Q: Is there an anti-malware policy or program that has been approved by management, communicated to appropriate constituents, and an owner to maintain and review the policy? If Yes, please provide the policy and any applicable documents.
A: No, we regularly update our anti-malware tools, but we do not have a formal written policy for this.
Q: Is there a vulnerability management policy or program that has been approved by management, communicated to appropriate constituents, and an owner assigned to maintain and review the policy? If Yes, please provide the policy and any applicable documents.
A: No, this is part of our ISO 27001 process and is expected to be completed by the end of the year.
Q: Are vulnerability scans performed on all internet-facing assets at least monthly and after significant changes? Please specify when the last one was conducted, the scope, and the main findings.
A: Yes, we conduct monthly audits.
Q: Do you have controls in place to monitor and block the use of security tools (vulnerability analysis, pentesting, etc.), as well as to securely manage the data you collect? Please specify.
A: Yes, we have security measures in place to detect and block unauthorized use of security testing tools within our infrastructure. All penetration testing and vulnerability scanning activities are strictly controlled and performed by authorized personnel. Our security team ensures that any collected data from security assessments is securely stored and accessible only to designated individuals. We also follow secure logging practices to track security-related events and detect any unauthorized scanning attempts.
Q: Are vulnerability scans performed against internal networks and systems? Please specify when the last one was conducted, the scope, and the main findings.
A: No, not on the internal network for now, but we are exploring options with our providers.
Q: Does your organization perform regular (e.g., quarterly, annually) application penetration tests of the products/service?
A: Yes, we conduct penetration tests on a quarterly basis. Any findings are reviewed, prioritized, and addressed as part of our security improvement process.
Q: Are you monitoring dark web or threat intelligence feeds for potential risks to your platform?
A: No, we do not actively monitor dark web or external threat intelligence feeds. However, we continuously assess our security posture through regular penetration testing and vulnerability assessments.
Q: Do you conduct regular phishing simulations to measure employee awareness?
A: No, we do not currently conduct phishing simulations for employees. However, we maintain security best practices through regular penetration tests, vulnerability scans, and access control measures to minimize risks.
Q: Are penetration tests conducted from the internal network, external (Internet), or both? When was the last one conducted, with which scope, and what were the most important findings?
A: External only.