Door recognizes the importance of safeguarding its information resources. By implementing a comprehensive set of measures, Door aims to reduce the risk of disruption to its operations and protect its stakeholders’ interests. This policy is based on best practices in the industry, including the SOC-2 framework.
This policy has been created to prevent unauthorized disclosure, modification, removal or destruction of information assets, or interruptions to business activities.
This policy applies to all Door staff using Door information resources.
Door Management shall apply this policy to all members of the Door Workforce, and all third-party organizations that require access to Door systems and data, particularly where confidential and sensitive data is concerned. Any exceptions to this policy shall be facilitated via this document’s Policy Compliance section.
4.1.1 Managers shall ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards.
4.1.2 Reviews of the compliance of systems with security and privacy policies, standards and any other security and privacy requirements (HIPAA, legal, etc.) are supported by system and information owners. Compliance reviews are conducted by security, privacy and/or audit individuals and incorporate reviews of documented evidence. Automated tools are used where possible, but manual processes are acceptable.
4.1.3 Annual compliance assessments are conducted. If any non-compliance is found as a result of the review, the system owner:
4.1.4 The results and recommendations of these reviews are documented and approved by management.
4.1.5 The internal security organization regularly reviews the compliance of information processing as part of a formal risk assessment process. Automated compliance tools/scans are used where possible. The organization employs assessors or assessment teams to monitor the security controls in the information system on an ongoing basis as part of a continuous monitoring program. These teams will have a level of independence appropriate to the organization’s continuous monitoring strategy.
4.1.6 The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
4.1.7 The security organization maintains records of the compliance results (e.g., organization-defined metrics) in order to better track security trends within the organization, respond to the results of correlation and analysis, and to address longer term areas of concern.
4.2.1 Information systems shall be regularly checked for compliance with security implementation standards.
4.2.2 The organization checks the technical security configuration of information systems and network components. Checking is performed manually by an individual experienced with the systems, with the assistance of automated software tools, or both. These compliance checks are performed annually.
4.2.3 If any non-compliance is found as a result of the review, the organization:
4.2.4 Supply chain agreements (e.g., SLAs) between providers and customers (tenants) incorporate at least the following mutually-agreed-upon provisions and/or terms:
Third-party service providers demonstrate compliance with information security and confidentiality, access control, service definitions, and delivery level agreements included in third-party contracts. Third-party reports, records, and services undergo audit and review at least annually to govern and maintain compliance with the service delivery agreements.
Any decision to upgrade to a new release takes into account the business requirements for the change, and the security and privacy impacts of the release (e.g., the introduction of new security functionality or the number and severity of security problems affecting this version).
If systems or system components in production are no longer supported by the developer, vendor, or manufacturer, the organization must show evidence of a formal migration plan approved by management to replace the system or system components.
Previous versions of application software are retained as a contingency measure. Old versions of software are archived, together with all required information and parameters, procedures, configuration details, and supporting software for as long as the data is retained in archive or as dictated by the organization’s data retention policy.
Physical or logical access is only given to suppliers for support purposes when necessary, and with management approval. The supplier’s activities are monitored.
This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months.
Further information and advice on this policy can be obtained from the Door Team, policies@doorfunds.com.