Is there a formalized risk governance plan approved by management that defines the Enterprise Risk Management program requirements?
Yes, there is a formalized risk governance plan approved by management.
Does the risk governance plan include risk management policies, procedures, and internal controls?
Chezie’s Risk Governance Plan is guided by our procedures and our risk management policy. Please see the Risk Management Policy.
Is there a documented third-party risk management program in place for the selection, oversight and risk assessment of third parties (e.g., subcontractors, suppliers, service providers, dependent service providers, sub-processors) in scope for the services?
Currently, we do not have a third-party risk management program, but we have plans to implement one in the near future.
Are annual internal risk assessments performed?
Yes. All annual risk assessments are performed in-house.
Does your organization maintain an internal risk register for tracking and remediating risks?
As part of our risk governance plan, we maintain an internal risk register.
How often is the risk register reviewed internally?
We review our risk register annually.
Is there a set of information security policies that have been approved by management, published, and communicated to constituents?
Yes, please see the Information Security Policy.
Do the information security policies and procedures establish requirements for the protection of information that is processed, stored or transmitted on external systems?
The information security policies and procedures establish requirements for the protection of information. We follow industry-standard best practices to ensure that all information we handle is processed, stored, and transmitted with security in mind.
Have all information security policies and standards been reviewed in the last 12 months?
All information security policies have been reviewed in the last 12 months.
Where is client data stored geographically?
Client data is stored in the AWS West region, with backups in the AWS East region.
Do you logically and physically segregate production and non-production environments? How do you ensure Production Data is not to be replicated or used in your test environments?
There is a logical and physical separation between local environments and remote environments. Our data models are built before a line of code is written, so we are able to develop locally with dummy data that matches the shape of the data that lives on our servers.