Security

Data protection and security

CoreStream GRC is fully compliant with GDPR and applicable data privacy laws. We use CoreStream GRC Information Asset Management to record and manage our company’s information assets, Records of Processing Activities (ROPA), associated information flows, Data Protection Impact Assessments, risks and actions.

Frameworks & standards

At CoreStream GRC, we take a comprehensive approach to security and data protection, with rigorous processes in place to ensure the integrity and confidentiality of your information:

Audits and Certifications

1. CoreStream GRC is audited annually as part of our ISO 27001 certification, which includes assessments of our records management and data protection practices.
2. We hold ISO 27001, Cyber Essentials Plus certifications, and a SOC 2 Type 2 report for security and availability. These certifications are updated annually following thorough external audits, and copies can be provided upon request.

Penetration Testing and Security Validation

1. CoreStream GRC engages independent external CREST/CHECK-accredited providers to conduct penetration testing at least once a year.
2. Clients are also encouraged to perform their own security testing, which provides additional verification and helps identify any areas for improvement.
3. A copy of the most recent penetration test report is available upon request.

Continuous Vulnerability Management

1. Daily vulnerability scanning is in place to proactively identify new threats. We address any vulnerabilities as soon as they are detected, ensuring your data remains secure at all times.

User access and security

Authentication is almost always via Single Sign On. We support both SAML 2.0 and OIDC protocols and can integrate via any identity provider. If a client cannot utilize single sign on, we offer username and password-based access, which is secured using multifactor authentication using a soft token (TOTP protocol) from an authenticator app (such as MS, Google, Authy, or any authenticator app that adheres to TOTP standards).

Logging capabilities – The system offers detailed logging capabilities both within the operational and system data:

• Operational data logging: All user interactions are fully audit-trailed in version history, and this can be viewed through the front-end interface. Audit trail data can also be surfaced in reporting dashboards for trend analysis purposes. The audit trail captures who made the change, when, and the before / after values.
• System Data Logging: Many of these logs are available directly through the platform (for users with sufficient permissions), and include Error / Exception Logs, Login register, Failed login attempts, Export logs, Email logs. More technical operating system and database logs are also held.
• Rate Limiting: This is in place as a form of DDoS protection on our DNS servers.
• Encryption: CoreStream GRC encrypts all data, end to end, both when in transit and at rest. Backups are also encrypted. We utilize 256-bit AES cyphers.

Additional information can be provided on security if required, including architecture diagrams, policies etc.

Our standard backup policy is to take 7 daily (full) backups, and 6 monthly. We can configure policies on a client-by-client basis if this is not sufficient.

Backups are held off-site in an encrypted format, and authorized CoreStream GRC administrators only have access to perform restore operations. Backups cannot be deleted without a formal request, requiring secondary (senior) authorization.

In addition, clients can build their own exports for ingestion into other systems as required