Orange County NC Website
Browse       Search
DocuSign Envelope ID:8CCC378C-D84F-4D9F-BAF3-FB77653C088A <br /> Appendix 1 <br /> Information Security Controls for CrowdStrike Systems <br /> Security Control Description <br /> Category <br /> 1. Governance a. Assign to an individual or a group of individuals appropriate roles for developing, <br /> coordinating, implementing, and managing CrowdStrike's administrative, physical, and <br /> technical safeguards designed to protect the security, confidentiality, and integrity of <br /> Personal Data <br /> b. Use of data security personnel that are sufficiently trained, qualified, and experienced to <br /> be able to fulfill their information security-related functions <br /> 2. Risk Assessment a. Conduct periodic risk assessments designed to analyze existing information security <br /> risks, identify potential new risks, and evaluate the effectiveness of existing security <br /> controls <br /> b. Maintain risk assessment processes designed to evaluate likelihood of risk occurrence <br /> and material potential impacts if risks occur <br /> c. Document formal risk assessments <br /> d. Review formal risk assessments by appropriate managerial personnel <br /> 3. Information a. Create information security policies, approved by management, published and <br /> Security Policies communicated to all employees and relevant external parties. <br /> b. Review policies at planned intervals or if significant changes occur to ensure its <br /> continuing suitability, adequacy, and effectiveness. <br /> 4. Human Resources a. Maintain policies requiring reasonable background checks of any new employees who <br /> Security will have access to Personal Data or relevant CrowdStrike Systems, subject to local law <br /> b. Regularly and periodically train personnel on information security controls and policies <br /> that are relevant to their business responsibilities and based on their roles within the <br /> organization <br /> 5. Asset Management a. Maintain policies establishing data classification based on data criticality and sensitivity <br /> b. Maintain policies establishing data retention and secure destruction requirements <br /> c. Implement procedures to clearly identify assets and assign ownership <br /> 6. Access Controls a. Identify personnel or classes of personnel whose business functions and responsibilities <br /> require access to Personal Data, relevant CrowdStrike Systems and the organization's <br /> premises <br /> b. Maintain controls designed to limit access to Personal Data, relevant CrowdStrike <br /> Systems and the facilities hosting the CrowdStrike Systems to authorized personnel <br /> c. Review personnel access rights on a regular and periodic basis <br /> d. Maintain physical access controls to facilities containing CrowdStrike Systems, including <br /> by using access cards or fobs issued to CrowdStrike personnel as appropriate <br /> e. Maintain policies requiring termination of physical and electronic access to Personal <br /> Data and CrowdStrike Systems after termination of an employee <br /> f. Implement access controls designed to authenticate users and limit access to <br /> CrowdStrike Systems <br /> g. Implement policies restricting access to the data center facilities hosting CrowdStrike <br /> Systems to approved data center personnel and limited and approved CrowdStrike <br /> personnel <br /> h. Maintain dual layer access authentication processes for CrowdStrike employees with <br /> administrative access rights to CrowdStrike Systems <br /> 7. Cryptography a. Implement encryption key management procedures <br /> b. Encrypt sensitive data using a minimum of AES/128 bit ciphers in transit and at rest <br /> 8. Physical Security a. Require two factor controls to access office premises <br /> b. Register and escort visitors on premises <br /> 9. Operations a. Perform periodic network and application vulnerability testing using dedicated qualified <br /> Security internal resources <br /> b. Contract with qualified independent 3rd parties to perform periodic network and <br /> application penetration testing <br /> c. Implement procedures to document and remediate vulnerabilities discovered during <br /> vulnerability and penetration tests <br /> CrowdStrike Form May 27 2019 16 of 17 <br />