
Technical and Organizational Measures (TOMs)

Information Security | 2025

I. Overview

The security-related technical and organizational measures (TOMs) provided below apply to all product and technology services provided by ChannelEngine internally and externally.


II. Information Security Management System (ISMS)

ChannelEngine’s Information Security Management System (ISMS) consists of 5 security domains which cover all the required policies, processes, guidelines, best practices, and controls that ChannelEngine has identified as essential to develop, implement and adopt. The policies in the domains encompass the following areas:

  • Identity and access management (IAM) policies
  • Security & Risk management policies 
  • Security engineering and operational policies
  • Software development policies
  • Security assessment, testing and audit policies
  • Security awareness and education policies
  • BCM & DR policies
  • Contractual, legal & Privacy policies


All domains, including their controls, sub-controls and their implementation plans are explicitly described in ChannelEngine’s ISMS and security baseline.

1. Identity and access management

The identity and access management controls cover the logical and physical access activities regarding granting, revocation and alteration of access in accordance with the internally set access control matrix. 

2. Security and risk management

Risk management is the foundation and trigger of all security activities within ChannelEngine. Security risks are actively addressed, controlled and mitigated in a timely manner.

3. Security engineering and operations

ChannelEngine maintains a secure and well-designed system structure, setting proper privacy and security-by-design principles, properly managing cryptography assets and implementing controls to ensure secure and smooth operations of the application and internal systems. The operations include logging and monitoring, incident management, change and configuration management and backup processes.

4. Software development security

ChannelEngine adopts secure software development methodologies, OWASP checks, secure development training, and secure open source software usage measures.

5. Security assessment, testing, auditing and reporting 

ChannelEngine implements organizational controls to ensure effectiveness of the ISMS and management oversight. In addition, the company implements testing activities including vulnerability scanning, penetration testing, code reviews and compliance attestation (e.g. ISO 27001:2022).

6. Security awareness and education

Employee awareness and education are key activities in ChannelEngine. Security awareness training is provided to employees during onboarding and at regular intervals. Human resource security development is facilitated in the form of an annual developmental budget.

7. BCM & DR policies

ChannelEngine implements measures to ensure business continuity if a crisis leads to a partial or total stoppage of the company’s operations.

8. Contractual, legal & Privacy policies

ChannelEngine implements organizational controls that cover data processing activities, contractual obligations and privacy. The controls include DPA, DPIA and NDAs.
ChannelEngine implements organizational controls required to ensure effectiveness of the company’s ISMS.

 
