Security & Compliance Report | May 14, 2024
Drata tests Keep Financial's security and IT infrastructure daily to ensure the company maintains a strong security posture, as defined by industry-standard security standards.
In this report, Keep Financial:
This document is updated continuously. As Keep Financial improves its security posture, those efforts will be instantly visible.
Intended Use:
This Keep Financial Report can be used by:
Drata's Approach to Continuous Monitoring:
Drata continuously monitors the company's policies, procedures, and IT infrastructure to ensure the company adheres to industry standards.
To do this, Drata connects directly to the company's infrastructure accounts, version control and developer tools, task trackers, endpoints, hosts, HR tools, and internal policies. Drata then continuously monitors these resources to determine if the company meets defined framework standards.
Keep Financial Management has approved all policies that detail how customer data may be made accessible and should be handled. These policies are accessible to all employees and contractors.
Continuously Monitored via 2 Drata Tests:
Keep Financial authorizes access to information resources, including data and the systems that store or process sensitive data, based on the principle of least privilege.
Continuously Monitored via 1 Drata Test:
Require Encryption of Web-Based Admin Access
Keep Financial uses encryption to protect User authentication and admin sessions of the internal admin tool transmitted over the Internet.
Continuously Monitored via 1 Drata Test:
Keep Financial authorizes designated member(s) with the autonomy to validate, change, and release critical security patches and bug fixes outside of the standard change management process when absolutely necessary to ensure the security standards and availability of the systems.
Keep Financial uses a version control system to manage source code, documentation, release labeling, and other change management tasks. Access to the system must be approved by a system admin.
Continuously Monitored via 3 Drata Tests:
When Keep Financial's application code changes, code reviews and tests are performed by someone other than the person who made the code change.
Continuously Monitored via 3 Drata Tests:
Only authorized Keep Financial personnel can push or make changes to production code.
Continuously Monitored via 1 Drata Test:
Separate environments are used for testing and production for Keep Financial's application.
Keep Financial provides a process to employees for reporting security, confidentiality, integrity, and availability failures, incidents, concerns, and other complaints to company management.
Continuously Monitored via 1 Drata Test:
Keep Financial provides a process to external users for reporting security, confidentiality, integrity, and availability failures, incidents, concerns, and other complaints.
Continuously Monitored via 1 Drata Test:
Keep Financial has a defined System Access Control Policy that requires annual access control reviews to be conducted and access request forms be filled out for new hires and employee transfers.
Continuously Monitored via 1 Drata Test:
Keep Financial performs annual access control reviews.
Hardening standards are in place to ensure that newly deployed server instances are appropriately secured.
Keep Financial maintains an accurate network diagram that is accessible to the engineering team and is reviewed by management on an annual basis.
Keep Financial conducts a Risk Assessment at least annually.
Keep Financial engages a third party to conduct vulnerability scans of the production environment at least quarterly. Results are reviewed by management and high-priority findings are tracked to resolution.
Annual Penetration Tests
Keep Financial engages a third party to conduct penetration tests of the production environment at least annually. Results are reviewed by management and high-priority findings are tracked to resolution.
Organizational Chart Maintained
Keep Financial reviews its organizational structure, reporting lines, authorities, and responsibilities in terms of information security on an annual basis.
Continuously Monitored via 1 Drata Test:
Keep Financial has a defined Information Security Policy that covers policies and procedures to support the functioning of internal control.
Continuously Monitored via 1 Drata Test:
Keep Financial identifies, inventories, classifies, and assigns owners to IT assets.
Keep Financial maintains an accurate architectural diagram to document system boundaries to support the functioning of internal control.
Keep Financial has a defined policy that establishes requirements for the proper management and tracking of organizational assets.
Keep Financial has defined a formal risk management process that specifies risk tolerances and the process for evaluating risks based on identified threats and the specified tolerances.
Continuously Monitored via 1 Drata Test:
Keep Financial's Management prepares a remediation plan to formally manage the resolution of findings identified in risk assessment activities.
Keep Financial has a defined policy that establishes requirements for vulnerability assessments and reporting.
Keep Financial has a defined process to ensure the secure transfer of information internally and externally.
Keep Financial conducts continuous monitoring of security controls using Drata, and addresses issues in a timely manner.
Keep Financial tracks security deficiencies through internal tools and closes them within an SLA that management has pre-specified.
Continuously Monitored via 1 Drata Test:
Keep Financial tracks and prioritizes security deficiencies through internal tools according to their severity by an independent technical resource.
Continuously Monitored via 1 Drata Test:
Keep Financial has an established Disaster Recovery Plan that outlines roles and responsibilities and detailed procedures for recovery of systems.
Continuously Monitored via 1 Drata Test:
Keep Financial conducts annual BCP/DR tests and documents according to the BCDR Plan.
Keep Financial utilizes multiple availability zones to replicate production data across different zones.
Continuously Monitored via 1 Drata Test:
Keep Financial has a defined Business Continuity Plan that outlines the proper procedures to respond, recover, resume, and restore operations following a disruption or significant change.
Keep Financial has a Business Impact Analysis process to determine resources and time required to ensure business continuity after a disruptive incident.
Keep Financial has implemented an Incident Response Plan that includes creating, prioritizing, assigning, and tracking follow-ups to completion and lends support to Business Continuity/Disaster Recovery.
Continuously Monitored via 1 Drata Test:
Keep Financial has identified an incident response team that quantifies and monitors incidents involving security, availability, processing integrity, and confidentiality at the company.
Continuously Monitored via 1 Drata Test:
Keep Financial has implemented an Incident Response Plan that includes documenting "Lessons Learned" and "Root Cause Analysis" after incidents and sharing them with the broader engineering team to support Business Continuity/ Disaster Recovery.
Continuously Monitored via 1 Drata Test:
Keep Financial has an established Incident Response Plan that outlines management responsibilities and procedures to ensure a quick, effective, and orderly response to information security incidents and annual testing.
Continuously Monitored via 1 Drata Test:
Keep Financial Management has approved security policies, and all employees accept these procedures when hired. Management also ensures that security policies are accessible to all employees and contractors.
Continuously Monitored via 3 Drata Tests:
Management reviews security policies on an annual basis.
Continuously Monitored via 1 Drata Test:
Keep Financial has developed policies and procedures governing the system development life cycle, including documented policies for tracking, testing, approving, and validating changes.
Continuously Monitored via 1 Drata Test:
Keep Financial has documented security objectives and procedures to achieve those objectives.
Keep Financial has an assigned security team that is responsible for the design, implementation, management, and review of the organization's security policies, standards, baselines, procedures, and guidelines.
Continuously Monitored via 1 Drata Test:
Keep Financial has established training programs for privacy and information security to help employees understand their obligations and responsibilities to comply with Keep Financial's security policies and procedures, including the identification and reporting of incidents. All full-time employees are required to complete the training upon hire and annually thereafter.
Continuously Monitored via 2 Drata Tests:
The security team communicates important information security events to company management in a timely manner.
Keep Financial maintains documented procedures that describe how to perform activities, including the controls, methods, and processes to be followed to achieve the company's policy objectives and compliance activities. The procedures are reviewed and updated as needed to address changes in processes, technologies, and business objectives, or at least annually, and are available to all relevant parties.
Keep Financial uses a termination checklist to ensure that an employee's system access, including physical access, is removed within a specified timeframe and all organization assets (physical or electronic) are properly returned.
Continuously Monitored via 1 Drata Test:
Keep Financial has policies and procedures in place to establish acceptable use of information assets approved by management, posted on the company Wiki, and accessible to all employees. All employees must accept the Acceptable Use Policy upon hire.
Continuously Monitored via 2 Drata Tests:
Keep Financial's new hires are required to pass a background check as a condition of their employment.
Continuously Monitored via 1 Drata Test:
Keep Financial requires its contractors to read and accept the Code of Conduct, read and accept the Acceptable Use Policy, and pass a background check.
Continuously Monitored via 3 Drata Tests:
Keep Financial has a formal Code of Conduct approved by management and accessible to all employees. All employees must acknowledge the Code of Conduct upon hire.
Continuously Monitored via 2 Drata Tests:
Keep Financial has established a Data Protection Policy and requires all employees to accept it upon hire. Management monitors employees' acceptance of the policy.
Continuously Monitored via 3 Drata Tests:
Members of the Board of Directors are independent of management.
Continuously Monitored via 1 Drata Test:
Management has established defined roles and responsibilities to oversee implementation of the information security policy across the organization.
Keep Financial evaluates the performance of all employees through a formal, annual performance evaluation.
Keep Financial's new hires and/or internal transfers are required to go through an official recruiting process during which their qualifications and experience are screened to ensure that they are competent and capable of fulfilling their responsibilities.
Continuously Monitored via 1 Drata Test:
All Keep Financial positions have a detailed job description that lists qualifications, such as requisite skills and experience, which candidates must meet in order to be hired by Keep Financial.
Continuously Monitored via 2 Drata Tests:
Keep Financial ensures that a password manager is installed on all company-issued laptops.
Continuously Monitored via 2 Drata Tests:
Keep Financial ensures that company-issued laptops have encrypted hard-disks.
Continuously Monitored via 1 Drata Test:
Keep Financial ensures that all company-issued computers use a screensaver lock with a timeout of no more than 15 minutes.
Continuously Monitored via 1 Drata Test:
Keep Financial requires antivirus software to be installed on workstations to protect the network against malware.
Continuously Monitored via 1 Drata Test:
Keep Financial's workstation operating system (OS) security patches are applied automatically.
Continuously Monitored via 1 Drata Test:
Keep Financial ensures that all connections to its web application from its users are encrypted.
Continuously Monitored via 3 Drata Tests:
Keep Financial has an established policy and procedures that governs the use of cryptographic controls.
Continuously Monitored via 1 Drata Test:
Keep Financial stores data in databases that are encrypted at rest.
Continuously Monitored via 2 Drata Tests:
Keep Financial has a defined vendor management policy that establishes requirements of ensuring third-party entities meet the organization's data preservation and protection requirements.
Keep Financial maintains a directory of its key vendors, including its agreements that specify terms, conditions and responsibilities.
Keep Financial maintains a directory of its key vendors, including their compliance reports. Critical vendor compliance reports are reviewed annually.
A username and password (with the password standard implemented) or SSO is required to authenticate into the application. MFA is optional for external users and required for employee users.
Role-based security is in place for internal and external users, including super admin users.
Keep Financial's customer data is segregated from the data of other customers.
Keep Financial's application user passwords are stored using a salted password hash.
External users must accept the Terms of Service prior to their account being created.
Keep Financial automatically logs users out after a predefined inactivity interval and/or closure of the internet browser, and requires users to reauthenticate.
Keep Financial's security commitments are communicated to external users, as appropriate.
Continuously Monitored via 1 Drata Test:
Keep Financial maintains a Privacy Policy that is available to all external users and internal employees, and it details the company's confidentiality and privacy commitments.
Continuously Monitored via 1 Drata Test:
Keep Financial maintains a Terms of Service that is available to all external users and internal employees, and the terms detail the company's security and availability commitments regarding the systems. Client Agreements or Master Service Agreements are in place for when the Terms of Service may not apply.
Continuously Monitored via 1 Drata Test:
Keep Financial requires two factor authentication to access sensitive systems and applications in the form of user ID, password, OTP and/or certificate.
Continuously Monitored via 3 Drata Tests:
Keep Financial has established formal guidelines for passwords to govern the management and use of authentication mechanisms.
Continuously Monitored via 1 Drata Test:
Appropriate levels of access to infrastructure and code review tools are granted to new employees within one week of their start date.
Access to corporate network, production machines, network devices, and support tools requires a unique ID.
Continuously Monitored via 3 Drata Tests:
Access to infrastructure and code review tools is removed from terminated employees within one business day.
Continuously Monitored via 2 Drata Tests:
SSH users use unique accounts to access production machines. Additionally, the use of the "Root" account is not allowed.
No public SSH is allowed.
Continuously Monitored via 1 Drata Test:
Keep Financial communicates system changes to customers that may affect security, availability, processing integrity, or confidentiality.
Read/write access to cloud data storage is configured to restrict public access.
Continuously Monitored via 1 Drata Test:
Keep Financial performs backups daily and retains them in accordance with a predefined schedule in the Backup Policy.
Continuously Monitored via 1 Drata Test:
Keep Financial has a defined backup policy that establishes the requirements for backup information, software and systems.
Continuously Monitored via 1 Drata Test:
Storage buckets that contain customer data are versioned.
Continuously Monitored via 1 Drata Test:
Keep Financial uses a system that collects and stores server logs in a central location. The system can be queried in an ad hoc fashion by authorized users.
Keep Financial uses logging software that sends alerts to appropriate personnel. Corrective actions are performed, as necessary, in a timely manner.
Keep Financial has implemented tools to monitor Keep Financial's databases and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.
Continuously Monitored via 3 Drata Tests:
Keep Financial has implemented tools to monitor Keep Financial's messaging queues and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.
Continuously Monitored via 1 Drata Test:
Keep Financial has implemented tools to monitor Keep Financial's NoSQL databases and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.
Continuously Monitored via 1 Drata Test:
Keep Financial has implemented tools to monitor Keep Financial's servers and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.
Continuously Monitored via 1 Drata Test:
Keep Financial's cloud infrastructure is monitored through an operational audit system that sends alerts to appropriate personnel.
Users can only access the production system remotely through the use of encrypted communication systems.
Keep Financial uses configurations that ensure only approved networking ports and protocols are implemented, including firewalls.
Continuously Monitored via 1 Drata Test:
A WAF is in place to protect Keep Financial's application from outside threats.
Continuously Monitored via 1 Drata Test:
An intrusion detection system (IDS) is in place to detect potential intrusions and alert personnel when a potential intrusion is detected.
Keep Financial has infrastructure logging configured to monitor web traffic and suspicious activity. When anomalous traffic activity is identified, alerts are automatically created, sent to appropriate personnel and resolved, as necessary.
Continuously Monitored via 1 Drata Test:
Keep Financial is using Drata to monitor the security and compliance of its cloud infrastructure configuration.
Continuously Monitored via 1 Drata Test:
Keep Financial does not use the root account of its infrastructure provider.
Continuously Monitored via 1 Drata Test:
Keep Financial has an established key management process in place to support the organization's use of cryptographic techniques.
Continuously Monitored via 1 Drata Test:
Keep Financial has a defined policy that establishes requirements for the use of cryptographic controls.
Continuously Monitored via 1 Drata Test:
Keep Financial has security policies that have been approved by management and detail how physical security for the company's headquarters is maintained. These policies are accessible to all employees and contractors.
Continuously Monitored via 1 Drata Test:
Keep Financial monitors its processing capacity and usage on a quarterly basis in order to appropriately manage capacity demand and to enable the implementation of additional capacity to meet availability commitments.
Keep Financial uses a load balancer to automatically distribute incoming application traffic across multiple instances and availability zones.
Continuously Monitored via 1 Drata Test:
Keep Financial automatically provisions new server instances when predefined capacity thresholds are met.
Keep Financial monitors the status of backups on a daily basis and action is taken when the backup process fails.
Keep Financial has an automated email sent to appropriate personnel when the backup process fails. Failed backups are resolved in a timely manner.
Keep Financial tests the integrity and completeness of back-up information on an annual basis.
Keep Financial has established a data classification policy in order to identify the types of confidential information possessed by the entity and types of protection that are required.
Continuously Monitored via 1 Drata Test:
Keep Financial deletes customer data within 30 days of the customer terminating its contract.
Continuously Monitored via 1 Drata Test:
Keep Financial's application edit checks limit input to acceptable value ranges.
Keep Financial maintains policies and procedures that define allowable use and disclosure scenarios.
Keep Financial's management reviews privacy policies and procedures annually to ensure that personal information is used in conformity with the purposes identified in the privacy notice.
Keep Financial implements policies and procedures to erase or otherwise destroy personal information that has been identified for destruction.
Keep Financial's privacy policies or other specific instructions or requirements for handling personal information are communicated to third parties to whom personal information is disclosed.
As personal information is collected, automated edit checks are in place to ensure that data entry fields are completed properly.
As personal information is collected, users are asked to confirm that their information is correct prior to submitting the information to Keep Financial.
Keep Financial informs users about how to contact Keep Financial with inquiries, complaints, and disputes via the privacy practices that are posted on Keep Financial's public-facing website.
Data subjects can submit inquiries, complaints, and disputes via the customer portal.
Keep Financial has a process for tracking users' inquiries, complaints, and disputes within the incident tracking system.
Invalid authentication attempts are limited by locking out the user ID after not more than 10 failed attempts.
Keep Financial ensures that incident response plan testing is performed on an annual basis.
The deployed anti-malware solution is configured to detect all known types of malware and to remove, block, or contain all known types of malware, and is kept current via automatic updates.
The implemented anti-malware solutions are configured to perform automatic scans or continuous behavioral analysis of systems or processes when removable electronic media is inserted, connected, or logically mounted within the environment.
The implemented anti-malware solutions are configured to perform periodic scans and active or real-time scans, or perform continuous behavioral analysis of systems or processes.
Keep Financial retains audit log history and historical records of activity for at least 12 months, with at least the most recent three months immediately available for analysis.
Keep Financial has configured audit logs to trace each action to an individual user. Audit logs contain user identification, type of event, date and time, success and failure indication, origination of event, identity or name of affected data, and system component, resource, or service.
Audit log files are protected to prevent modifications by individuals (e.g., via access control mechanisms, physical segregation, network segregation, etc.).
Automated audit trails or logs are implemented for all system components to capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.
Audit Trail for Identification and Authentication Mechanism Changes
Automated audit trails or logs are implemented to capture all changes to identification and authentication credentials (e.g., creation of new accounts, elevation of privileges, changes, additions, or deletions to accounts with administrative access, etc.).
Automated audit trails or logs are implemented for all system components to capture all invalid access attempts.
Automated audit trails or logs are implemented for all system components to capture all creation and deletion of system-level objects.
Audit logs are enabled and active for all system components and sensitive data in accordance with company policies.
Keep Financial has documented policies and procedures for authentication that are communicated to all personnel. These documents include guidance on selecting strong authentication factors, guidance on protecting authentication credentials, instructions not to reuse previously used credentials, instructions to change authentication credentials in the event of known or suspected compromise along with guidance on how to report the incident, etc.
The company's board of directors has a documented charter that outlines its oversight responsibilities for internal control.
The company's board members have sufficient expertise to oversee management's ability to design, implement and operate information security controls. The board engages third-party information security experts and consultants as needed.
The company's board of directors meets at least annually and maintains formal meeting minutes. The board includes directors that are independent of the company.
The company's board of directors or a relevant subcommittee is briefed by senior management at least annually on the state of the company's cybersecurity and privacy risk. The board provides feedback and direction to management as needed.
Keep Financial has deployed a file integrity monitoring or change-detection mechanism to detect unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, audit files, or content files to ensure critical data cannot be changed without generating alerts.
Keep Financial has documented a policy that describes the requirements for managing changes across the organization, including changes to infrastructure, systems, and applications.
Keep Financial synchronizes all critical system clocks and times using time-synchronization technology such as Network Time Protocol (NTP).
Keep Financial has enabled deletion protection for cloud resources to prevent irreversible data loss or downtime resulting from accidental or malicious actions.
Keep Financial uses tags to assign metadata to cloud resources to facilitate identification, inventory, and classification of virtual assets.
Keep Financial has configured lifecycle rules for cloud storage buckets to delete objects automatically after expiration of their retention periods.
Keep Financial ensures that code changes are tested prior to deployment to ensure quality and security.
Keep Financial notifies customers of any intended changes (including additions and replacements) in subprocessors that process PII so that customers have an opportunity to object to such changes.
Keep Financial exchanges information with relevant security and privacy organizations, including information on newly identified threats and vulnerabilities, through bulletin subscriptions, email alerts from security advisories, participation in conferences, etc.
Keep Financial has defined and documented policies and procedures for the secure transfer of information within the organization and with any external parties.
Keep Financial has identified and documented skill and competence requirements for personnel that contribute to the development, implementation and oversight of its management system(s) and retains documented evidence of competence.
Keep Financial performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings.
When a data subject uses an authorized agent to submit a privacy right request, Keep Financial confirms directly with the data subject that they gave the authorized agent permission to submit the request prior to fulfilling the request, and retains supporting documentation.
Keep Financial has implemented processes to change credentials (secrets, access keys, etc.) periodically based on a defined schedule.
Keep Financial has implemented processes to change cryptographic keys periodically based on a defined schedule.
Keep Financial maintains cybersecurity insurance to mitigate the financial impact of business disruptions.
Keep Financial has a defined process for the de-identification of data that has been classified as sensitive.
Keep Financial has data processing agreements in place with data processing ecosystem parties which include minimum technical and organizational measures designed to meet the objectives of Keep Financial's privacy program.
Application/data processing for Keep Financial's system is logged and monitored to ensure processing is done completely and accurately. Errors in application/data processing are documented, investigated, escalated and corrected in accordance with policies and procedures.
Keep Financial disposes of data securely upon expiration of the established retention periods or when no longer needed for legal, regulatory, and/or business reasons.
Keep Financial has documented and implemented a process to obtain consent from data subjects prior to collecting PII. The organization obtains and records consent from data subjects according to the documented process.
A data-flow diagram is maintained to show all account data flows across systems and networks. The diagram is reviewed and updated annually or as needed upon changes to the environment.
Management has defined company objectives, including operational objectives at the entity and functional levels, financial performance goals, and other objectives as appropriate to serve as the basis for risk assessment activities (e.g., objectives related to security, compliance, risk mitigation, etc.). Management communicates its objectives and any changes to those objectives to personnel.
Keep Financial has appointed and documented responsibilities of an individual (e.g., data protection officer) responsible for developing, implementing, maintaining and monitoring an organization-wide governance and privacy program and acting as a point of contact to authorities and data subjects to ensure compliance with all applicable laws and regulations regarding the processing of PII.
Keep Financial has a defined disciplinary sanctions process to be enacted when a member of the workforce violates the company's policies or causes a security or privacy incident. Management retains documentation of instances when the disciplinary process was enacted.
Keep Financial uses DLP (Data Loss Prevention) software to prevent unencrypted sensitive information from being transmitted over email.
Keep Financial provides a dual opt-in mechanism for consent to sell or share personal information whereby the data subject first requests to opt-in and then, separately confirms their choice to opt-in.
Entry controls (e.g., badge access systems, etc.) are in place at Keep Financial's locations to restrict physical access to corporate facilities, including systems or areas that may process or store sensitive data, to authorized personnel, and to monitor such access.
Keep Financial ensures that file integrity monitoring (FIM) software is in place to detect whether operating system and application software files have been tampered with.
Fire detection and suppression systems are installed in critical locations to protect people and assets in the event of a disaster. Maintenance is conducted periodically in accordance with manufacturer guidance.
Keep Financial performs an evaluation of fraud risks at least annually, either as a separate evaluation or as part of the overall enterprise risk assessment. The evaluation of fraud risk is performed in accordance with the company's risk assessment methodology.
Keep Financial has established, documented, and implemented a method for verifying that the person making a privacy right request is the data subject or an authorized agent. If Keep Financial cannot confirm the identity or authorization of the requestor, Keep Financial notifies the requestor, denies the request, and retains supporting documentation.
Keep Financial has a defined and documented Information Security Management System (ISMS) Plan, for the establishment, implementation, maintenance, and continuous improvement of its information security and risk management program.
Keep Financial has identified and documented the legal, statutory, regulatory and contractual requirements relevant to the organization as well as the specific processes to manage and satisfy these requirements.
Key Retirement Policies and Procedures
Keep Financial retires, replaces or destroys cryptographic keys that are no longer used or needed, or when the key expires, the integrity of the key has been weakened, or the key is known or suspected to be compromised, in accordance with documented company policies and procedures. Retired or replaced keys are not used for encryption operations.
Keep Financial stores cryptographic keys in the fewest possible locations to minimize the potential for keys to be exposed to unauthorized parties.
Critical facilities are equipped with a leak detection system to detect water in the event of a flood or leakage.
Where any optionality in the collection and processing of PII exists, Keep Financial disables that option by default and enables it only by explicit choice of the data subject.
Access to audit log files and associated configurations is limited to those with a job-related need as authorized by management.
Keep Financial has configured account lockout duration following a set number of invalid authentication attempts to a minimum of 30 minutes or until the identity of the user is confirmed (for example, by a system administrator).
Keep Financial has a documented policy that outlines requirements for audit logging and monitoring of system activity at the company.
Management approves all media with sensitive data that is moved outside the facility, including when media is distributed to individuals. Documentation of management's approval for the movement of media is retained.
When a nonconformity is identified, Keep Financial performs a root-cause analysis and implements corrective actions to address the nonconformity. Keep Financial retains documentation of the analysis, the subsequent actions taken, and the results of any corrective action.
Management System Management Review
Keep Financial's top management conducts reviews of its management system(s) at planned intervals to evaluate suitability, adequacy and effectiveness. Keep Financial retains documentation of the results of management reviews.
Keep Financial has documented the scope of its management system(s) that outlines the boundaries and applicability of the system(s) and considers internal and external issues, requirements of interested parties, and interfaces and dependencies with other organizations.
Keep Financial obtains express consent from data subjects prior to using any PII processed under a contract for marketing and advertising which is not a condition for using the service.
Keep Financial has defined performance and/or effectiveness measurements for its management system(s) and implemented procedures to monitor these measurements periodically as determined by the organization.
Keep Financial provides customers with a mechanism for data subjects to object to the processing of their PII (e.g. objections relating to the processing of PII for direct marketing purposes, etc.).
All media with sensitive data is classified in accordance with the nature of the data and the company's data classification policy.
Electronic media is destroyed or sensitive data is rendered unrecoverable so that it cannot be reconstructed when no longer needed for business or legal reasons.
Keep Financial maintains a documented inventory of all electronic media with sensitive data. A verification of the inventory is conducted at least once every 12 months in accordance with company procedures.
All media with sensitive data is encrypted and/or physically secured to prevent unauthorized persons from gaining access to the data.
Keep Financial reviews, approves, tracks, documents, and verifies media sanitization and disposal actions (for example, when media is taken offsite for maintenance) in accordance with company policies and procedures.
Media with sensitive data sent outside the company's facilities is logged, securely transmitted (e.g., via secure courier or other trackable method), and captured within offsite tracking logs to include details about media location.
All remote access to the entity's network (including that of users, administrators, and third parties or vendors) requires multi-factor authentication.
A mobile device management (MDM) solution is installed on company-issued devices and bring-your-own devices used for company purposes to enforce security for assets off-premise (e.g., location tracking, remote locking and wiping, threat detection, restrictions on software installation, etc.).
Keep Financial's security awareness program includes multiple methods of communicating awareness and educating personnel, such as newsletters, web-based training, in-person training, team meetings, phishing simulations, etc. Periodic security updates are provided to personnel through these multiple methods of communication.
Keep Financial limits access to system components and sensitive data to only those individuals whose job requires such access.
Keep Financial has defined and documented a policy that outlines requirements for the deployment, management and operation of network security controls at the company.
Keep Financial documents and maintains a record of authorized disclosures of PII to third parties (including what PII has been disclosed, to whom and when). Keep Financial also notifies customers of any legally binding requests for disclosure of PII, unless prohibited by law.
Keep Financial has implemented mechanisms to obscure the feedback of authentication information, such as usernames/passwords, during the authentication process where technically feasible (e.g., in company-developed systems or applications, configurable third-party systems, etc.).
Specific personnel are designated to be available on a 24/7 basis to respond to suspected or confirmed security incidents and operational issues through an on-call rotation schedule.
Keep Financial has implemented security protocols so that only trusted keys and/or certificates, confirmed to be valid and neither expired nor revoked, are accepted when sensitive data is transmitted.
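The control above is the one most often undone by a developer who disables verification to silence a handshake error. As an added illustration, not code from the report or from Keep Financial, the following shows the weak client configuration beside a hardened one built with Python's standard `ssl` module, plus a small audit function that flags the weak settings. Note the caveat a practitioner needs: the `ssl` module does not perform revocation checking on its own. Setting `VERIFY_CRL_CHECK_LEAF` without loading a CRL makes every handshake fail, so the CRL path (a hypothetical parameter here) and the flag are handled together, and the audit reports the missing revocation check when no CRL is supplied.

```python
import ssl
from typing import List, Optional


def insecure_client_context() -> ssl.SSLContext:
    """The weak pattern: the peer's certificate is never checked, so any key or
    certificate, including an expired, revoked or self-signed one, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode may become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile: Optional[str] = None,
                            crl_path: Optional[str] = None) -> ssl.SSLContext:
    """Accept only certificates that chain to a trusted CA, match the hostname,
    are within their validity period and, when a CRL is loaded, are not revoked."""
    # create_default_context: CERT_REQUIRED, hostname checking, system (or given) trust store.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_flags |= ssl.VERIFY_X509_STRICT
    if crl_path is not None:
        # Revocation is not checked by default. OpenSSL rejects every handshake if the
        # flag is set with no CRL loaded, so the two are always configured together.
        ctx.load_verify_locations(cafile=crl_path)   # PEM file holding the CRL(s)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings a reviewer would raise against a client-side TLS context."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("no-cert-verification")      # untrusted/expired certs accepted
    if not ctx.check_hostname:
        findings.append("no-hostname-check")         # any valid cert for any host accepted
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy-tls-allowed")
    if not ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF:
        findings.append("no-revocation-check")       # revoked-but-unexpired certs accepted
    return findings


if __name__ == "__main__":
    print("insecure:", audit_tls_context(insecure_client_context()))
    print("hardened:", audit_tls_context(hardened_client_context()))
```

The hardened context without a CRL still produces one finding, which is the point: expiry is enforced by the library, but "not revoked" is only true if the deployment actually distributes revocation data (a CRL here; OCSP would need a separate mechanism).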
System configuration settings are in place to enforce password history requirements. Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords used, at a minimum.
Keep Financial has an established threat assessment process to continuously analyze threats and disseminate the information appropriately.
Keep Financial conducts independent assessments (e.g., internal audits) at planned intervals to ensure that its internal controls are effectively implemented and maintained and in conformance with the organization's requirements. Keep Financial retains documented information of the internal audit program and audit results.
Developers are required to complete secure code development training at least once every 12 months, including training on software security relevant to their job function and development languages, secure software design and secure coding techniques, and how to use tools for detecting vulnerabilities in software if these are used in the organization.
Keep Financial personnel are required to wear a badge or other form of identification within company facilities. Keep Financial provides visitors with a badge or other form of identification that visibly distinguishes visitors from onsite personnel.
Keep Financial conducts periodic phishing simulations as part of the company's security awareness initiatives.
Keep Financial has security policies that have been approved by management and detail how physical access to the company's headquarters is maintained. These policies are accessible to all employees and contractors.
Keep Financial has documented policies and procedures for logging and log monitoring that describe the events the organization must log and monitor, the general systems and system components that should be monitored, the specific information that must be captured in logs, the configuration of specific elements of the logging infrastructure, etc.
Keep Financial assigns permissions through groups or roles based on the principle of least privilege and limits the use of wild-card permissions or broad-access patterns.
Keep Financial has established training programs to help personnel understand their obligations and responsibilities for the protection of personally identifiable information (PII) and associated regulatory requirements. Personnel (including employees and contractors as applicable) are required to complete the training during onboarding and annually thereafter.
Keep Financial has defined and documented policies and procedures for handling and responding to requests from data subjects to exercise their data subject rights.
Access to manage utility programs (including anti-virus consoles and diagnostic, patching, backup, or network tools, or any other utility capable of overriding system and application controls) is restricted to authorized system administrators. Standard users cannot disable privileged utilities or modify their configurations.
Keep Financial ensures that releases are approved by appropriate members of management prior to production release.
Changes to all system components in the production environment (including software, code, infrastructure, network, configuration changes, etc.) are made according to established policies and procedures that include documentation (change description, justification, evaluation of security impact, approval by authorized parties, rollback procedures) and testing (including security impact testing and code vulnerability testing for custom development changes).
Keep Financial has documented and implemented procedures for the control of documented information relevant for its management system(s).
Keep Financial has an established and documented record of processing activity (ROPA), which includes descriptions of the lawful collection and use of PII, including the specific purposes for which PII is processed.
Keep Financial has implemented redundancy strategies for equipment, systems and processes as deemed necessary per the business continuity plans to meet availability requirements (e.g., redundancy in network components, production resources, supporting utilities, service providers, processing sites, etc.).
Keep Financial performs application regression testing to validate key processing for the application during the change management process.
Keep Financial ensures that company-issued removable media devices (USB drives) are encrypted.
Keep Financial restricts access to the identification or badge system to authorized personnel based on need-to-know principles.
Keep Financial restricts physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within the company facilities.
Keep Financial has implemented mechanisms to enable allow-by-exception or deny-by-exception rules to prevent the use of unauthorized software in the organization.
Keep Financial tracks and documents the return of all electronic and physical assets upon termination as part of the offboarding process. Access mechanisms such as keys, access cards, and MFA tokens are disabled or collected by IT or HR personnel.
Keep Financial has documented and implemented procedures and mechanisms to locate, retrieve, and provide a copy of the PII that is collected and/or processed when requested by the data subject, or to notify them if the PII has been deleted or de-identified.
Keep Financial has documented software development procedures that outline the company's processes for secure development. The documented processes include references to industry standards and/or best practices for secure development, security requirement considerations (for example, secure authentication and logging, etc.), and consideration of information security issues during each stage of the software development life cycle.
Keep Financial provides customers with the capabilities for secure log-on procedures for any user accounts under the customers' control (e.g., single sign-on, multi-factor authentication, masking of passwords, minimal information disclosure in error messages, etc.).
Keep Financial has implemented secure login procedures for in-house developed systems to deter enumeration or brute-force attacks (e.g., displaying limited information in login error messages without indicating which data is correct or incorrect, etc.)
Keep Financial's physical surveillance mechanisms (e.g., video monitoring systems, sensors and detectors) are in place to deter and detect unauthorized physical access and are protected from tampering or disabling.
Keep Financial maintains secure and supported configuration standards for application and platform runtimes.
Keep Financial uses network segmentation and/or other techniques to isolate portions of the environment and to control traffic between them based on security and business needs.
Group, shared, or generic account usage is prevented unless strictly necessary and supported by documented business justification and management approval. Mechanisms are in place to confirm individual user identity before access to the account is granted and to trace every action to an individual user.
Keep Financial checks software components and libraries for policy and license compliance, security risks, and supported versions (e.g., using software composition analysis (SCA) tools in the development pipeline, etc.). If vulnerabilities in these software components or libraries are identified, fixes are implemented in accordance with the company's vulnerability management policies.
Keep Financial has implemented a software update management process where critical patches and application updates are installed for all authorized software within priority SLAs established in company policies.
Keep Financial has a documented statement of applicability, which defines the controls deemed necessary by the organization as a result of the risk assessment to implement the risk treatment plan.
Keep Financial uses static application security testing (SAST) or equivalent tool as part of the CI/CD pipeline to detect vulnerabilities in the code base. When vulnerabilities are identified, corrections are implemented prior to release as appropriate based on the nature of the vulnerability.
Key-management policies and procedures are documented and implemented including: generation of strong cryptographic keys, secure distribution, and secure storage of cryptographic keys used to protect sensitive data.
Internal systems receive time information only from a designated central time server or servers.
Server rooms and data centers are air conditioned to maintain appropriate atmospheric conditions. Systems are in place to monitor and control air temperature and humidity at appropriate levels. Maintenance is conducted periodically in accordance with manufacturer guidance.
Where there is more than one designated time server, the time servers peer with one another to keep accurate time.
Systems are configured so that one or more designated central time servers are in use and receiving time from industry-accepted external sources based on International Atomic Time or Coordinated Universal Time (UTC).
Upon receiving a privacy right request, privacy inquiry, or privacy incident report, Keep Financial provides confirmation of receipt and responds to the request, inquiry, or report within the timeframes established by regulatory requirements.
Uninterruptible power supply (UPS) units are in place to provide backup power in the event of an electrical failure in the data centers or server rooms. Maintenance is conducted periodically in accordance with manufacturer guidance.
Passwords are set to a unique value for first-time use and upon reset. Temporary initial passwords are forced to be changed immediately after the first use.
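Several of the authentication controls in this report (account lockout of at least 30 minutes or until an administrator confirms identity, no reuse of the last four passwords, login errors that do not reveal which field was wrong, and forced change of temporary initial passwords) are usually implemented in one place. The following is an added example of that logic, not code from the report or from Keep Financial, written as a self-contained in-memory store. The five-attempt threshold and PBKDF2 parameters are assumptions, since the report states only the lockout duration and history depth; the clock is injectable so the lockout expiry can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Thresholds quoted in the report; the attempt count is an assumption (not stated there).
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 30 * 60        # "a minimum of 30 minutes"
PASSWORD_HISTORY = 4             # "the last four passwords used, at a minimum"
GENERIC_ERROR = "Invalid username or password."   # never says which one was wrong
PBKDF2_ITERATIONS = 50_000       # kept low so the demo runs quickly; raise in production


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # prior (salt, digest), newest first
    failed: int = 0
    locked_until: float = 0.0
    must_change: bool = False    # True for temporary/initial passwords


class AuthStore:
    """In-memory credential store. The user-facing message is always generic;
    the specific reason goes to the internal audit log (self.events) instead."""

    def __init__(self, clock=time.time):
        self.accounts: Dict[str, Account] = {}
        self.events: List[str] = []
        self.clock = clock

    def create(self, username: str, password: str, temporary: bool = False) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, _derive(password, salt), must_change=temporary)

    def login(self, username: str, password: str) -> Tuple[bool, str]:
        acct = self.accounts.get(username)
        now = self.clock()
        if acct is None:
            _derive(password, bytes(16))          # spend the same CPU as a real check (timing)
            self.events.append("unknown_user")
            return False, GENERIC_ERROR
        if now < acct.locked_until:
            self.events.append(f"locked_attempt {username}")
            return False, GENERIC_ERROR           # do not hint that the account is locked
        if hmac.compare_digest(_derive(password, acct.salt), acct.digest):
            acct.failed = 0
            acct.locked_until = 0.0
            return True, "password_change_required" if acct.must_change else "ok"
        acct.failed += 1
        self.events.append(f"bad_password {username}")
        if acct.failed >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            self.events.append(f"lockout_started {username}")
        return False, GENERIC_ERROR

    def admin_unlock(self, username: str) -> None:
        """Ends a lockout early once an administrator has confirmed the user's identity."""
        acct = self.accounts[username]
        acct.failed = 0
        acct.locked_until = 0.0
        self.events.append(f"admin_unlock {username}")

    def change_password(self, username: str, new_password: str) -> bool:
        """Rejects a password equal to the current one or any of the previous
        PASSWORD_HISTORY - 1, i.e. any of the last PASSWORD_HISTORY used."""
        acct = self.accounts[username]
        for salt, digest in [(acct.salt, acct.digest)] + acct.history:
            if hmac.compare_digest(_derive(new_password, salt), digest):
                return False
        acct.history = ([(acct.salt, acct.digest)] + acct.history)[:PASSWORD_HISTORY - 1]
        acct.salt = os.urandom(16)
        acct.digest = _derive(new_password, acct.salt)
        acct.must_change = False
        return True


if __name__ == "__main__":
    store = AuthStore()
    store.create("alice", "correct horse battery")   # constructed sample account
    for _ in range(MAX_FAILED_ATTEMPTS):
        store.login("alice", "wrong")
    print(store.login("alice", "correct horse battery"))   # locked: generic error
    print(store.events)
```

Two details matter for the enumeration control: the unknown-user path still runs the key derivation so response time does not reveal whether the username exists, and a locked account answers with the same generic message rather than "account locked", which would otherwise confirm a valid username to the attacker who caused the lockout.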
Keep Financial limits the use of unencrypted physical media and portable devices to only when strictly necessary. Use of unencrypted physical media is documented to include business justification and approval.
Keep Financial provides user guides, help articles, system documentation or other mechanisms to users to share information about the design and operation of the system and its boundaries. The information provided includes functional and nonfunctional requirements related to system processing and information specifications required to support the use of the system.
All vendor-supplied default accounts are either disabled or removed, or their default password is changed in accordance with the company's policy and compliance requirements.
Keep Financial performs due diligence activities prior to engaging with a new service provider or vendor, which may include review of security questionnaires and compliance reports, review of vendor-provided policies, procedures or other documents, analysis of delegated or shared responsibilities with the prospective vendor, etc. Results of the due diligence activities, including action items, are documented.
Keep Financial ensures that virtual machine OS patches are applied monthly.
Visitor badges or identification are surrendered or deactivated before visitors leave the facility or at the date of expiration.
Keep Financial maintains a visitor log to keep an audit trail of visitor activity to the company facilities, computer rooms or data centers where sensitive data may be stored or transmitted.
Visitors are authorized before entering, and escorted at all times within company facilities, including areas where sensitive data may be processed or maintained.
Distributed Denial of Service (DDoS). A DDoS attack is an attack in which multiple compromised computer systems flood a target, such as a server, website, or other network resource, with messages or requests to cause a denial of service for users of the targeted resource.
Multi-Factor Authentication (MFA). A security system that requires multiple methods of authentication using different types of credentials to verify users' identities before they can access a service.
Penetration Testing. The practice of testing a computer system, network, or web application to find vulnerabilities that an attacker might exploit.
Least Privilege. The principle of giving a user or account only the privileges that are required to perform a job or necessary function.
Software Development Life Cycle (SDLC). A process for planning, creating, testing, and deploying a software system.
Secure Shell (SSH). A cryptographic network protocol for operating network services securely over an unsecured network.
Secure Sockets Layer (SSL) / Transport Layer Security (TLS). The standard security technology for establishing an encrypted link between a web server and a browser.
Drata performs continuous, automated monitoring of Keep Financial's security controls to ensure Keep Financial complies with industry-accepted security standards. Due to the continuous monitoring Drata performs, this report is automatically updated to reflect the latest findings.
Drata provides companies with a product suite designed to continuously monitor and collect evidence of hundreds of security controls across the company's IT systems and processes. Drata's cloud-based software connects with companies' infrastructure, identity providers, developer tools, HRIS, version control tools, and more to provide a comprehensive view of their security and compliance posture, while automating and streamlining the workflows, processes, and manual compliance tasks.
Drata is a software-as-a-service company based in San Diego, California. Learn more at drata.com.