All information assets must meet the required security controls defined in the NIST SP 800-53, Rev 4, Security and Privacy Controls. This document addresses the procedures and standards set forth to implement the family of System and Information Integrity security controls. See System and Service Acquisition for details on acquiring new information systems.


  • The Change Management and Patch Management processes shall be used to evaluate and remediate flaws found in information systems.
  • IT Management shall maintain a list of sources of information about security problems and software updates for system and application software and monitor those sources regularly.
  • System and application bug fixes or patches shall be accepted only from highly reliable sources, such as the software vendor.
  • Vulnerability exceptions are permitted in documented cases where a vulnerability has been identified but a patch is not currently available (zero-day vulnerability). When a vulnerability risk is “critical” or “high-level” and no patch is available, steps must be taken to mitigate the risk through other methods. A patch needs to be applied when it becomes available.
  • Code scans and vulnerability scans will be performed as appropriate to determine if a specific flaw has been remediated

Flaws shall be categorized as low, medium, high and critical. IT Management shall be responsible for categorization of flaws. Timeline for remediation is determined by category (Low - 120 days, Medium - 45 days, High - 10 days, Critical - 2 days).


All hosting partners must be FedRAMP accredited which requires FedRAMP security controls for Malicious Code Protection.

The following policy shall be used guidance to protect against malicious code - https://www.us-cert.gov/ncas/tips/ST18-271.

Defense in depth shall be implemented to protect information resources including malicious code protection, such as antivirus software and antimalware and intrusion detection systems. Also, all email services must have APT (Advanced Persistent Threat) protection and email scanning to limit malicious code transmission via email.

Information systems shall be checked to make sure:

  • Malicious code protection mechanisms at information system entry and exit points detect and eradicate malicious code.
  • Systems are configured to scan for malicious code on a weekly basis if not more often
  • Centrally managed malicious code protection mechanisms with automatic updates are in place.

Per policy, anti-virus software must be active on all computer devices. If a scan or download reports malicious code then staff member must immediately report the issue to IT Management (see Information Security Training for additional details). IT Management is responsible for discarding "false positives."

Finally, vulnerability scans will be used to discover any pathways for Malicious Code Execution exist.


All hosting partners must be FedRAMP accredited which requires continuous security monitoring (e.g. a IDS/IPS and SIEM). Hosting partners are required to share high/critical events. These events will be evaluated per the Incident Management Policy.

A SIEM (Security Information and Event Management ) tool is used (in addition to the hosting partner SIEM tool) for log aggregation and monitoring of information systems. See Logging and Monitoring Policy for more information. SIEM tool will be configured to send out email alerts to IT Management. Access to the SIEM tool will be restricted to only required personnel.

All monitoring activity will be reviewed with the legal and privacy teams to ensure conformity with applicable federal laws, Executive Orders, directives, policies, or regulations (e.g. logs should not contain sensitive data).

If IT Management determines that a heightened threat state is warranted (e.g. advisories from US cert) then the frequency of manual reviews shall be increased to mitigate risk to the organization.


FedRAMP accredited hosting providers are responsible for monitoring/actioning security alerts, advisories, and directives at the network and operating system level.

Sources for events shall include:

  • US-cert
  • Vendor alert (for subsystems)

If any security risks are identified internally, an alert or advisory shall be sent out to impacted personnel (PL002) within 24 hours of discovery.

The Change Management Process shall be used to monitor and remediate identified risks. The Patch Management shall be used as appropriate if required.


Information within an information system shall be retained in accordance with applicable federal laws, directives, policies, regulations, State standards, operational requirements and customer subscription contract.

Customer data shall be retained based on the Terms of Service (varies per subscription contract). Terms of Service allows for customer to request extended retention of data. Customer can download their data at any time (as long as they have an active subscription) or submit a written request for their data. We commit to returning data within 10 days of request.

Standard retention policy:

  • Discontinued Usage - If a customer decides to discontinue usage of application, we will retain the customer data for a period of ninety (90) days. At that time we reserve the right to purge that customer’s data from all systems. The customer can submit a written request that all data be purged immediately. We will purge data within ten (10) business days of a written request.
  • Extended Retention - A customer can submit a written request to retain customer data for a longer than ninety days; however, this may result in additional storage fees to the customer.

See audit section for details on controls for reviewing applicable federal laws, directives, policies, regulations, State standards and operational requirements.

Data Destruction

Procedures are in place to ensure data destruction occurs as a normal course of business. Procedures are also in place to ensure data destruction occurs in the event that we stop offering our services.

  • Decommissioned and Repurposed Equipment - When equipment is decommissioned or repurposed, industry standard techniques are used to fully erase data from any attached storage media.
  • Hard Copy Destruction - Hard copies of customer data are sometimes created in order to resolve a support ticket. Employees are trained to shred hard copies of customer data as soon as an issue is resolved.
  • Downloading of Customer Data by Employees - If customer data must be downloaded to resolve a customer issue, the data can only be downloaded to designated servers. Employees are trained to perform a “deep delete” of the data as soon as an issue is resolved.
  • Data Destruction Certificate - We will provide a data destruction certificate within ten (10) business days of a written request from customer.
  • All data destruction activities must be logged. Logs must be retained for a minimum of 4 years.


For any new or existing information systems used, we will evaluate the underlying technology to determine if vulnerabilities associated with memory protection pose a security risk.


Information System Integrity Audit Report (SI001) - There shall be a quarterly audit of information systems (see Internal Audit) to make sure all as per the 'Information Systems Inventory' (SA001) are in compliance with this policy (See Systems Acquisition for details on the 'Information Systems Inventory').

  • Quarterly Information System Integrity Audit Report (SI001)
  • Quarterly Management Review (MR001) includes assessment of last SI001
  • Annual Management Review (MR002) includes review of this policy.

Procedure for SI001 audit follows:

  • Review of Information Security Sources for potential issues (for example, US-CERT)
  • Review any changes to Information Handling and Retention laws/regulations/etc. (see section above)
  • Review changes to Security Alerts, Advisories, and Directives (see section above)
  • Review of information system vendor websites for critical patches and other updates
  • Report issues using the Change Management Process and Patch Management processes as appropriate
  • Review technologies used for memory protection and process isolation risks
  • Review of data destruction logs for accuracy, completeness and required retention (must retain a minimum 4 years history)