CPM Educational Program Security Portal
CPM guards the security and integrity of its network infrastructure to protect the company's and its clients' sensitive data. As a result, CPM has earned a reputation for providing a trusted environment for its customer information. The following items are high-level components of CPM's governance, risk, compliance and security program.
CPM has established a management framework to control the implementation of information security within the organization. CPM's Chief Technology Officer (CTO) has full accountability for protecting CPM information by providing strategic oversight of internal IT Security Operations, IT Security Risk Management, and Business Continuity Planning services.
Vendor Management Review
CPM periodically evaluates its compliance with security standards by conducting security risk assessments.
Vendors do not have access to customer data.
CPM uses AWS cloud services whose security processes are outlined in the AWS SOC2 Report.
Approved Risk Management Program
Risks are identified, quantified, prioritized, and treated to an acceptable level.
CPM conducts a documented assessment of security controls at least annually. The assessment is conducted to determine the extent to which controls are implemented correctly, operating as intended, and producing the desired outcome. Technical and non-technical evaluations are also conducted periodically to identify any new risks or to determine the effectiveness of the Security Policies and Procedures.
Data Encrypted in Transit
All data transmitted and received by the CPM platform is encrypted in transit using TLS 1.2.
Customer Data Removal
Customer data is removed from CPM systems as per contract and/or data privacy agreements (DPA).
CPM follows all laws and regulations in terms of data retention requirements.
Data Encrypted at Rest
CPM configures systems housing customer data to encrypt data at rest. Data is encrypted using the AES-256 encryption algorithm with encryption keys managed by a key management solution.
Penetration Testing
Penetration testing is performed annually.
Vulnerability Management Process
Vulnerabilities that are discovered via monthly scans are patched according to criticality.
Personally Identifiable Information (PII)
Our product collects the minimal set of information needed to set up user accounts that use the CPM suite of products, as well as for potential customers that request information about our security program. We will never sell or share your information.
Protected Health Information (PHI)
CPM does not collect Protected Health Information.
Intrusion Detection
The CPM team utilizes an industry leading intrusion detection, prevention, and EDR solution on all endpoint devices.
Intrusion Prevention
The CPM team utilizes an industry leading intrusion detection, prevention, and EDR solution on all endpoint devices.
Network Device Hardening
CPM restricts AWS network access through the use of private subnets and Security Groups, internally and externally, to ensure systems cannot communicate with unintended systems.
Mobile Device Management Solution
Customer data is not stored on mobile devices.
Internal Compliance Department
CPM complies with legal requirements to avoid breaches of any law, statutory, regulatory, or contractual obligations and ensures compliance of systems with organizational security policies and standards.
Business Continuity Plan
Business continuity processes have been implemented to counteract interruptions to business activities, to protect critical business processes from the effects of major failures or disasters, and to ensure their timely resumption.
Recovery Time Objective
CPM's recovery time objective is 24 hours.
Recovery Point Objective
CPM's recovery point objective is 24 hours.
Formal Incident Response Plan
CPM incident response processes ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken. Event reporting and escalation procedures are in place.
Software Development Lifecycle
Code changes undergo internal code review for completeness and security. All team members undergo security training provided by a senior security member of the CPM team.
Patching Schedule
Operating systems are patched automatically when CPM applications are deployed. When out-of-band vulnerabilities are discovered, they are patched according to criticality.
Change Control Documentation
Changes can only be applied to our production environment by select senior members of our engineering team and must be reviewed prior to deployment.
Secure Web Traffic
Staff Scoped Data Access
Access to information, information processing facilities and business processes is controlled based upon business and security requirements. Procedures are in place to control the allocation of access rights to information systems and services, including networks, operating systems, applications, and mobile devices.
Physical Security Controls
Physical security measures prevent unauthorized physical access, damage, and interference to the Myonex, Inc. premises, equipment, and information.
Physical Security Policy
CPM utilizes AWS which provides physical security around their data centers with an overview available here: https://aws.amazon.com/compliance/data-center/controls/
Background Screening
All CPM employees and contractors are required to have a federal and local background check prior to accessing customer data.
Off-boarding Process
When off-boarding an employee, the CPM management team follows an employee dismissal checklist stored in our Human Resources system.
Disciplinary Process
Disciplinary infractions are reviewed by executive management, which decides how the organization should respond as dictated by internal policies.
Employee Agreements
All employees and contractors must agree to an Employee Agreement and a Mutual Non-Disclosure Agreement prior to working with CPM.
Human Resource Policy
CPM addresses staff security:
Prior to employment, to ensure that all staff understand their responsibilities and are suitable for their roles, and to reduce the risk of theft, fraud and/or misuse of facilities and resources.
During employment, to ensure that all staff are aware of information security threats and concerns, their responsibilities, and liabilities, and are equipped to support the security policy in the course of their normal work.
Post employment, by ensuring that all staff exit the organization or change employment in an orderly manner.
Asset Management Policy
Assets are accounted for, and information is classified to indicate the need, priority and expected degree of protection.
Designated Security Point of Contact
Curtis Fuhriman - Chief Technology Officer
Policy Review Cadence
CPM's information security policies are reviewed and updated on an annual basis.
Information Security Policy
CPM has an internal Information Security Policy that is sponsored and approved by management and published to all employees and contractors.