Systems

What is it?

A system is a piece of software, either built by the organization or purchased from a third party.

For example, cloud-based tools that employees use on a daily basis typically qualify as systems. For example, Salesforce, Slack, JIRA, Miro, AWS S3, Gusto, etc. are all systems. Alternatively, customer applications written by your product team, like a front-end, a back-end, or a mobile app, are also systems.

Software used by individuals on their workstations, such as browsers, is not treated as a system as it doesn’t have significant compliance implications for the organization.

System Data Classification

A System Data classification is the mechanism used to denote what kind of data is stored or processed by a system. TrustOps intelligently generates the right kinds of tests and auto-assigns the controls for a system based on the data classification of the system. The more sensitive data stored within a system, the higher security it requires; therefore, selecting a more sensitive data classification bucket is recommended to generate the right tests for it.

The following screenshot shows systems with data classification.

By default, there are four types of data classifications in TrustOps:

1. Customer Confidential: This classification is applied if a system stores or processes your customer’s data or PHI.
   Example: data that belongs to your customer or production data that includes sensitive customer PII, such as:
   1. Customer data that is stored to provide services (does not include customer name, title, email address, etc.)
   2. Customer DOB, SSN
   3. Customer biometric records
   4. Customer passport numbers and driver licenses
   5. Customer login details (authentication)
   6. Customer IP addresses
   7. Customer credit card or bank account numbers
   8. Customer’s personal medical data and health
   9. Intellectual property
   10. Production data is stored and used to provide services.
       If compromised, it puts the organization at legal, financial, and reputational risk.
2. Company Restricted: This classification is applied if a system stores an organization’s sensitive data.
   Example: internal data that includes sensitive PII, such as:
   1. Employee’s full name and address
   2. Organization’s vendor contracts
   3. Tools that derive insights from the production systems, such as application performance management tools, reporting tools, etc.
      If compromised, it can negatively affect internal operations.
3. Company Confidential: This classification is applied if a system stores or processes data that is confidential to your organization.
   Example: Confidential Internal data used for internal purposes such as:
   1. Research projects
   2. Emails
   3. Internal documents
   4. Sales playbook
   5. Marketing materials
   6. Business plans and strategies
   7. Employee names and addresses
   8. Employee payroll
   9. Employees reviews
4. Public: This classification is applied if a system stores or processes data that is not sensitive and/or is available to the public.
   Example: Your organization’s website
   1. Blog Posts

System Details

The system details page provides you with detailed information about the system, the controls associated with it, and the status of each control. In addition to control-specific information, the system details page provides the risk associated with the system.

System Attributes

A system in TrustOps has the following attributes:

1. System Name: The corresponding name of the System.
2. System Purpose: What is the system’s main purpose?
3. System Description: This is intended for the customer to describe how they use the system internally, both for their own records as well as for auditors.
4. System Group: Which group or department function does the system belong to?
5. Data Classification attributed to the system: Level of data sensitivity associated with.
6. Resources: people who are working on the system.
7. Controls: How many adopted or planned controls are mapped to the system?
8. Risk: Risk associated with failing tests or not running.
9. Automated Tests: The tests associated with the system. 
10. Self-Assessment: Assessments associated with the system.
    The following screenshot shows the system attributes page in TrustOps.
    

Assignment

Assignments of systems are important to do. After reviewing all of your systems as part of your program, you can start by selecting a specific system owner. The system owner is in charge of running the tests associated with it and making sure the system is always in good health.

Who owns the system?

A system is owned by someone who has admin access to it since most of the requirements for evidence reside on the admin side of these systems. 

To assign owner of the system,

1. Go to “Systems” page of your TrustOps program.
2. Click on the profile icon on the top right corner of the screen.
   The following screenshot shows how to assign owner of the system.
   
3. Select owner from the list or invite owner who is not in the list. You can assign yourself as a owner. Click on “Assign To Yourself” or “Assign to New Owner”.

The following video will help you understand systems better.

Adding a System

A step-by-step guide to adding a System

1. In TrustOps, go to the Systems page on the panel on the left side of the screen.
2. Click on ‘+ Add System’.
   
3. The Add System window will ask you to select between “Third-Party Software and Cloud Services” or “Software Developed In-House.”
   
4. If you select “”Third-Party Software,”
   1. Select your system from extensive TrustCloud catalog of SaaS and On-Prem systems
      
   2. Click on the “Proceed” button, and again confirm your selection by clicking on “Proceed” button.
   3. Write system description, select data classification and explain the reason to add system.
      
   4. Click on the “Add System” button.
5. If you select “Software Developed In-House”,
   1. Enter system name, description, select the purpose and select platform.
      
   2. Click on the “Proceed” button.
      
   3. Select if your customers need to download the system and enter from where to download it.
   4. Click on the “Proceed” button.
   5. Select data classification and enter the reason.
      
   6. Click on the “+ Add System” button.

Removing a System

If you have off-boarded a system or are no longer using or storing data because you’ll be offboarding it soon, you need to remove it from your Trust Cloud as well. 

To remove a system,

1. Go to “Systems” page in your TrustOps program.
2. Click on the system.
3. Click on the three-dot button at the top-right corner.
   The following screenshot shows how to remove a system from the program.
   
4. Click on the “Remove from Program” button.
   
5. Click on the “Remove System”.