Knowledge Center
FAQ
Discover answers to frequently asked questions on Ostendio.
Admin Portal
Does the Admin Portal provide us with details of our partner’s contacts in the Trust Network?
Is there a way to send a “reminder” through Ostendio to an approver of a document?
What is the difference between creating a Vendor Connect request and adding a client via the Admin portal?
Application Security
What if an admin or client deletes the entire instance by accident? What is the recovery process?
What are the repercussions if an admin, or a client with admin-like privileges, provides another third party unauthorized access to the client instance?
Are all developers required to take secure-coding training?
Do you perform security testing in the following: DAST (Dynamic Application Security Testing), SAST (Static Application Security Testing), SCA (Software Composition Analysis), Penetration Testing?
Do you perform Peer Code Review during development?
Do you have SDLC (Secure Development Lifecycle) in place?
Assets
Can an admin/site admin see a private asset?
Create an Asset Security Profile Report
Assessment
How do we manage Templates for a form repository? Would this be done from our Templates Module?
When do the accept or reject options show in an external assessment?
Is there a way to query for specific words in the chat of the assessment?
How does the assessment module score according to HITRUST, using the HITRUST scoring methodology?
Can we recover deleted questions in an assessment?
Can we export evidence from an Assessment in bulk including artifacts that are not attached as files?
Is risk assessment performed on a regular basis, and if so, how do you track compliance or noncompliance?
Will Ostendio be the assessor for my HITRUST/SOC 2/etc certification?
Audit
When does the Task Owner receive an email notification in an audit?
Are assets automatically added or removed from audit tasks as they are activated/inactivated?
Can our Audit Partners review evidence on an External Assessment completed by a client just by adding them as Primary or Alternative Reviewers, or do they need some other permission?
Do you undergo third-party security audits such as ISO 27001, ISO 27017, SOC 2, etc?
What is an Audit Task Scheme?
Audit Task Frequency
Change Management
Is a rollback/recovery plan provided as part of the change request?
During the change control/management process, is separation of duties observed?
Is change control/management enforced across the organization (e.g. system changes, code releases, etc)?
Do you have a change control/change management process in place?
Communication and Notifications
Why did I get a notification of a task due many days out?
Compliance Manager
What's the best way to manage compliance across multiple business units within the platform?
How is the compliance percentage calculated?
What's the best way to determine the scope of the ISMS for ISO 27001? Is there functionality in settings?
Why is ISO 90003 compliance not added to the Ostendio platform, as it is a QA standard?
How do you track compliance with policies if you require employees and contractors to follow them?
How is the Activity Compliance Score Calculated?
Data Security
If the Ostendio platform is completely shut down and never accessible again, how would we retrieve our data?
What happens if Ostendio pushes a platform update and it causes an interruption to an assessment workflow, delaying the certification process?
What if a client sees someone else’s data on their instance? Data is now public. What are repercussions and remediations?
What happens if someone accidentally deletes data from Ostendio?
If the admin portal got infected with a virus or malware, what is the impact on the current instance and on other client instances?
When would the tool scan attachments for viruses and malware? During upload, post-upload, or on a schedule?
What happens when the client uploads an infected attachment? Does Ostendio SaaS software scan uploaded attachments for viruses and malware?
Does our platform encrypt data using AES-265 or an equivalent standard?
Specify the method Ostendio uses for encryption in transit.
Specify the method used for encryption at rest.
Do you have access to customer’s data in human-readable form?
Document
Is there a size limitation for documents?
When a document is due on a certain date, does the Ostendio platform automatically send reminders?
Is there a way that we can “check out” a document so that it can be reserved and ensure that only one person at a time can update it?
Is there a way to provide unique access to certain documents?
How can we view all the parent documents along with their child documents in the wiki?
Is it possible to have the document reside in an external system and still capture acknowledgment?
Is it possible to create a document without an owner?
Can we view the inactive document from the version history?
Can we force the user to download a document before acknowledging it?
Is there a way to search documents by approver?
Is there a way to make a change that only affects the revision number?
Endpoint Security
Provide the list of the security controls you have deployed on endpoints.
Does your organization allow the use of BYOD (Bring Your Own Device)? If so, describe the security controls you have in place to manage personal devices.
Are all company assets centrally managed or inventoried?
Framework Control Manager
Does the platform have a process for requesting new frameworks, or is it best to have clients upload custom frameworks as an assessment, for example if they support FDA 820?
Does Ostendio support NIST + Essential 8?
How do we map controls to a large document such as an SSP, and to the implementations?
Does the Ostendio platform support custom IRL / Framework uploads?
How can our partners use SOC 2 framework?
Human Resources
Do you have a process in place to securely offboard employees/contractors?
Do all employees (including contractors) sign NDA (Non-Disclosure Agreement)?
Describe your onboarding process. Do all employees (including contractors) undergo a security background check?
Incident Response
Describe how you track/handle incidents. Are incidents centrally managed?
Do you have a process in place to notify PowerSchool in case of an incident or data breach?
Does your incident response plan provide guidelines on the Identification, Containment, Eradication, and Recovery of an incident?
Do you have a documented Incident Response Plan in place?
Identity & Access Control
Do non-US citizens have access to your application as developers or administrators?
Is user access logged and monitored?
Is MFA (Multi-Factor Authentication) enforced when logging into corporate systems?
How is your password policy enforced across the organization (e.g. password complexity, age, lockout settings, # of last passwords used, etc.)?
When granting access to systems/resources, do you use an RBAC (Role-Based Access Control) model?
Infrastructure(Network) Security
What security controls do you have deployed in your production or corporate network?
For Cloud or Hybrid networks, who is your hosting provider?
Describe your corporate/production network: On-Premise, Cloud hosting, Hybrid?
Integration
Does KnowBe4 sync users with Ostendio?
Physical security
Do you have a visitor policy in place? Are visitors escorted at all times?
Do you have a Disaster Recovery Plan in place? How often is it tested?
Policy and Procedures
What policy are we required to follow around ChatGPT/OpenAI?
How can a user access and review the Information Security Policy?
How does Ostendio handle and track the exceptions to policies/standards/procedures?
Report
How do I generate reports on a frequent basis?
Do we have the ability to schedule reports to be run on a daily/weekly basis?
Sort the configuration datasets in custom reports
Risk Management
Can the risk management module grid be customized from a 6x6 grid to a 4x4 or 5x5?
Are you going to enable the Open API functionality to the risk management module for assets?
Do you have risk-based Information Security Policies/Standards/Procedures implemented across the organization? Is there any particular framework you follow?
Security Awareness Training
How often do you provide advanced role-based security training (e.g. system administrators, PII holders, etc.)?
How often do you provide essential security awareness training for all contractors?
How often do you provide essential security awareness training for all employees?
SSO
Is SSO possible for the Select instances?
Does the Okta Integration sync daily to catch new and leaving employees?
Ostendio Password Reset Step-by-Step Process
Ticket
Can we assign a ticket/reminder to an external assessment responder or the organization that isn’t the client?
How are we handling Corrective/preventative action plans?
Training
Does submitting a training late affect the next cycle date? What impact does it have on the next cycle date?
Why is the training download material shown in grey?
How can I automate the Documents and Training material so that I don't have to remember to log in every year to send out documents or training to new employees in the company?
Users
How do we track the logs and prompt a ticket for a suspended user?
How do we provide evidence to the auditor for the deleted users that they have completed training?
Should I delete or suspend the user who left the company?
How do we see history for a deleted user?
Does the system send notifications to the new Users when a client adds new Users through import?
Can we just delete a user without transferring their ownership?
Vendor Management
What is the expiration period for Vendor Connect request emails?
Is there an option to extend the invite to a third party after expiry?
Is management approval required to onboard any new 3rd parties?
Do you perform security reviews on all of your 3rd parties (vendors)? If so, how often?
Vulnerability Management
Do you have remediation targets (SLAs) set for vulnerabilities and pen-test findings? If so, please describe.
Do you perform risk-based evaluations of vulnerabilities and pen-testing findings? If so, describe the process.
Apart from vulnerability scans, do you perform penetration testing on your network? If so, please describe the frequency.
Do you have a vulnerability management program in place? If so, please describe the scope and frequency of the scans.
Miscellaneous
What is the benefit of our clients having access to or being visible on the trust network?
Do you have a document that lists the differences between the plan types (Lite, Select, Enterprise, Premium & Premium Plus)?
What is the retention period for logs, files, audit information, etc?
How do you handle scheduled and mission-critical/emergency maintenance outages?
Where can I get the AICPA template for SOC2 to see if it is better than the SCF one?
What is the SCF support email address?
What types of files are supported for upload?
What are the limitations of the Lite Instances?
How many pieces of evidence can be uploaded or attached on the Lite license?
How often do you update the platform and share that information with the customers?
How do you create “Departments” on the Ostendio platform?
When should a client choose to use an electronic signature for the submission of a task? Is there a specific framework or type of document that should be mandatory for this?
How often is Ostendio platform data backed up?
Is it possible for a client to modify the Authorized Point of Contact for their organization, i.e., the person who receives external assessments?
Where can I find our W9 and tax ID number?
I need to provide validation documentation for my auditor; can you provide that?