2024-024-E-IT Dept-Carahsoft Technology Corporation-Procurement of Crowdstrike
Entry Properties
Last modified: 1/25/2024 2:24:31 PM
Creation date: 1/25/2024 2:24:01 PM

Fields
Template: Contract
Date: 1/3/2024
Contract Starting Date: 1/3/2024
Contract Ending Date: 1/9/2024
Contract Document Type: Contract
Amount: $357,829.88
CrowdStrike Form May 27 2019 16 of 17

Appendix 1
Information Security Controls for CrowdStrike Systems

Security Control Category / Description

1. Governance
   a. Assign to an individual or a group of individuals appropriate roles for developing, coordinating, implementing, and managing CrowdStrike’s administrative, physical, and technical safeguards designed to protect the security, confidentiality, and integrity of Personal Data
   b. Use of data security personnel that are sufficiently trained, qualified, and experienced to be able to fulfill their information security-related functions

2. Risk Assessment
   a. Conduct periodic risk assessments designed to analyze existing information security risks, identify potential new risks, and evaluate the effectiveness of existing security controls
   b. Maintain risk assessment processes designed to evaluate likelihood of risk occurrence and material potential impacts if risks occur
   c. Document formal risk assessments
   d. Review formal risk assessments by appropriate managerial personnel

3. Information Security Policies
   a. Create information security policies, approved by management, published and communicated to all employees and relevant external parties.
   b. Review policies at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.

4. Human Resources Security
   a. Maintain policies requiring reasonable background checks of any new employees who will have access to Personal Data or relevant CrowdStrike Systems, subject to local law
   b. Regularly and periodically train personnel on information security controls and policies that are relevant to their business responsibilities and based on their roles within the organization

5. Asset Management
   a. Maintain policies establishing data classification based on data criticality and sensitivity
   b. Maintain policies establishing data retention and secure destruction requirements
   c. Implement procedures to clearly identify assets and assign ownership

6. Access Controls
   a. Identify personnel or classes of personnel whose business functions and responsibilities require access to Personal Data, relevant CrowdStrike Systems and the organization’s premises
   b. Maintain controls designed to limit access to Personal Data, relevant CrowdStrike Systems and the facilities hosting the CrowdStrike Systems to authorized personnel
   c. Review personnel access rights on a regular and periodic basis
   d. Maintain physical access controls to facilities containing CrowdStrike Systems, including by using access cards or fobs issued to CrowdStrike personnel as appropriate
   e. Maintain policies requiring termination of physical and electronic access to Personal Data and CrowdStrike Systems after termination of an employee
   f. Implement access controls designed to authenticate users and limit access to CrowdStrike Systems
   g. Implement policies restricting access to the data center facilities hosting CrowdStrike Systems to approved data center personnel and limited and approved CrowdStrike personnel
   h. Maintain dual layer access authentication processes for CrowdStrike employees with administrative access rights to CrowdStrike Systems

7. Cryptography
   a. Implement encryption key management procedures
   b. Encrypt sensitive data using a minimum of AES/128 bit ciphers in transit and at rest

8. Physical Security
   a. Require two factor controls to access office premises
   b. Register and escort visitors on premises

9. Operations Security
   a. Perform periodic network and application vulnerability testing using dedicated qualified internal resources
   b. Contract with qualified independent 3rd parties to perform periodic network and application penetration testing
   c. Implement procedures to document and remediate vulnerabilities discovered during vulnerability and penetration tests

DocuSign Envelope ID: 15D73919-3C2B-4FD5-B1D4-12D3A740401F
DocuSign Envelope ID: 8CCC378C-D84F-4D9F-BAF3-FB77653C088A
DocuSign Envelope ID: BA2C0343-56AA-4434-92F9-D28AEB96D976