Enable maintains an Information Security Management System (or “Enable ISMS”) that defines Enable policies, standards, guidelines, and procedures as part of Enable’s documented information security program, covering the management of information security for the Subscription Services and all related Enable internal operations. Enable ISMS is designed to:
• Establish directives and principles for action regarding information security;
• Document and maintain compliance with statutory, regulatory, and contractual requirements, including but not limited to: SOC 1, SOC 2, GDPR, ISO 9001 and ISO 27001; and
• Monitor, evaluate and adjust, as appropriate, considering relevant changes in technology, threats to Enable or to Customer data and security and privacy regulations applicable to Enable.
This Exhibit describes the current policies, standards, guidelines, and procedures under Enable ISMS. Enable may update or enhance the ISMS and this Exhibit at its discretion to reflect ongoing changes in law, regulation, or industry best practice, provided that there will be no material impact on the level of security described herein.
Risk Management. Enable ISMS operates a risk management program under which Enable conducts regular risk assessments at the enterprise, customer and change level intended to anticipate threats to the security of customer data using qualitative and quantitative measures. The risks will be reviewed and updated in line with a documented schedule and expanded on as the business grows.
Change Management. Enable ISMS comprises a change management program to govern all changes to Enable production Subscription Service systems, applications, and databases, including (i) documentation, testing, and approval of all changes; (ii) security assessments of all changes prior to deployment into production; and (iii) security patching in a timely manner based on risk analysis. In addition, Enable will require all changes to Customer production environments to be documented on an approved change request prior to deployment.
Testing. At least annually, Enable reviews, audits and tests key controls, systems, and procedures of Enable ISMS to validate that they are properly implemented and effective in addressing identified threats and risks. Non-conformities are documented centrally and discussed during regular management reviews.
Asset Management. Enable ISMS retains an asset management program for all Enable assets. Each asset is identified, tagged, and registered by Enable in an asset inventory before it can be used for any business activity related to the Subscription Service. Enable classifies and labels each asset based on relevant criteria.
Business Continuity & Disaster Recovery. Enable ISMS maintains a business continuity framework designed to mitigate the risk of single points of failure and provide a resilient environment to support Subscription Service continuity and performance. Enable administers comprehensive plans for crisis management and communication, supply chain management and individualized department action strategies designed to prevent interruption of critical business functions. Enable maintains formal disaster recovery plans and cyber security incident response procedures designed to minimize disruption to critical business operations and customer systems. Enable maintains production and disaster recovery environments to support failover procedures and redundancy requirements, as well as proactive protection and detection methods designed to limit damage from disaster events.
Incident Response. Enable ISMS operates a security incident response plan to be followed in the event of any unauthorized exposure, corruption, or loss of Customer Data (each a “Security Incident”). The Security Incident response plan defines personnel roles and responsibilities, as well as procedures related to Security Incident identification, containment, investigation, communication, forensic analysis, recovery and remediation, documentation, and reporting. If Enable verifies that any Customer data is impacted by a confirmed Security Incident, Enable will notify the affected Customer without undue delay to the extent permitted by law.
B. Certifications & Audits
The Enable ISMS governance controls are designed to align to the ISO 27001 framework as well as the Trust Services Criteria of SOC 1 and SOC 2. Enable maintains an internal audit program and requires annual independent third-party assessments for continued certification purposes. An independent third party will audit the Subscription Services annually for compliance with the following standards (or their successor equivalents):
• SOC 1 Type II;
• SOC 2 Type II;
• ISO 9001; and
• ISO 27001.
Enable will provide an active Customer, upon request, with a copy of the relevant ISO certificate or SOC Report.
Enable conducts internal audits designed to monitor Enable ISMS compliance on an ongoing basis. Enable will review and modify internal audit controls using a risk-based approach that assesses the impact of changes in legislation, regulations, certification standards, internal audit findings, observations and industry best practices.
C. Personnel
Confidentiality & Ethics. Enable will require all Enable employees to
(i) sign a confidentiality agreement as a condition of employment, and
(ii) annually confirm compliance with all relevant laws, regulations, corporate policies, and industry best practices for ethical corporate interactions by signing the Enable Code of Business Conduct and Ethics within the employment terms and conditions. Enable ISMS requires contractors with access to Enable systems or Customer data to be subject to the same confidentiality and ethical obligations as those required of Enable employees.
Training. Enable ISMS conducts mandatory security awareness and training programs for all Enable personnel at induction with tailored training sessions on a quarterly basis, specifically designed to promote a culture of security awareness. Enable provides additional role-based security training to Enable personnel as appropriate. Enable trains employees who have access to sensitive data in relevant laws and regulations. Enable ISMS requires contractors with access to Enable systems or customer data to complete the same security awareness training and commitment to Enable information security policies as those required for Enable employees.