General Security

| ID | Question | Answer |
|---|---|---|
| GS1 | Describe your security incident response process (data breach, malware/viruses, unauthorized access, etc.) | Instant backup of: database, logs; change of passwords. |
| GS2 | Does your security incident response process include appropriate notifications to affected clients/users? | Yes |
| GS3 | Describe your employee security awareness, training and certification process. | For security reasons we do not share such information outside the company. |
| GS4 | Are documented security policies issued, updated and acknowledged by all employees? | No |
| GS5 | Do you have documented vulnerability management processes and procedures? | No on the application level. On the OS level our infrastructure provider, Amazon EC2, has a defined vulnerability process; please read: https://aws.amazon.com/security/ |
| GS6 | Do you have a documented Privacy Policy? Is there internal monitoring for compliance with Privacy Policies and procedures? | Yes, the privacy policy is documented. Privacy policy on the OS level: https://www.redhat.com/en/about/privacy-policy ; privacy policy on the application level: https://www.atlassian.com/legal/privacy-policy . No, currently there is no need to monitor compliance with the security policy on the application level. On the OS level our server provider OpenShift does monitoring; please read more about that: https://www.openshift.com/policy/security.html |
| GS7 | If you are based in the U.S. and collect, use or retain personal data from European Union member countries or Switzerland, do you comply with the U.S. - E.U. Safe Harbor Framework and the U.S. - Swiss Safe Harbor Framework? Have you certified that you adhere to the Safe Harbor Privacy Principles of notice, | We do not collect any personal data or information. |
| GS8 | Does your infrastructure or your data centers have current security controls certifications, such as SSAE16/SOC1, SOC2, ISO 27001? Upon request can you provide a recent audit report? | We use Amazon's EC2 as infrastructure provider through RedHat OpenShift. Please read about Amazon EC2 security. |
Corporate Security

| ID | Question | Answer |
|---|---|---|
| CS1 | What physical security controls are implemented to protect against unauthorized access to systems and data? | We use the external infrastructure provider Amazon EC2 (via RedHat OpenShift); please read more about security on the Amazon Security Page. |
| CS2 | What network security controls are implemented to protect against unauthorized access to systems and data? | Amazon EC2 security. |
| CS3 | Do you have a process for periodic scanning, identifying and remediating security vulnerabilities on servers, workstations, network equipment and applications? | Amazon EC2 security. |
| CS4 | Do you conduct regular network and application penetration testing? Upon request can you provide penetration test results or other independent security review results? | Amazon EC2 security. |
| CS5 | Does your infrastructure or your data centers have current security controls certifications, such as SSAE16/SOC1, SOC2, ISO 27001? Upon request can you provide a recent audit report? | Amazon EC2 security. |
| CS6 | Describe your password policy, including complexity, expiration, reuse and lockout. | Our password policy conforms to high security standards; we do not share such information. |
| CS7 | Describe the standard employee-issued device security configuration/features (login password, anti-virus, full/whole disk encryption, administrative privileges, firewall, etc.). | We do not share security information outside the company. |
| CS8 | Do you have a policy that requires implementing reasonable access security to lock devices (desktop, laptop, mobile)? (i.e. device inactivity auto-lock, failed login attempt lockout, screensaver lock, etc.) | Yes |
| CS9 | Do you expire user sessions after a period of inactivity? | Yes |
| CS10 | What is your mobile device security policy? How is it enforced? | We do not allow mobile devices to be used to access the infrastructure. |
| CS11 | What is your personal device security policy? How is it enforced? | |
| CS12 | What is your external storage media security policy? How is it enforced? | We use mLab as external data storage. Please read more about the mLab Privacy Policy. |
| CS13 | Is there a formal process to add, delete or modify user accounts, access and access levels? | Yes |
| CS14 | Does employee termination result in access termination within 24 hours? | Yes |
| CS15 | Do you implement network security solutions for network monitoring, internet filtering and intrusion detection? Please describe. | ? |
| CS16 | Do employees have the ability to remotely connect to your protected network (i.e. VPN)? | We do not allow remote connections to our intranet. |
| CS17 | Do you use multiple factors for employee user authentication to access your network (local or remote)? | ? |
Production Infrastructure

| ID | Question | Answer |
|---|---|---|
| PS1 | What physical security controls are implemented to protect against unauthorized access to systems and data? | Amazon EC2 security. |
| PS2 | What network security controls are implemented to protect against unauthorized access to systems and data? | Amazon EC2 security. |
| PS3 | Do you have a process for periodic scanning, identifying and remediating security vulnerabilities on servers, workstations, network equipment and applications? | Amazon EC2 security. |
| PS4 | Do you implement network security solutions for network monitoring, internet filtering and intrusion detection? Please describe. | Amazon EC2 security. |
| PS5 | Do you conduct regular network and application penetration testing? Upon request can you provide penetration test results or other independent security review results? | Amazon EC2 security. |
| PS6 | Describe your encryption policy (at rest and in transport). | |
| PS7 | Describe your encryption key handling policy. | |
| PS8 | Who has access to the production encryption keys? | |
| PS9 | How is access granted to production encryption keys? | |
| PS10 | Are systems with access to NerdWallet data segregated from other network zones logically and physically? | We do not have access to NerdWallet data. |
| PS11 | Do you implement network security solutions for network monitoring, internet filtering and intrusion detection? Please describe. | Amazon EC2 security. |
| PS12 | Are audit trails and logs kept for systems and applications with access to NerdWallet data? | No. We do not have access to NerdWallet data. |
| PS13 | Do you use multiple factors for employee user authentication to access your network (local or remote)? | ? |
| PS14 | Describe your password policy, including complexity, expiration, reuse and lockout. | We do not share such information for security reasons. We can only state that our password policy complies with industry standards. |
| PS15 | Are systems with access to NerdWallet data segregated from other network zones logically and physically? | No |