1. What compliance framework or best practices does Wise Consulting follow?
Wise Consulting maintains NIST Cybersecurity Framework (CSF) compliance. This compliance is verified by Choice Cybersecurity, a third-party risk assessment firm.
2. What is Wise Consulting’s GDPR compliance standing?
Wise Consulting is not GDPR compliant; however, we take our clients' data confidentiality and protection seriously and have put in place the security measures needed to uphold data integrity. These include, but are not limited to, encryption at rest and in motion, ongoing monitoring, and vulnerability management.
Personnel Security & Training
1. Are Wise Consulting personnel required to complete Awareness Training?
All Wise Consulting users are required to complete Security Awareness Training at least annually. Additional training is delivered as needed at the discretion of management.
2. Are Wise Consulting personnel required to sign Confidentiality Agreements or similar contracts prior to receiving access to client information?
All employees sign a confidentiality agreement prior to being provided access to the system.
3. Are Wise Consulting personnel screened as part of the pre-employment process?
Prior to hire, background checks are conducted on Wise Consulting employees, along with other employment verification screenings.
1. What type of encryption at rest techniques does Wise Consulting implement?
Wise Consulting protects the boundaries of the information systems it creates against both unauthorized infiltration and unauthorized exfiltration. Wise Consulting has established and applied robust cryptographic procedures, wherever access control and/or information sensitivity warrants them, in support of network and data communications security. Both drive encryption and file encryption are enforced to protect data at rest.
2. What type of encryption in motion techniques does Wise Consulting implement?
Wise Consulting requires the use of encrypted file links with built-in access restrictions as the primary method of data sharing. Additionally, email encryption is used when sending PII and other sensitive data electronically.
3. How does Wise Consulting manage encryption keys?
Encryption keys are stored within Microsoft’s Endpoint Management system with restricted access to IT.
1. How are users authenticated?
All users of Wise Consulting's network resources must have a unique, password-protected account ID. Each account is authorized by an appropriate manager or member of the Wise Consulting team, and each user identifies and authenticates with these credentials. Passwords are not displayed during entry, are encrypted during transmission, and are stored in an encrypted format.
2. Does Wise Consulting enforce a password policy?
Passwords must be at least 12 characters long and include upper-case letters, lower-case letters, numbers, and special characters; passwords expire annually, and the last five generations of passwords are remembered so they cannot be reused.
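The password rules above, as an added example that is not Wise Consulting's code: a small Python checker that assumes the stated policy (12 or more characters, all four character classes, the last five passwords remembered) and keeps the history as salted PBKDF2 digests (an assumption) so reuse can be detected without storing old passwords in clear.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12      # from the stated policy
HISTORY_DEPTH = 5    # generations remembered, from the stated policy
PBKDF2_ROUNDS = 100_000  # assumption: any slow, salted hash works here


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a password (assumed hashing scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def complexity_violations(password: str) -> list[str]:
    """Return every policy rule the candidate password breaks (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    checks = {
        "no upper-case letter": r"[A-Z]",
        "no lower-case letter": r"[a-z]",
        "no number": r"[0-9]",
        "no special character": r"[^A-Za-z0-9]",
    }
    for message, pattern in checks.items():
        if not re.search(pattern, password):
            problems.append(message)
    return problems


def reuses_previous(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if the candidate matches any of the last HISTORY_DEPTH stored digests."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        # constant-time comparison avoids leaking which entry matched
        if hmac.compare_digest(_digest(password, salt), digest):
            return True
    return False


def validate_new_password(password: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Full policy check: complexity rules plus the five-generation history rule."""
    problems = complexity_violations(password)
    if reuses_previous(password, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


def record_password(password: str, history: list[tuple[bytes, bytes]]) -> list[tuple[bytes, bytes]]:
    """Append the accepted password's salted digest and keep only the last HISTORY_DEPTH."""
    salt = os.urandom(16)
    return (history + [(salt, _digest(password, salt))])[-HISTORY_DEPTH:]
```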
3. Is multi-factor authentication enforced throughout Wise Consulting’s environment?
Multi-factor authentication is enforced and required wherever possible, including device, application, and remote access.
4. Is “least privilege” enforced throughout Wise Consulting’s information systems?
Yes, least privilege is enforced. Access authorization is provided according to job function.
5. Are Wise Consulting users authorized to work remotely? How are remote connections secured?
Wise Consulting users are permitted to work remotely. Users connect via VPN and cloud application access that enforces encrypted connections (SSL, TLS, etc.).
6. How does Wise Consulting manage mobile devices?
Wise Consulting uses Microsoft Endpoint Manager to manage and monitor mobile devices, including BYOD devices. Intune is used to enforce security requirements such as device PINs and to provide remote-wipe capability.
Audit & Accountability
1. Does Wise Consulting maintain audit logs of activities within information systems?
A Security Information and Event Management (SIEM) solution is deployed throughout the information system and environment.
2. How often does Wise Consulting review audit logs?
Audit logs are reviewed daily.
3. Does Wise Consulting have the ability to receive alerts of suspicious activity?
Alerts of suspicious activity such as unauthorized access or attempts are sent immediately for investigation.
1. Does Wise Consulting have automated mechanisms to continuously monitor the network environment?
Vulnerability scans are continuously conducted on the environment to identify potential risks at any given time. Additionally, anti-virus and anti-malware solutions are implemented to identify potential risks.
2. Are vulnerability scans conducted within the Wise Consulting environment?
Vulnerability scans are continuously conducted and reviewed for threats to the information system and environment. Reports are generated monthly, and unless major threats are identified, overall findings are reviewed and discussed on a quarterly basis.
3. How does Wise Consulting remediate the identified threats and vulnerabilities?
Threats and vulnerabilities are addressed according to criticality. Findings labeled as critical are addressed first.
1. Does Wise Consulting undergo risk assessments on a periodic basis?
Wise Consulting undergoes annual third-party security and compliance risk assessments to identify any gaps, risks, and vulnerabilities within the network and compliance controls. Assessments include internal and external vulnerability scans and PII scans that identify the flow of sensitive data within the systems.
2. How does Wise Consulting determine next steps after completing a risk assessment?
Vulnerabilities and threats found during the risk assessment are addressed according to criticality. A plan is developed to help organize remediation efforts.
3. What other kind of assessments are conducted by Wise Consulting?
Security and Privacy Impact Assessments are conducted in conjunction with risk assessments.
1. Does Wise Consulting restrict and monitor the organization’s physical environment?
Wise Consulting enforces a number of security controls within the physical environment, including maintaining an access control system with automated logs.
2. How often are physical access activities reviewed?
Wise Consulting reviews physical access logs bi-annually.
3. Does Wise Consulting require visitors to sign in upon arrival?
Visitor procedures are in place that document visitor access and require escorting. Internal physical security controls limit access to certain secured areas.
4. Is Wise Consulting’s network storage area secured and restricted with limited access?
Access to restricted areas, such as the network storage area, is restricted to authorized personnel only.