We proactively compiled answers to top questions about Visier to help you get a better sense of our practices. Please also visit the various pages within Visier’s Trust site to learn about our approach to security, privacy, and compliance at an organizational, platform, and operational level.
Governance and Audit
What standards and frameworks are Visier policies and procedures based on?
Visier policies, practices and internal controls are generally based on standards and frameworks including:
- ISO/IEC 27001; ISO/IEC 27002; ISO/IEC 27005; ISO/IEC 31000
- ITIL and COBIT frameworks
- Relevant publications from the United States National Institute of Standards and Technology (NIST)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- EU General Data Protection Regulation (GDPR)
- EU–U.S. and Swiss–U.S. Privacy Shield Frameworks
Does Visier provide a SOC 2 report?
Visier provides its customers with a SOC 2 Type II audit report upon request each year.
Does Visier provide a SOC 1 report?
Presently, Visier does not intend to pursue a SOC 1 report, as the data it accepts from its customers as part of the service does not contain financial information and would not have any impact on our customers' financial reporting.
Per AICPA, “SOC 1 reports are specifically intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities’ financial statements.”
For further information, please visit the AICPA website at: https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/users.html
Are corporate policies reviewed and approved at least annually?
Security Organization and Risk Management
Does Visier have an Information Security team that is formally responsible for information security?
Is there a documented Information Security Policy?
Does Visier have a Governance, Risk, and Compliance (GRC) team?
Does Visier have a Risk Management Program which includes Third Party Risk Management?
Does Visier make its sub-service organizations’ SOC reports available?
To request the SOC reports of Visier’s sub-processors, please visit their respective websites. A list of Visier’s sub-processors can be found here: https://www.visier.com/trust/privacy/
Does Visier perform background checks of its employees?
Does Visier support the principle of segregation of duties (SoD) and least privilege?
Is access to key resources reviewed periodically?
Does Visier manage privileged access to key resources?
What identity providers (IdP) are supported? Do Visier solutions support strong authentication mechanisms such as digital certificates, smart cards, and SecurID?
Visier fully supports SSO using IdP-initiated logins via Security Assertion Markup Language (SAML) 2.0 compliant solutions, including Microsoft ADFS, Ping Identity, Okta, CA SiteMinder, and IBM Tivoli Access Manager. Visier will work with customers using other SAML 2.0 solutions to ensure authenticated sessions can be properly established.
Is access to sensitive data restricted?
Is user access logged?
Is customer data stored locally on end-user devices?
No. Customer data is always stored within Visier’s secure data centers.
Are development, test and production environments and networks sufficiently segregated?
Is data encrypted in transit and at rest?
Is one’s data logically segregated from another’s?
Does Visier have a data retention policy?
Is customer data securely destroyed?
Where can someone find further information on Visier’s Privacy and Data Protection Program?
More information on Visier’s Privacy and Data Protection Program can be found at: https://www.visier.com/trust/privacy/
Does Visier have a Physical Security Policy?
Are there physical security controls to effectively protect customer data?
Does Visier have an Asset Management Policy and Program?
Does Visier have a Threat and Vulnerability Management Program?
Are vulnerability scans performed?
Does Visier use cyber threat intelligence to identify, assess, and manage threats?
Does Visier have a patch management policy and process?
Are customers allowed to perform their own web application penetration testing?
Yes. Visier allows its customers to perform web application penetration tests per contractual agreements, and up to two times per year. Such testing is subject to mutual agreement of scope and timelines between Visier and the customer.
Does Visier harden its systems (including operating systems, applications, and databases)?
Secure Application Development
What methodology is used for software development?
Visier uses the Agile software development methodology as part of its Software Development Lifecycle (SDLC).
Is Segregation of Duties (SoD) enforced for developing, testing and deploying code?
Are developers trained on secure coding?
Does Visier have an Incident Response Program?
When does Visier notify customers about incidents which impact them?
In the event of a confirmed incident involving customer data, designated contacts at the affected customer organizations are notified within the timelines stipulated in the Customer Data Safeguards Policy.
How can I report a security issue to Visier?
To report a security issue to Visier’s IS team, please contact email@example.com.
Business Continuity and System Resiliency
Does Visier have a Business Continuity Policy?
Does Visier have a Disaster Recovery Plan?
Where can I find more information about Visier’s response to security incidents?
Please check the Alerts and Advisories page on Visier’s Trust Services site. The site is updated as required, as Visier continues to monitor changes in the global landscape.
How can customers check the current uptime status of the Visier solution?
Customers can check the uptime status of all Visier solutions at https://status.visier.com.