Additional Resources
FAQs, release notes, and other additional resources
Basic Employee Training
Video Resources
FAQ
- What if the framework I want to use is not in Ostendio?
- Does the Admin Portal provide us with details of our partner’s contacts in the Trust Network?
- Is there a way to send a “reminder” through Ostendio to an approver of a document?
- What is the difference between creating a Vendor Connect request and adding a client via the Admin portal?
- What if admin or client deletes entire instance by accident? Recovery process?
- What are the repercussions if admin or client with admin like privileges provides another third-party unauthorized access to the client instance?
- Are all developers required to take secure-coding training?
- What kind of security testing do you perform?
- Do you perform Peer Code Review during development?
- Do you have SDLC (Secure Development Lifecycle) in place?
- Can Admin/Site Admin see a private Asset?
- Can I Create an Asset Security Profile Report?
- How to manage Templates for a form repository.
- When do the accept or reject options show in the external assessment?
- Is there a way to query for specific words in the chat of the assessment?
- How does the assessment module score according to HITRUST, using the HITRUST scoring methodology?
- Can we recover deleted questions in an assessment?
- Can we export evidence from an Assessment in bulk including artifacts that are not attached as files?
- Are risk assessments performed on a regular basis? If so, how do you track compliance or noncompliance?
- Will Ostendio be the assessor for my HITRUST/SOC 2/etc certification?
- When does the Task Owner receive an email notification in a recurring task?
- Are assets automatically added or removed from recurring tasks as they are activated/inactivated?
- Can our Audit Partners review evidence on an External Assessment completed by a client just by adding them as Primary or Alternative Reviewers, or do they need some other permission?
- Do you undergo third-party security audits such as ISO 27001, ISO 27017, SOC 2, etc?
- What is a Recurring Task Scheme?
- Is a rollback/recovery plan provided as part of the change request?
- During the change control/management process, is separation of duties observed?
- Is change control/management enforced across the organization (e.g. system changes, code releases, etc)?
- Do you have change control/change management process in place?
- Why did I get a notification of a task due many days out?
- What's the best way to manage compliance across multiple business units within the platform?
- How is the Compliance percentage calculated?
- What’s the best way to determine the scope of the ISMS for ISO 27001? Is there functionality in settings?
- Why is ISO 90003 compliance not added as a QA standard in the Ostendio platform?
- How do you track compliance with policies if you require employees and contractors to follow them?
- How is the Activity Compliance Score Calculated?
- If the Ostendio platform is completely shut down and never to be accessible again, how would we retrieve the data?
- What happens if Ostendio pushes a platform update and it causes an interruption to an assessment workflow, delaying the certification process?
- What if a client sees someone else’s data on their instance? Data is now public. What are repercussions and remediations?
- What happens if someone accidentally deletes data from Ostendio?
- If the admin portal got infected with a virus or malware what is the impact to current instance and other client instances?
- When would the tool scan attachments for viruses and malware? During, post upload or scheduled?
- What happens when the client uploads an infected attachment? Does Ostendio SaaS software scan uploaded attachments for viruses and malware?
- Does our platform encrypt data using AES-265 or an equivalent standard?
- Specify the method Ostendio used for encryption in transit.
- Specify the method used for encryption at rest.
- Do you have access to customer’s data in human-readable form?
- Is there a size limitation for documents?
- When a document is due on a certain date, are there reminders that are automatically sent to remind them from the Ostendio platform?
- Is there a way that we can “check out” a document so that it can be reserved and ensure that only one person at a time can update it?
- Is there a way to provide unique access to certain documents?
- How can we view all the parent documents along with the child documents in the wiki?
- Is it possible to have the document reside in an external system and still capture acknowledgment?
- Is it possible to create a document without an owner?
- Can we view the inactive document from the version history?
- Can we force the user to download a document before acknowledging it?
- Is there a way to search documents by approver?
- Is there a way to make a change that only affects the revision number?
- Provide the list of the security controls you have deployed on endpoints.
- Does your organization allow the use of BYOD (Bring Your Own Device)? If so, describe the security controls you have in place to manage personal devices.
- Are all company assets centrally managed or inventoried?
- Does the platform have a process for requesting new frameworks, or is it best to have the clients upload the custom frameworks as an assessment example if they support FDA 820?
- How do we map Controls to a large document such as an SSP, and to the implementations?
- Does the Ostendio platform support custom IRL / Framework uploads?
- How can our partners use SOC 2 framework?
- Do you have a process in place to securely offboard employees/contractors?
- Do all employees (including contractors) sign an NDA (Non-Disclosure Agreement)?
- Describe your onboarding process. Do all employees (including contractors) undergo a security background check?
- Describe how you track/handle incidents. Are incidents centrally managed?
- Do you have a process in place to notify clients in case of an incident or data breach?
- Does your incident response plan provide guidelines on the Identification, Containment, Eradication, and Recovery of an incident?
- Do you have a documented Incident Response Plan in place?
- Do non-US citizens have access to your application as developers or administrators?
- Is user access logged and monitored?
- Is MFA (Multi-Factor Authentication) enforced when logging into corporate systems?
- How is your password policy enforced across the organization (e.g. password complexity, age, lockout settings, # of last passwords used, etc.)?
- When granting access to systems/resources, do you use an RBAC model (Role-Based Access Control)?
- What security controls do you have deployed in your production or corporate network?
- For Cloud or Hybrid networks, who is your hosting provider?
- Describe your corporate/production network: On-Premise, Cloud hosting, Hybrid?
- Does KnowBe4 sync users with Ostendio?
- Do you have a visitor policy in place? Are visitors escorted at all times?
- Do you have a Disaster Recovery Plan in place? How often is it tested?
- What policy is required around the use of ChatGPT/OpenAI?
- How can a user access and review the Information Security Policy?
- How does Ostendio handle and track the exceptions to policies/standards/procedures?
- How do I generate reports on a frequent basis?
- Do we have the ability to schedule reports to be run on a daily/weekly basis?
- Sort the configuration datasets in custom reports
- Can the risk management module grid be customized from a 6x6 grid to a 4x4 or 5x5?
- Are you going to enable the Open API functionality to the risk management module for assets?
- Do you have risk-based Information Security Policies/Standards/Procedures implemented across the organization? Is there any particular framework you follow?
- How often do you provide advanced role-based security training (e.g. system administrators, PII holders, etc.)?
- How often do you provide essential security awareness training for all contractors?
- How often do you provide essential security awareness training for all employees?
- Is SSO possible for all Ostendio plan types?
- Does the Okta Integration sync daily to catch new and leaving employees?
- Ostendio Password Reset Step-by-Step Process
- Can we assign a ticket/reminder to an external assessment responder or the organization that isn’t the client?
- How are we handling Corrective/preventative action plans?
- Does submitting a training late affect the next cycle date? What impact does it have on the next cycle date?
- Why does the training download material in grey color?
- How can I automate the Documents and Training material so that I don't have to remember to log in every year to send out documents or training to new employees in the company?
- How do I track the logs and prompt a ticket to a suspended user?
- How do we provide evidence to the auditor for the deleted users that they have completed training?
- Should I delete or suspend the user who left the company?
- How do we see history for a deleted user?
- Does the system send notifications to the new Users when a client adds new Users through import?
- Can we just delete a user without transferring his ownership?
- What is the expiration tenure of Vendor connect request emails?
- Is there an option to extend the invite to a third party after expiry?
- Is management approval required to onboard any new 3rd parties?
- Do you perform security reviews on all of your 3rd parties (vendors)? If so, how often?
- Do you have remediation targets (SLAs) set for vulnerabilities and pen-test findings? If so, please describe.
- Do you perform risk-based evaluations of vulnerabilities and pen-testing findings? If so, describe the process.
- Apart from vulnerability scans, do you perform penetration testing on your network? If so, please describe the frequency.
- Do you have a vulnerability management program in place? If so, please describe the scope and frequency of the scans.
- What is the benefit of our clients having access to or being visible on the trust network?
- Do you have a document that lists the differences between plan types?
- What is the retention period for logs, files, audit information, etc?
- How do you handle scheduled and mission-critical/emergency maintenance outages?
- Where can I get the AICPA template for SOC2 to see if it is better than the SCF one?
- What types of files are supported for upload?
- How often do you update the platform and share that information with the customers?
- How do you create “Departments” on the Ostendio platform?
- When should a client choose to use an electronic signature for the submission of a task? Is there a specific framework or type of document that should be mandatory for this?
- How often is Ostendio platform data backed up?
- Is it possible for a client to modify the Authorized Point of Contact for their organization, i.e., the person who receives external assessments?
- Where can I find our W9 and tax ID number?
- I need to provide validation documentation for my auditor, can you provide that?
FAQ for Admins
- How to Terminate an Ostendio Trust Network Connection
- Why It's Important to Use Smart Tags
- How to Send a Reminder Message to Consumers for Training or Document Acknowledgement
- What do the colors in the Ostendio platform represent?
- Risk Score & Level Definitions
- How many standards/regulations can I map to on the platform?
- Can Ostendio Integrate with...?
- What is the difference between an Ostendio Auditor Connect Premier Partner and an Ostendio Auditor Connect Marketing Partner?
- What is the difference between an Admin and a Site Admin?
- How do I update my Okta configuration to work with the new Ostend.io URL?