Knowledge Center
Additional Resources
FAQs, release notes, and other additional resources
Basic Employee Training
Ostendio Compliance Score & Rank
Completing Assigned Pending Actions
Completing an Electronic Signature in Ostendio
Accessing Pending Actions from an Email
Logging into Ostendio
Video Resources
Incident Management video: Assuring IR & BCP with Ostendio
Asset Management
How to Implement Incident Response and Business Continuity with Ostendio
FAQ
What if the framework I want to use is not in Ostendio?
Does the Admin Portal provide us with details of our partner’s contacts in the Trust Network?
Is there a way to send a “reminder” through Ostendio to an approver of a document?
What is the difference between creating a Vendor Connect request and adding a client via the Admin portal?
What if an admin or client deletes an entire instance by accident? What is the recovery process?
What are the repercussions if an admin, or a client with admin-like privileges, provides a third party with unauthorized access to the client instance?
Are all developers required to take secure-coding training?
What kind of security testing do you perform?
Do you perform Peer Code Review during development?
Do you have SDLC (Secure Development Lifecycle) in place?
Can Admin/Site Admin see a private Asset?
Can I create an Asset Security Profile Report?
How to manage templates for a form repository
When do the accept or reject options show in an external assessment?
Is there a way to query for specific words in the chat of the assessment?
How does the assessment module score according to HITRUST, using the HITRUST scoring methodology?
Can we recover deleted questions in an assessment?
Can we export evidence from an Assessment in bulk including artifacts that are not attached as files?
Are risk assessments performed on a regular basis? If so, how do you track compliance or noncompliance?
Will Ostendio be the assessor for my HITRUST/SOC 2/etc certification?
When does the Task Owner receive an email notification in an audit?
Are assets automatically added or removed from audit tasks as they are activated/inactivated?
Can our Audit Partners review evidence on an External Assessment completed by a client just by adding them as Primary or Alternative Reviewers, or do they need some other permission?
Do you undergo third-party security audits such as ISO 27001, ISO 27017, SOC 2, etc.?
What is an Audit Task Scheme?
Audit Task Frequency
Is a rollback/recovery plan provided as part of the change request?
During the change control/management process, is separation of duties observed?
Is change control/management enforced across the organization (e.g. system changes, code releases, etc)?
Do you have a change control/change management process in place?
Why did I get a notification of a task due many days out?
What's the best way to manage compliance across multiple biz units within the platform?
How is the compliance percentage calculated?
What’s the best way to determine the scope of the ISMS for ISO 27001? Is there functionality in settings?
Why is ISO 90003 compliance not added as a QA standard in the Ostendio platform?
How do you track compliance with policies if you require employees and contractors to follow them?
How is the Activity Compliance Score Calculated?
If the Ostendio platform is completely shut down and never to be accessible again, how would we retrieve the data?
What happens if Ostendio pushes a platform update and it causes an interruption to an assessment workflow, delaying the certification process?
What if a client sees someone else’s data on their instance? Data is now public. What are repercussions and remediations?
What happens if someone accidentally deletes data from Ostendio?
If the admin portal got infected with a virus or malware what is the impact to current instance and other client instances?
When does the tool scan attachments for viruses and malware: during upload, after upload, or on a schedule?
What happens when the client uploads an infected attachment? Does Ostendio SaaS software scan uploaded attachments for viruses and malware?
Does our platform encrypt data using AES-256 or an equivalent standard?
Specify the method Ostendio uses for encryption in transit.
Specify the method used for encryption at rest.
Do you have access to customer’s data in human-readable form?
Is there a size limitation for documents?
When a document is due on a certain date, does the Ostendio platform automatically send reminders?
Is there a way that we can “check out” a document so that it can be reserved and ensure that only one person at a time can update it?
Is there a way to provide unique access to certain documents?
How can we view all the parent documents along with the child documents in the wiki?
Is it possible to have the document reside in an external system and still capture acknowledgment?
Is it possible to create a document without an owner?
Can we view the inactive document from the version history?
Can we force the user to download a document before acknowledging it?
Is there a way to search documents by approver?
Is there a way to make a change that only affects the revision number?
Provide the list of the security controls you have deployed on endpoints.
Does your organization allow the use of BYOD (Bring Your Own Device)? If so, describe the security controls you have in place to manage personal devices.
Are all company assets centrally managed or inventoried?
Does the platform have a process for requesting new frameworks, or is it best to have the clients upload the custom frameworks as an assessment example if they support FDA 820?
How do we map controls to a large document such as an SSP and its implementations?
Does the Ostendio platform support custom IRL / Framework uploads?
How can our partners use SOC 2 framework?
Do you have a process in place to securely offboard employees/contractors?
Do all employees (including contractors) sign NDA (Non-Disclosure Agreement)?
Describe your onboarding process. Do all employees (including contractors) undergo a security background check?
Describe how you track/handle incidents. Are incidents centrally managed?
Do you have a process in place to notify clients in case of an incident or data breach?
Does your incident response plan provide guidelines on the Identification, Containment, Eradication, and Recovery of an incident?
Do you have a documented Incident Response Plan in place?
Do non-US citizens have access to your application as developers or administrators?
Is users’ access logged and monitored?
Is MFA (Multi-Factor Authentication) enforced when logging into corporate systems?
How is your password policy enforced across the organization (e.g. password complexity, age, lockout settings, # of last passwords used, etc.)?
When granting access to systems/resources, do you use an RBAC (Role-Based Access Control) model?
What security controls do you have deployed in your production or corporate network?
For Cloud or Hybrid networks, who is your hosting provider?
Describe your corporate/production network: On-Premise, Cloud hosting, Hybrid?
Does KnowBe4 sync users with Ostendio?
Do you have a visitor policy in place? Are visitors escorted at all times?
Do you have a Disaster Recovery Plan in place? How often is it tested?
What policy is required around the use of ChatGPT/OpenAI?
How can a user access and review the Information Security Policy?
How does Ostendio handle and track the exceptions to policies/standards/procedures?
How to generate reports on a frequent basis?
Do we have the ability to schedule reports to be run on a daily/weekly basis?
Sort the configuration datasets in custom reports
Can the risk management module grid be customized from a 6x6 grid to a 4x4 or 5x5?
Are you going to enable the Open API functionality to the risk management module for assets?
Do you have risk-based Information Security Policies/Standards/Procedures implemented across the organization? Is there any particular framework you follow?
How often do you provide advanced role-based security training (e.g. system administrators, PII holders, etc.)?
How often do you provide essential security awareness training for all contractors?
How often do you provide essential security awareness training for all employees?
Is SSO possible for all Ostendio plan types?
Does the Okta Integration sync daily to catch new and leaving employees?
Ostendio Password Reset Step-by-Step Process
Can we assign a ticket/reminder to an external assessment responder or the organization that isn’t the client?
How are we handling Corrective/preventative action plans?
Does submitting a training late affect the next cycle date? What impact does it have on the next cycle date?
Why does the training download material appear in grey?
How can I automate the Documents and Training material so that I don't have to remember to log in every year to send out documents or training to new employees in the company?
How do I track the logs and raise a ticket for a suspended user?
How do we provide evidence to the auditor for the deleted users that they have completed training?
Should I delete or suspend the user who left the company?
How do we see history for a deleted user?
Does the system send notifications to the new Users when a client adds new Users through import?
Can we just delete a user without transferring their ownership?
What is the expiration period for Vendor Connect request emails?
Is there an option to extend the invite to a third party after expiry?
Is management approval required to onboard any new 3rd parties?
Do you perform security reviews on all of your 3rd parties (vendors)? If so, how often?
Do you have remediation targets (SLAs) set for vulnerabilities and pen-test findings? If so, please describe.
Do you perform risk-based evaluations of vulnerabilities and pen-testing findings? If so, describe the process.
Apart from vulnerability scans, do you perform penetration testing on your network? If so, please describe the frequency.
Do you have a vulnerability management program in place? If so, please describe the scope and frequency of the scans.
What is the benefit of our clients having access to or being visible on the trust network?
Do you have a document that lists the differences between plan types?
What is the retention period for logs, files, audit information, etc.?
How do you handle scheduled and mission-critical/emergency maintenance outages?
Where can I get the AICPA template for SOC2 to see if it is better than the SCF one?
What types of files are supported for upload?
How often do you update the platform and share that information with the customers?
How do you create “Departments” on the Ostendio platform?
When should a client choose to use an electronic signature for the submission of a task? Is there a specific framework or type of document that should be mandatory for this?
How often is Ostendio platform data backed up?
Is it possible for a client to modify the Authorized Point of Contact for their organization, i.e., the person who receives external assessments?
Where can I find our W9 and tax ID number?
I need to provide validation documentation for my auditor; can you provide that?
FAQ for Admins
How to Terminate an Ostendio Trust Network Connection
Why It's Important to Use Smart Tags
How to Send a Reminder Message to Consumers for Training or Document Acknowledgement
What do the colors in the Ostendio platform represent?
Risk Score & Level Definitions
How many standards/regulations can I map to on the platform?
Can Ostendio Integrate with...?
What is the difference between an Ostendio Auditor Connect Premier Partner and an Ostendio Auditor Connect Marketing Partner?
What is the difference between an Admin and a Site Admin?
How do I update my Okta configuration to work with the new Ostend.io URL?