
Systems


What is it?

A system is a piece of software, either built by the company or purchased from a third-party.

Cloud-based tools that employees use on a daily basis typically qualify as systems: Salesforce, Slack, JIRA, Miro, AWS S3, Gusto, etc. are all systems. Customer applications written by your product team, such as a front end, a backend, or a mobile app, are also systems.

Software used by individuals on their workstations, such as browsers, doesn’t typically get treated as a system because it doesn’t have significant compliance implications for the company.

System Data Classification

Data classification denotes what kind of data is stored or processed by a system. TrustOps intelligently generates the right kinds of tests and auto-assigns the right kinds of controls for a system based on its data classification. The more sensitive the data stored within a system, the more security it requires, so selecting a more sensitive data classification bucket is recommended to generate the right tests for it.

Systems with data classification

By default, there are 4 types of data classifications in TrustOps:

Customer Confidential: This classification is applied if a system stores or processes your customer’s data or PHI.

Example: data that belongs to your customer, or production data that includes sensitive customer PII such as:

  • Customer data that is stored to provide services (does not include customer name, title, email address etc.)
  • Customer DoB, SSN
  • Customer biometric records
  • Customer passport number / driver licenses
  • Customer login details (authentication)
  • Customer IP addresses
  • Customer credit card/bank account numbers
  • Customer personal medical data/health
  • Intellectual property
  • Production data stored and used to provide services

If compromised, it puts the company at legal, financial, and reputational risk.

Company Restricted: This classification is applied if a system stores Company Sensitive Data.

Example: internal data that includes sensitive PII such as:

  • Employee’s full name, address
  • Company vendor’s contracts
  • Tools that derive insights from the production systems such as application performance management tools, reporting tools, etc.

If compromised, it could negatively affect internal operations.

Company Confidential: This classification is applied if a system stores or processes data that is confidential to your company.

Example: confidential internal data used for internal purposes such as:

  • Research projects
  • Emails
  • Internal documents
  • Sales playbook
  • Marketing materials
  • Business plans, strategies
  • Employee names, addresses
  • Employee payroll
  • Employee reviews

Public: This classification is applied if a system stores or processes data that is not sensitive and/or is available to the public.

Example:

  • Your Company’s website
    • Blog Posts

Adding a System

Step by Step guide to Add a System

  1. In TrustOps, locate the Systems page on the panel on the left side of the screen.
  2. Select + Add System

Adding a System from TrustCloud’s Catalog

  1. Select Add a System from the TrustCloud Catalog.
  2. Search for the system you’re looking for and click Proceed.
  3. Select a data classification for the system. Select Add System.

Adding a System Not in TrustCloud’s Catalog

  1. Select Add a System from the TrustCloud Catalog.
  2. Select “I don’t see my system here” and click Proceed.
  3. Select a Purpose from the drop down menu. Add a website if applicable. Send request.

Add Self-Authored System

  1. Add a system name and the purpose of the system.
  2. Choose whether or not customers will need to download the system and click Proceed.
  3. Choose a platform the system runs on.
  4. Select a data classification for the system. Select Add System.

System Details

The system details page provides detailed information about the system, the controls associated with the system, and the status of each control. In addition to control-specific information, the system details page shows the risk associated with the system.

System Attributes

A system in TrustOps has the following attributes:

  • System Name: Corresponding name of the system
  • System Purpose: What the system’s main purpose is
  • System Description: Intended for the customer to describe how they use the system internally, both for their own records and for auditors
  • System Group: Which group/department function the system belongs to
  • Data Classification attributed to the system: Level of data sensitivity associated with
  • System Controls: How many adopted or planned controls are mapped to the system
  • System Risk: Risk associated with tests that are failing or have not been run
  • Test Associated to the system: Full view of all automated tests and self-assessment tests

Systems attributes page in TrustOps

Assignment

Assigning systems is important. Once you have reviewed all of the systems that are part of your program, you can start selecting a specific owner for each system. The system owner will be in charge of running the tests associated with the system and making sure it is always in good health.

Who should own a system?

A system should preferably be owned by someone who has admin access to the system, since most of the requirements for evidence will live on the admin side of these systems.

Video: Understanding systems

Adding Systems

If you have recently on-boarded or off-boarded any vendors, you must reflect that change in your program as well.

If you need to add a system, it is very easy to do that in TrustOps! On the System page, at the top right corner, you’ll notice an “add System” tab. Feel free to use that every time you need to add a new system.

Once you click on that tab, a window with two options will open up (see image below).

After clicking on “add System” tab

Removing a System

If you have off-boarded a system, or are no longer using it or storing data in it because you’ll be off-boarding it soon, it’s time to remove it from your TrustCloud as well. That action can be taken by clicking on a system card, as shown at the beginning of this page, selecting the three-dot button at the top right corner, and then choosing to remove it from your program.

Deleting a system from TrustOps

 
