Security Q % A

Organizational Security

1. Does your organization have a documented information security policy?

Robobai has a defined and established Information Security Policy.

2. How often are security policies reviewed and updated?

The Information Security Policies are reviewed annually. Policies are also reviewed when the business undertakes significant change business or if there is a change in the operating environment.

3. Who is responsible for security policy development, maintenance, and issuance?

Robobai's Head of Security, Infrastructure and IT Operations is responsible for security policy development, maintenance, and issuing new updates.

4. Are all security policies and standards readily available to all users (e.g., posted on company intranet)?

The information security policy is made available to all employees as well as authorised third-parties as appropriate.

5. Are security-related job responsibilities and accountabilities clearly defined and documented?

Information security responsibilities have been established and defined in accordance with the data security policies. This includes roles, responsibilities and authority for carrying out specific data security processes.

6. Have the security policies, standards, and procedures been reviewed and critiqued by a qualified third party?

Robobai information security, and its implementation, are reviewed via a quarterly internal audit. These include control objectives, controls, policies, processes and procedures for information security. Robobai is ISO 27001:2013 certified . This is the internationally accepted benchmark in information security standards from British Standards Institute (BSI).

7. Has the security perimeter infrastructure been assessed and reviewed by a qualified third party?

Robobai engages an approved third-party to periodically undertake technical assessment of the security perimeter infrastructure. It ensures all identified security vulnerabilities and risks are appropriately managed.

8. Do your third-party contracts document responsibilities with repect to information protection requirements?

Robobai ensures that all relevant information security requirements are established and agreed with each supplier. They are also included in supplier agreements and contracts.

9. Describe the process by which third- parties are granted privileged access to data.

Robobai ensures that all relevant information security requirements are established and agreed with each supplier before they access, process, store, communicate, or provide IT infrastructure components to Robobai. Robobai has established an access control policy outlining the requirements for access management privileges.

10. Have all legislative, statutory, regulatory and contractual requirements for each information system and the organization been defined. Do these include procedures for intellectual property rights, protection of records, privacy and protection of personal information and regulation of cryptographic controls?

Robobai has identified applicable legislative, statutory, regulatory and contractual requirements for each information system and organization prior to working with them.

Asset Classification and Control

11. Do you maintain an inventory of all important information assets with asset owners clearly identified?

Robobai has an established a process to identify, record and maintain information assets. The asset inventory is reviewed and updated quarterly. Each of the identified assets has an identified asset owner.

12. Describe your information classification methods and labelling practices.

Robobai has an established process of information classification and labelling along with required associated protective controls (asset handling and storage). This take into consideration business and legal requirements.

13. How are resources monitored and future capacity requirements projections made?

Robobai has active monitoring and reporting on system utilization. This data is used to drive capacity planning decisions.


14. Do Robobai's terms and conditions of employment clearly define information security requirements, including non-disclosure provisions for separated employees and contractors?

Yes. Robobai employment agreements for colleagues and contractors include resposibilitnies in relation to information security and non - disclosure.

15. Describe the screening process for all users (employees, contractors, vendors, and other third-parties)?

Robobai conducts background screening on all prospective candidates. This is carried out in accordance business, legal and ethical requirements.

16. Do you conduct formal information security awareness training for all users, including upper management?

Robobai ensures that all employees receive regular awareness, education and training with respect to information security, organizational policies and procedures.

17. Is there a formal procedure documenting actions that must be taken in the even that a user has violated any information security policies?

Robobai has established a formal disciplinary process and this has been communicated to all employees.

18. Are all users required to sign a confidentiality agreement?

Yes. Robobai employees and third party services are required to sign employment and service agreements which include privacy, confidentiality and non-disclosure requirements.

19. Does Robobai allow BYOD (Bring Your Own Device)? Are BYOD assets allowed to connect directly to a business network? If not, how do they connect?

Robobai does not permit the use of BYO devices.

Physical Security

20. Describe the physical security mechanisms that prevent unauthorized access to your office space, user workstations, and server rooms/data centres?

Robobai is a virtual cloud based company where all technology infrastructure is hosted by a third party provider. Access to Robobai office space is managed via biometric access and all work stations are password protected.

21. Are all critical information assets located in a physically secure area?

Yes, Robobai is a virtual cloud based company where all technology infrastructure is securely hosted by a third party provider.

22. How do you protect your systems from environmental hazards such as fire, smoke, water, electrical supply interfaces, and dust?

Robobai is a virtual cloud based company where all technology infrastructure is securely hosted by a third party provider.

23. What type of fire suppression systems are installed in the data centres (pre-action, mist, wet, clean agent, etc.)?

Robobai is a virtual cloud based company where all technology infrastructure is securely hosted by a third party provider.

24. What physical access restrictions have you put in place? Please describe your access system.

Robobai is a virtual cloud based company where all technology infrastructure is securely hosted by a third party provider. Access to Robobai office space is controlled via biometric or key card.

25. How is contractor access granted to secure locations?

Robobai is a virtual cloud based company where all technology infrastructure is securely hosted by a third party provider.

26. What exterior security is provided(i.e. gates, secure vehicle access, security cameras, etc.)?

Robobai is a virtual cloud based company where all technology infrastructure is securely hosted by a third party provider. Robobai's office space is protected by onsite security and monitored security camera's.

27. Is there a natural disaster risk? What means of business continuity and disaster recovery are employed to mitigate?

Robobai is a virtual cloud based company where all technology infrastructure is securely hosted by a third party provider which provides us with a highly available technology. Robobai has a tested DR and BCP strategy and a work force equipped to securely work remotely.

28. Describe your facilities system maintenance process.

Robobai is a virtual cloud based company where all technology infrastructure is securely hosted and maintained by a third party provider.

29. Are the systems configured to record system faults?

Robobai has enabled logging to monitor and log informational, error and warning of identified events.

30. Do you have a formal media destruction policy?

Yes,Robobai has a formal media and asset destruction policy.

31. Do you employ automatic locking screen savers when users’ workstations remain idle after a set period of time?

All computers connected to the Robobai network are configured to have a password-enabled screen saver. This security lockout feature automatically initiates after the computer remains idle after a predefined time period.

32. Are logs maintained that record all changes to information systems?

Robobai has enabled logging to monitor and log informational, error and warning of identified events. These logs are reviewed periodically.

Communications and Operations

33. Describe how you segregate duties to ensure a secure environment.

Robobai has identified and documented all roles, responsibilities and authorities. This includes conflicting duties and areas of responsibilities. These conflicting duties have been segregated to reduce opportunities for unauthorized or unintentional modification or misuse of Robobai assets.

34. Describe how changes are deployed into the production environment.

Robobai follows a defined change management policy. Changes are deployed into Robobai production following a formal review and approval process.

35. How do you protect your systems against newly-discovered vulnerabilities and threats? How do you prevent end users from installing potentially malicious software (e.g., list of approved applications, locking down the desktop)?

Robobai has established a formal process to identify, detect and act against malware including newly discovered vulnerabilities and threats. The process includes procedures and controls which cover: - malicious and unwanted software (block, detect, and clean) - use of unauthorized software - patch management - user awareness

36. Do you scan traffic coming into your network for viruses?

Robobai has implemented controls to filter, block, and monitor inbound and outbound traffic.

37. How do you protect the confidentiality and integrity of data between your company and customers?

Robobai has implemented mechanisms to ensure the confidentiality and integrity of all transmitted information. This includes secure data architecture, encryption (digital signatures, SSL, TLS, or cryptographic hashing), input validations etc.

38. How do you dispose of computer media when they are no longer of use?

Robobai has an asset destruction policy that documents the secure destruction of media.

39. Do you keep logs of media disposal activity?

Robobai records and stores log data of all asset/media destruction.

40. How is system documentation (network diagrams, run books, configuration guides, etc.) secured from unauthorized access?

Robobai ensures that all system documentation (network diagrams, run books, configuration guides, etc.) and related information is stored on a secure server. It it only accessed by authorised personnel using encrypted remote VPN.

41. Are backup procedures documented and monitored to ensure they are properly followed?

Yes. Robobai has defined and monitored backup policy. All identified business information and related data is backed up on daily basis for all production VM's.

42. Describe how you protect information media (e.g., back-up tapes) that is shipped offsite.

Robobai does not use tape-backup media. Robobai uses a cloud-based backup service.

43. With respect to information security incident: (1) Does your company have a documented information security incident management procedure in place which addresses the following? AND
(2) Does your company have an incident response team with defined roles and responsibilities? AND
(3) How often are security incident (event) response drill performed?
1.1) Incident discovery (with high level security incident categories defined)
1.2) Incident notification
1.3) Risk ranking
1.4) Incident resolution (to the categories defined above)
1.5) Reporting (suitable timing to meet the local regulatory requirements)
1.6) Lesson learn
1.7) Trend analysis of past incidents, whenever applicable"

"Robobai has documented Incident Management Policy.

44. What processes and standards do you follow for incident management?

Robobai has implemented an information security incident management process which covers: - Incident identification and notification
- Incident escalation
- defined roles and responsibilities
- RACI Matrix
- Incident Ranking
- Incident RACI Matrix
- Incident KPIs

45. Does your company have antivirus / malware protection installed on all systems? How frequently is it updated, are controls in place to prevent it from being disabled?

Robobai has implemented a centrally managed enterprise level anti-malware solution. The solution is installed on all systems and devices (e.g. servers, laptops and desktops). The anti-virus signatures are updated on a continuous basis and distributed to all connected devices.

46. Are network penetration tests of your infrastructure conducted regularly?

Robobai executes regular penetration tests and monthly vulnerability scanning of both applications and infrastructure.

47. What data is encrypted?

Data encryption is provided for all data in transit and at rest.

48. What encryption cipher is used?

Encryption is to current best practice and is regularly reviewed.

49. What encryption key management service is used?

Robobai makes use of a secure third party key management service.

Access Control

50. Please describe your Access Control Policy.

Detailed access requirements are documented in the Access Control Policy. The policy covers: - Account usage / password policies - Appropriate access based on need to know and least privilege - Unique account to each individual (not revealing level of access) - User account for both ""HUMAN USER"" (e.g. staff Active Directory account) and ""SYSTEM USER"" (e.g. service account) - Approval, provisioning, deletion, changes are logged, reviewed and archived, - Logical Access Logging, Review and Monitoring (e.g. successful and failed logins) for applications, operating systems

51. Describe your authentication methods used to authenticate users and or third parties via external connections.

Robobai has enforced multi-factor authentication for remote connectivity.

52. Do you conduct periodic checks on users’ accesses to ensure their access matches their responsibilities?

Robobai conducts quarterly access reviews to verify user access privileges and to maintain the correct level of user privileges. Access reviews are performed every quarter.

53. Describe how you segment your network (i.e. secure zones)

Robobai has implemented network segmentation as one of the mitigation strategies to protect data from breaches and other cyber security threats. Robobai has established a well defined network structure that includes a secure internal network zone with multiple zones to address business requirements.

54. Do you enable any remote administration capabilities on your servers and network devices? If so, which protocol(s) do you use?

Robobai has enabled industry best practice security mechanisms to aid Robobai administrators to manage our infrastructure. These mechanisms include:
- Authentication and Azure role-based access control (Azure RBAC)
- Monitoring, logging, and auditing
- Certificates and encrypted communications
- A web management portal
- Network packet filtering
Robobai has implemented features to restrict, log and monitor administrator access to Microsoft Azure cloud applications and data.

55. Describe any controls which are used to monitor and record system and application access.

Robobai has logging in place for all system access.

56. To what extent are user's system use logged and monitored?

Robobai logs a range of user activity. Logon logoff and update / delete activites are logged dependant upon application.

57. Do workstations or production servers currently utilize any type of Host Intrusion Prevention or Detection software?

Robobai has intrusion detection software in place at both a workstation and server level.

58. How are remote users prevented from copying data to personal devices when using remote connectivity?

Robobai has implemented access controls to prevent users from copying/downloading data to personal devices.

Development Maintenance

59. What tools and technologies do you utilize to effectively manage the development lifecycle?

Robobai has established a secure software development life cycle (SDLC) to enable the development team to produce quality software in the fastest time and at the lowest cost. The team achieves these goals by following best practices and a structured approach.

60. Do you use data sets containing personal information from actual people when testing an application? If so, what measures do you take to protect that information?

No. Robobai does not use any data sets which contains personal information when testing an application.

61. Are your test systems secured in the same manner as your production systems?

Robobai has implemented a layered approach to secure networks to ensure appropriate protection. We have segregated our networks by zones (production, staging and development zones) to limit access and provide access only on a needs basis.

62. Describe how you protect your application source libraries.

Robobai has established procedures to prevent the introduction of unauthorized or untested application programs into the live environment and protect the source code libraries. Robobai also protects the integrity of the source libraries by exercising control over libraries that are admitted to the system, and changes to those libraries.

63. Do security specialists conduct technical reviews of application designs?

Robobai follows secure SDLC processes which include a technical review of application. Any Robobai application review covers security issues across all aspects of application development lifecycle.

64. Are security professionals involved in the testing phase of an application?

Testing is conducted by Robobai QA Team as well as Robobai Infrastructure Team who are qualified in Information security.

65. Describe how you protect your applications from covert channels and Trojan code.

Robobai uses tools to test applications to uncover vulnerabilities, threats, risks and prevents malicious attacks from intruders. The purpose of the testing is to identify all possible loopholes and weaknesses including covert channels which might result in a loss of information.

66. During the course of a software development project, when do you typically start to discuss the security design requirements?

Robobai has implemented a Secure SDLC process. Information security is addressed and covered in all stages of software development such as: Concept and planning, Requirements Analysis, Architecture and design, Development, QA Testing , Release and production and maintenance.

67. Have your developers been trained in secure coding techniques?

Yes. Robobai developers are trained in secure coding techniques that are aligned to industry best practice.

Incident Management

68. Has a dedicated Information Security Response Team been established?

Robobai Incident Security Response team includes the Incident Manager, Incident Coordinator (who receives the initial incident), Incident Analyst (resource from Product Development and/or Infrastructure) Functional Heads (CTO /Product Head) and Vendor/Supplier as required.

69. Has the Incident Response Team been trained in evidence gathering and handling?

Robobai provides training to Incident Response team to enable them to respond and resolve incidents. It includes specific technical skills such as programming, systems administration, client operations and application support.

70. Are incident reports issued to appropriate management?

Yes. Periodic Incident management reports are provided every quarter.

71. After an incident, are policies and procedures reviewed to determine if modifications need to be implemented?

After resolution of incident, CTO and relevant team members collaborate to identify lessons learnt from the incident, and to determine if any policies and procedures require revision.

Business Continuity Planning

72. Does your company have a documented Business Continuity and Disaster Recovery Plan?

Robobai has established a business continuity plan and DR plan to restore technology infrastructure and operations after a crisis.

73. Has your company tested Business Continuity and Disaster Recovery Plan within the past 12 months?

The BCP DR plan is tested annually.

74. Do your company key managers securely hold copies of BC/DR plans and associated essential documents at BC/DR location and away from normal office locations?

Yes. Key identified staff hold securely hold copies of BC/DR plans and associated essential documents. All these documents are available on the cloud and can be accessed from any device.

75. Does your company product or service meet the established/agreed Recovery Time Objective (RTO) and Recovery Point Objective (RPO) with HSBC?

Robobai has defined BCP and DR policy. Robobai will define and agree the RTO and RPO with customers as required.

76. Are information security controls, features, etc., that are in place for normal operations, required during contingencies, recovery processes, etc.?

Robobai tech team has implemented a production environment with high availability to ensure minimum impact on operation during contingencies.


77. Are the security policies and procedures routinely tested?

Yes, security policies and procedures are tested bi - annually via internal audit review.

78. Does your company have an individual or a team for ensuring compliance with information security policies within the organization (i.e. internal audit, compliance)?

Robobai has designated Steering Committee which ensures compliance with information security policies.

79. Does your company perform independent (i.e. independent of IT personnel) security reviews/internal audit?

Yes. Robobai performs bi - annual internal audit reviws and annual external audit reviews.

80. Does your company perform regular audit to ensure compliance with any legal, regulatory or industry requirements?

Robobai Legal team provides ongoing inputs and guidance on regulatory or industry requirements. These are reviewed periodically.

81. Does your company perform information security risk assessments on a regular basis (i.e. at least annually) to take into account of changing business requirements and threats?

Yes. Robobai conducts comprehensive Information security risk assessment at least once every 12 months. The objective is to identify, analyse and mitigate risks associated with the organization's information systems.