
Compliance Audits and External Communications

2025.1

Controls and Procedures

Compliance Program Management

  1. IMPLAN management and the security/compliance team have identified, and regularly review, all relevant statutory, regulatory, and contractual requirements.

  2. IMPLAN's compliance policy includes requirements to meet any and all applicable compliance requirements.

  3. Additionally, the Vendor Risk Management policies and procedures specify the details related to contractual agreements with clients, partners and vendors, as well as requirements and process related to intellectual property rights and the use of proprietary software products.

  4. The compliance and security team shall consist of the Vice President of Product and Technology, the Director of Infrastructure and Technology, and the Network Administrator. These members will work with IMPLAN Leadership to continually improve the security posture and compliance of IMPLAN.

Continuous Compliance Monitoring

  1. The status of compliance is tracked via JupiterOne.
  2. The system will monitor and report, through secure integrations into other systems, on the status of configured metrics which align with IMPLAN company policy and controls.

Types of System Audits

IMPLAN's auditing processes include the following.

  1. Configuration and Activity Monitoring: This refers to the logging, monitoring, scanning and alerting of a system, account, or environment, which may be achieved using real-time automated scripts/software or manual review and testing. This type of auditing is performed continuously as part of IMPLAN operations.

    !!! tip "Examples include:"

        * User: User and account-level audit trails generally monitor and log all commands directly initiated by the user, all identification and authentication attempts, and data and services accessed.
        * Application: Application-level audit trails generally monitor and log all user activities, including data accessed and modified and specific actions.
        * System: System-level audit trails generally monitor and log user activities, applications accessed, file integrity, and other system-defined specific actions.
        * Network: Network-level scans or audit trails generally monitor information on what is operating, perform penetration tests, and identify vulnerabilities.
        * Traffic: Traffic refers to the incoming and outgoing traffic into and out of production/restricted environments, for example firewall logs or VPC flow logs in AWS.
        * Data: Data includes all successful and failed attempts at production data access and editing.

        *Data associated with the above events will include origin, destination, action performed, timestamp, and other relevant details available.*
  2. Access Review: This refers to the review of all user and service accounts and permissions across IMPLAN operational environments, including on-premise systems, cloud environments such as AWS accounts, and other applications such as collaboration software, ticketing system and code repos.

    • IMPLAN developed an internal tool to automatically pull configurations from our cloud-based environments, including:
      • AWS access configuration from IAM policies, EC2 VPC and security group settings, S3 bucket policies, Lambda and API Gateway resources, etc.;
      • Users, groups, and application access from the Okta IdP;
      • Network access settings from Cisco Meraki, etc.
    • The data is collected either on demand, triggered by the security team, or in response to changes in the operational environment.
    • The data is used by the tool to aggregate and analyze user and application access.
    • Access to other systems and applications that are not covered by this automated tool is reviewed manually on a quarterly basis or with any significant change to the target environment.
    • As a result of each review, unused or invalid access will be removed.
  3. Compliance and Controls Audit: This refers to the audit performed against the Technical, Administrative, and/or Physical controls as defined in IMPLAN policies and procedures, to measure their adoption and effectiveness. This type of auditing is typically performed by either a designated internal audit team or an external audit firm, at defined intervals or prompted by a trigger event.

    !!! tip "Potential trigger events include:"

        * Scheduled compliance audit/assessment (e.g. annual risk assessment)
        * High risk or problem prone incidents or events, or as part of post-incident activities
        * Business associate, customer, or partner complaints
        * Identification of significant security vulnerabilities
        * Atypical patterns of activity
        * Failed authentication attempts
        * Remote access use and activity
        * Activity post termination
        * Random audits
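To make the automated access review described in item 2 above concrete, here is an added Python example (not IMPLAN's internal tool, whose code is not on this page) that aggregates constructed AWS IAM and Okta snapshots and flags access that is unused or no longer backed by an active identity; the 90-day threshold, the record shapes, and the review date are assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone

UNUSED_AFTER = timedelta(days=90)  # assumed review threshold, not stated on the page
REVIEW_DATE = datetime(2025, 3, 15, tzinfo=timezone.utc)  # assumed "now" for the review

Finding = namedtuple("Finding", "account source reason")

# Constructed sample snapshots standing in for what an automated pull
# from AWS IAM and the Okta IdP would return.
IAM_USERS = [
    {"user": "alice",      "type": "human",   "last_activity": "2025-03-01T10:00:00Z"},
    {"user": "bob",        "type": "human",   "last_activity": "2024-10-02T08:30:00Z"},
    {"user": "carol",      "type": "human",   "last_activity": "2025-02-20T12:00:00Z"},
    {"user": "svc-deploy", "type": "service", "last_activity": None},
]
OKTA_STATUS = {"alice": "ACTIVE", "bob": "ACTIVE", "carol": "DEPROVISIONED"}


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp; None means the account has never been used."""
    if ts is None:
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_access(iam_users, okta_status, now):
    """Return findings for access that is unused or no longer backed by a valid identity."""
    findings = []
    for rec in iam_users:
        user, last = rec["user"], parse_ts(rec["last_activity"])
        if last is None:
            findings.append(Finding(user, "aws-iam", "never used"))
        elif now - last > UNUSED_AFTER:
            findings.append(Finding(user, "aws-iam", f"unused for {(now - last).days} days"))
        # Human IAM users must map to an active Okta identity; service
        # accounts have no IdP record and are reviewed on usage only.
        if rec["type"] == "human":
            status = okta_status.get(user)
            if status is None:
                findings.append(Finding(user, "okta", "no matching IdP identity"))
            elif status != "ACTIVE":
                findings.append(Finding(user, "okta", f"IdP status {status}"))
    return findings


def sample_review():
    """Run the review over the constructed snapshots at the assumed review date."""
    return review_access(IAM_USERS, OKTA_STATUS, REVIEW_DATE)


if __name__ == "__main__":
    for f in sample_review():
        print(f"{f.account}: candidate for removal [{f.source}] {f.reason}")
```

Each finding is a candidate for the "unused or invalid access will be removed" step; in practice the list would be reviewed by the security team before any access is revoked.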

Requesting Audit and Compliance Reports

IMPLAN, at its sole discretion, shares audit reports, including any Corrective Action Plans (CAPs) and exceptions, with customers on a case-by-case basis. All audit reports are shared under an explicit NDA, in IMPLAN's format, between IMPLAN and the party receiving the materials. Audit reports can be requested by IMPLAN workforce members on behalf of Customers or directly by IMPLAN Customers.

The following process is used to request audit reports:

  1. A request may be sent by email to support@implan.com or submitted via the IMPLAN Internal Support Portal. In the request, please specify the type of report being requested and any required timelines for the report.
  2. IMPLAN's security team will confirm whether a current NDA is in place with the party requesting the audit report. If there is no NDA in place, IMPLAN will send one for execution.
  3. Once it has been confirmed that an NDA is executed, IMPLAN will send the customer the requested audit report.