Computing Due Diligence (NTUC) + Hosted Information Risk Assessment (KC)
Business Continuity, Data and Regulatory Compliance
5.1. Business Continuity Plan (BCP) / Disaster Recovery (DR)
5.1.1. A business continuity / disaster recovery plan - YES:
For the software, 2359 Media provides an automated backup service that can be used to launch a secondary production service in another data centre should disaster recovery be needed.
Azure data center disaster recovery policy here -
Botbot is deployed in Azure's Southeast Asia region. Under the auto-scaling plan, our servers are spread across multiple data centres in that region, so that a single-site disaster does not cause downtime. In the rare case that all production servers are down, 2359 Media will be informed by Microsoft and will in turn inform Income.
5.1.2 Location of the DR site
2359 Media's office is based in Singapore. The exact Azure DR location is not available. Botbot is deployed in Azure's Southeast Asia region; under the auto-scaling plan, servers are spread across multiple data centres in that region so that a single-site disaster does not cause downtime.
Azure disaster recovery policy -
Azure meets Singapore policies. Details here -
5.1.3. Regular performance of BCP/DRP exercise - NO
2359 Media provides software only, so BCP/DRP exercises are not part of its regular practice. If required, 2359 Media will participate in client-initiated drills.
5.1.4. Recovery Point Objective (RPO) and Recovery Time Objective (RTO) - NO
RPO and RTO are two of the most important parameters of a disaster recovery or data protection plan; they guide the choice of an optimal data backup plan. No RPO or RTO is specified for this service.
5.2. Backup and Recovery / Media Handling
5.2.1. Client's asset on the cloud is backed up regularly with encryption enforced - YES
On the software side, 2359 Media provides automated backup on Azure with encryption enforced. Backup frequency is daily and backups are progressive (incremental). The backup encryption standard used is AES-256. Details can be found here -
5.2.3. Backup media access is controlled
On the software side, only the 2359 Media System Engineer has access to recover the virtualised backup media. No third party accesses the data besides the 2359 Media System Engineer. Income data is managed in the same way as all other client data.
5.2.2. Backup media is tested to ensure information availability when restoration from the backup media is necessary
On the software side, 2359 Media provides virtualised backup services; rigorous testing is done to ensure that restoration is possible and the data is correct. Human verification and an automated query script are run to confirm that the backup succeeded and is accessible.
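The "automated query script" named above is not reproduced on the page, so the following is an added example of what such a restore-verification check looks like; it is not 2359 Media's or Azure's script. It assumes sqlite3 as a stand-in for the production SQL Server database so that it runs offline; against Azure SQL the same three steps apply: restore the backup into a scratch database, run an integrity check, then compare per-table row counts and content digests with the manifest recorded when the backup was taken. The sample chat-history table and the damaged-backup scenario are constructed.

```python
"""Restore-and-verify check for a database backup.

Added example; it is not 2359 Media's or Azure's script. sqlite3 stands in
for the production SQL Server database (assumption) so the check runs
offline; against Azure SQL the same steps would be: restore the backup
into a scratch database, run DBCC CHECKDB, then compare per-table row
counts and digests with the manifest recorded when the backup was taken.
"""
import hashlib
import os
import sqlite3
import tempfile


def table_manifest(conn):
    """Row count and a SHA-256 content digest per table.

    Comparing these after a restore catches a truncated or silently
    corrupted backup, which a plain 'file exists and opens' check does not.
    """
    manifest = {}
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    for name in names:
        count = conn.execute(f'SELECT COUNT(*) FROM "{name}"').fetchone()[0]
        digest = hashlib.sha256()
        for row in conn.execute(f'SELECT * FROM "{name}" ORDER BY rowid'):
            digest.update(repr(row).encode())
        manifest[name] = (count, digest.hexdigest())
    return manifest


def make_backup(src_path, backup_path):
    """Take an online copy of the database and record its manifest."""
    src = sqlite3.connect(src_path)
    dst = sqlite3.connect(backup_path)
    src.backup(dst)
    manifest = table_manifest(src)
    dst.close()
    src.close()
    return manifest


def verify_restore(backup_path, expected):
    """Restore the backup into scratch storage, run an integrity check and
    compare every table with the manifest. Returns (ok, findings)."""
    findings = []
    with tempfile.TemporaryDirectory() as scratch_dir:
        scratch = sqlite3.connect(os.path.join(scratch_dir, "restored.db"))
        backup = sqlite3.connect(backup_path)
        backup.backup(scratch)            # the actual restore step
        backup.close()
        status = scratch.execute("PRAGMA integrity_check").fetchone()[0]
        if status != "ok":
            findings.append(f"integrity_check failed: {status}")
        restored = table_manifest(scratch)
        scratch.close()
    for name, (count, digest) in expected.items():
        if name not in restored:
            findings.append(f"table {name} missing after restore")
        elif restored[name] != (count, digest):
            findings.append(
                f"mismatch in {name}: expected {count} rows, "
                f"restored {restored[name][0]} rows (digest differs)")
    return (not findings, findings)


def demo():
    """Constructed data: back up a small chat-history table, verify the
    restore, then damage the backup and verify again."""
    with tempfile.TemporaryDirectory() as d:
        src_path = os.path.join(d, "botbot.db")
        bak_path = os.path.join(d, "botbot.bak")
        conn = sqlite3.connect(src_path)
        conn.executescript("""
            CREATE TABLE chat_history(id INTEGER PRIMARY KEY, user TEXT, msg TEXT);
            INSERT INTO chat_history(user, msg) VALUES
                ('u1', 'hello'), ('u2', 'balance enquiry');
        """)
        conn.close()
        manifest = make_backup(src_path, bak_path)
        ok_intact, _ = verify_restore(bak_path, manifest)
        # Simulate a truncated backup by dropping a row from the copy.
        damaged = sqlite3.connect(bak_path)
        damaged.execute("DELETE FROM chat_history WHERE id = 2")
        damaged.commit()
        damaged.close()
        ok_damaged, findings = verify_restore(bak_path, manifest)
    return ok_intact, ok_damaged, findings


if __name__ == "__main__":
    print(demo())
```

The point of recording the manifest at backup time rather than at restore time is that the comparison then proves the restored copy matches what was actually backed up, not merely that some database came back.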
5.3. Logging / Audit Trail
The audit trails and log files are encrypted, archived and retained for one year.
All access is logged. Log and audit files are not deleted.
5.4. Rights to Audit
The client, MAS, or their engaged independent auditors can conduct an on-site audit or inspection when necessary.
2359 Media requires at least two weeks' notice to prepare the site.
Azure does not have stated protocols for on-site audits.
5.5. Data Sovereignty
From a legislation and compliance point of view, we have certified our Singapore Azure data centre to be MTCS Level 3 and PDPA compliant. In addition, I work closely with the Botbot.ai team to ensure that data at rest and in transit resides in the Singapore data centre only.
5.6. Sub contractor management plan - NO
5.7. Financial Strength and Stability - YES
2359 Media is a Singtel Innov8-invested company, which requires yearly financial auditing.
Vendor Data Security and Protection
2.1. Data Segregation and Storage
The segregation is logical.
Data centre: Azure Singapore data centre.
No physical disks; only virtual disks, provided by Azure, are used.
The data is stored within the application: conversational data is stored on the 2359 Media application server in the form of chat history, analytics and intent management. This may include data queried from the client's servers through APIs.
2.2. Data at Rest: encryption via AES-256
2.2.1. Encryption is employed
The encryption standard used: AES-256, applied automatically on upload.
The encryption key management process and standards employed:
2.2.2. Authentication and logical access controls are employed
to ensure Data Confidentiality, Integrity and Accountability (CIA) at CSP level: Azure AD is used for authentication and access control. Only administrators have the right to access all systems; power users have limited access rights depending on their security clearance level.
2.3. Data in motion / Transmission: secure transmission and encryption are employed (SSL/TLS enabled).
2.4. Data in Process
The location of the processing facilities: Azure Singapore data centre.
Data is stored temporarily on the servers' local storage volumes during processing.
Processing is fully automated.
2.5. Deletion / Purging of Data: virtual storage volumes are deleted upon completion or termination.
Hosted Information Risk Assessment (KC)
1. Company Profile: 2359 Media Pte. Ltd.
Product Name/Service Offering:
Holding/parent company name: 2359 Media Pte. Ltd., Singapore, Business Registration Number: 200909983D
Business operating time: 10 years
The number of staff: 48 full-time staff in Singapore, 70 full-time staff in Vietnam, 10 staff in Indonesia.
Brief summary of the products/services: 2359 Media has a proprietary chatbot called Botbot.AI, a chatbot technology designed and built by 2359 Media, which 2359 customises, develops and licenses to clients.
Products/services outsourced, subcontracted or delegated to third parties: the Botbot.AI service is hosted on Microsoft Azure technologies, including App Service, databases and servers.
Physical locations globally where clients' confidential and/or proprietary data will reside, be developed or be supported: 3 Shenton Way, Shenton House, #20-09, Singapore 068805 (registered office address)
N.A.; PCI DSS and SOX are planned in the roadmap for Q2 2019.
2. Human Resources & Policies
Verify employees' identity and conduct background checks for employees, consultants, temporary workers and offshore resources
a) Criminal background:
Agreements that new hires (both employees and contractors) sign pertaining to non-disclosure, confidentiality, acceptable use, or code of conduct - YES
Employees' and contractors' contracts cover non-disclosure, confidentiality and acceptable use.
Mandatory information security and privacy training for new and existing staff - NO
There is no mandatory information security and privacy training for all staff, given the wide range of roles and responsibilities. All staff who handle private information covered by an NDA are briefed on the terms and conditions of that contract.
A formal, documented security awareness and training program: briefing is linked to individual NDAs.
Duties, responsibilities or obligations assigned by the client that are outsourced, offshored or delegated to third parties: all activities related to the engagement are performed internally by 2359 Media. Botbot.AI uses Microsoft technologies to host services and data.
Formally documented written policies and procedure and frequent review
a) Data Classification - YES - annually
b) Acceptable Use - YES - annually
c) Data Handling, Destruction, Retention & Return - YES - annually
d) Remote Access & Third Party Access - NO
e) Change Management - YES - as required
f) Privacy - YES - as required
g) Incident, Problem & Emergency Mgmt - YES - as required
h) Business Continuity & Disaster Recovery - YES - annually
i) Password Management Policies - YES - annually
j) Encryption Policy and Standards - YES - as required
Policies and procedures for handling sensitive information outside of the country in which it was collected
As 2359 Media serves global clients, all information handling procedures apply globally.
Actions for violation of security policies - YES
Action taken for any violation of security policies shall be governed by the laws of the Republic of Singapore to the fullest extent.
3. Control Organizations
Internal Audit and Compliance personnel that govern corresponding policies, procedures, approvals, and review process - NOT YET SET UP; to be reviewed in Q1 2019.
Risk Management personnel that govern corresponding policies, procedures, approvals, and review process - YES
Information Security personnel that govern the Information Security function - NOT YET
Currently information security is managed by Azure’s personnel. On 2359’s end, our focus is on SQL database encryption and application level security audits done in the form of code reviews with senior architects.
Information Security staff dedicated to
a) Security Awareness
: CTO and Senior Architect
b) Policy Enforcement; c) Risk Evaluation; d) Regulatory Compliance
: CTO and Senior Project Manager
Security management functionality is outsourced - NO
A response team to address privacy incidents and breaches of sensitive / confidential data - YES; currently handled by the product development team.
A Privacy Officer/Privacy Director
: Concurrently held by CTO.
A formal process or policy to prepare for and rectify data breaches - WORK IN PROGRESS; to be completed in Q1 2019.
Clients will be notified of all privacy-related problems and incidents (e.g., privacy data breach) involving and/or impacting clients - YES
Upon a detected breach, clients will be notified immediately.
A process implemented to ensure all violations, unauthorized access (including data protection) and anomalous activities are logged, monitored, reviewed and addressed in a timely manner - YES
All system processes are logged in the activity monitor database for audit and review purposes.
4. Physical & Information Security
: This section is not valid as Botbot.AI does not use on-prem servers. The service will be deployed on Microsoft Azure.
5. Change & Patch Management
A formal change control process - YES
Vendor Vulnerability and Change Management, Virtualisation, Risk Assessment, Penetration Test and Monitoring
3.1 Threat and Vulnerability Assessment
3.1.2. A Threat and Vulnerability Risk Assessment is done to ascertain the security and robustness of the CSP's physical, logical, information, data, processing, security and capability -
The first round of VA was conducted on 2 August 2018.
3.1.1. A physical Threat and Vulnerability Risk Assessment (TVRA) - NO
Fully cloud deployment; data centre related analysis has to be conducted against Azure.
3.1.3. A vulnerability remediation flow and process available for known vulnerabilities - YES
Vulnerabilities are assessed by the in-house security team; should a patch be required, a senior management level person approves it and the patch is applied.
3.1.4. A process or framework in place to address current or zero-day security vulnerabilities - NO
The service is hosted on MS Azure. Azure's security policies are indicated here -
3.2. Security Incident & Event Monitoring (SIEM)
3.2.1. Cloud SIEM monitoring is in place for physical and logical compromise of such arrangement
The following actions are logged and can be monitored:
account access changes
intent management updates
use of privileges
SIM is not conducted, as no critical private information is stored on the chatbot.
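The three event types listed above, together with the statements in 5.3 (all access is logged) and the Control Organizations item on violations being logged, monitored and reviewed, are what a review script would consume. The following is an added example of such a review and is not the vendor's code: the log line format, the action names, the role table and the sample lines are constructed for illustration. It encodes the page's own access rule (administrators may do everything, power users only what their clearance allows) and flags privilege use outside the actor's role, self-granted or non-administrator role changes, and privilege use shortly after such a suspect change.

```python
"""Review script over audit-log lines of the kinds listed above.

Added example, not the vendor's code. The log format, the actions, the
role table and the sample lines are all constructed for illustration.
It applies the page's own rule (administrators may do everything, power
users only what their clearance allows) and flags lines that break it.
"""
import re
from datetime import datetime, timedelta

# Constructed sample lines: timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2018-08-02T10:15:01Z actor=admin.ong event=account_access_change target=user.tan role=power_user
2018-08-02T10:16:45Z actor=user.tan event=privilege_use action=edit_intents
2018-08-02T10:17:02Z actor=user.tan event=privilege_use action=export_chat_history
2018-08-02T10:20:10Z actor=user.tan event=account_access_change target=user.tan role=administrator
2018-08-02T10:21:00Z actor=user.tan event=privilege_use action=export_chat_history
2018-08-02T11:05:33Z actor=admin.ong event=intent_management_update intent=balance_enquiry
"""

INITIAL_ROLES = {"admin.ong": "administrator"}          # assumed starting state
# Actions a power user may perform (assumed); administrators may do all.
POWER_USER_ACTIONS = {"edit_intents", "view_analytics"}
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.+)$")


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = dict(pair.split("=", 1) for pair in m.group("kv").split())
    event["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return event


def review(log_text, initial_roles, grant_window=timedelta(minutes=15)):
    """Replay the log, tracking who holds which role, and return findings
    as (timestamp, rule, detail) tuples."""
    roles = dict(initial_roles)
    suspect_grants = {}   # target -> (ts, actor) for grants not made by an admin
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, actor, kind = ev["ts"], ev["actor"], ev["event"]
        if kind == "account_access_change":
            target, role = ev["target"], ev["role"]
            if actor == target:
                findings.append((ts, "self-granted role", f"{actor} -> {role}"))
            if roles.get(actor) != "administrator":
                findings.append((ts, "access change by non-administrator",
                                 f"{actor} set {target} to {role}"))
                suspect_grants[target] = (ts, actor)
            roles[target] = role
        elif kind == "privilege_use":
            role, action = roles.get(actor), ev["action"]
            if role != "administrator" and action not in (
                    POWER_USER_ACTIONS if role == "power_user" else set()):
                findings.append((ts, "privilege use outside role",
                                 f"{actor} ({role}) {action}"))
            grant = suspect_grants.get(actor)
            if grant and ts - grant[0] <= grant_window:
                elapsed = int((ts - grant[0]).total_seconds())
                findings.append((ts, "privilege use after suspect role change",
                                 f"{actor} used {action} {elapsed}s after grant by {grant[1]}"))
        elif kind == "intent_management_update":
            if roles.get(actor) not in ("administrator", "power_user"):
                findings.append((ts, "intent update by unprivileged account",
                                 f"{actor} changed {ev['intent']}"))
    return findings


def run_review():
    return review(SAMPLE_LOG, INITIAL_ROLES)


if __name__ == "__main__":
    for ts, rule, detail in run_review():
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {rule:40}  {detail}")
```

Replaying role changes in order matters: the last sample line of privilege use is by an account that is an administrator by then, so a role check alone passes it; only correlating it with the self-grant a minute earlier surfaces it.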
3.2.2. A Security Incident Response Plan (IRP) - YES
For the software, 2359 Media provides an incident reporting platform for incident logging. Depending on severity level, the response times are 2 hours, 24 hours and 4 days. Details are documented in the attached "Enterprise Incident Response Process" document.
3.3. Vulnerability Assessment Penetration Test (VAPT) , Virtualised Environment Security
3.3.1. Vulnerability Assessment Penetration Test (VAPT) - YES
VAPT is conducted by Nova Systems
3.3.2 Virtualised Environment Security
Yes. Our principle is always to "assume breach".
With this in mind, we have a Microsoft Red Teaming strategy, where specific groups of security personnel run penetration and vulnerability tests against each other professionally. Rest assured we do not do it on customers' subscriptions. Any findings are thereafter patched.
3.4. Vendor Change Management (CM)
Azure is a Microsoft product, and it is Microsoft's SLA to ensure data is not compromised due to changes. Detailed information about their process is not in the public domain; however, an organisation like Microsoft plays a pivotal role in defining as well as following industry standards.
CSP Incident Management, Outsourcing and Environmental Scanning
1.1. Cloud Incident Management - NO
1.2. Emerging Threat Detection Capability (Environmental Scanning) - YES
For Microsoft Azure, we have a Cybercrime Center which monitors threats constantly, 24/7. A key instance was our immediate patching response to Intel's CPU vulnerability disclosure.
Microsoft also provides anti-virus and anti-malware service for Azure subscribers as documented here -
User Access Control Management, Segregation of Duties and Corporate Governance Framework
4.1. User Access Control
4.1.1. A procedure to secure user IDs and access credentials at the CSP provision level - YES
4.1.2. Technology and standards utilised to ensure User Access Control - YES
4.1.3. Privileged access management control - Yes
(Access Matrix attached as "Dashboard Access Matrix.xlsx")
Azure AD is used for authentication and access control. Only administrators have the right to access all systems; power users have limited access rights depending on their security clearance level.
4.1.4. Device access control
The current service is device agnostic. Data protection:
In transit - protected by SSL
Stored - protected by TDE in SQL Server (details here:
In chat - controlled by Facebook policies
4.2. Segregation of Duties and Governance Framework - YES
An experienced senior internal engineering team, led by the VP of Engineering, is responsible for managing the cloud service effectively.
Cloud Environment Resiliency
Anti-DDoS / Web Application Firewall (WAF)
6.1.1. An Anti-DDoS feature in place to secure clients' service/data on the cloud by the CSP - YES
Cloudflare is used; refer to
6.1.2. A Web Application Firewall (WAF) feature in place by the CSP for clients - YES
Please refer to
Information about the firewall -
6.1.3. An Anti-Defacement feature in place by the CSP for clients - NO
Currently not in scope of work; in the roadmap for 2019.
Cloud Security Software Assurance:
Cloud Software Development Lifecycle and Code Review - YES: 2359 Media has an internal review process.