CPM Educational Program Security Portal

Overview

CPM guards the security and integrity of its network infrastructure to protect the company and its clients' sensitive data. As a result, CPM has earned a reputation for providing a trusted environment for customer information. The following items are the high-level components of CPM's governance, risk, compliance, and security program.


CPM has established a management framework to control the implementation of information security within the organization. CPM's Chief Technology Officer (CTO) is fully accountable for protecting CPM information and provides strategic oversight of the internal IT Security Operations, IT Security Risk Management, and Business Continuity Planning functions.

Risk Management

Vendor Management Review

CPM periodically evaluates its compliance with security standards by conducting security risk assessments.


Subcontractors do not have access to customer data, with the exception of AWS, whose security processes are described in the AWS SOC 2 report.

Approved Risk Management Program

Risks are identified, quantified, prioritized, and treated to an acceptable level.


CPM conducts a documented assessment of security controls at least annually. The assessment is conducted to determine the extent to which controls are implemented correctly, operating as intended, and producing the desired outcome. Technical and non-technical evaluations are also conducted periodically to identify any new risks or to determine the effectiveness of the Security Policies and Procedures.

Solution Security

Data Encrypted in Transit

All data transmitted and received by the CPM platform is encrypted in transit using TLS 1.2.

Customer Data Removal

Customer data is removed from CPM systems as per contract.

Data Encrypted at Rest

CPM configures all systems housing customer data to encrypt data at rest. Data is encrypted using the AES-256 algorithm, with encryption keys managed by a key management solution.

Threat Management

Penetration Testing

Penetration testing is performed annually.

Vulnerability Management Process

Vulnerabilities that are discovered via monthly scans are patched according to criticality.

Privacy

Personally Identifiable Information (PII)

Our product collects the minimal set of information needed to set up user accounts for the CPM suite of products, and for potential customers who request information about our security program. We will never sell or share your information.

Protected Health Information (PHI)

CPM does not collect Protected Health Information.

Network Security

Intrusion Detection

The CPM team uses an industry-leading intrusion detection, intrusion prevention, and EDR solution on all endpoint devices.

Intrusion Prevention

The CPM team uses an industry-leading intrusion detection, intrusion prevention, and EDR solution on all endpoint devices.

Network Device Hardening

CPM uses private AWS subnets and restrictive Security Groups, both internally and externally, so that systems cannot communicate with unintended systems.
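The check a reviewer of this control would want to run, as an added example that is not CPM's own code: it reads Security Group ingress rules in the JSON shape returned by `aws ec2 describe-security-groups` (the groups, IDs, and CIDRs below are constructed, not CPM's configuration) and flags any rule reachable from the whole internet on anything other than HTTPS, and any rule that allows every protocol. Rules whose source is another Security Group, which is the private-subnet chaining pattern the section describes, pass.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs and CIDRs are hypothetical.
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d4e5f60001",
        "GroupName": "web-alb",
        "IpPermissions": [
            # HTTPS from anywhere: the one service intended to be public.
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
             "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0a1b2c3d4e5f60002",
        "GroupName": "app-servers",
        "IpPermissions": [
            # App port only from the load balancer's group: the intended pattern.
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]},
            # SSH from the internet: a misconfiguration the audit should catch.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0a1b2c3d4e5f60003",
        "GroupName": "database",
        "IpPermissions": [
            # All protocols from the whole private range: too broad for a database tier.
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
]

# Ports that may legitimately be open to the internet (assumption for this example).
PUBLIC_ALLOWED_PORTS = {443}


def _port_range(perm):
    """Return (low, high) for a permission; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_security_groups(groups):
    """Return a list of (group_id, finding_type, detail) for risky ingress rules."""
    findings = []
    for group in groups:
        gid = group["GroupId"]
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            lo, hi = _port_range(perm)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                # A /0 prefix (0.0.0.0/0 or ::/0) means "the whole internet".
                world_open = ipaddress.ip_network(cidr, strict=False).prefixlen == 0
                single_public_port = lo == hi and lo in PUBLIC_ALLOWED_PORTS
                if world_open and not single_public_port:
                    findings.append((gid, "world-open", f"{proto} {lo}-{hi} from {cidr}"))
                elif proto == "-1":
                    findings.append((gid, "all-protocols", f"all traffic from {cidr}"))
            # Source-group references carry no CIDR; they are the intended
            # "only the tier in front of me may talk to me" pattern and are not flagged.
    return findings


if __name__ == "__main__":
    for gid, kind, detail in audit_security_groups(SAMPLE_SECURITY_GROUPS):
        print(f"{gid}: {kind}: {detail}")
```

Run against real output by piping `aws ec2 describe-security-groups --query SecurityGroups` into `audit_security_groups`; the port allow-list and the "all protocols from a private range is too broad" rule are the two judgement calls to tune for a given environment.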

End User Device Security

Mobile Device Management Solution

Customer data is not stored on mobile devices.

Compliance

Internal Compliance Department

CPM complies with legal requirements to avoid breaches of any legal, statutory, regulatory, or contractual obligations, and ensures that its systems comply with organizational security policies and standards.

Business Resiliency

Business Continuity Plan

Business continuity processes have been implemented to counteract interruptions to business activities, to protect critical business processes from the effects of major failures or disasters, and to ensure their timely resumption.

Recovery Time Objective

CPM's recovery time objective is 24 hours.

Recovery Point Objective

CPM's recovery point objective is 24 hours.

Incident Event and Communications Management

Formal Incident Response Plan

CPM's incident response processes ensure that information security events and weaknesses associated with information systems are communicated in a manner that allows timely corrective action to be taken. Event reporting and escalation procedures are in place.

Application Security

Software Development Lifecycle

Code changes undergo internal code review for completeness and security. All team members undergo security training provided by a senior security member of the CPM team.

Patching Schedule

Operating systems are patched automatically when CPM applications are deployed. When out-of-band vulnerabilities are discovered, they are patched according to criticality.

Change Control Documentation

Changes can only be applied to our production environment by select senior members of our engineering team and must be reviewed prior to deployment.

Secure Web Traffic

Access Control

Staff Scoped Data Access

Access to information, information processing facilities, and business processes is controlled based on business and security requirements. Procedures are in place to control the allocation of access rights to information systems and services, including networks, operating systems, applications, and mobile devices.

Physical Security

Physical Security Controls

Physical security measures prevent unauthorized physical access to, damage to, and interference with CPM premises, equipment, and information.

Physical Security Policy

CPM utilizes AWS which provides physical security around their data centers with an overview available here: https://aws.amazon.com/compliance/data-center/controls/

Human Resources

Background Screening

All CPM employees and contractors are required to have a federal and local background check prior to accessing customer data.

Off-boarding Process

When off-boarding an employee, the CPM management team follows an employee dismissal checklist stored in our Human Resources system.

Disciplinary Process

Disciplinary infractions are reviewed by executive management, which decides how the organization should respond as dictated by internal policies.

Employee Agreements

All employees and contractors must agree to an Employee Agreement and a Mutual Non-Disclosure Agreement prior to working with CPM.

Human Resource Policy

CPM addresses staff security:

  • Prior to employment, to ensure that all staff understand their responsibilities and are suitable for their roles, and to reduce the risk of theft, fraud, and/or misuse of facilities and resources.

  • During employment, to ensure that all staff are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support the security policy in the course of their normal work.

  • Post-employment, by ensuring that all staff exit the organization or change employment in an orderly manner.

Asset and Data Management

Asset Management Policy

Assets are accounted for, and information is classified to indicate the need, priority, and expected degree of protection.

Organizational Security

Designated Security Point of Contact

Curtis Fuhriman - Chief Technology Officer - curtisfuhriman@cpm.org

Security Policy

Policy Review Cadence

CPM's information security policies are reviewed and updated on an annual basis.

Information Security Policy

CPM has an internal information security policy that is sponsored and approved by management and published to all employees and contractors.
