{"id":18477,"date":"2023-12-06T11:27:13","date_gmt":"2023-12-06T19:27:13","guid":{"rendered":"https:\/\/threecloud.wpengine.com\/?page_id=18477"},"modified":"2024-03-27T13:00:40","modified_gmt":"2024-03-27T20:00:40","slug":"trust-center","status":"publish","type":"page","link":"https:\/\/3cloudsolutions.com\/trust-center\/","title":{"rendered":"Trust Center"},"content":{"rendered":"<section id=\"gutenblock-block_6470170b7bdf45c7273e600a6a079cca\" class=\"gutenblock gutenblock--oms-columns bg-color-gradient  icon_image  num_columns_ \">\r\n\r\n        <div class=\"gutenblock-inner\">\r\n\r\n            <div class=\"container-fluid\">\r\n\r\n                \r\n                <div class=\"row align-items-center\">\r\n\r\n                    <div class=\"col-12 col-lg-5\">\r\n                        <div class=\"left_text\">\r\n                            <h3>3Cloud Security Lifecycle<\/h3>\n<p class=\"intro-text\">3Cloud follows strict standards and procedures in designing and implementing its security controls to protect the confidentiality, integrity, and availability of our data, corporate assets, processes, and technologies.<\/p>\n                        <\/div>\r\n                    <\/div>\r\n\r\n                    <div class=\"col-12 col-lg-7 col-xxl-6 offset-xxl-1\">\r\n                        <div class=\"row align-items-center columns_grid\">\r\n                            <div class=\"col-12 col-sm-6 columns_left\"><div class='column  has_image  has_text '><div class='column_inner'><div class='image_container'><img loading=\"lazy\" decoding=\"async\" width=\"60\" height=\"60\" src=\"https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/05\/icon-service.svg\" class=\"attachment-column_image size-column_image\" alt=\"3Cloud Solutions Microsoft Azure App Experience Quality Engineering\" \/><\/div><div class='text_container'><p class=\"pre-title\">Built by Experts<\/p><p>3Cloud Security Engineers, Systems Administrators, and Compliance Specialists 
collaborate to harden 3Cloud&#8217;s environment, while empowering 3Clouders to work securely and efficiently.<\/p>\n<\/div><\/div><\/div><\/div><div class=\"col-12 col-sm-6 columns_right\"><div class='column  has_image  has_text '><div class='column_inner'><div class='image_container'><img loading=\"lazy\" decoding=\"async\" width=\"60\" height=\"60\" src=\"https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/05\/icon-cloud-workload.svg\" class=\"attachment-column_image size-column_image\" alt=\"3Cloud Solutions Microsoft Azure Cloud Platform\" \/><\/div><div class='text_container'><p class=\"pre-title\">Designed by Experts<\/p><p>3Cloud security and compliance professionals follow guidelines from NIST, CIS, and data privacy and protection legal counsel when architecting its policies and controls.<\/p>\n<\/div><\/div><\/div><div class='column  has_image  has_text '><div class='column_inner'><div class='image_container'><img loading=\"lazy\" decoding=\"async\" width=\"600\" height=\"600\" src=\"https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/07\/lock-shield-icon.png\" class=\"attachment-column_image size-column_image\" alt=\"\" \/><\/div><div class='text_container'><p class=\"pre-title\">Validated by Experts<\/p><p>3Cloud personnel work with Microsoft Security experts, penetration testers, auditors, legal firms, and other professionals to validate policies and controls. 
Improvements feed back into the design phase.<\/p>\n<\/div><\/div><\/div><\/div>                        <\/div>\r\n                    <\/div>\r\n\r\n                <\/div> <!-- .row -->\r\n\r\n                \r\n            <\/div> <!-- .container-fluid -->\r\n\r\n        <\/div> <!-- \/.gutenblock__inner -->\r\n\r\n    <\/section><section id=\"gutenblock-block_4dd6e306b4acbfaebcc02929d8453b82\" class=\"gutenblock gutenblock--oms-blurbs num_columns_3 bg-color-white \">\r\n\r\n        <div class=\"gutenblock-inner\">\r\n\r\n            <div class=\"container-fluid\">\r\n\r\n                \n\n    <div class=\"row header_row\">\n        <div class=\"header_column\">\n            <h3>Validation by Experts<\/h3>\n        <\/div>\n    <\/div>\n\r\n                <div class=\"row justify-content-start justify-content-md-center\">\r\n\r\n                    <div class=\"column\"><div class='blurb   has_text '><div class='text_container'><p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" src=\"https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/05\/icon-security-governance.svg\" alt=\"Data Protection\" width=\"100\" height=\"100\" align=\"center\" \/><\/p>\n<h4 style=\"text-align: center;\">Data protection<\/h4>\n<p style=\"text-align: center;\">Protecting your privacy is of paramount importance to us. Therefore, we do not share customer details with any third parties.<\/p>\n<\/div><\/div><\/div><div class=\"column\"><div class='blurb   has_text '><div class='text_container'><p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/05\/icon-web-dev.svg\" alt=\"Data Protection\" width=\"100\" height=\"100\" align=\"center\" \/><\/p>\n<h4 style=\"text-align: center;\">SOC 2 Report<\/h4>\n<p style=\"text-align: center;\">Our SOC 2 Type 2 report certifies 3Cloud&#8217;s controls for security, availability, integrity, and confidentiality. 
Available under an NDA for prospective clients upon request.<\/p>\n<p style=\"text-align: center;\"><a class=\"btn btn-primary mt-4\" href=\"mailto:contracts@3cloudsolutions.com\">REQUEST REPORT<\/a><\/p>\n<\/div><\/div><\/div><div class=\"column\"><div class='blurb   has_text '><div class='text_container'><p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" src=\"https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/07\/MicrosoftTeams-image-10-150x150.png\" alt=\"Trusted Sec Logo\" width=\"100\" height=\"100\" align=\"center\" \/><\/p>\n<h4 style=\"text-align: center;\">cloud penetration test<\/h4>\n<p style=\"text-align: center;\">TrustedSec&#8217;s report delves deep into our cloud security highlighting vulnerabilities, risk mitigation and security measures.<\/p>\n<p style=\"text-align: center;\"><a class=\"btn btn-primary mt-4\" href=\"https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2024\/02\/3Cloud_Penetration_Test_Attestation_Letter.pdf\">VIEW ATTESTATION<\/a><\/p>\n<\/div><\/div><\/div>\r\n                <\/div> <!-- .row -->\r\n\r\n            <\/div> <!-- .container-fluid -->\r\n\r\n        <\/div> <!-- \/.gutenblock__inner -->\r\n\r\n    <\/section><section id=\"gutenblock-block_29d9d9051d57130211098f51083b0c72\" class=\"gutenblock gutenblock--oms-image-text bg-color-white  text_layout \">\r\n\r\n    <div class=\"gutenblock-inner\">\r\n\r\n        <div class=\"container-fluid\">\r\n\r\n            \n\r\n            <div class=\"row\">\r\n                <div class='column text'><div class='column_inner'><p><img decoding=\"async\" class=\"aligncenter size-full wp-image-23901\" src=\"https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/mainhead.jpg\" alt=\"\" width=\"100%\" srcset=\"https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/mainhead.jpg 1500w, https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/mainhead-300x82.jpg 300w, 
https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/mainhead-1024x279.jpg 1024w, https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/mainhead-768x209.jpg 768w, https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/mainhead-600x164.jpg 600w, https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/mainhead-992x270.jpg 992w, https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/mainhead-1200x327.jpg 1200w, https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/mainhead-60x16.jpg 60w\" sizes=\"(max-width: 1500px) 100vw, 1500px\" \/><\/p>\n<h2>Information Security Statement<\/h2>\n<p>November 2023<\/p>\n<h3>Overview<\/h3>\n<p>3Cloud is a team composed of industry-leading minds and problem solvers who launch organizations into the cloud\u2014delivering the ultimate Azure experience. Our laser-focused Azure experts have been entrusted by over 500 clients across the United States to architect solutions that meet their needs. Cloud environments introduce unique security and privacy challenges that we can help you overcome.<\/p>\n<p>The purpose of this statement is to list the pillars of security and privacy 3Cloud incorporates in its environment. As we aim to be a security and privacy leader in the Azure consulting space, we work passionately and efficiently to fortify the confidentiality, integrity and availability of treasured assets. In this statement, we explain the security principles that guide 3Cloud.<\/p>\n<hr \/>\n<h3>Business Overview<\/h3>\n<p>3Cloud is a cloud-based organization. Our operations rely on third-party software-as-a-service (SaaS) applications and services to communicate, store data, manage resources and deliver our expertise.<\/p>\n<p>3Cloud provides Professional and Managed Services, which are conducted in client environments, and does not provide environments to its clients. 
Moreover, data collected and stored by 3Cloud includes business contact information and other information required to fulfill its contractual obligations with its clients, such as project artifacts.<\/p>\n<p>Please refer to our <a href=\"https:\/\/3cloudsolutions.com\/privacy-policy\/\">Privacy Policy<\/a> for more about data collection, management, rights and more.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-23904\" src=\"https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/intercom.jpg\" alt=\"\" width=\"1500\" height=\"409\" srcset=\"https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/intercom.jpg 1500w, https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/intercom-300x82.jpg 300w, https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/intercom-1024x279.jpg 1024w, https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/intercom-768x209.jpg 768w, https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/intercom-600x164.jpg 600w, https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/intercom-992x270.jpg 992w, https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/intercom-1200x327.jpg 1200w, https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/intercom-60x16.jpg 60w\" sizes=\"auto, (max-width: 1500px) 100vw, 1500px\" \/><\/p>\n<h3>Personnel Security<\/h3>\n<h4>Background Checks<\/h4>\n<p>3Cloud has a strict and extensive adjudication process for new hires, which is completed prior to the candidate\u2019s start date. All 3Clouders undergo background checks at the global and national levels. These checks include social security number (SSN), sex offender lists and monitoring of global watchlists &amp; criminal activity. 
For contractors, letters of attestation are verified by 3Cloud Human Resources.<\/p>\n<h4>Physical Security<\/h4>\n<p>Access to 3Cloud offices is approved by management at the time of hire, and reviewed annually and as needed to ensure continuing access is authorized.<\/p>\n<p>Keyed locks, electronic access systems, cameras, alarmed entry and exit doors, required reporting of lost or stolen access tokens, restricted access areas and logging have been implemented to protect offices.<\/p>\n<p>Badges are assigned to employees who live within close proximity of 3Cloud offices and deprovisioned within 24 hours should an employee decide to move on from 3Cloud. Guest badges are assigned and revoked when no longer needed. Guests are required to wear unique badges while visiting our facilities.<\/p>\n<p>3Cloud Business Systems retains access logs for at least 90 days and monitors alerts as needed.<\/p>\n<h4>Security Awareness Training<\/h4>\n<p>All 3Cloud personnel must undergo security awareness training upon hire and annually thereafter.<\/p>\n<p>Training involves video modules, quizzes, simulated and adaptive phishing engagements, and remedial training. 
Training topics include security awareness, data privacy and protection, remote work security, artificial intelligence security, diversity and inclusion and sexual harassment prevention.<\/p>\n<p>Security posters containing best practices and common scam notifications are routinely distributed.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-23905\" src=\"https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/lock.jpg\" alt=\"\" width=\"1500\" height=\"409\" srcset=\"https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/lock.jpg 1500w, https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/lock-300x82.jpg 300w, https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/lock-1024x279.jpg 1024w, https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/lock-768x209.jpg 768w, https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/lock-600x164.jpg 600w, https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/lock-992x270.jpg 992w, https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/lock-1200x327.jpg 1200w, https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/lock-60x16.jpg 60w\" sizes=\"auto, (max-width: 1500px) 100vw, 1500px\" \/><\/p>\n<h3>Compliance<\/h3>\n<h4>Cloud Access Security Broker (CASB)<\/h4>\n<p>3Cloud makes use of a CASB to add an additional layer of protection to its endpoints and cloud operations. A CASB enforces security policies across applications and devices to assist with:<\/p>\n<ul>\n<li><em>Shadow IT management. <\/em>Applications are monitored and controlled to align with 3Cloud policy.<\/li>\n<li><em>Data loss prevention (DLP). <\/em>Policies establish guardrails to prevent unauthorized data sharing.<\/li>\n<li><em>Risk assessments. <\/em>A CASB informs 3Cloud\u2019s risk assessment process, enabling our organization to recognize and mitigate threats.<\/li>\n<li><em>Threat prevention. 
<\/em>Anomalous behavior, ransomware, at-risk users, and shadow IT can be detected and remediated with a CASB.<\/li>\n<\/ul>\n<p>3Cloud\u2019s CASB of choice has policies pertaining to, but not limited to, authentication &amp; authorization, device profiling, encryption, logging &amp; alerting and malware detection\/prevention. These policies, and violations of them, are funneled into detection and alerting software.<\/p>\n<h4>Data Privacy &amp; Protection<\/h4>\n<p>3Cloud may access information about you that is necessary to fulfill its business obligations. This includes your name, phone number, title, email address and company contact information \u2013 among other data types. Data gathered during engagements is stored and accessed securely on a need-to-know basis. To read more about data processed by 3Cloud, please refer to our <a href=\"https:\/\/3cloudsolutions.com\/privacy-policy\">Privacy Policy<\/a>.<\/p>\n<p>Project artifact data generated from engagements is stored in the client\u2019s and\/or 3Cloud\u2019s collaboration environment. Security awareness training, identity &amp; access management and standardized cryptographic algorithms are just some of the ways 3Cloud keeps your data safe.<\/p>\n<p>3Cloud uses strong third-party cryptography to protect data at rest and data in transit. A few of the cryptographic protocols that 3Cloud utilizes include, but are not limited to: <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/information-protection\/bitlocker\/bitlocker-overview\">BitLocker<\/a>, <a href=\"https:\/\/docs.microsoft.com\/en-us\/sql\/relational-databases\/security\/encryption\/transparent-data-encryption?view=sql-server-ver15\">Transparent Data Encryption (TDE)<\/a>, <a href=\"https:\/\/docs.microsoft.com\/en-us\/mem\/configmgr\/core\/plan-design\/security\/enable-tls-1-2\">Transport Layer Security (TLS) 1.2<\/a> (or higher) and other standardized protocols. 
3Cloud audits these protocols regularly to validate their security and ensure that they are appropriate for the data they aim to protect.<\/p>\n<h4>Independent Third-Party Attestations<\/h4>\n<p>3Cloud has been audited annually for SOC 2 Type 2 compliance since 2018 on the security trust services criteria. 3Cloud\u2019s SOC 2 Type 2 report is available under a Mutual Confidentiality Agreement (\u201cMCA\u201d).<\/p>\n<h4>Internal Audit<\/h4>\n<p>An Internal Audit Committee tests and verifies the applicable controls for a SOC 2 Type 2 attestation. The following business sectors and their responsibilities are in scope for this committee:<\/p>\n<ul>\n<li><em>Human Resources:<\/em> hiring, dismissal, performance reviews and 3Cloud organizational plans<\/li>\n<li><em>Business Systems:<\/em> provisioning and use of 3Cloud Information Technology processes<\/li>\n<li><em>Accounting &amp; Finance:<\/em> financial processes and procedures<\/li>\n<li><em>Security Operations:<\/em> account, network and device monitoring; device security and de-provisioning; and risk assessments<\/li>\n<li><em>Support processes:<\/em> client reporting, servicing, security and user monitoring<\/li>\n<\/ul>\n<p>More detail regarding the audit of these functions can be found in our SOC 2 Type 2 report, which is available under an MCA.<\/p>\n<h4>Policy<\/h4>\n<p>3Cloud\u2019s <em>Information Security Policy <\/em>(\u201cISP\u201d) provides the foundation for our security philosophy and controls. The ISP is reviewed annually and as needed in accordance with our business objectives, risks and other key considerations.<\/p>\n<p>In addition to the sections in this paper, contents include but are not limited to risk assessment handling, secrets management, endpoint security and email security. 
Other satellite policies surrounding the <em>Information Security Policy <\/em>include our <em>Incident Response Plan, Information Governance Policy, Third Party Vendor Management Policy and Artificial Intelligence Policy.<\/em><\/p>\n<p>Several security models drive the security architecture at 3Cloud, namely <a href=\"https:\/\/www.core.co.uk\/blog\/microsoft-security-365-defense-in-depth\">defense in depth<\/a> and <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/zero-trust\">zero-trust architecture<\/a>. For more information about zero-trust architecture, check out NIST\u2019s <a href=\"https:\/\/www.nist.gov\/publications\/zero-trust-architecture\">publication<\/a>. Finally, 3Cloud leverages <a href=\"https:\/\/www.nist.gov\/cyberframework\">NIST\u2019s Cybersecurity Framework<\/a> to guide its cybersecurity program.<\/p>\n<p>These principles harmonize to protect 3Cloud\u2019s people, processes and technologies. Internal and external audits are conducted to ensure compliance with these principles.<\/p>\n<h4>Risk Management<\/h4>\n<p>A Risk Assessment Committee (\u201cRAC\u201d) identifies, triages and remediates risk to 3Cloud\u2019s business and mission critical operations.<\/p>\n<p>The RAC is composed of stakeholders from the executive level, Business Systems, Accounting &amp; Finance and Security Operations. Meetings are held quarterly and as needed, and communications occur in between meetings as new risks are identified.<\/p>\n<p>Once a risk is identified, it is assigned a priority and an owner, and a determination is made on how to address said risk\u2014accept or mitigate. 
If 3Cloud decides to mitigate the risk, controls are implemented at the people, process and\/or technology level(s) and the risk level is recalculated at the next conference.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-23907\" src=\"https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/login.jpg\" alt=\"\" width=\"1500\" height=\"409\" srcset=\"https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/login.jpg 1500w, https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/login-300x82.jpg 300w, https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/login-1024x279.jpg 1024w, https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/login-768x209.jpg 768w, https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/login-600x164.jpg 600w, https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/login-992x270.jpg 992w, https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/login-1200x327.jpg 1200w, https:\/\/3cloudsolutions.com\/wp-content\/uploads\/2023\/12\/login-60x16.jpg 60w\" sizes=\"auto, (max-width: 1500px) 100vw, 1500px\" \/><\/p>\n<h3>Security Operations<\/h3>\n<h4>Asset Management<\/h4>\n<p>3Cloud assets are run through a lifecycle management process and appropriate use of our assets is governed by policy. All assets are tagged and tracked in a centralized mobile device management (MDM) tool and their health and security are monitored by Business Systems and Security Operations.<\/p>\n<p>If a device is lost or stolen, authorized 3Cloud personnel can remotely wipe the device to prevent unauthorized access to 3Cloud data. Encryption is mandatory for data-at-rest on 3Cloud managed endpoints. 
We provide more information about our endpoint security controls in the \u201cDetection, Monitoring and Alerting\u201d section below.<\/p>\n<h4>Identity &amp; Access Management<\/h4>\n<p>Identities, like assets, go through a lifecycle management process from onboarding through intra-company transitions to off-boarding. These identities are protected with universally applied multi-factor authentication, conditional access policies and location restrictions, among other controls.<\/p>\n<p>When a user is onboarded, they are assigned access to resources with role-based access controls, which follow the <em>principle of least privilege.<\/em> Strong authentication is enforced for these accounts and they are closely monitored for anomalous and risky behavior. If suspicious activity is detected, whether the threat is of an external nature or from an insider, 3Cloud has protocols in place to deal with these alerts in a swift and secure manner. Moreover, separation of duties is in place for damage limitation.<\/p>\n<p>As a user transitions between roles, the access package from their old role is de-provisioned and the newly assigned package is granted based on their new role to ensure no user has gratuitous access. Privileged role access requires approval from system and security administrators, and access is granted only if sufficient business justification has been provided. 3Cloud closely monitors administrator roles and keeps the count to a strict minimum. Administrator roles use separate privileged accounts and require Privileged Identity Management for activation. 
Finally, administrator roles are audited monthly and as needed to ensure compliance with the principle of least privilege.<\/p>\n<p>In the offboarding stage, our systems and security administrators follow a strict timeline by removing the user\u2019s access to 3Cloud systems and data upon departure.<\/p>\n<h4>Incident Response<\/h4>\n<p>3Cloud maintains an <em>Incident Response Plan<\/em> (\u201cIRP\u201d) that is reviewed annually and\/or as needed, and improved in consultation with data privacy and protection legal counsel. The plan:<\/p>\n<ul>\n<li>Provides an overview of how 3Cloud will respond to an incident affecting its information security<\/li>\n<li>Establishes an incident response team and their roles and responsibilities<\/li>\n<li>Describes the facilities that are in place to help with the management of the incident<\/li>\n<li>Defines how decisions will be made regarding our response to an incident<\/li>\n<li>Explains how communication within the organization and with external parties will be handled<\/li>\n<li>Provides contact details for key personnel and external agencies<\/li>\n<li>Defines what will happen once the incident is resolved, and the responders are stood down<\/li>\n<\/ul>\n<p>Incident response team members are provided with a copy of the IRP. 
An incident response tabletop exercise is conducted annually with legal to address highly impactful and highly probable cyber incidents.<\/p>\n<h4>Detection, Monitoring and Alerting<\/h4>\n<p>3Cloud\u2019s endpoints, virtual resources and collaboration suite are equipped with numerous security and compliance controls to mitigate external threats and insider risk:<\/p>\n<ul>\n<li>Virus &amp; threat protection<\/li>\n<li>Firewall &amp; network protection<\/li>\n<li>Vulnerability &amp; patch management<\/li>\n<li>Logging &amp; monitoring<\/li>\n<li>Strong authentication &amp; strong cryptography<\/li>\n<li>Application protection<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>Security updates are automatically pushed when available. This ensures malware definitions are current and endpoints are patched with the latest security fixes. Enforced cloud protection dynamically identifies new threats. Finally, security settings can only be disabled by administrators. Enforcement of this policy reduces the risk of malicious actors opening the floodgates for additional attacks.<\/p>\n<p>Resource logs are fed into and monitored within 3Cloud\u2019s security information and event management (\u201cSIEM\u201d) tool of choice, where they are handled by 3Cloud Security Operations. The SIEM aggregates data for its accounts, endpoints, applications and infrastructure; leverages threat intelligence and analytics to detect and investigate suspicious activities and multi-stage attacks; and optimizes our incident response.<\/p>\n<p>3Cloud works with third parties to increase visibility, fine-tune and ensure rapid response within its SIEM and other tools within its security stack. This is unpacked more in the \u201cPenetration Testing, Red Teaming and Hardening Exercises\u201d section of this paper.<\/p>\n<h4>Penetration Testing, Red Teaming and Hardening Exercises<\/h4>\n<p>3Cloud undergoes annual penetration testing by <a href=\"https:\/\/trustedsec.com\/\">TrustedSec<\/a>. 
The findings of these exercises are reported to management and remediated in accordance with 3Cloud\u2019s <em>Vulnerability Management Policy. <\/em>If desired, a retest is done prior to the next engagement.<\/p>\n<p>Red Team exercises are used as a substitute for penetration tests should 3Cloud and TrustedSec decide that the exercise would be of greater benefit. This \u201cassumed breach\u201d approach grants TrustedSec personnel access to the 3Cloud environment and work begins from within. The findings of these exercises are reported to management and remediated in accordance with 3Cloud\u2019s <em>Vulnerability and Patch Management Policy.<\/em><\/p>\n<p>3Cloud also works with TrustedSec to conduct hardening exercises. These exercises have helped 3Cloud identify its critical assets and pipe them through a threat matrix. The outcome of these engagements is to develop a defensive playbook that 3Cloud Security Operations can implement and iteratively improve.<\/p>\n<p>Finally, 3Cloud works with Microsoft security experts to harden its Azure resources, Entra environment, and Microsoft 365 environment. Recommendations are provided and risks are mitigated based on their impact to 3Cloud business operations.<\/p>\n<p>Attestation letters for these engagements are available under an MCA.<\/p>\n<h4>Vulnerability Management<\/h4>\n<p>3Cloud maintains a <em>Vulnerability and Patch Management Policy <\/em>which governs how security vulnerabilities must be remediated. 
The Common Vulnerability Scoring System (\u201cCVSS\u201d) is used to classify and remediate vulnerabilities:<\/p>\n<table width=\"462\">\n<thead>\n<tr>\n<td width=\"144\"><strong>Risk Level<\/strong><\/td>\n<td width=\"156\"><strong>CVSS Rating<\/strong><\/td>\n<td width=\"162\"><strong>Remediation<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"144\">Critical<\/td>\n<td width=\"156\">9.0-10.0<\/td>\n<td width=\"162\">Within 48 hours<\/td>\n<\/tr>\n<tr>\n<td width=\"144\">High<\/td>\n<td width=\"156\">7.0-8.9<\/td>\n<td width=\"162\">Within 5 days<\/td>\n<\/tr>\n<tr>\n<td width=\"144\">Medium<\/td>\n<td width=\"156\">4.0-6.9<\/td>\n<td width=\"162\">Within 30 days<\/td>\n<\/tr>\n<tr>\n<td width=\"144\">Low<\/td>\n<td width=\"156\">0.1-3.9<\/td>\n<td width=\"162\">Within 30 days<\/td>\n<\/tr>\n<tr>\n<td width=\"144\">None<\/td>\n<td width=\"156\">0<\/td>\n<td width=\"162\">NA<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p>Daily system scans are conducted to monitor for vulnerabilities. Findings are triaged, investigated and resolved by 3Cloud Security Operations and\/or Business Systems in accordance with the schedule above.<\/p>\n<h3>Business continuity and disaster recovery<\/h3>\n<p>3Cloud maintains a Disaster Recovery and Business Continuity Plan to ensure smooth operations of the business when the need arises to activate the plan. This plan is submitted annually to the SOC 2 Type 2 auditors for review and verification of testing.<\/p>\n<p>All essential applications are SaaS subscriptions. As such, 3Cloud relies on the service level agreements and business continuity and disaster recovery plans of the subscription vendors. 
Moreover, as 3Cloud\u2019s employees are distributed geographically, a secondary site or other traditional Business Continuity Plan is not required.<\/p>\n<p>Testing of this plan occurs annually and is verified by SOC 2 Type 2 auditors.<\/p>\n<h3>Conclusion<\/h3>\n<p>Security and privacy are championed at all levels of the 3Cloud organization, which allows us to dedicate resources to ensure the protection of our clients, partners, team members and their data. Our internal security experts work diligently with auditors and consultants to ensure there is continuous improvement in our security and compliance program.<\/p>\n<p>If there are security concerns or risk compliance questions, please email <span class=\"ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak\" dir=\"ltr\"><a class=\"fui-Link ___1rxvrpe f2hkw1w f3rmtva f1ewtqcl fyind8e f1k6fduh f1w7gpdv fk6fouc fjoy568 figsok6 f1hu3pq6 f11qmguv f19f4twv f1tyq0we f1g0x7ka fhxju0i f1qch9an f1cnd47f fqv5qza f1vmzxwi f1o700av f13mvf36 f1cmlufx f9n3di6 f1ids18y f1tx3yz7 f1deo86v f1eh06m1 f1iescvh fhgqx19 f1olyrje f1p93eir f1nev41a f1h8hb77 f1lqvz6u f10aw75t fsle3fq f17ae5zn\" title=\"mailto:secops@3cloudsolutions.com\" href=\"mailto:secops@3cloudsolutions.com\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"Link secops@3cloudsolutions.com\">secops@3cloudsolutions.com<\/a><\/span>.<\/p>\n<\/div><\/div>            <\/div> <!-- .row -->\r\n\r\n\t        \n\r\n        <\/div> <!-- .container-fluid -->\r\n\r\n    <\/div> <!-- \/.gutenblock__inner 
-->\r\n\r\n<\/section>","protected":false},"excerpt":{"rendered":"","protected":false},"author":101,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":true,"content-type":"","footnotes":""},"class_list":["post-18477","page","type-page","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/3cloudsolutions.com\/wp-json\/wp\/v2\/pages\/18477","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/3cloudsolutions.com\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/3cloudsolutions.com\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/3cloudsolutions.com\/wp-json\/wp\/v2\/users\/101"}],"replies":[{"embeddable":true,"href":"https:\/\/3cloudsolutions.com\/wp-json\/wp\/v2\/comments?post=18477"}],"version-history":[{"count":0,"href":"https:\/\/3cloudsolutions.com\/wp-json\/wp\/v2\/pages\/18477\/revisions"}],"wp:attachment":[{"href":"https:\/\/3cloudsolutions.com\/wp-json\/wp\/v2\/media?parent=18477"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}