This document presents the responses submitted by Trans World Compliance to the information security supplier evaluation form. Each entry below includes the evaluation question, the supplier's reply, and detailed explanations.
Information Security Confidential
SUPPLIER NAME: Trans World Compliance Inc.
Service offered: Software solution for regulatory compliance of the annual FATCA and CRS reporting process, providing automation capabilities for record upload, remediation, and compliance with the FATCA and CRS reporting requirements.
Service receiving area at the bank:

General Inquiries
| General Inquiries | Reply | Detail your answer |
|---|---|---|
| Did you complete the process of getting to know your supplier? | No | We have not received such documentation. |
| Did you comply with the Confidentiality of Information Agreement documents? | No | We have not received such documentation. |
| Do you have internal policies and procedures to securely manage the protection of your customers' data? | Yes | We have detailed policies and procedures that are documented in our Operations Manual and Cyber Security Policies documents. |
| Do you perform internal audits of your information security control framework? | Yes | Full audits are performed two times a year. |
| Do you perform external audits of your information security control framework? | No | |
| Do you have a risk management process? | Yes | TWC follows the FAIR (Factor Analysis of Information Risk) methodology to determine risk in regard to our IT operations and to identify those areas in need of mitigation. |
| Do you have a comprehensive evaluation process, including physical security aspects and information security principles, for candidates to be hired? | Yes | TWC has an evaluation process, detailed in our internal Operations Manual, that is applied to all candidates before hiring. |
| Do you have processes and procedures to manage security incidents? | Yes | The processes documented to manage incidents are detailed in our internal Cyber Security Policies. |
| Does the application have role access according to the segregation of duties? | Yes | The application uses the Spring Security Framework to ensure role-based security in the form of Roles and Privileges. |
| Do you perform code analysis tests? If the answer is yes, share them with us. | Yes | To ensure the quality of the code, TWC uses SonarQube and also performs penetration testing of its application during the whole development process and after the release of official versions. |
| How do you ensure business continuity? | Yes | TWC has a complete Business Continuity and Disaster Recovery Plan based on RTO and RPO periods. The Recovery Time Objective (RTO) is within a four-hour window; this may require a rebuild of the server and reinstallation of the database, and since we have offsite image backups this should be much quicker for AWS servers. For the Recovery Point Objective (RPO), with database logs we should be able to recover up to the minute; if the outage is not just a machine crash but a complete outage of the facility, we should be able to recover up to the previous night's backup, which makes the maximum loss the data updates done in the last 24 hours. |
| Do you have a change management process? | Yes | Change management is done by the development, security and business teams during bi-weekly sprints. |
Policies and Procedures

| Indicate what policies and/or procedures you have in place in your organization. | Reply | Detail your answer |
|---|---|---|
| Classification and protection of information | Yes | Data is classified into 4 levels of clearance; all employees and contractors are obliged to protect company data and information according to the data classification. |
| Safety in human resources | Yes | TWC ensures security through its employees by providing training on privacy and data security. |
| Acceptable use of technology and information resources | Yes | Access to technology and resources is separated based on roles: developers do not have access to our production systems and the operations team does not have access to the code. |
| Access controls | Yes | Identity and access management (IAM) is used to make sure that only the right people can access an organization's data and resources. |
| Authorized and unauthorized use/access to the data | Yes | Internal data is separated by roles following the IAM method. TWC does not have direct access to any personally identifiable client data in our cloud or installed applications. CRS/FATCA One includes complete access and data change audit logging. |
| Security in software development | Yes | The code is reviewed and tested multiple times during the development process; SonarQube is used to ensure code quality, together with penetration testing to find possible vulnerabilities within the application. |
| Incident management | Yes | Incidents are managed according to our Cyber Security Policies: incidents are identified, the vulnerability is classified, and it is dealt with in the time period specified for the risk level. |
| Compliance and regulations | Yes | TWC is committed to your privacy and supports the EU's General Data Protection Regulation ("GDPR") and the EU-U.S. Privacy Shield Framework ("Privacy Shield"). |
| Policies relating to the transmission, storage and processing of confidential data, as well as data of customers | Yes | Trans World Compliance ("TWC") is committed to your privacy and supports the EU's General Data Protection Regulation ("GDPR") and the EU-U.S. Privacy Shield Framework ("Privacy Shield"). |
| Vulnerability Remediation Management Policies and Procedures | Yes | Our company cyber security policy outlines our guidelines and provisions for preserving the security of our data and technology infrastructure. Vulnerabilities that are identified are entered into our JIRA issue tracking system, classified, and prioritized. |
| Data retention and destruction | Yes | TWC does not have direct access to any personally identifiable client data in our cloud or installed applications. In case a client transmits personally identifiable client information to an employee for the purposes of support, loading, or otherwise, the employee should delete it after use or within 30 days, whichever is sooner. All data transmission must be secured with (at a minimum) password-level encryption. |
| Update security policies on a regular basis | Yes | The security policies are updated on a regular basis; the periodicity varies depending on the policy. All policies and procedures are reviewed at least annually. |
Audits

| Information on your organization's audit process | Reply | Detail your answer |
|---|---|---|
| Based on what standard or framework are internal audits performed? | Yes | Our data center has different security frameworks that are audited, among them ISO 27001, SOC 1, SOC 2 and SOC 3. |
| Do you perform internal audits of your systems? Indicate periodicity. | Yes | Full audits are performed two times a year, Disaster Recovery simulations are also done two times a year, and penetration testing of the systems is done monthly. |
| Do you perform external audits of your systems? Indicate periodicity. | No | |
| How often does the external audit company change? | N/A | |
Risk Management

| Information regarding the information risk management process in your organization. | Reply | Detail your answer |
|---|---|---|
| Do you have a formal risk management process? | Yes | TWC follows the FAIR (Factor Analysis of Information Risk) methodology to determine risk in regard to our IT operations and to identify those areas in need of mitigation. |
| Are service providers and subcontractors evaluated and monitored to determine whether they protect the safety and privacy of sensitive information and systems? | Yes | All providers and subcontractors are evaluated and monitored periodically to ensure client and internal security. |
| Have you had a security breach involving customer data? | No | |
| Do contracts with third parties provide for clauses to adequately protect the privacy and confidentiality of the information to which they may have access during the relationship? | Yes | All contracts with third parties provide for clauses to adequately protect the privacy and confidentiality of the information to which they may have access during the relationship. |
Change Management

| Information regarding your organization's change management process that may affect the privacy of your customers, and your organization's evaluation of its impact | Reply | Detail your answer |
|---|---|---|
| Is there a formalized change management process? | Yes | Change management is done by the development, security and business teams during bi-weekly sprints. |
| Do you have a change control committee? | Yes | The Security Committee is headed by the DPO and includes representatives from the Operations Group, the Development Group, and the Support Group. Other individuals may be invited. |
| Are representatives from the areas responsible for security and privacy part of the committee? | Yes | The Security Committee is headed by the DPO and includes representatives from the Operations Group, the Development Group, and the Support Group. Other individuals may be invited. |
| Do you keep records and documentation of the changes that go through this process? | Yes | Our JIRA system tracks all issues throughout the software development process and stores this in an auditable log. |
Security and Incident Response

| The level of protection of the information, and the measures taken in case of an incident where the information of the company or of your customers is exposed, are evaluated. | Reply | Detail your answer |
|---|---|---|
| Do you have a perimeter firewall to protect your internal network? | Yes | We use AWS firewall services, VPCs and security groups to ensure network security and continuity. |
| Do you have an IDS as part of your infrastructure? | Yes | Our IDS is Suricata, a high-performance network analysis and threat detection engine, which works together with our firewall to provide threat detection. |
| Do you have intrusion prevention systems as part of your security infrastructure? | Yes | The IPS responsible for threat prevention is Amazon GuardDuty, which monitors the environment. |
| Do you perform periodic vulnerability scans and penetration tests on assets, applications, and systems that contain customer data? | Yes | Penetration testing is done on a monthly basis with multiple tools on all of our systems, including our systems that contain customer data. |
| Do you formally assess and re-evaluate your information security threats and risks at regular intervals, based on the frequency of emerging threats to your systems and processes? | Yes | Penetration testing is done monthly and repeated if a vulnerability is discovered, to ensure it was fixed. |
| Do you perform periodic secure code analysis on applications containing customer data? | Yes | All code is peer reviewed and goes through an automated testing process and manual testing. Code quality and penetration testing are done monthly to ensure the security of the application. Monitoring of CISA notifications protects against zero-day exploits and other threats. |
| Do you have documented incident response procedures? | Yes | The company has specific response procedures documented in our Operations Manual, detailing the classification and the SLA period to resolve said vulnerabilities. |
| In case of a security incident, how do you handle it? | Yes | Incidents are handled following our Cyber Security Policies: incidents are identified, the vulnerability is classified, and it is dealt with in the time period specified for the risk level. |
| Do you inform your customers about security incidents? | Yes | In the unlikely event of a security breach, within 24 hours of discovery Trans World Compliance will notify the owners of any affected data and, where required by law, the relevant Data Protection Authorities. |
Personnel Security

| Process carried out for the selection of internal personnel who have access to sensitive customer information. | Reply | Detail your answer |
|---|---|---|
| Do you have job descriptions for employees accessing confidential or sensitive information? | Yes | The company has detailed job descriptions and roles for every position. |
| Do you have controls in place to ensure that data is only accessed on a need-to-know basis, i.e. by roles or job description? | Yes | TWC controls data access using Identity and Access Management (IAM), making sure that only the right people can access an organization's data and resources. |
| Do you have disciplinary processes to handle policy violations? | Yes | Disciplinary actions are specified in our internal Code of Conduct, which is agreed to and followed by all employees. Penalties are based on damage or potential damage and can include everything up to and including termination and/or legal action for violations of the non-disclosure clause in employment contracts. |
| Are controls in place to ensure that access for a user or supplier is removed when he or she leaves the company or terminates the contract? | Yes | Access to any company data or resources is blocked or removed immediately after the contract termination. |
| Is training of internal users on data security issues conducted on a regular basis? | Yes | Security training for all employees is done every year to make sure everyone has a good understanding of privacy and security. |
Physical Security

| Information on prevention and detection mechanisms to physically protect the information. | Reply | Detail your answer |
|---|---|---|
| Is there a physical security program in place at the locations where systems or services are provided? | Yes | The data centers run monitoring, triage and response security programs, with controlled physical access management and intrusion detection response. |
Compliance/certification/audit reports

| Indicate which reports, certifications or other documents you have. | Reply | Detail your answer |
|---|---|---|
| ISO 27001 | Yes | Our data centers comply with the ISO 27001 internationally recognized standard for security management best practices and comprehensive security controls. |
| SOX | No | The Sarbanes-Oxley Act (SOX) is not relevant to Trans World Compliance. |
| SSAE16 | Yes | The data centers have the SSAE SOC 1 Type 2 report, which evaluates the effectiveness of their controls that might affect your internal controls over financial reporting (ICFR). The audit is performed according to the SSAE 18 and ISAE 3402 standards. |
| SOC 2 | Yes | Our data centers have the SOC 2 Type 2 report, which evaluates the controls that meet the criteria for security, availability, confidentiality, and privacy in the American Institute of Certified Public Accountants (AICPA) TSP section 100, Trust Services Criteria. |
| SOC 3 | Yes | The data centers also have the SOC 3 report, which is a summary of the SOC 2 report. It states that the data center meets the AICPA Trust Services Criteria in its SOC 2 audit report and includes the external auditor's opinion on the operation of controls. |
| PCI | No | CRS/FATCA One does not deal with credit card processing. |
| Others | No | |