization Security OS Hardening and Base Controls

IVS-07.1 Are operating systems hardened to provide only the necessary ports, protocols and services to meet business needs using technical controls (i.e. antivirus, file integrity monitoring and logging) as part of their baseline build standard or template?

Poka server images and containers are built with only the necessary ports, protocols and services and include logging, IDS. The build template are managed via version controlled software repositories.

Infrastructure & Virtualization Security

IVS-08.1 For your SaaS or PaaS offering, do you provide tenants with separate environments for production and test processes?

Typically, only the production environment is provided to our customers. However, a test environment can be made available to customer when required.



Production / Nonproduction Environments

IVS-08.2 For your IaaS offering, do you provide tenants with guidance on how to create suitable production and test environments?


IVS-08.3 Do you logically and physically segregate production and non-production environments?

Poka's non-production environments (corporate, development, demo, Pen Test, Test, Staging) are logically and/or physically separate from Poka's production environment.

Infrastructure & Virtualization Security Segmentation

IVS-09.1 Are system and network environments protected by a firewall or virtual firewall to ensure business and customer security requirements?

The Poka SaaS infrastructure a variety of controls to ensure the protection and isolation of the environments, servers, containers, subnets. The logical firewall, the Load Balancers, the network ACL, application routers all work together. This ensure that only authorized traffic from the internet, our corporate network and between servers are allowed.

IVS-09.2 Are system and network environments protected by a firewall or virtual firewall to ensure compliance with legislative, regulatory and contractual requirements?

IVS-09.3 Are system and network environments protected by a firewall or virtual firewall to ensure separation of production and non-production environments?

IVS-09.4 Are system and network environments protected by a firewall or virtual firewall to ensure protection and isolation of sensitive data?

Infrastructure & Virtualization Security VM Security - Data Protection

IVS-10.1 Are secured and encrypted communication channels used when migrating physical servers, applications or data to virtual servers?

Not applicable. (Poka is a Software as a Service) No physical-to-virtual migrations are undertaken.

IVS-10.2 Do you use a network segregated from production-level networks when migrating physical servers, applications or data to virtual servers?

Not applicable. (Poka is a Software as a Service) No physical-to-virtual migrations are undertaken.



Infrastructure & Virtualization Security VMM Security - Hypervisor Hardening

IVS-11.1 Do you restrict personnel access to all hypervisor management functions or administrative consoles for systems hosting virtualized systems based on the principle of least privilege and supported through technical controls (e.g., two-factor authentication, audit trails, IP address filtering, firewalls and TLS-encapsulated communications to the administrative consoles)?

Poka employs the concept of least privilege, allowing only the necessary access for authorized users to accomplish their job function. When user accounts are created, user accounts are created to have minimal access. Access above these least privileges requires an elevation of privileges. All accounts require two-factor authentication, management access is done over TLS or SSH on a site to site IPSec VPN connexion (Poka to AWS) and all access are logged in an audit trail.

Infrastructure & Virtualization Security Wireless Security

IVS-12.1 Are policies and procedures established and mechanisms configured and implemented to protect the wireless network environment perimeter and to restrict unauthorized wireless traffic?

Poka maintains a secure wireless network utilizing username and password authentication WPA2 Enterprise (802.1x with Radius authentication) that is tied to our corporate identity store. Guest and BYOD wireless network are isolated from the corporate network.

IVS-12.2 Are policies and procedures established and mechanisms implemented to ensure wireless security settings are enabled with strong encryption for authentication and transmission, replacing vendor default settings? (e.g., encryption keys, passwords, SNMP community strings)

Poka secure wireless network is configured with WPA2 Enterprise (802.1x with Radius authentication) and AES/CCMP encryption. The management server has be secured and all the logs are forward to a our security information and event management.

IVS-12.3 Are policies and procedures established and mechanisms implemented to protect wireless network environments and detect the presence of unauthorized (rogue) network devices for a timely disconnect from the network?

Infrastructure &

IVS-13.1 Do your network architecture diagrams clearly identify high-risk environments and data

Network architecture is documented clearly define boundaries and data flows between zones having different



Virtualization Security Network Architecture

flows that may have legal compliance impacts?

data classification, trust levels or compliance and regulatory requirements.

IVS-13.2 Do you implement technical measures and apply defense-in-depth techniques (e.g., deep packet analysis, traffic throttling and black-holing) for detection and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns (e.g., MAC spoofing and ARP poisoning attacks) and/or distributed denial-of-service (DDoS) attacks?

Poka uses firewall rules, ip whitelisting, ip geolocation, network ACLs, Web Application Firewalls, load balancers to prevent spoofed traffic and restrict incoming and outgoing traffic to our Poka SaaS infrastructure. The Poka network is segregated to separate customer traffic from management traffic.

Additionally, Poka has established automated controls to monitor and detect certain types of attacks.

DDoS capabilities are provided by our IaaS Provider (Amazon AWS)



Interoperability and Portability: Controls IPY-01 through IPY-05

Interoperability & Portability APIs

IPY-01 Do you publish a list of all APIs available in the service and indicate which are standard and which are customized?

Poka will make available upon request the documentation and access to its Restful API.

Interoperability & Portability Data Request

IPY-02 Is unstructured customer data available on request in an industry-standard format (e.g., .doc, .xls, or .pdf)?

Any data our customers upload to our Poka SaaS platform can be exported either in JSON or in a standard format (images, videos)

Interoperability & Portability Policy & Legal

IPY-03.1 Do you provide policies and procedures (i.e. service level agreements) governing the use of APIs for interoperability between your service and third-party applications?

Refer to the documentation of our Restful API..

IPY-03.2 Do you provide policies and procedures (i.e. service level agreements) governing the migration of application data to and from your service?

Customer will be able to retrieve their data using the Poka Restful API and a command line tool for your photos and videos.

Interoperability & Portability Standardized Network Protocols

IPY-04.1 Can data import, data export and service management be conducted over secure (e.g., non-clear text and authenticated), industry accepted standardized network protocols?

All communication are encrypted in transit using Transport Layer Security (TLS).

IPY-04.2 Do you have documented custom changes made to any hypervisor in use, and all solution-specific virtualization hooks available for customer review?




Mobile Security: Controls MOS-01 through MOS-20

Mobile Security Anti-Malware

MOS-01 Do you provide anti-malware training specific to mobile devices as part of your information security awareness training?

Anti-malware training related to mobile devices is specifically included in our security awareness training program.

Mobile Security Application Stores

MOS-02 Do you document and make available lists of approved application stores for mobile devices accessing or storing company data and/or company systems?

Poka has established a Bring Your Own Device Policy which addresses security and acceptable use of mobile devices (phones, tablets, etc.). Poka employees must adhere to the terms and conditions set forth our BYOD Policy in order to connect their devices to the company network. Employee BYOD devices can be used to access corporate resources such as: email, calendars, contacts, and documents. Employees can install applications as needed for business and personal uses. BYOD devices are prohibited from accessing Poka's production environment. We operate a heavily cloud based IT environment and as such provide a suite of cloud-based applications to our employees. All corporate owned device are managed by a Mobile Device Management Solution. BYOD devices are required to have encrypted block-level storage encryption and a lock screen password. All devices accessing Poka’s SaaS infrastructure are managed through corporate directory.

Mobile Security Approved Applications

MOS-03 Do you have a policy enforcement capability (e.g., XACML) to ensure that only approved applications and those from approved application stores be loaded onto a mobile device?

Mobile Security Approved Software for BYOD

MOS-04 Does your BYOD policy and training clearly state which applications and applications stores are approved for use on BYOD devices?

Mobile Security Awareness and Training

MOS-05 Do you have a documented mobile device policy in your employee training that clearly defines mobile devices and the accepted usage and requirements for mobile devices?

Mobile Security Cloud Based Services

MOS-06 Do you have a documented list of pre-approved cloud based services that are allowed to be used for use and storage of company business data via a mobile device?

Mobile Security Compatibility

MOS-07 Do you have a documented application validation process for testing device, operating system and application compatibility issues?



Mobile Security Device Eligibility

MOS-08 Do you have a BYOD policy that defines the device(s) and eligibility requirements allowed for BYOD usage?

Mobile Security Device Inventory

MOS-09 Do you maintain an inventory of all mobile devices storing and accessing company data which includes device status (os system and patch levels, lost or decommissioned, device assignee)?

Mobile Security Device Management

MOS-10 Do you have a centralized mobile device management solution deployed to all mobile devices that are permitted to store, transmit, or process company data?

Mobile Security Encryption

MOS-11 Does your mobile device policy require the use of encryption for either the entire device or for data identified as sensitive enforceable through technology controls for all mobile devices?

Yes, we enforce encryption on all corporate owned devices.

Mobile Security Jailbreaking and Rooting

MOS-12.1 Does your mobile device policy prohibit the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting)?

Our Policies forbids jailbroken or rooted devices.

MOS-12.2 Do you have detective and preventative controls on the device or via a centralized device management system which prohibit the circumvention of built-in security controls?

Poka has a sanctions policy which addresses obligations to comply with company policy (including security policies). At a technical level, all corporate owned device are managed by a Mobile Device Management Solution.

Mobile Security Legal

MOS-13.1 Does your BYOD policy clearly define the expectation of privacy, requirements for litigation, e-discovery and legal holds?

Not applicable. e-Discovery and legal holds can be performed directly on our cloud services.



MOS-13.2 Do you have detective and preventative controls on the device or via a centralized device management system which prohibit the circumvention of built-in security controls?

Poka has a sanctions policy which addresses obligations to comply with company policy (including security policies). At a technical level, all corporate owned device are managed by a Mobile Device Management Solution.

Mobile Security Lockout Screen

MOS-14 Do you require and enforce via technical controls an automatic lockout screen for BYOD and company owned devices?

We have detailed the requirement in policy and It is enforced for all corporate owned devices and BYOD devices are managed by a Mobile Device Management Solution.

Mobile Security Operating Systems

MOS-15 Do you manage all changes to mobile device operating systems, patch levels and applications via your company's change management processes?

BYOD devices are managed by the end-users. All corporate owned device are managed by a Mobile Device Management Solution and updates are applied either by the employees or by our MDM.

Mobile Security Passwords

MOS-16.1 Do you have password policies for enterprise issued mobile devices and/or BYOD mobile devices?

Password policies are detailed in our Password policy documentation.

MOS-16.2 Are your password policies enforced through technical controls (i.e. MDM)?

Poka has a sanctions policy which addresses obligations to comply with company policy. All corporate owned devices and BYOD devices are managed by a Mobile Device Management Solution and password policies are enforced.

MOS-16.3 Do your password policies prohibit the changing of authentication requirements (i.e. password/PIN length) via a mobile device?

Mobile Security Policy

MOS-17.1 Do you have a policy that requires BYOD users to perform backups of specified corporate data?

Poka's BYOD Policy addresses the responsibility of employees to backup their devices. Corporate data, within corporate applications, is backed up, where applicable, by Poka’s IT team.

MOS-17.2 Do you have a policy that requires BYOD users to prohibit the usage of

Our BYOD policy recommends the use of known / approved application stores.



unapproved application stores?

MOS-17.3 Do you have a policy that requires BYOD users to use anti-malware software (where supported)?

We recommend that BYOD users install anti-malware software when applicable.

Mobile Security Remote Wipe

MOS-18.1 Does your IT provide remote wipe or corporate data wipe for all company-accepted BYOD devices?

All corporate owned devices and BYOD devices are managed by a Mobile Device Management Solution and support remote wipe.

MOS-18.2 Does your IT provide remote wipe or corporate data wipe for all company-assigned mobile devices?

Mobile Security Security Patches

MOS-19.1 Do your mobile devices have the latest available security-related patches installed upon general release by the device manufacturer or carrier?

Company-owned devices are updated via MDM. Ou policy requires that BYOD devices are kept upto date on security-related patches.

MOS-19.2 Do your mobile devices allow for remote validation to download the latest security patches by company IT personnel?

All corporate owned devices are managed by a Mobile Device Management Solution and support remote installation of security patches.

Mobile Security Users

MOS-20.1 Does your BYOD policy clarify the systems and servers allowed for use or access on the BYOD-enabled device?

Poka's BYOD Policy addresses the corporate services that can be accessed with a BYOD device.

MOS-20.2 Does your BYOD policy specify the user roles that are allowed access via a BYOD-enabled device?

User roles are defined at the our corporate services level and access to corporate data is enforced there.



Security Incident Management: Controls SEF-01 through SEF-05

Security Incident Management, E-Discovery & Cloud Forensics Contact / Authority Maintenance

SEF-01.1 Do you maintain liaisons and points of contact with local authorities in accordance with contracts and appropriate regulations?

Poka liaises with external counsel, security and privacy organizations, and industry associations where appropriate to help ensure security and privacy compliance.

Poka cooperates with local authorities in all jurisdictions in which it operates as required by law or contract.

Security Incident Management, E-Discovery & Cloud Forensics Incident Management

SEF-02.1 Do you have a documented security incident response plan?

Poka has developed robust processes to facilitate a coordinated response to incidents if one was to occur (in alignment to the ISO 27001 standard). A security event may include, among other things loss of availability, unauthorized access resulting in loss, disclosure or alteration of data. The process follows the following phases: Identification of declaration of a potential incident Assign an incident severity Investigation and diagnosis Containment Eradication Recovery Collection of evidence (as required) Communication Lessons Learned

SEF-02.2 Do you integrate customized tenant requirements into your security incident response plans?

Poka will promptly notify the customer in the event of any security breach of the service resulting in an actual or reasonably suspected unauthorized disclosure of customer data.



SEF-02.3 Do you publish a roles and responsibilities document specifying what you vs. your tenants are responsible for during security incidents?

Poka makes available a responsibilities document for security incidents.

SEF-02.4 Have you tested your security incident response plans in the last year?

We have exercised our incident management process via live incident activity. We maintain a continuous improvement approach to optimising our response capabilities. After a high severity incident has been resolved, the original incident ticket is closed and a post-incident review process is initiated. Poka performs a root cause analysis and proposes potential improvements to the system and/or handling of the event.

Security Incident Management, E-Discovery & Cloud Forensics Incident Reporting

SEF-03.1 Does your security information and event management (SIEM) system merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting?

Logs are all merged in our security information and event management (SIEM) where we are able perform alerting and analysis.

SEF-03.2 Does your logging and monitoring framework allow isolation of an incident to specific tenants?

Yes, our security information and event management enable us to perform the analysis of an event specific to a customer.

Security Incident Management, E-Discovery & Cloud Forensics Incident Response Legal Preparation

SEF-04.1 Does your incident response plan comply with industry standards for legally admissible chain-of-custody management processes and controls?

In the event of a security incident, proper forensic procedures including chain of custody will be performed for collection, retention, and presentation of evidence in alignment to the ISO 27001 standard.

SEF-04.2 Does your incident response capability include the use of legally admissible forensic data collection and analysis techniques?

SEF-04.3 Are you capable of supporting litigation holds (freeze of data from a specific point in time) for a

Yes, Poka can provide data from a single customer from a single point in time, on request.



specific tenant without freezing other tenant data?

SEF-04.4 Do you enforce and attest to tenant data separation when producing data in response to legal subpoenas?

Poka can provide single customer data snapshot/backup to support any litigation or law enforcement requests.

Security Incident Management, E-Discovery & Cloud Forensics Incident Response Metrics

SEF-05.1 Do you monitor and quantify the types, volumes and impacts on all information security incidents?

The Poka follows an incident management process, which includes the process for monitoring reports and alerts and responding to security incidents. Incident analysis includes data for response process improvement on an ongoing basis.

SEF-05.2 Will you share statistical information for security incident data with your tenants upon request?

Poka does not currently share statistical information with our customers.



Supply Chain Management: Controls STA-01 through STA-09

Supply Chain Management, Transparency and Accountability Data Quality and Integrity

STA-01.1 Do you inspect and account for data quality errors and associated risks, and work with your cloud supply-chain partners to correct them?

Not applicable. Poka does not outsource development of Poka SaaS services to subcontractors.

STA-01.2 Do you design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privileged access for all personnel within your supply chain?

Supply Chain Management, Transparency and Accountability Incident Reporting

STA-02.1

Do you make security incident information available to all affected customers and providers periodically through electronic methods (e.g. portals)?

Poka will promptly notify the customer in the event of any security incident of the Service resulting in an actual or reasonably suspected unauthorized disclosure of Customer Data. The Information may be provided directly to the customer via channels such as email, phone, etc.

Supply Chain Management, Transparency and Accountability Network / Infrastructure Services

STA-03.1 Do you collect capacity and use data for all relevant components of your cloud service offering?

Capacity and use data for our Poka SaaS is collected and monitored for performance and capacity planning.

STA-03.2 Do you provide tenants with capacity planning and use reports?

We do not currently share capacity or user reports with customers.

Supply Chain Management, Transparency and Accountability Provider Internal Assessments

STA-04.1 Do you perform annual internal assessments of conformance and effectiveness of your policies, procedures, and supporting measures and metrics?

Poka's Internal Audit Program is currently under development and will include assessment of conformance to and effectiveness of policies, procedures, and supporting measures and metrics.

Supply Chain Management, Transparency

STA-05.1 Do you select and monitor outsourced providers in compliance with laws in the

Third party security and privacy requirements are established through vendor due-diligence



and Accountability Third Party Agreements

country where the data is processed, stored and transmitted?

reviews, conducted by Poka Security Team. The engaging team within Poka is responsible for managing their third party relationships, including contract management, monitoring of metrics such as service level agreements.

STA-05.2 Do you select and monitor outsourced providers in compliance with laws in the country where the data originates?

Poka SaaS can be used from a large number of countries. We select and monitor outsourced providers to ensure compliance with laws including data protection laws and contractual obligation with our customers. Customers retain the obligation of ensuring that their data is managed in compliance with relevant laws and regulations applicable to them.

STA-05.3 Does legal counsel review all third-party agreements?

Third-party agreements are reviewed by our external legal counsel (based on the on a risk analysis of the third party) as required but are always reviewed by Poka’s legal and security team.

STA-05.4 Do third-party agreements include provision for the security and protection of information and assets?

Yes, our Poka Third-Party Agreements include security and privacy provisions as applicable.

STA-05.5 Do you provide the client with a list and copies of all subprocessing agreements and keep this updated?

Poka will provide a list of subcontractors with access to customer data upon request. However, it does not provide copies of agreements to customers due to their confidentiality.

Supply Chain Management, Transparency and Accountability Supply Chain Governance Reviews

STA-06.1 Do you review the risk management and governanced processes of partners to account for risks inherited from other members of that partner's supply chain?

Poka has implemented a formal Vendor Management Program which includes the review of contracts, SLAs, and vendor internal policies to determine whether the vendor meets requirements for security, availability, and confidentiality



based on the type of service provided. Our critical third-party provider is Amazon AWS. Amazon AWS holds a SOC 2 certification which is validated by a third party. This assessment include consideration of supply chain management and governance for those organisations. AWS risk management and governance processes are detailed: http://aws.amazon.com/compliance

Supply Chain Management, Transparency and Accountability Supply Chain Metrics

STA-07.1 Are policies and procedures established, and supporting business processes and technical measures implemented, for maintaining complete, accurate and relevant agreements (e.g., SLAs) between providers and customers (tenants)?

All supplier SLAs are reviewed and considered in the context maintaining the quality, performance and availability of our Poka SaaS.

STA-07.2 Do you have the ability to measure and address non-conformance of provisions and/or terms across the entire supply chain (upstream/downstream)?

STA-07.3 Can you manage service-level conflicts or inconsistencies resulting from disparate supplier relationships?

Poka mitigates this risk by limiting our dependencies on critical providers and by using a variety of other controls. Amazon AWS is our most important supplier, it provides the necessary infrastructure (IaaS) to host our Poka SaaS. In order to mitigate the risks to our service level, we leverage Amazon AWS Availability Zones, Regions to implement a highly available architecture to support continued availability of Poka SaaS in accordance with Poka’s availability targets.



STA-07.4 Do you review all agreements, policies and processes at least annually?

The Poka review process requires that agreements, policies and processes be reviewed annually or when material change occurs.

Supply Chain Management, Transparency and Accountability Third Party Assessment

STA-08.1 Do you assure reasonable information security across your information supply chain by performing an annual review?

The Poka review process includes all partners and third party providers considered critical to the delivery of the Poka SaaS.

STA-08.2 Does your annual review include all partners/third-party providers upon which your information supply chain depends?

Supply Chain Management, Transparency and Accountability Third Party Audits

STA-09.1 Do you permit tenants to perform independent vulnerability assessments?

Poka contracts a specialized security firm to conduct vulnerability scans and penetration testing of Poka SaaS (applications and infrastructure) on at least an annual basis. We will provide to our customer upon request an attestation of the penetration test conducted by the third party security firm. Poka allows penetration testing initiated by the customer at customer’s expense. Customer testing may only be run against a test instance of the Poka SaaS that is a copy of production so that the test does not impact other customers. Poka must be provided advanced notice before such testing. Customers initiate this process by contacting Poka support.

STA-09.2 Do you have external third party services conduct vulnerability scans and periodic penetration tests on your applications and networks?

Threat and Vulnerability Management: Controls TVM-01 through TVM-03

Threat and Vulnerability Management Antivirus / Malicious Software

TVM-01.1 Do you have anti-malware programs that support or connect to your cloud service offerings installed on all of your systems?

At Poka, we have implemented industry leading antivirus and antimalware software on all Windows, OS X endpoints and Windows Servers. For the Poka SaaS infrastructure, we use an IDS to detect unauthorized changes to key files

TVM-01.2 Do you ensure that security threat detection systems using signatures, lists or



behavioral patterns are updated across all infrastructure components within industry accepted time frames?

and folders of servers and containers. We also forward all the logs to our security information and event management for analysis and monitoring. Our Security Team regularly monitors our infrastructure for indications of malware infection.

Threat and Vulnerability Management Vulnerability / Patch Management

TVM-02.1 Do you conduct network-layer vulnerability scans regularly as prescribed by industry best practices?

At Poka, we conduct automated vulnerability scans of the infrastructure, operating systems, application, application dependencies on an ongoing basis (weekly) and manual scans to validate vulnerabilities reported by the automated scans. We have a weekly process to review any reported vulnerabilities and take action against them. Third party penetration test are carried out annually.

TVM-02.2 Do you conduct application-layer vulnerability scans regularly as prescribed by industry best practices?

TVM-02.3 Do you conduct local operating system-layer vulnerability scans regularly as prescribed by industry best practices?

TVM-02.4 Will you make the results of vulnerability scans available to tenants at their request?

We will provide to our customer upon request an attestation of the penetration test conducted by a third party security firm.

TVM-02.5 Do you have a capability to rapidly patch vulnerabilities across all of your computing devices, applications and systems?

Poka has implemented a daily release process and patches high-risk or critical security patches within a timely manner. The patches or fixes are prioritised based on the risk associated to the respective vulnerabilities.We will provide a patching time frame to our customer as required.

TVM-02.6 Will you provide your risk-based systems patching time frames to your tenants upon request?

Threat and Vulnerability Management Mobile Code

TVM-03.1 Is mobile code authorized before its installation and use, and the code configuration checked, to ensure that the authorized mobile code operates according to a clearly defined security policy?

Mobile code is authorized before installation and configuration checked to ensure operates to defined security policies and permissions, unauthorized code is prevented from executing.



TVM-03.2 Is all unauthorized mobile code prevented from executing?


Documents

Pok a i n f osec tea m ca n b e r ea ch ed v i a e- ma i l ... · PDF filePoka Responses to Cloud Security Alliance Consensus Assessments Initiative Questionnaire 2 Introduction T