The description of Resolver’s system throughout the period of October 1, 2022, through September 30, 2023, pursuant to Reporting on Service Organization Controls 2 (SOC 2) Type 2 examination performed under AT-C 105 and AT-C 205 and HIPAA/HITECH requirements.
Resolver provides applications to address security, compliance, and risk requirements for over 1,000 of the largest organizations in the world. Resolver’s software includes applications such as Incident Reporting, Command Center, Investigations & Case Management, Risk Assessment, Enterprise Risk Management, Internal Audit, Compliance, and Internal Control.
Resolver has over 380 employees across its offices around the globe and supports customers across 40 countries.
The company is structured functionally. Sales, Marketing, Finance & Operations, HR, Product Management, Professional Service, Customer Success and Development report to the President Executive. Development includes sub-teams devoted to Development, Quality, Information Security and DevOps. Professional Service includes sub-teams devoted to Customer Service, Consulting Services and Business Development, and Solution Engineering.
Resolver Core No-Code Risk Intelligence Software Solution
Resolver’s Integrated Risk, Governance and Compliance Management platform helps organizations plan and prepare so as to limit the likelihood or impact of events; this includes:
Perspective (PSV)
Perspective supports the response and recovery process when an event does occur, including:
RiskVision
The RiskVision Information Security Platform protects clients’ data from cyber attacks and data breaches and helps organizations understand their information systems, through:
GRC Cloud
GRC Cloud houses data predominantly pertaining to risk and compliance. It contains highly confidential customer information relating to some or all of the following:
GAL
GAL houses data pertaining to business continuity, crisis, and emergency. It contains highly confidential customer information relating to some or all of the following:
Resolver designs its processes and procedures related to Global Alert Application, RiskVision Application, Resolver Core Application, GRC Cloud Application, and Perspective PSV Application, to meet its objectives for its Global Alert Application, RiskVision Application, Resolver Core Application, GRC Cloud Application, and Perspective PSV Application Services. Those objectives are based on the service commitments that Resolver makes to user entities, the laws and regulations that govern the provision of Global Alert Application, RiskVision Application, Resolver Core Application, GRC Cloud Application, and Perspective PSV Application Services, and the financial, operational, and compliance requirements that Resolver has established for the services. The Global Alert Application, RiskVision Application, Resolver Core Application, GRC Cloud Application, and Perspective PSV Application Services of Resolver are subject to the security and privacy requirements of the Health Insurance Portability and Accountability Act Administrative Simplification, as amended, including relevant regulations, as well as state privacy security laws and regulations in the jurisdictions in which Resolver operates.
Security commitments to user entities are documented and communicated in Service Level Agreements (SLAs) and other customer agreements, as well as in the description of the service offering provided online. Security commitments are standardized and include, but are not limited to, the following:
Resolver establishes operational requirements that support the achievement of security commitments, relevant laws and regulations, and other system requirements. Such requirements are communicated in Resolver’s system policies and procedures, system design documentation, and contracts with customers. Information security policies define an organization-wide approach to how systems and data are protected. These include policies around how the service is designed and developed, how the system is operated, how the internal business systems and networks are managed, and how employees are hired and trained. In addition to these policies, standard operating procedures have been documented on how to carry out specific manual and automated processes required in the operation and development of Global Alert Application, RiskVision Application, Resolver Core Application, GRC Cloud Application, and Perspective PSV Application Services.
Infrastructure
The Risk (Core), Audit (Core), Compliance (Core, GRC Cloud), Controls and Incident Management (Core, Perspective), Business Continuity & Disaster Recovery (GAL), Crisis & Emergency (GAL), Threat and Vulnerability (RiskVision) and IT Risk & Compliance (RiskVision) Management systems consist of six distinct software application platforms:
Resolver Core, Perspective, GAL, RiskVision and GRC Cloud. Each application is deployed in one or more AWS regions.
Primary infrastructure used to provide Resolver’s Global Alert Application, RiskVision Application, Resolver Core Application, GRC Cloud Application, and Perspective PSV Application Services System includes the following:
AWS Region | Resolver Core | PSV | RiskVision | GAL | GRC |
AWS Australia | Amazon ECS managed immutable containers, instances of Docker images built from the latest release of Alpine Linux, Node.js, ElastiCache Redis, PostgreSQL RDS, RabbitMQ. Security in Depth approach is implemented** | N/A | N/A | N/A | N/A |
AWS Canada | Amazon ECS managed immutable containers, instances of Docker images built from the latest release of Alpine Linux, Node.js, ElastiCache Redis, PostgreSQL RDS, RabbitMQ. Security in Depth approach is implemented** | Windows Server 2016, IIS, .Net, SQL Server 2016 Standard. Security in Depth approach is implemented** | N/A | N/A | Windows Server 2016, IIS, .Net, SQL Server 2016 Standard |
AWS Europe (Germany) | Amazon ECS managed immutable containers, instances of Docker images built from the latest release of Alpine Linux, Node.js, ElastiCache Redis, PostgreSQL RDS, RabbitMQ. Security in Depth approach is implemented** | Windows Server 2016, IIS, .Net, SQL Server 2016 Standard. Security in Depth approach is implemented** | Windows Server 2016, IIS, .Net, SQL Server 2016 Standard. Security in Depth approach is implemented** | Windows Server 2019, IIS, .Net, SQL Server 2019 Standard. Security in Depth approach is implemented** | N/A |
AWS UK | Amazon ECS managed immutable containers, instances of Docker images built from the latest release of Alpine Linux, Node.js, ElastiCache Redis, PostgreSQL RDS, RabbitMQ. Security in Depth approach is implemented** | N/A | N/A | N/A | N/A |
AWS USA | Amazon ECS managed immutable containers, instances of Docker images built from the latest release of Alpine Linux, Node.js, ElastiCache Redis, PostgreSQL RDS, RabbitMQ. Security in Depth approach is implemented** | Windows Server 2016, IIS, .Net, SQL Server 2016 Enterprise. Security in Depth approach is implemented** | Windows Server 2016, IIS, .Net, SQL Server 2016 Standard. Security in Depth approach is implemented** | Windows Server 2019, IIS, .Net, SQL Server 2019 Standard. Security in Depth approach is implemented** | N/A |
*Core environment: Core platform services run inside an Amazon ECS (container management service) cluster deployed in at least two (2) separate AWS Availability Zones (AZs), as immutable containers, instances of Docker images built from the latest release of Alpine Linux, with no services other than the Resolver application available and/or running.
Alpine Linux was designed with security in mind, simplicity, and resource efficiency. It uses a hardened kernel and compiles user-space binaries as Position Independent Executables (PIE) with stack-smashing protection.
Each ECS cluster member runs a Docker container for every Core microservice.
**“Security in Depth” approach means the use of available Security mechanisms in the different layers of the application deployment infrastructure to minimize potential attack vectors by creating multiple layers of protection in case one mechanism fails.
Since Resolver uses AWS hosting and deploys production environments using the AWS VPC service, the following AWS security features are used.
Security controls/mechanisms at the network level (Layer 4 of the OSI model):
Application (HTTP/HTTPS) level mechanisms (Layer 7 of the OSI model):
OS infrastructure level mechanisms (Layers 4/5/6/7 of the OSI model):
The Risk (Core), Audit (Core), Compliance (Core, GRC Cloud), Controls and Incident Management (Core, Perspective), Business Continuity & Disaster Recovery (GAL), Crisis & Emergency (GAL), Threat and Vulnerability (RiskVision) and IT Risk & Compliance (RiskVision) Management applications are developed and supported internally. Resolver operates the internally developed web and application services on Windows Server 2016/2019 Standard.
Resolver Core services run inside Amazon Elastic Container Service (ECS), a container management service, as immutable containers, instances of Docker images built on the latest release of Alpine Linux, with no services other than the Resolver application available and/or running.
Alpine Linux was designed with security in mind, simplicity, and resource efficiency. It uses a hardened kernel and compiles user-space binaries as PIE with stack-smashing protection.
The database environment is Microsoft SQL Server 2016/2019 Standard and/or Microsoft SQL Server 2016/2019 Enterprise running on Windows Server 2016/2019 Standard operating systems as well as AWS PostgreSQL Relational Database Server (RDS) SaaS Service and MySQL.
Security Infrastructure
Logical access security software, infrastructure, and architectures have been implemented to support identification and authentication of authorized internal and external users; restriction of authorized internal and external user access to system components, or portions thereof, authorized by management, including hardware, data, software, mobile devices, output, and offline elements; and prevention and detection of unauthorized access to meet the entity’s commitments and system requirements as they relate to security and availability.
Software
Primary software used to provide Resolver’s Global Alert Application, RiskVision Application, Resolver Core Application, GRC Cloud Application, and Perspective PSV Application Services System includes the following:
Primary Software
Software | Operating System | Purpose |
Box | SaaS Offering | File storage |
Bitbucket | SaaS Offering | Source control |
BambooHR | SaaS Offering | HR system |
Confluence | SaaS Offering | Content collaboration: Document / WiKi pages |
Jira | SaaS Offering | Development and change management |
GitLab | SaaS Offering | Source Code Management, Continuous Development and Continuous Integration (CD/CI) pipelines management tool |
Pendo.io | SaaS Offering | Cloud-based product engagement services |
ZenDesk | SaaS Offering | Cloud-based customer support services |
Salesforce.com | SaaS Offering | Cloud-based customer relationship management |
Slack Technologies | SaaS Offering | Cloud-based communication services |
Workato | SaaS Offering | Cloud-based integration and workflow automation services, only at the customer request, for an additional fee |
Pagerduty | SaaS Offering | Paging for system availability |
Papertrail | SaaS Offering | Product’s debugging logs |
Snyk.io | SaaS Offering | Third-party dependency monitoring for security vulnerabilities, Open Source Security (OSS) scanner |
Tenable.io | SaaS Offering | Vulnerability Management |
People
There are multiple departments involved in the technical development, delivery and operations of the Risk, Audit, Compliance, Controls, and Incident Management applications. These groups are led by the Chief Technology Officer (CTO) & Chief Information Security Officer (CISO), VP Professional Services and Chief Information Officer (CIO) who report to the President Executive:
People
Department | Function |
Product Management | Consults with customers, prospects, and subject matter experts to design the Risk, Audit, Compliance, Controls, and Incident Management applications. Works with Development to build the applications. |
Development | Builds the Risk, Audit, Compliance, Controls, and Incident Management applications. |
Quality Engineering | Performs functional, integration and performance testing and assures quality for the Risk, Audit, Compliance, Controls, and Incident Management applications. |
DevOps | Manages Production and Staging environments, performs required monitoring, incident management and maintenance. |
InfoSec | Manages information security across the company. Ensures customer data is protected, security controls are adequate, properly designed and functioning effectively. |
Customer Service | Provides end user support, first level incident triage. |
Professional Services | Implements the Risk, Audit, Compliance, Controls, and Incident Management applications for customers. |
Internal IT | Manages internal office networks, servers, desktops, software, and cloud apps. |
Data
Resolver Core No-Code Risk Intelligence Software Solution
Resolver Core houses data pertaining to security and risk. It contains highly confidential customer information relating to some or all of the following:
Process, risk and control documentation, Risk assessments, Audit work papers, Control testing results, Compliance requirements and assessments, Incident data, Corporate investigations and case files, Asset lists, Person information, potentially including personally identifiable information, Patient information, including potentially personal health information.
Data is housed in a PostgreSQL RDS database or an S3 bucket for file uploads. Data and files are encrypted at rest using an AES-256 algorithm and in transit using Transport Layer Security (TLS) v1.3 and v1.2. Users can only interact with the data through the web user interface (WUI) or the REST API. Users must possess valid login credentials with proper authorization to access the data through either mechanism.
Data interactions through the WUI also flow through the REST API. Data access occurs through the REST API. Administrative users have an additional option to upload data through an Excel data import tool. The Excel data import tool also uses the REST API to upload data.
Resolver Core Platform provides an Active Data Warehouse that provides real-time and historical access to data in the system. Every change made to any risk or environment variable is automatically captured and time stamped in Resolver Core Platform. In most other systems, data instances are transient: when data is updated, previous data is either overwritten, or a snapshot is taken for a specific variable without any supporting context.
Active Data Warehousing gives customers access to their historical data using their own BI tool.
The Data Warehouse is separate from the active/live Amazon RDS for PostgreSQL database instance.
Authentication is based on username and password generated by a user with appropriate access permissions and privileges within Resolver Core Platform via HTTPS over TLS v1.2 secure communication channel.
Users may export data they are authorized to access by running a report and exporting the result to Excel.
Perspective
Perspective houses data pertaining to security and investigations. It contains highly confidential customer information relating to some or all of the following:
Incident data, Corporate investigations and case files, Asset lists, Person information, potentially including Personally Identifiable Information (PII), Patient information, including potentially Personal Health Information (PHI), Security guard activities, Standard operating procedures.
Data is housed in a Microsoft SQL Server database. Data is encrypted at rest using an AES-256 algorithm and in transit using TLS 1.2. Users can only interact with the data through the user interface (UI) or the REST API. Users must possess valid login credentials with proper authorization to access the data through either mechanism. To use the API, users must request and possess an additional authorized key.
Users may export data they are authorized to access by running a query in the UI and exporting the result to Excel.
RiskVision
RiskVision houses data predominantly pertaining to risk and compliance. It contains highly confidential customer information relating to some or all of the following:
Process, risk and control documentation, Risk assessments, Audit work papers, Control testing results, Compliance requirements and assessments.
Transactional data is housed in a MySQL Server database. Data is encrypted at rest using an AES-256 algorithm and in transit using TLS 1.2. Transactional data is denormalized and stored in a separate reporting data warehouse. Users can only interact with the data through the web user interface (WUI) or through a Business Intelligence (BI) tool connected to the data warehouse. Users must possess valid login credentials with proper authorization to access the data through either mechanism.
Administrative users have an additional option to upload data through an Excel data import tool.
Users may export data they are authorized to access by running a report and exporting the result to Excel.
GAL
GAL houses data pertaining to business continuity, crisis, and emergency. It contains highly confidential customer information relating to some or all of the following:
Disaster Recovery, Business continuity plans, Crisis Planning, Emergency Response, Incident data, Asset lists, Person information, potentially including personally identifiable information.
Transactional data is housed in a Microsoft SQL Server database. Data is encrypted at rest using an AES-256 algorithm and in transit using TLS v1.2. Users can only interact with the data through the web user interface (WUI). Users must possess valid login credentials with proper authorization to access the data through this mechanism.
Users may export data they are authorized to access by running a report and exporting the result to CSV.
GRC Cloud
GRC Cloud houses data predominantly pertaining to risk and compliance. It contains highly confidential customer information relating to some or all of the following:
Process, risk and control documentation, Risk assessments, Audit work papers, Control testing results, Compliance requirements and assessments.
Transactional data is housed in a Microsoft SQL Server database. Data is encrypted at rest using an AES-256 algorithm and in transit using TLS 1.2. Transactional data is denormalized and stored in a separate reporting data warehouse. Users can only interact with the data through the web user interface (WUI) or through a Business Intelligence (BI) tool connected to the data warehouse. Users must possess valid login credentials with proper authorization to access the data through either mechanism.
Administrative users have an additional option to upload data through an Excel data import tool.
Users may export data they are authorized to access by running a report and exporting the result to Excel.
Hosted Data Access
Customer hosted data is treated equally as confidential. Resolver does not access the data except when granted permission by a customer for troubleshooting purposes.
Customers own their data and are responsible for the input of data into the system. Data classification is the responsibility of the customer. Resolver does not have knowledge of, or access to, the data to know what it contains, including PII and/or PHI data. If required, customers should have Complementary End User Controls for privacy and health information.
User authorization is the responsibility of the customer. Customers must ensure role-based permissions and memberships are appropriate to the users to which they have been assigned.
Privacy Commitments
The following excerpt is from Resolver’s privacy policy taken directly from Resolver’s website.
Resolver Values Your Privacy
This Privacy Statement (the “Statement”) governs all aspects of how RESOLVER and its affiliates (collectively “We”, “Us” or “Our”) collect, use, maintain, disclose, and process Personal Data (as defined below) from prospects, customers, suppliers, business partners and other individuals (“Users”, “You” or “Your” and similar words).
By accessing a Resolver website, registering for events, downloading content, obtaining information from Us, communicating with Us via e-mail, in person or through Our websites (or service providers’ websites on our behalf) or information volunteered by You and/or by using any Resolver software (“Software”), You agree to the terms of this Statement.
We are committed to protecting the confidentiality, integrity and security of all Personal Data entrusted to Us by You. Resolver has prepared this Statement to inform You of Our policy and practices concerning the collection, use, disclosure, and processing of Personal Data.
Personal Data that We Collect
We, from time-to-time, may collect information relating to an identified or identifiable natural person (“data subject”) who can be identified, directly or indirectly by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person (“Personal Data”).
This includes Personal Data:
“Cookies” are files or pieces of information that may be stored in Your computer’s hard drive when You visit a Resolver website or use Our Software. Cookies are also used to remember that You may have already provided Personal Data to Us and as a result, they help speed up Your future activities when accessing Our websites or Our Software. We share some Personal Data obtained through cookies with third-parties that provide certain services, including marketing automation services, to Us. Most Internet browsers are initially set to accept cookies. If You do not wish to accept cookies, You can set Your Internet browser to refuse cookies or to alert You when cookies are being sent.
You may have received a unique client ID and created a password in order to use Our Software. You are requested not to divulge Your client ID or password to anyone other than Your own personnel or Our personnel and then only for the purpose of permitting Our personnel to provide services to You.
In addition to cookies and Personal Data You provide to Us, We may collect other information about (i) Your visits to Our websites; and (ii) Your access to Our Software. For example, We may collect information about Your computer, such as Your IP address; the type of Internet browser You are using; the type of computer operating system You are using; the domain name of the websites from which You linked to Our websites; and usage statistics in relation to Your use of Our Software. This information will only be collected for planning, forecasting and/or evaluation purposes.
Please note that this Statement does not cover aggregated and/or anonymized data from which the identity of data subject cannot be determined. We retain the right to use any aggregated/anonymized data in any way that We determine appropriate.
We have no control over the content of third-party websites that may be identified on Our websites or, if applicable, accessed through hyperlinks.
Your Consent
Your provision of Personal Data to Us means that You agree and consent that We may collect, use, disclose and process Personal Data that You provide in accordance with this Statement. If You do not agree with these terms, You are requested not to provide any Personal Data to Us. Certain services can only be offered if You provide Personal Data to Us and/or You may not be able to access any of Our Software. Consequently, if You choose not to provide Us with any required Personal Data, We may not be able to offer You certain services or You may not be able to access any of Our Software.
How We Use Personal Data
We may, from time-to-time, use Personal Data that We collect from You (including through Our Software) or that You provide to Us to:
Our use of Personal Data is limited to these purposes. Unless permitted by law, no Personal Data about a User is collected, without an appropriate entity first obtaining the consent of the data subject to the collection, use, dissemination, or processing of that information.
Disclosure of Personal Data
We will use Personal Data collected from You and Users for internal purposes only. We may disclose Personal Data to organizations that perform services on Our behalf (“Service Providers”). Service Providers include sub-processors and authorized resellers of Our products and services. We shall take reasonable and appropriate steps to ensure that Personal Data provided to Service Providers (including, using standard contractual clauses, as appropriate) is processed only for the purposes of providing services to Us, under Our instruction and in a manner consistent with the relevant principles articulated in this Statement.
Please note that there are circumstances where the use or disclosure of Personal Data may be justified or permitted or where We are obliged to disclose information without consent. Such circumstances may include:
Where obliged or permitted to disclose information without consent, We will not disclose more information than is required. We do not sell any Personal Data that We have obtained.
International Transfers
Resolver, a Canadian legal entity domiciled in Toronto, Canada, is the primary legal entity that provides goods and services (including Software). With respect to Personal Data originating from the European Economic Area (EEA) that may be transferred to Canada, You acknowledge that the European Commission, pursuant to decision 2002/2/EC has declared the Canadian Personal Data Protection and Electronic Documents Act, that applies to Us, provides an adequate level of protection for Personal Data transferred from the European Community. Accordingly, if Personal Data originates from the EEA and is transferred to Canada, no additional safeguards are needed to meet the requirements of the applicable European data protection laws.
Whenever Personal Data that originates from the EEA is processed by a Resolver affiliate in a country that the European Commission has deemed to be inadequate, We do so with approved legal adequacy mechanisms in place (e.g., EU standard contractual clauses). For transfers of Personal Data to the United States, We rely on EU-US Privacy Shield or on the implementation of the EU standard contractual clauses, as appropriate.
Maintenance and Security of Personal Data
We retain Personal Data about Users as long as We believe it is necessary to fulfill the purpose for which it was collected. Currently, We hold Personal Data in North America, Europe, and Oceania. Personal Data maintained on Our systems is protected using industry standard security measures. However, We cannot guarantee that the information submitted to, maintained on, or transmitted from Our systems will be completely secure and transmission of information over the Internet is susceptible to possible loss, misrouting, interception, and misuse.
Access to Personal Data
You may update Personal Data either by accessing Our Software or by contacting Us. If You would like for Us to return, remove or make any additional corrections to any Personal Data or exercise any other data subject right available to you under the EU GDPR, you can click here to complete the Data Subject Access Request form directly and We will consider Your request under applicable law. Requests to access, correct, or remove Personal Data, to the extent possible, will be handled within thirty (30) days and may be subject to a fee, as permitted by applicable law. To protect Your privacy and security, We may take steps to verify Your identity before complying with the request.
You also have the right to complain to a data protection authority about Our processing of Personal Data. For more information, please contact Your local data protection authority.
Please note that due to technical constraints and the fact that We back up Our systems, Personal Data may continue to reside in Our systems for up to sixty (60) days after deletion. Individuals, therefore, should not expect that their Personal Data would be completely removed from Our systems in response to an accepted request for deletion.
We reserve the right to decline access to Personal Data where the information requested:
Where information will not or cannot be disclosed, the data subject making the request will be provided with the reasons for non-disclosure. Where information will be disclosed, We will endeavor to provide the information in question within a reasonable time and no later than thirty (30) days following the request.
We will not respond to repetitious or vexatious requests for access. In determining whether a request is repetitious or vexatious, We will consider such factors as the frequency with which information is updated, the purpose for which the information is used, and the nature of the information.
To guard against fraudulent requests for access, We will require sufficient information to allow it to confirm the identity of the person making the request before granting access or making corrections.
Amendment of Resolver practices and this Statement
This statement is in effect and was last revised as of December 23, 2022. We will from time-to-time review and revise Our privacy practices and this Statement. In the event of any amendment, an appropriate notice will be posted on this site. Statement changes will apply to the information collected from the date of posting of the revised Statement to this site as well as to existing information held by Us.
Contact information
If You have any questions about the privacy practices of Resolver, or You wish to access Your Personal Data, please contact:
Outside of the EEA: | Inside the EEA: |
Privacy Officer Resolver Inc. 804-111 Peter Street Toronto, ON M5V 2H1 Canada E-mail: privacy@resolver.com | GDPR Representative Resolver Inc. c/o Resolver Software Limited 199 Bishopsgate, London EC2M 3TY England E-mail: gdpr.representative@resolver.com |
Processes, Policies and Procedures
Formal IT policies and procedures exist that describe physical security, logical access, computer operations, change control, and data communication standards. Teams are expected to adhere to the Resolver policies and procedures that define how services should be delivered. These are located on the Company’s intranet and can be accessed by any Resolver team member.
Security Management
Security is managed at a senior level by the CISO, who reports directly to the President Executive. With management approval, the CISO is responsible for defining and implementing the security policies, procedures, and mechanisms that enforce the organization’s information security needs. The CISO is supported by personnel that include information security analysts, system administrators, network administrators and other subject matter experts.
Physical Security
Resolver uses properly certified hosting providers to house virtual environments, including application servers, database servers, web servers, and other technical infrastructure. The hosting company also provides backup facilities and services. Access to the data center environment is restricted to the fully authorized and vetted staff of the provider.
Similarly, Resolver offices are governed by access control and visitor policies. Access to the facilities outside of business hours requires a valid electronic key fob. During business hours, visitors must check in with reception and are accompanied by Resolver staff during their visit.
Servers are hosted within AWS. As such, the physical security controls around the data center that hosts critical information are the responsibility of the subservice organization. Refer to the subservice organization section below for additional details.
Logical Access
Internal Users
User access is tightly governed by role and by the user on-boarding and change procedures, in which explicit permissions are required for any access to applications, data, or the network. There is user and role segmentation, both of which are managed and reviewed regularly. Resolver follows a Role Based Access Control (RBAC) security model with privileges set to the most restrictive by default, allowing the application administrator to create security roles with granular and very strict sets of permissions.
Customer Users
User access and authorization is the responsibility of the customer. Resolver does not control or manage which users will have access to which systems or data. The Risk, Audit, Compliance, Controls, and Incident Management systems follow a Role Based Access Control (RBAC) security model with privileges set to the most restrictive by default, allowing the application administrator to create security roles with granular and very strict sets of permissions.
Customer User Data Access
Resolver Core
Customer data is stored in an AWS RDS PostgreSQL DB instance and in an AWS Simple Storage Service (S3) bucket.
On login, a user is issued a digitally signed, tamper proof JSON Web Token (JWT) that contains a customer ID. The token is passed to the web services on request.
In RDS, customer data is segregated into unique data tables created per customer. Data tables have a unique ID that the application matches to the customer ID in the JWT for requests. The application limits users to only view the data in the data tables specific to their customer ID.
In S3, customer data is segregated into a directory structure linked to the customer ID. The application limits users to only see and search the files that are in the directory for the customer ID contained in the JWT.
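The tenant check described above for Resolver Core, as an added illustration that is not Resolver’s code: a signed JWT carrying a customer ID is verified on each request, and the requested table and S3 directory are then matched against that ID. The HS256 format, claim names, demo secret, table and object names are all constructed assumptions.

```python
"""Added example (not Resolver's code): JWT-scoped tenant isolation.

A login issues an HMAC-signed JWT whose ``customer_id`` claim is the only source
of tenant scope; every data access re-verifies the token and refuses anything
outside that customer's tables or S3 directory. All names here are constructed.
"""
import base64
import hashlib
import hmac
import json
import posixpath
import time

SECRET = b"constructed-demo-secret"  # constructed; real deployments use a managed key

# Constructed stand-ins for the per-customer RDS tables and the S3 directory tree.
TABLES = {
    "cust-100": {"incidents": [{"id": 1, "title": "Lost badge"}]},
    "cust-200": {"incidents": [{"id": 7, "title": "Phishing report"}]},
}
S3_OBJECTS = [
    "cust-100/reports/q1.pdf",
    "cust-200/reports/q1.pdf",
    "cust-200/evidence/a.png",
]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(customer_id: str, user_id: str, ttl: int = 3600, now=None) -> str:
    """Mint the signed token handed out at login (HS256, compact JWT form)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "customer_id": customer_id, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now=None) -> dict:
    """Return the claims only if signature, algorithm, expiry and tenant claim check out."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")  # pin the algorithm; never trust the header
    expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise PermissionError("expired")
    if "customer_id" not in claims:
        raise PermissionError("missing customer_id")
    return claims


def query_table(token: str, requested_customer_id: str, table: str, now=None) -> list:
    """Serve a table only when its customer ID matches the one in the verified token."""
    claims = verify_token(token, now)
    if requested_customer_id != claims["customer_id"]:
        raise PermissionError("cross-tenant access denied")
    return TABLES[requested_customer_id][table]


def list_files(token: str, prefix: str, now=None) -> list:
    """List objects under the tenant directory; the token, not the request, picks the root."""
    claims = verify_token(token, now)
    tenant_root = claims["customer_id"] + "/"
    full = posixpath.normpath(tenant_root + prefix.lstrip("/"))  # collapse any "../"
    if full == claims["customer_id"]:
        full += "/"
    if not full.startswith(tenant_root):
        raise PermissionError("path escapes tenant directory")
    return [key for key in S3_OBJECTS if key.startswith(full)]


def denied(fn, *args, **kwargs) -> bool:
    """True if the call is refused with PermissionError (used to show failure modes)."""
    try:
        fn(*args, **kwargs)
    except PermissionError:
        return True
    return False


def rejects_forged_customer_id(token: str, new_id: str, now=None) -> bool:
    """Re-encode the payload with another customer_id; the old signature must not verify."""
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims["customer_id"] = new_id
    forged = h + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + s
    return denied(verify_token, forged, now)


if __name__ == "__main__":
    tok = issue_token("cust-100", "alice", now=1000)
    print(query_table(tok, "cust-100", "incidents", now=1500))
    print(list_files(tok, "reports", now=1500))
    print("cross-tenant table denied:", denied(query_table, tok, "cust-200", "incidents", now=1500))
    print("directory escape denied:", denied(list_files, tok, "../cust-200", now=1500))
    print("forged customer_id denied:", rejects_forged_customer_id(tok, "cust-200", now=1500))
```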
Perspective
Customer data is stored in a Microsoft SQL Server DB. Each customer has a unique and dedicated DB to store their data. The DB is accessed through a unique account with a unique password. Database access accounts are contained in individual configuration files that are stored in a dedicated directory per customer. The directory is linked to the customer’s access URL.
RiskVision
Customer data is stored in PostgreSQL and MySQL DBs. Each customer has a unique and dedicated DB to store their data. The DB is accessed through a unique account with a unique password. Each customer is running a dedicated instance of RiskVision.
GAL
Customer data is stored in a Microsoft SQL Server DB. Each customer has a unique and dedicated DB to store their data. The DB is accessed through a unique account with a unique password. Each customer is running a dedicated instance of GAL.
GRC Cloud
Customer data is stored in a Microsoft SQL Server DB. Each customer has a unique and dedicated DB to store their data. The DB is accessed through a unique account with a unique password. Each customer is running an instance of GRC Cloud in a separate memory space that only has access to the DB account for its DB.
Hosting Access
Resolver’s hosting provider for the production environments is a Tier 1 provider with SOC2 certifications, including system access control standards. Both physical and logical controls are in place to ensure only permitted users are able to access equipment or the network on which the equipment resides. The hosting providers do not have access to the databases within their environment other than for system administration purposes.
Password Management
Resolver centrally controls network, database and application account creation and rights assignments. Usernames follow a naming standard and must be accompanied by a strong password. For external facing systems Resolver requires password resetting per the security policy and procedure guidelines.
Network Access and Security
Network access is controlled at two levels: through hosting-provider integrated mechanisms (e.g., AWS Network Access Control Lists (ACLs) (AWS Firewall) and AWS VPC Security Groups (SG)) and through OS firewall / IPsec policy / iptables mechanisms (a defense-in-depth approach is implemented *), all of which are enabled.
External activity is monitored and reviewed, and escalations are routed to and directly managed by the Resolver DevOps and Information Security teams.
Computer Operations – Backups
Core
For nightly full backups of the Core database, Resolver uses the automated AWS RDS backup feature, which provides the ability to recover a customer database to any point in time during the backup retention period (31 days).
Backups are encrypted on S3 or EBS Volumes utilizing AES 256.
Perspective and GRC Cloud
Resolver performs a full weekly backup to an EBS volume (highly available), cycled weekly after each full backup, and retains a copy of 5 weeks of full backups before cycling.
Snapshots are taken nightly (backed by AWS S3, highly available and redundant) and retained for 31 days. Transaction log backups are taken hourly to an EBS volume (highly available) and are cycled weekly after the full backup.
Backups are encrypted on S3 or EBS Volumes utilizing AES 256.
GAL and RiskVision
Resolver performs a full monthly backup, weekly incremental backups, and hourly DB transaction log backups, retaining a copy of 5 weeks of full backups before cycling.
Backups are encrypted utilizing AES 256.
Production Management, Server, and Environment Management
Resolver’s production environments are built to be distributed, virtualized, and interconnected with the environment through scripts with human interaction.
Resolver is able to provide customers with additional scalability, reliability and security through its partnership with AWS. AWS provides server instances that are easily deployed with high availability for a variety of offerings focused on flexibility and scalability. AWS provides physical security as well as reliable bandwidth. Refer to the subservice organizations section for additional details.
Computer Operations – Availability
Incident and Problem Management
The Resolver Incident Management team employs industry-standard diagnosis procedures to drive resolution during business-impacting events. Staff operators in Canada provide 24 x 7 x 365 coverage to detect incidents and to manage the impact and resolution.
Incidents are captured through a centralized ticketing system and then routed to the appropriate personnel for action. Incidents are categorized to indicate business impact and urgency.
Change Control
Resolver applies a systematic approach to managing change so that changes to customer impacting services are reviewed, tested, approved, and well communicated. Changes are recorded and tracked in a change ticketing system.
Change management processes are based on Resolver’s change management guidelines. These processes are documented and communicated to the necessary personnel. The goal of Resolver’s change management process is to prevent unintended service disruptions and maintain the integrity of service to the customer.
Changes deployed to production environments are:
Resolver physically separates the development/test environment from the production processing environment. There is a formal staging process for promoting tested and accepted changes from development to production. Developers do not have access to the Production environment.
The scope of this report includes Resolver’s Global Alert Application, RiskVision Application, Resolver Core Application, GRC Cloud Application, and Perspective PSV Application Services System performed in the Toronto, Ontario facilities.
This report does not include the data center hosting services provided by AWS at multiple facilities.
Integrity and Ethical Values
The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical values are essential elements of Resolver’s control environment, affecting the design, administration, and monitoring of other components. Integrity and ethical behavior are the product of Resolver’s ethical and behavioral standards, how they are communicated, and how they are reinforced in practices. They include management’s actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the communication of entity values and behavioral standards to personnel through policy statements and codes of conduct, as well as by example.
Specific control activities that the service organization has implemented in this area are described below:
Commitment to Competence
Resolver’s management defines competence as the knowledge and skills necessary to accomplish tasks that define employees’ roles and responsibilities. Management’s commitment to competence includes management’s consideration of the competence levels for particular jobs and how those levels translate into the requisite skills and knowledge.
Specific control activities that the service organization has implemented in this area are described below:
Training and Development
Resolver employees receive regular training as it pertains to their job functions. The training can take the form of supervised on-the-job training and externally through seminars and formal course work. As part of the on-boarding process of new personnel, employees undertake security awareness training and continue to do so on an annual basis.
Performance Appraisals and Advancement
Formal performance reviews are conducted on a semi-annual basis by an employee’s immediate supervisor. Personnel are evaluated on objective criteria based on performance. The review also includes a Self-Evaluation and a Peer Evaluation from two team members who have worked directly with the individual over the quarter. Ratings are then generated based on summary results. Continuous improvement plans are put into place based on feedback.
Management’s Philosophy and Operating Style
Resolver’s management philosophy and operating style encompass a broad range of characteristics. Such characteristics include management’s approach to taking and monitoring business risks, and management’s attitudes toward information processing, accounting functions, and personnel.
Specific control activities that the service organization has implemented in this area are described below:
Resolver’s activities are overseen by its applicable Board of Directors and members of its senior executive team. The Board and the senior executive team meet several times annually and have established and maintain the key operating policies and practices of the organization.
The senior executive team is led by the President Executive and consists of the following key functional roles:
Organizational Structure and Assignment of Authority and Responsibility
Resolver’s processing activities are allocated among personnel that are organized along functional lines. The reporting lines are depicted in the organization chart below:
Resolver has appointed a Chief Information Security Officer (CISO) who is responsible for security, technology, infrastructure and reports directly into the President Executive. The CISO, President Executive and executives are aware of the controls set within the organization and their importance. An approval process is in place in order to approve and implement technical policies and processes between the CISO and President Executive. On an annual basis, the Resolver Executive team reviews policies to ensure that controls continue to be effective and verify that changes and new policies adhere to how Resolver operates within its control set.
Resolver monitors resourcing and staffing through the semi-annual assessment of employee qualification alignment with entity objectives. As part of this process, management and employees formally evaluate, discuss, and recognize performance over the last half-year and set goals and priorities for the next half-year. Management further reviews operational plans and goals for the coming period to assess alignment of resources and employee skill sets.
Specific control activities that the service organization has implemented in this area are described below:
Human Resources Policies and Practices
Resolver has formal hiring practices that are designed to help ensure that new personnel are qualified for their job responsibilities. These practices are outlined below:
Hiring
On-Boarding
Resolver’s risk assessment process includes an established process to identify and take into consideration the implications of relevant risks. Business planning processes also include risk assessments, which include the following:
Integration with Risk Assessment
The environment in which the system operates; the commitments, agreements, and responsibilities of Resolver’s Global Alert Application, RiskVision Application, Resolver Core Application, GRC Cloud Application, and Perspective PSV Application Services System; as well as the nature of the components of the system result in risks that the criteria will not be met. Resolver addresses these risks through the implementation of suitably designed controls to provide reasonable assurance that the criteria are met. Because each system and the environment in which it operates are unique, the combination of risks to meeting the criteria and the controls necessary to address the risks will be unique. As part of the design and operation of the system, Resolver’s management identifies the specific risks that the criteria will not be met and the controls necessary to address those risks.
Resolver has implemented various methods of internal communication at a global level to help employees understand their individual roles and responsibilities and to communicate significant events in a timely manner. These methods include orientation and training programs for newly hired employees; annual training programs; regular management meetings for updates on business performance and other matters; and electronic means such as video conferencing, electronic mail messages, instant messaging communication and the posting of information via Resolver’s intranet.
At the customer level, Resolver has also implemented various methods of external communication to support its customer base and the community through its Marketing and Customer Success teams. Mechanisms are in place to allow the customer support team to be notified and to notify customers of potential operational issues that could impact the customer experience.
Monitoring of performance, quality and adherence to company policies and internal controls is part of the day-to-day responsibilities of management. This is accomplished through regular review of established reports, which provide performance and quality results.
On-Going Monitoring
Resolver’s management conducts quality assurance monitoring on a regular basis and additional training is provided based upon results of monitoring procedures. Monitoring activities are used to initiate corrective action through department meetings, internal conference calls, and informal notifications.
Management’s close involvement in Resolver’s operations helps to identify significant variances from expectations regarding internal controls. Upper management evaluates the facts and circumstances related to any suspected control breakdown. A decision for addressing any control’s weakness is made based on whether the incident was isolated or requires a change in the company’s procedures or personnel. The goal of this process is to ensure legal compliance and to maximize the performance of Resolver’s personnel.
Reporting Deficiencies
An internal tracking tool is utilized to document and track the results of on-going monitoring procedures. Escalation procedures are maintained for responding and notifying management of any identified risks. Risks receiving a high rating are responded to immediately. Corrective actions, if necessary, are documented and tracked within the internal tracking tool. Annual risk meetings are held for management to review reported deficiencies and corrective actions.
Periodic Assessments
Resolver has developed a health information security management program to meet the information security and compliance requirements related to Resolver’s Global Alert Application, RiskVision Application, Resolver Core Application, GRC Cloud Application, and Perspective PSV Application Services and its customer base. The program incorporates the elements of HIPAA and HITECH. The description below is a summary of safeguards that Resolver has implemented to adhere to the applicable components of the HIPAA Final Security Rule and the breach notification requirements of HITECH.
Health information security policies and procedures have been implemented regarding the protection of information assets. The policies and procedures act as a guide for Resolver personnel. These policies and procedures define guidelines for the health information security program related to scope of services, which includes implementing and managing logical access security and controls, including the following:
These policies are reviewed and approved by management on at least an annual basis.
Resolver employees receive security awareness training for health information security as part of the onboarding process. This training is reinforced by security awareness communications on current issues which are distributed as needed. Additionally, employees are also required to participate in annual security awareness training.
Resolver completes evaluations throughout each calendar year regarding the effectiveness of the health information security program that include, but are not limited to, the following:
Areas of non-compliance in Resolver’s internal control system surface from many sources, including the Company’s ongoing monitoring procedures, separate evaluations of the internal control system, and external parties. Management has developed protocols to help ensure that findings of internal control non-compliance, if identified, are reported to the individual responsible for the function or activity involved, who is in the position to take corrective action. This process enables that individual to provide needed support or oversight for taking corrective action, and to communicate with others in the organization whose activities may be affected. Management evaluates the specific facts and circumstances related to areas of non-compliance in internal control procedures and makes the decision for addressing any non-compliant items based on whether the incident was isolated or requires a change in the Company’s procedures or personnel.
Resolver maintains a documented incident response plan including breach notification requirements as mandated by HITECH. The procedures include, but are not limited to, the identification, response, escalation, and remediation of security breaches and other incidents. A formal breach notification process is utilized to document and track resolution of incidents noted. The incident response procedures are tested during the normal course of business and are updated as needed.
No significant changes have occurred to the services provided to user entities since the organization’s last review.
No significant incidents have occurred to the services provided to user entities since the organization’s last review.
The following Trust Services Criteria and HIPAA/HITECH requirements are not applicable to the system:
Trust Services Criteria and HIPAA/HITECH Requirements Not Applicable to the System
Category / Safeguard | Criteria / Requirement | Reason |
Administrative Safeguard | 164.308(a)(4)(ii)(A) | Resolver is not a healthcare clearinghouse. |
Administrative Safeguard | 164.308(b)(1), 164.308(b)(3), 164.308(b)(4) | Resolver is not a covered entity. |
Physical Safeguard | 164.310(c) | Resolver is not a covered entity. |
Organizational Safeguard | 164.314(a)(2)(ii) | Resolver is not a government entity. |
Organizational Safeguard | 164.314(b)(1), 164.314(b)(2) | Resolver is not a plan sponsor. |
Breach Notification | 164.404(a), 164.404(b), 164.404(c)(1), 164.404(c)(2), 164.404(d)(1)(i), 164.404(d)(1)(ii), 164.404(d)(2), 164.404(d)(2)(i), 164.404(d)(2)(ii), 164.404(d)(3), 164.406, 164.408(a), 164.408(b), 164.408(c) | The entity is a business associate; its responsibilities for breach notification are limited to its covered entity customers. |
Complementary Subservice Organization Controls
Resolver’s services are designed with the assumption that certain controls will be implemented by the subservice organization. Such controls are called complementary subservice organization controls. It is not feasible for all of the trust services criteria and HIPAA/HITECH requirements related to Resolver’s services to be solely achieved by Resolver’s control procedures. Accordingly, the subservice organization, in conjunction with the services, should establish their own internal controls or procedures to complement those of Resolver.
The following subservice organization controls should be implemented by AWS to provide additional assurance that the trust services criteria and HIPAA/HITECH requirements described within this report are met:
Subservice Organization Controls – AWS
Category / Security Rule | Criteria / Regulation | Applicable Controls |
Common Criteria / Security, Physical Safeguard | CC6.4, 164.310(a)(1), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(a)(2)(iv), 164.310(d)(1), 164.310(d)(2)(ii) | AWSCA-4.12: KMS-Specific – Recovery key materials used for disaster recovery processes by KMS are physically secured offline so that no single AWS employee can gain access to the key material. |
| | AWSCA-4.13: KMS-Specific – Access attempts to recovery key materials are reviewed by authorized operators on a cadence defined in team processes. |
| | AWSCA-5.1: Physical access to data centers is approved by an authorized individual. |
| | AWSCA-5.2: Physical access is revoked within 24 hours of the employee or vendor record being deactivated. |
| | AWSCA-5.3: Physical access to data centers is reviewed on a quarterly basis by appropriate personnel. |
| | AWSCA-5.4: Physical access points to server locations are recorded by closed circuit television camera (CCTV). Images are retained for 90 days, unless limited by legal or contractual obligations. |
| | AWSCA-5.5: Physical access points to server locations are managed by electronic access control devices. |
| | AWSCA-5.6: Electronic intrusion detection systems are installed within data server locations to monitor, detect, and automatically alert appropriate personnel of security incidents. |
Availability | A1.2 | AWSCA-5.7: Amazon-owned data centers are protected by fire detection and suppression systems. |
| | AWSCA-5.8: Amazon-owned data centers are air conditioned to maintain appropriate atmospheric conditions. Personnel and systems monitor and control air temperature and humidity at appropriate levels. |
| | AWSCA-5.9: Uninterruptible Power Supply (UPS) units provide backup power in the event of an electrical failure in Amazon-owned data centers. |
| | AWSCA-5.10: Amazon-owned data centers have generators to provide backup power in case of electrical failure. |
| | AWSCA-5.11: Contracts are in place with third-party colocation service providers which include provisions to provide fire suppression systems, air conditioning to maintain appropriate atmospheric conditions, Uninterruptible Power Supply (UPS) units, and redundant power supplies. |
| | AWSCA-5.12: AWS performs periodic reviews of colocation service providers to validate adherence with AWS security and operational standards. |
| | AWSCA-7.2: S3-Specific – S3 performs continuous integrity checks of the data at rest. Objects are continuously validated against their checksums to prevent object corruption. |
| | AWSCA-7.3: S3-Specific – When disk corruption or device failure is detected, the system automatically attempts to restore normal levels of object storage redundancy. |
| | AWSCA-7.4: S3-Specific – Objects are stored redundantly across multiple fault-isolated facilities. |
| | AWSCA-7.5: S3-Specific – The design of systems is sufficiently redundant to sustain the loss of a data center facility without interruption to the service. |
| | AWSCA-8.1: Monitoring and alarming are configured by Service Owners to identify and notify operational and management personnel of incidents when early warning thresholds are crossed on key operational metrics. |
| | AWSCA-8.2: Incidents are logged within a ticketing system, assigned a severity rating, and tracked to resolution. |
| | AWSCA-10.1: Critical AWS system components are replicated across multiple Availability Zones and backups are maintained. |
| | AWSCA-10.2: Backups of critical AWS system components are monitored for successful replication across multiple Availability Zones. |
Resolver management, along with the subservice organization, defines the scope and responsibility of the controls necessary to meet all the relevant trust services criteria through written contracts, such as SLAs. In addition, Resolver performs monitoring of the subservice organization controls, including reviewing attestation reports over services provided by vendors and the subservice organization.
Resolver’s services are designed with the assumption that certain controls will be implemented by user entities. Such controls are called complementary user entity controls. It is not feasible for all of the Trust Services Criteria related to Resolver’s services to be solely achieved by Resolver’s control procedures. Accordingly, user entities, in conjunction with the services, should establish their own internal controls or procedures to complement those of Resolver.
The following complementary user entity controls should be implemented by user entities to provide additional assurance that the Trust Services Criteria described within this report are met. As these items represent only a part of the control considerations that might be pertinent at the user entities’ locations, user entities’ auditors should exercise judgment in selecting and reviewing these complementary user entity controls.
In-Scope Trust Services Categories
Common Criteria (to the Security, Availability, Processing Integrity, Confidentiality and Privacy Categories)
Security refers to the protection of:
Availability
Availability refers to the accessibility of information used by the entity’s systems, as well as the products or services provided to its customers. The availability objective does not, in itself, set a minimum acceptable performance level; it does not address system functionality (the specific functions a system performs) or usability (the ability of users to apply system functions to the performance of specific tasks or problems). However, it does address whether systems include controls to support accessibility for operation, monitoring, and maintenance.
Processing Integrity
Processing integrity refers to the completeness, validity, accuracy, timeliness, and authorization of system processing. Processing integrity addresses whether systems achieve the aim or purpose for which they exist and whether they perform their intended functions in an unimpaired manner, free from error, delay, omission, and unauthorized or inadvertent manipulation. Because of the number of systems used by an entity, processing integrity is usually only addressed at the system or functional level of an entity.
Confidentiality
Confidentiality addresses the entity’s ability to protect information designated as confidential from its collection or creation through its final disposition and removal from the entity’s control in accordance with management’s objectives. Information is confidential if the custodian (for example, an entity that holds or stores information) of the information is required to limit its access, use, and retention and restrict its disclosure to defined parties (including those who may otherwise have authorized access within its system boundaries). Confidentiality requirements may be contained in laws or regulations or in contracts or agreements that contain commitments made to customers or others. The need for information to be confidential may arise for many different reasons. For example, the information may be proprietary, intended only for entity personnel. Confidentiality is distinguished from privacy in that privacy applies only to personal information, whereas confidentiality applies to various types of sensitive information. In addition, the privacy objective addresses requirements regarding collection, use, retention, disclosure, and disposal of personal information. Confidential information may include personal information as well as other information, such as trade secrets and intellectual property.
Privacy
Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives. Although confidentiality applies to various types of sensitive information, privacy applies only to personal information. The privacy criteria are organized as follows:
Resolver has developed a health information security management program to meet the information security and compliance requirements related to the Global Alert Application, RiskVision Application, Resolver Core Application, GRC Cloud Application, and Perspective PSV Application Services System and its customer base. The program incorporates the elements of HIPAA and HITECH. The description below is a summary of safeguards that Resolver has implemented to adhere to the applicable components of the HIPAA Final Security Rule and the breach notification requirements of HITECH.
Administrative Safeguards – Policies and procedures designed to show how Resolver complies with the act:
Physical Safeguards – Controlling physical access to protected data:
Technical Safeguards – Controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient:
Organizational Safeguards – Adherence to policies and procedures in regard to PHI documentation availability, as well as documentation retention:
Breach Notification – A business associate shall, following the discovery of a breach of unsecured protected health information, notify the covered entity of such breach:
Control Activities Specified by the Service Organization
The applicable trust criteria and HIPAA/HITECH requirements, risks, and related control activities are included in Section 4 of this report to eliminate the redundancy that would result from listing them in this section. Although the applicable trust criteria and HIPAA/HITECH requirements and related control activities are included in Section 4, they are, nevertheless, an integral part of Resolver’s description of the system. Any applicable trust services criteria or HIPAA/HITECH requirements that are not addressed by control activities at Resolver are described within Section 4 and within the “Subservice Organizations” and “Criteria Not Applicable to the System” sections above.
The description of the service auditor’s tests of operating effectiveness and the results of those tests are also presented in Section 4. The description of the tests of operating effectiveness and the results of those tests are the responsibility of the service auditor and should be considered information provided by the service auditor.