Organization and Scope
- Which HARVARD BUSINESS IMPACT Enterprise products and services are covered by this questionnaire? Harvard ManageMentor, HBR Spark, HBP Collection, and Harvard Business Impact Enterprise Cohort Programs.
Security Governance and Risk
- Does HARVARD BUSINESS IMPACT maintain a documented information security program? Yes
- Is there an executive or designated role accountable for information security? Yes
- Are information security policies formally approved and reviewed on a regular basis? Yes
- Does HARVARD BUSINESS IMPACT conduct formal information security risk assessments? Yes
- Are third-party and vendor security risks assessed as part of the risk management process? Yes
Cloud Hosting and Architecture
- Which cloud service providers host HARVARD BUSINESS IMPACT Enterprise services? Solutions developed by HBI leverage AWS to host our web applications. We partner with D2L to leverage their Brightspace platform to deliver our Cohorts. D2L’s Brightspace is also hosted in AWS.
- Are customer environments logically segregated in the cloud? Yes
- Are production and non-production environments separated? Yes
- Is access to cloud infrastructure restricted to authorized personnel only? Yes
Data Protection and Privacy
- Does HARVARD BUSINESS IMPACT maintain a formal data classification standard? Yes
- What categories of customer data are processed by HARVARD BUSINESS IMPACT Enterprise services? Personally Identifiable Information and Personal Information are recommended; however, the customer, as the data controller, has the authority over what and how much data is provided.
- Is customer data encrypted at rest? Yes
- Is customer data encrypted in transit? Yes
- Are encryption standards and key management practices defined and documented? Yes
Data Residency and Location
- In which geographic regions is customer data stored and processed? The AWS US-East-1 region, with AWS RDS backups in the AWS US-East-2 region.
- Does HARVARD BUSINESS IMPACT support EU-based or region-specific data hosting options? In the near future, we will offer HBR Spark customers the option to store PII in our EU datacenter; however, PI and web application infrastructure will remain in our US datacenter. Additionally, customer user profile data may be written to logs to support operations by information security and application development for troubleshooting, maintenance, and cybersecurity. These logs must be stored within the HBP logging environment in the US and may not be copied outside of that environment.
- Are access and support controls aligned with applicable data residency requirements? No
Identity and Access Management
- Are role-based access controls enforced for systems handling customer data? Yes
- Is multi-factor authentication required for administrative access? Yes
- Are user access rights reviewed periodically? Yes
Monitoring, Logging, and Vulnerability Management
- Are security-relevant events logged in cloud environments? Yes
- Does HARVARD BUSINESS IMPACT monitor systems for suspicious or anomalous activity? Yes
- Is there a formal vulnerability management program in place? Yes
Secure Development
- Does HARVARD BUSINESS IMPACT follow secure software development lifecycle (SDLC) practices? Yes
- Are security reviews or testing performed before releasing changes to production? Yes
Incident Response and Resilience
- Does HARVARD BUSINESS IMPACT maintain a documented incident response plan? Yes
- Are customers notified of security incidents in accordance with contractual or regulatory requirements? Yes
- Are backups performed for systems containing customer data? Yes
- Are business continuity (BCP) and disaster recovery plans (DRP) maintained? Yes
Third Parties and Compliance
- Are vendors and subprocessors subject to security due diligence? Yes
- Are independent security audits or assessments conducted? Yes
Data Retention and Customer Responsibilities
- Does HARVARD BUSINESS IMPACT maintain documented data retention and deletion policies? Yes
- Are customers responsible for managing user access within the HARVARD BUSINESS IMPACT platform? No