Organizational Security
RobobAI has a defined and established Information Security Policy.
The Information Security Policies are reviewed annually. Policies are also reviewed when the business undertakes significant business change or if there is a change in the operating environment.
RobobAI's Head of Security, Infrastructure and IT Operations is responsible for security policy development, maintenance, and issuing new updates.
The information security policy is made available to all employees as well as authorised third parties as appropriate.
Information security responsibilities have been established and defined in accordance with the data security policies. This includes roles, responsibilities and authority for carrying out specific data security processes.
Robobai information security, and its implementation, are reviewed via a quarterly internal audit. These include control objectives, controls, policies, processes and procedures for information security. Robobai is ISO 27001:2013 certified. This is the internationally accepted benchmark in information security standards from the British Standards Institute (BSI).
RobobAI engages an approved third party to periodically undertake a technical assessment of the security perimeter infrastructure. It ensures all identified security vulnerabilities and risks are appropriately managed.
RobobAI ensures that all relevant information security requirements are established and agreed with each supplier. They are also included in supplier agreements and contracts.
RobobAI ensures that all relevant information security requirements are established and agreed with each supplier before they access, process, store, communicate, or provide IT infrastructure components to Robobai. Robobai has established an access control policy outlining the requirements for access management privileges.
RobobAI has identified applicable legislative, statutory, regulatory and contractual requirements for each information system and organization prior to working with them.
Asset Classification and Control
RobobAI has an established process to identify, record and maintain information assets. The asset inventory is reviewed and updated quarterly. Each of the identified assets has an identified asset owner.
RobobAI has an established process of information classification and labelling along with required associated protective controls (asset handling and storage). This takes into consideration business and legal requirements.
RobobAI has active monitoring and reporting on system utilization. This data is used to drive capacity planning decisions.
Yes. RobobAI employment agreements for colleagues and contractors include responsibilities in relation to information security and non-disclosure.
Robobai conducts background screening on all prospective candidates. This is carried out in accordance with business, legal and ethical requirements.
Robobai ensures that all employees receive regular awareness, education and training with respect to information security, organizational policies and procedures.
Robobai has established a formal disciplinary process and this has been communicated to all employees.
Yes. Robobai employees and third party services are required to sign employment and service agreements which include privacy, confidentiality and non-disclosure requirements.
Robobai does not permit the use of BYO devices.
Robobai is a virtual cloud based company where all technology infrastructure is hosted by a third party provider. Access to Robobai office space is managed via biometric access and all workstations are password protected.
Yes, Robobai is a virtual cloud based company where all technology infrastructure is securely hosted by a third party provider.
Robobai is a virtual cloud based company where all technology infrastructure is securely hosted by a third party provider.
Robobai is a virtual cloud based company where all technology infrastructure is securely hosted by a third party provider. Access to Robobai office space is controlled via biometric or key card.
Robobai is a virtual cloud based company where all technology infrastructure is securely hosted by a third party provider. Robobai's office space is protected by onsite security and monitored security cameras.
Robobai is a virtual cloud based company where all technology infrastructure is securely hosted by a third party provider which provides us with highly available technology. Robobai has a tested DR and BCP strategy and a workforce equipped to securely work remotely.
RobobAI is a virtual cloud based company where all technology infrastructure is securely hosted and maintained by a third party provider.
Robobai has enabled logging to monitor and log identified events at the informational, error and warning levels.
Yes, Robobai has a formal media and asset destruction policy.
All computers connected to the Robobai network are configured to have a password-enabled screen saver. This security lockout feature automatically initiates after the computer remains idle for a predefined time period.
Robobai has enabled logging to monitor and log identified events at the informational, error and warning levels. These logs are reviewed periodically.
Robobai has identified and documented all roles, responsibilities and authorities. This includes conflicting duties and areas of responsibilities. These conflicting duties have been segregated to reduce opportunities for unauthorized or unintentional modification or misuse of Robobai assets.
RobobAI follows a defined change management policy. Changes are deployed into RobobAI production following a formal review and approval process.
Robobai has established a formal process to identify, detect and act against malware including newly discovered vulnerabilities and threats. The process includes procedures and controls which cover:
- malicious and unwanted software (block, detect, and clean)
- use of unauthorized software
- patch management
- user awareness
RobobAI has implemented controls to filter, block, and monitor inbound and outbound traffic.
Robobai has an asset destruction policy that documents the secure destruction of media.
Robobai records and stores log data of all asset/media destruction.
Robobai ensures that all system documentation (network diagrams, run books, configuration guides, etc.) and related information is stored on a secure server. It is only accessed by authorised personnel using an encrypted remote VPN.
Yes. Robobai has a defined and monitored backup policy. All identified business information and related data is backed up on a daily basis for all production VMs.
Robobai does not use tape-backup media. Robobai uses a cloud-based backup service.
(1) Does your company have a documented information security incident management procedure in place which addresses the following? AND
(2) Does your company have an incident response team with defined roles and responsibilities? AND
(3) How often are security incident (event) response drills performed?
1.1) Incident discovery (with high level security incident categories defined)
1.2) Incident notification
1.3) Risk ranking
1.4) Incident resolution (to the categories defined above)
1.5) Reporting (suitable timing to meet the local regulatory requirements)
1.6) Lessons learned
1.7) Trend analysis of past incidents, whenever applicable
Robobai has a documented Incident Management Policy.
RobobAI has implemented an information security incident management process which covers:
- Incident identification and notification
- Incident escalation
- defined roles and responsibilities
- RACI Matrix
- Incident Ranking
- Incident RACI Matrix
- Incident KPIs
Robobai has implemented a centrally managed enterprise level anti-malware solution. The solution is installed on all systems and devices (e.g. servers, laptops and desktops). The anti-virus signatures are updated on a continuous basis and distributed to all connected devices.
RobobAI executes regular penetration tests and monthly vulnerability scanning of both applications and infrastructure.
Data encryption is provided for all data in transit and at rest.
Encryption is to current best practice and is regularly reviewed.
RobobAI makes use of a secure third party key management service.
Detailed access requirements are documented in the Access Control Policy. The policy covers:
- Account usage / password policies
- Appropriate access based on need to know and least privilege
- Unique account to each individual (not revealing level of access)
- User account for both "HUMAN USER" (e.g. staff Active Directory account) and "SYSTEM USER" (e.g. service account)
- Approval, provisioning, deletion, changes are logged, reviewed and archived
- Logical Access Logging, Review and Monitoring (e.g. successful and failed logins) for applications, operating systems
RobobAI has enforced multi-factor authentication for remote connectivity.
Robobai has implemented network segmentation as one of the mitigation strategies to protect data from breaches and other cyber security threats. Robobai has established a well defined network structure that includes a secure internal network zone with multiple zones to address business requirements.
Robobai has enabled industry best practice security mechanisms to help Robobai administrators manage our infrastructure. These mechanisms include:
- Authentication and Azure role-based access control (Azure RBAC)
- Monitoring, logging, and auditing
- Certificates and encrypted communications
- A web management portal
- Network packet filtering
Robobai has implemented features to restrict, log and monitor administrator access to Microsoft Azure cloud applications and data.
Robobai has logging in place for all system access.
Robobai logs a range of user activity. Logon, logoff and update/delete activities are logged, depending on the application.
Robobai has intrusion detection software in place at both a workstation and server level.
Robobai has implemented access controls to prevent users from copying/downloading data to personal devices.
Robobai has established a secure software development life cycle (SDLC) to enable the development team to produce quality software in the fastest time and at the lowest cost. The team achieves these goals by following best practices and a structured approach.
No. Robobai does not use any data sets which contain personal information when testing an application.
Robobai has implemented a layered approach to secure networks to ensure appropriate protection. We have segregated our networks by zones (production, staging and development zones) to limit access and provide access only on a needs basis.
Robobai has established procedures to prevent the introduction of unauthorized or untested application programs into the live environment and protect the source code libraries. Robobai also protects the integrity of the source libraries by exercising control over libraries that are admitted to the system, and changes to those libraries.
Robobai follows secure SDLC processes which include a technical review of the application. Any Robobai application review covers security issues across all aspects of the application development lifecycle.
Testing is conducted by the Robobai QA Team as well as the Robobai Infrastructure Team, who are qualified in information security.
Robobai uses tools to test applications to uncover vulnerabilities, threats and risks, and to prevent malicious attacks from intruders. The purpose of the testing is to identify all possible loopholes and weaknesses including covert channels which might result in a loss of information.
Robobai has implemented a Secure SDLC process. Information security is addressed and covered in all stages of software development such as: Concept and planning, Requirements Analysis, Architecture and design, Development, QA Testing, Release and production and maintenance.
Yes. Robobai developers are trained in secure coding techniques that are aligned to industry best practice.
Robobai Incident Security Response team includes the Incident Manager, Incident Coordinator (who receives the initial incident), Incident Analyst (resource from Product Development and/or Infrastructure), Functional Heads (CTO/Product Head) and Vendor/Supplier as required.
Robobai provides training to the Incident Response team to enable them to respond to and resolve incidents. It includes specific technical skills such as programming, systems administration, client operations and application support.
After resolution of an incident, the CTO and relevant team members collaborate to identify lessons learnt from the incident, and to determine if any policies and procedures require revision.
Robobai has established a business continuity plan and DR plan to restore technology infrastructure and operations after a crisis.
The BCP DR plan is tested annually.
Robobai has a defined BCP and DR policy. Robobai will define and agree the RTO and RPO with customers as required.
The Robobai tech team has implemented a production environment with high availability to ensure minimum impact on operations during contingencies.
Yes, security policies and procedures are tested bi-annually via internal audit review.
Robobai has a designated Steering Committee which ensures compliance with information security policies.
Yes. Robobai performs bi-annual internal audit reviews and annual external audit reviews.
Yes. Robobai conducts a comprehensive information security risk assessment at least once every 12 months. The objective is to identify, analyse and mitigate risks associated with the organization's information systems.