company_application_and_data_security

Differences

company_application_and_data_security [2019/11/24 17:31] – [Security Policies for LUCY staff] lucycompany_application_and_data_security [2019/11/24 18:02] – [Vulnerability management] lucy
Line 11: Line 11:
 | Is a risk management process implemented dealing with the periodical identification, valuation of risks and the implementation of mitigation controls? | yes | It's in Management Handbook Security Policy. Each employee is encouraged to report risks. This applies in particular to IT and Cyber risks. A risk catalog is kept. At least once a year a risk assessment is carried out. The obligation is with the DPO / Chief Security and Risk Officer. | | Is a risk management process implemented dealing with the periodical identification, valuation of risks and the implementation of mitigation controls? | yes | It's in Management Handbook Security Policy. Each employee is encouraged to report risks. This applies in particular to IT and Cyber risks. A risk catalog is kept. At least once a year a risk assessment is carried out. The obligation is with the DPO / Chief Security and Risk Officer. |
 | Is a periodic assessment conducted of how well the security policies and procedures are respected within the company? | partially | We have two roles DPO & CSRO (chief sec and risk officer). There's a regularity done by the CSRO himself. . | | Is a periodic assessment conducted of how well the security policies and procedures are respected within the company? | partially | We have two roles DPO & CSRO (chief sec and risk officer). There's a regularity done by the CSRO himself. . |
 +| On what standards does LUCY perform Penetration tests? | Yes| OSSTMM https://www.isecom.org/OSSTMM.3.pdf |
 +
 +
 +
  
 ==== Allocation of information security responsibilities ==== ==== Allocation of information security responsibilities ====
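Review bot: the Response cell of the added row reads "Yes" although "On what standards does LUCY perform Penetration tests?" is not a yes/no question; the real answer sits in the Comments cell. Either reword the question to "Does LUCY perform penetration tests against a recognised standard?" and keep "yes", or move "OSSTMM" into the Response cell. The reference should also state the version (the linked file is OSSTMM.3.pdf, so "OSSTMM 3") so the claim can be verified, and the three empty added lines after the row are stray whitespace that should be dropped.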
Line 133: Line 137:
 ^ Questions ^ Response ^ Comments ^ ^ Questions ^ Response ^ Comments ^
 | Do you inform your customers about vulnerabilities in your products once you had a chance to address them, regardless of whether they were discovered internally, or reported to you? | yes | with a dedicated form and a direct mailing put in place already | | Do you inform your customers about vulnerabilities in your products once you had a chance to address them, regardless of whether they were discovered internally, or reported to you? | yes | with a dedicated form and a direct mailing put in place already |
 +
 +==== Vulnerability Rating====
 +Our vulnerabilities are rated based on CVSS standard (https://www.first.org/cvss/v3-1/cvss-v31-user-guide_r1.pdf)
  
 ===== Operations Management and Security Controls ===== ===== Operations Management and Security Controls =====
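Review bot: the added heading "==== Vulnerability Rating====" lacks the space before the closing delimiter that the page's other headings use ("==== Allocation of information security responsibilities ===="); keep the delimiters symmetric so the heading renders consistently. The sentence should name the version explicitly ("rated according to the CVSS v3.1 standard", which is what the linked user guide covers) rather than "based on CVSS standard", and a blank line after it would keep the new section separated from the following "Operations Management and Security Controls" heading.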
company_application_and_data_security.txt · Last modified: 2021/09/01 15:11 by lucy