Version 1.0
SCOPE
These Supplier Information Security Standards (the “Standards”) list the minimum security controls that Carta’s Suppliers are required to adopt when (a) accessing Carta facilities, networks, and/or information systems, (b) handling Carta confidential information, and/or processing Carta data on Supplier’s systems, or (c) having custody of Carta hardware assets.
SUPPLIER OBLIGATIONS
Supplier is responsible for compliance with these Standards by its personnel (Suppliers’ employees, subcontractors and Suppliers’ third parties / vendors), including ensuring that all personnel are bound by contractual terms consistent with the requirements of these Standards. Additional security compliance requirements may be specified in Supplier’s agreement. Please contact the Carta Information Security Team at trust@carta.com with any questions.
PART A: PERSONNEL/HUMAN RESOURCES SECURITY
Control Reference | Control Title | Control Objective(s) | Mapped CSA Control | Mapped Trust Services Criteria | Mapped 27001 Control |
A.1 | Background Screening Policy & Procedures | Unless otherwise agreed to with Carta, Supplier will perform background checks, consistent with local laws and regulations, for all personnel. | HRS-01 | CC1.4 | A.7.1.1 |
A.2 | Non-Disclosure Agreements | Supplier personnel are required to agree, in writing, to abide by Supplier’s security requirements and confidentiality policies. | HRS-10 | CC1.1 | A.7.1.2 |
A.3 | Security and Sensitive Data Awareness & Training | Supplier must have a comprehensive security awareness program for all personnel that encompasses education, training and updates for security policies, procedures and requirements. Security awareness training must occur at time of hiring and repeated at regular intervals thereafter (no less than every two (2) years). | HRS-11 & HRS-12 | CC2.2 | A.7.1.2 |
A.4 | Compliance User Responsibility | Supplier must have formal disciplinary processes in place for personnel and take appropriate action against personnel who violate Supplier’s organizational policies. | HRS-13 | CC1.5 | A.7.2.1 |
A.5 | Employment Termination | Upon termination of employment, Supplier will promptly remove personnel access to information systems, networks, and applications. Supplier will remind personnel that they must not retain any confidential information. | HRS-06, |
CC6.2
CC6.3 |
A.7.3.1 |
A.6 | Authorized Access | Where applicable, Supplier will maintain a complete list of all personnel with permission to access Carta facilities, information systems, networks and applications, including their employment location. |
PART B: BUSINESS CONTINUITY AND DISASTER RECOVERY
B.1 | Business Continuity Management and Disaster Response Plan | Suppliers must have a Disaster Recovery (DR) program and maintain a documented organizational Business Continuity Plan (BCP). The program and plans must be designed to ensure that Supplier can continue to function through operational interruption and continue to provide services, as specified in the agreement. | BCR-01 BCR-09 |
CC9.1
A1.1 A1.2 |
A.5.1, A.7.2.1, A.17.1 |
B.2 | Response Plan Exercise | The BCP and DR program / plan must be tested on a regular basis (at minimum, on an annual basis). Supplier must document the results. On request, Supplier will provide documentation for Carta’s review to confirm that tests are being performed. | BCR-10 | A1.3 | |
B.3 | Disaster Impact Notification | If there is an event, which does or will likely impact Supplier’s capability to perform services for Carta, including execution of the DR plan, Supplier must promptly notify their Carta business contact. |
PART C: INFORMATION SECURITY ORGANIZATION, POLICIES & PROCEDURES
C.1 | Governance Responsibility Model | Supplier must have clearly defined organizational IT/information security roles, responsibilities and accountability. | GRC-06 | CC1.3 | 5.3, A.6.1.1, A.7.2.1 |
C.2 | Governance Program Policy & Procedures | Supplier must publish and maintain formal written information security policies. Information security policies must be approved by management and communicate personnel’s obligations to protect confidential information and the acceptable use and protection of information. | GRC-01 |
CC1.3
CC2.2 CC5.3 |
5.1, 5.2, 5.3 |
C.3 | Data Security and Privacy Management | Supplier must classify, protect and manage the lifecycle of Information in accordance with their information classification scheme and in terms of its sensitivity. | DSP-01 |
CC6.1
CC6.2 |
A.5.1.1, A.5.1.2, A.8.2.1, A.12.1 |
C.4 | Supply Chain Management |
Supplier will implement security processes for managing suppliers and subcontractors throughout the business relationship lifecycle.
Supplier will maintain a list of its authorized subcontractors, the country/countries to which confidential information may be transferred to or accessed from, a description of the services performed by such subcontractors, and make that list available to Carta. |
STA-01
STA-02 STA-14 |
CC1.3
CC9.2 |
A.5.1, A.5.2, 6.2, 8.1, 8.2, 8.3, 9.1, 9.3, A.15.1, A.15.2, A.15.1.2 |
C.5 | Asset Management | Supplier will maintain an inventory of assets that includes all business critical information systems and information processing sites that are used in the delivery of services to Carta. The asset inventory should be accurate, up to date and have owners assigned to each asset. | DCS-05 DCS-06 |
CC3.2
CC6.1 A1.1 |
A.8.2.1, A.8.1.1 |
PART D: COMPLIANCE AND ASSESSMENTS
Regulatory Compliance | ||||
D.1 | If services involve the processing of payment card information, Supplier will maintain compliance with the current version of the Data Security Standards (DSS) from the Payment Card Industry Security Standards Council (PCI SSC) for the duration of the services provided to Carta. On request, Supplier will provide Carta with the most recent PCI SSC “Attestation of Compliance” (AoC) reports prepared by a third-party PCI Qualified Security Assessor (QSA) for both Supplier’s systems and for any third-parties used by the Supplier for handling payment card data. |
Security Compliance and Assessments | ||||
D.2 | If Supplier is provided access to Personal Information by Carta or Carta customers, or Personal Information is otherwise processed by Supplier on Carta’s or Carta’s customer’s behalf, Supplier must sign a Carta Data Processing Agreement. | |||
D.3 | Supplier will provide Carta with the contact information of the person(s) Carta may contact in relation to any information security and/or compliance issues. | |||
D.4 | If requested, on an annual basis, Supplier will complete a documented security questionnaire and provide written responses about its security practices, to enable Carta to assess compliance with the requirements of these Standards and applicable law. | |||
D.5 | If requested, in order to confirm compliance with these Standards, upon reasonable notice and in coordination with Supplier, Carta may perform on-site security assessments. Supplier must promptly correct any noncompliance issues identified during the documented and/or on-site security assessment process. |
PART E: SECURITY INCIDENT MANAGEMENT AND REPORTING
E.1 | Security Incident Management | Supplier must have documented information security incident response procedures that enable the effective and orderly management of security incidents. The procedures must cover the reporting, analysis, monitoring and resolution of security incidents | SEF-01 |
CC7.2
CC7.3 CC7.4 CC7.5 |
A.16.1 |
E.2 | Incident Response Plan | Security incidents should be handled by a dedicated security incident response team or personnel who are trained in handling and assessing security incidents in order to ensure appropriate procedures are followed for the identification, collection, acquisition, and preservation of information. | SEF-03 |
CC7.4
CC7.5 |
A.16.1.5 |
E.3 | Disclosure Notification | Other than to law enforcement or as otherwise required by law, Supplier may not make or permit any statements concerning security incidents involving Carta confidential information, information systems or assets to a third-party without the written authorization of Carta’s Legal Department, unless the statements do not identify or could not reasonably be used to identify Carta as being impacted by the incident. | DSP-18 | ||
E.4 | Security Breach Notification | Supplier must report security incidents of which they become aware relating to the Carta services without undue delay (but at the latest within 24 hours) to their business contacts at Carta for the applicable services impacted by the security incident and notifying trust@carta.com. | SEF-07 |
CC7.4
CC7.5 |
A.16.1.1, A.16.1.2, A.16.1.5 |
PART F: IT SECURITY STANDARDS
F.1 | Application Security Baseline, OS Hardening & Base Controls | Supplier’s information systems, network devices, and applications should be configured and deployed using a secure approved baseline. Ports/services that are not used should be disabled. |
AIS-02
IVS-04 |
CC7.1
CC8.1 |
A.5.1.1, A.7.2.2, A.14.2.2, A.14.2.3, A.14.2.4 |
F.2 | Inactive Session Termination | Supplier must implement controls to terminate inactive sessions and restrict the connection times of idle/inactive sessions on information systems, network devices and applications. | CC6.1 | ||
F.3 | Clock Synchronization | System clocks should be synchronized to a trusted time server source so that time/time zone is accurately maintained on all information systems, network devices, and applications, to ensure logs files have consistent time stamp information recorded. | LOG-06 | CC7.2 | A.12.4.4 |
F.4 | Secure Application Design and Development, and Quality Testing | Prior to implementation of information systems, network devices, and applications that will be used to process/store Carta confidential information, a security review process should be followed to validate security of the information systems, network devices, and applications to identify and remediate critical security issues ahead of deployment. | AIS-04 CCC-02, | CC8.1 |
A.14.1.1, A.14.1.2, A.14.2.1,
A.14.2.2 |
F.5 | Independent Assessments, Internal Compliance Testing, Penetration Testing | Supplier will perform security assessments in the form of technical scans and testing of information systems, networks, and applications at planned intervals, at least annually, to verify compliance with organizational security policies and standards. |
A&A-02,
STA-11, TVM-06 |
CC4.1 |
A.18.2.1
A.15.2 A.12.6, A.12.6.1 |
F.6 | Change Management Policy & Procedures | Supplier will maintain documented change management procedures that provide a consistent approach for controlling and identifying configuration changes for information systems, network devices, and applications. | CCC-01 | CC8.1 | A.12.1.1, A.12.1.2, A.114.2.2, A.14.2.3 |
F.7 | Remote Wipe | If mobile devices are used in the delivery of services to Carta, devices should be managed using a centralized solution that has the capability to remotely lock and wipe lost/stolen devices. | UEM-13 | CC6.7 | A.6.2.1 |
Network Security | |||||
F.8 | Network Defense | Supplier will implement network security infrastructure such as Firewalls, Intrusion Detection/Prevention Systems (IDS/IPS) and other security controls that provide continuous monitoring, have the capability to restrict unauthorized network traffic, detect and limit the impact of attacks. | IVS-09 |
CC6.6
CC6.8 |
A.14.1.2, A.11.1.4 |
F.9 | Network Security | Network traffic shall be appropriately segregated with routing and access controls separating traffic on internal networks from public or other untrusted networks. | IVS-03 |
CC6.1
CC6.6 |
A.13.1.1, A.13.1.2, A.13.1.3 |
F.10 | Third-Party Endpoint Security | Remote access to the Suppliers network must be approved and restricted to authorized personnel. Remote access must be controlled by secure access control protocols, strong encryption, authentication and authorization. | UEM.14 |
CC6.1
CC6.2 CC6.3 CC6.6 |
A.15.1.1, A14.1.2, A.6.1.1, A.9.2.2, A.9.2.4 |
Logging | |||||
F.11 | Logging and Monitoring Policy and Procedures | Supplier must maintain logs from information systems, network devices, and applications for a minimum period of ninety (90) days in ‘hot’ storage and 1 year in ‘cold’ storage. Log files should be stored on a centralized logging server. Logs should be sufficiently detailed in order to assist in the identification of the source of an issue and enable a sequence of events to be recreated. | LOG-01 | CC7.2 | |
F.12 | Logging Scope and Log Records | Logs must capture information system, network device and application security related event information, alerts, failures, and errors. | LOG-07, LOG-08 | CC7.2 | A.12.4.1 |
F.13 | Safeguard Logs Integrity | Integrity of logs files must be maintained and protected from tampering by restricting access to systems that store log files. | IAM-12 | CC6.1 |
A.12.4.1
A.12.4.2 A.12.4.3 |
F.14 | Audit Logs, Log Access, and Accountability | Logs must be continually monitored, reviewed and analyzed for suspicious and unauthorized activity and to verify the integrity of the logging process. Logs must record when (date and time), who (such as user or service account) and where (IP address/hostname) for all access and authentication attempts |
LOG-02,
LOG-04, |
CC7.2
CC7.3 |
A.11.1.3
A.12.4.1 A.12.4.2 |
Technical Vulnerability and Patch Management | |||||
F.15 | Threat and Vulnerability Management Policy and Procedures |
Supplier must include as part of their vulnerability management program, the receipt of vulnerability related security alerts and intelligence from external and internal sources in order to identify and monitor for vulnerabilities in their environment.
Vulnerability scans (authenticated and unauthenticated) and penetration tests must be performed against internal and external networks and applications periodically and prior to system provisioning for all systems that process, store, or transmit Carta Confidential Information. |
TVM-01, |
CC4.1
CC7.1 |
5.2, A.5.1.1 |
F.16 | Vulnerability Remediation |
Supplier may only use technology vendors that provide patch updates. Supplier’s own procedures must have patch and vulnerability management processes that promptly apply patches to all technology in use including hardware, operating systems, applications and network devices in a consistent, standardized and prioritized manner based upon criticality and risk. If a security patch cannot be promptly applied, then effective risk mitigation controls must be implemented until such time patches can be applied.
Any critical vulnerabilities identified through intelligence gathering, vulnerability scans, or penetration testing must be prioritized and remediated within a well-defined timeframe commensurate with the vulnerability risk. |
TVM-03, AIS-07,
TVM-08, TVM-09, |
CC7.1
CC7.2 CC7.3 CC7.4 CC7.5 |
A12.2.1
A.16.1.5, A.12.6.1 A.16.1.2, A.16.1.3 |
F.17 | Endpoint Management | Laptop/desktop computers should be configured to automatically receive operating system patches and updates from a centralized service that manages and distributes updates. | UEM-07, | CC6.8 | A.14.2, A.14.2.2, A.14.2.3, A.14.2.4 |
F.18 | Anti-Malware Detection and Prevention | Supplier must use endpoint protection, such as anti-virus/malware detection software. This software must be installed, configured, enabled, and updated to prevent, detect and remove malicious code, e.g. malware, viruses, spyware and Trojans. Endpoint protection solutions should detect if the software has been removed, disabled, or is not receiving regular updates. | UEM-09, |
CC6.8
CC7.1 |
A.12.2 |
F.19 | Malware Protection Policy & Procedures | Automatic virus and malware scanning checks must be carried out on all e-mail attachments that are sent to or received from external sources. Attachments that are identified as containing malicious code must be removed. | TVM-02, |
CC6.6
CC6.8 |
A.5.1.1, A.5.1.2, A.5.2, A.6.2.1, A.6.2.2, A.7.2.2, A.10.1.1, A.12.2.1, A.13.2.1, A.15.1.2 |
Information Backup | |||||
F.20 | Backup | Supplier must ensure that information systems, computers and software involved in the performance of the services provided to Carta are backed up. Backups must be tested in accordance with operational backup standards. | BCR-08, | A1.2 | A.12.3 |
F.21 | Data Encryption | Carta confidential information that is stored in backups must be encrypted using AES-256-bit or higher encryption or other strong encryption standard depending on backup method. | CEK-03, | CC6.1 |
A.10.1, A.10.1.1, A.10.1.2, A.13.2.1, A.14.1.3,
A.14.1.2, A.18.1.1, A.18.1.2, A.18.1.3 |
Account Management (inclusive of user, systems, and admin) | |||||
F.22 | Service Agreement Compliance, Access Roles, User Access Provisioning, User Access Changes & Revocation | Supplier must have account management procedures to support the secure creation, amendment and deletion of accounts on information systems, network devices and applications. |
STA-12, IAM-11
IAM-06 IAM-07 |
CC6.1
CC6.2 CC6.3 |
A.5.2, A.5.1, A.7.2.1, A.15.1.2A.15.1.3 |
F.23 | Identity and Access Management, Authorization Mechanism | The procedures should include processes for ensuring that information systems, applications, and network device owners authorize all account requests and revoke any unnecessary access based on job role |
IAM-01,
IAM-05, IAM-16 |
CC6.2
CC6.3 |
9.1.1, A.9.1.1 A.5.1.2
A.9.1.1, A.8.1.2, A.9.2.3 A.9.2.5 |
F.24 | Uniquely Identifiable Users | Supplier personnel must not share account credentials. All user accounts must be attributable to individuals (i.e. every account will have a unique authentication credential). | IAM-13, | CC6.1 | A.9.2.1 |
Access Controls | |||||
F.25 | Strong Authentication | Access controls must be implemented for information systems, networks, and applications that verify the identity of all users and restrict access to authorized users. Multifactor authentication technology is required for all Supplier’s systems containing Carta data. | IAM-14, |
CC6.1
CC6.6 |
A.9.1.2, A.9.2.4, A.9.4.2 |
F.26 | Management of Privileged Access Roles | Access controls must use a role based access model and differentiate access levels for end-users and privileged access (e.g. systems administrators). | IAM-10, | CC6.3 | A.9.2.3 |
F.27 | Authorization Mechanism and Segregation of Privileged Access Roles | Approvals for access requests must have appropriate segregation of duties, e.g. different personnel must perform the access authorization and access administration roles. |
IAM-09,
IAM-16, |
CC6.2
CC6.3 |
A.9.2.3
A.9.2.5 |
F.28 | User Access Review | Access lists for information systems, network devices and applications must be reviewed on a regular basis and access removed when no longer required such as personnel job role change or termination. | IAM-08, | CC6.2 | A.9.2.5, A.9.2.6, A.9.4.1, A.6.1.2 |
Password Management | |||||
Account authentication credentials must be unique and not be reused for other accounts. | CC6.1 | ||||
F.29 | Password Management, and Strong Password Policy and Procedures |
|
IAM-15 IAM-02 | CC6.1 | A.9.2.4, A.9.3.1, A.9.4.3 |
Protection of Carta Confidential Information | |||||
F.30 | Data Encryption | Carta confidential information must be stored on secure Supplier systems that are fully encrypted using AES-256-bit or higher encryption. Localized storage of Carta confidential information (e.g. on laptops, desktops, mobile devices etc.) should be avoided. In cases where Carta confidential information is stored on supplier laptops, desktops and mobile devices, these systems and devices must be encrypted by default using AES-256-bit or higher encryption, including any additional media cards and attached storage. | CEK-03, |
CC6.1
CC6.7 |
A.10.1, A.10.1.1, A.10.1.2 A.13.2.1 A.14.1.3 A.14.1.2 A.18.1.1 A.18.1.2 A.18.1.3 |
F.31 | Data Retention and Deletion | Supplier will delete Carta’s confidential information upon Carta’s request, upon completion of services, or upon the termination of services. If required for regulatory retention purposes, by law, or as specified in the agreement, Supplier is permitted to retain one copy of the foregoing materials, as required, provided that any such copy is encrypted, is not used or accessed for any other purpose and is protected in accordance with the requirements of these Standards, and is promptly deletion if no longer required for regulatory retention purposes. | DSP-16, |
C1.1
C1.2 |
A.18.1.3 |
F.32 | Secure Disposal | Electronic media that is decommissioned and has been used in the delivery of services to Carta must be sanitized before disposal or repurposing, using a process that assures data deletion and prevents data from being reconstructed or read, as prescribed in a recognized standard (e.g. NIST SP 800-88). Defective electronic media containing Carta confidential information must be physically destroyed | DSP-02, | CC6.5 | A.8.3.2, A.11.2.7 |
F.33 | Communication Encryption | Carta confidential information must be transmitted using encrypted protocols that protect the transfer of information, e.g., SFTP, TLS. Where services require Carta confidential information to be exchanged using e-mail, Transport Layer Security (TLS) between Carta mail gateways and Supplier mail gateways must be used | |||
F.34 | No Personal Email Accounts | Supplier will not permit the use of personal email accounts for exchanging Carta confidential information. | |||
F.35 | No Carta Data in Dev, Test, or Staging | Supplier must not use Carta confidential information from production systems for development, testing or staging purposes. |
PART G: SECURE SOFTWARE DEVELOPMENT
G.1 | Secure Application Design and Development |
Supplier ensures that all software and services used by Supplier to provision the Supplier’s services, including those developed by Supplier and those provided by others, have been developed following a software development lifecycle process which includes industry best practices for achieving and sustaining required security qualities for confidentiality, integrity and availability protection.
Software security vulnerabilities (e.g. OWASP Top Ten or CWE listings) shall be avoided. |
AIS-04, AIS-05, AIS-06 | CC8.1 | A.14.1.1 A.14.1.2 A.14.2.1 A.14.2.8 A.14.2.9 A.12.1.2 A.14.2.2 |
G.2 | Application Security Policy and Procedures | The expected security measures and controls applied for software provisioning, such as Security Education of the development workforce, Secure Architecture and Design principles, Secure Coding practices, Security Testing methods and tools applied, Security Response to react timely on applicable software vulnerabilities that become known, as well as application security controls embedded and enforced by the software itself, such as identity management, authentication, authorization, encryption etc. shall be adequate to meet relevant business, technology and regulatory risks according to international standards such as ISO/IEC 27034. | AIS-01, AIS-02 | CC8.1 |
A.14.2.1 A.14.2.5
A.5.1.1 A.7.2.2 |
G.3 | Application Vulnerability Remediation | Supplier has procedures in place to ensure integrity of software updates and can demonstrate that precautions are taken to ensure that any of its own or 3rd party or open source software used for providing the Supplier services do not contain known backdoors, viruses, trojans or other kind of malicious code. | AIS-07 | CC8.1 | A.16.1.5, A.12.6.1 |
PART H: BASELINE PHYSICAL SECURITY
Supplier Facilities
H.1 | Supplier must maintain the following controls at all Supplier facilities (including third party facilities used by Supplier) from which Carta’s networks, information systems and/or confidential information may be accessed. |
H.2 | Supplier must maintain a physical security plan to protect offices and information processing facilities that addresses internal and external threats to sites. Plans must be reviewed and updated on at least an annual basis. |
H.3 | Sites must have secure entry points that restrict access and protect against unauthorized access. Access to all locations must be limited to authorized personnel and approved visitors. All visitors must be required to sign a visitor register. Entry points should have security cameras. |
H.4 | Access areas to information processing facilities should be manned by a security guard. Out of hours access should be monitored, recorded, and controlled. Logs detailing access must be stored for a period of at least 90 days. |
H.5 | Supplier personnel and authorized visitors must be issued identification cards. Visitor identification cards must be distinguishable from Supplier personnel identification cards and must be retrieved and inventoried daily. |
H.6 | Access cards and keys that provide access to secure areas and information processing facilities such as data centers must be monitored and limited to authorized personnel. Regular reviews of access rights must be performed. |
H.7 | Off-site removal of information systems, computers, and network devices must be restricted, approved and authorized by asset owners and appropriate security departments. |
H.8 | Documents that contain Carta confidential information must be kept in a secure location when not in use. |