Cyber Security FAQ
Overview
This document provides answers to the most frequently asked questions regarding our Cyber Security policies, practices and certifications. It is intended to help clients and stakeholders understand how Skills Workflow ensures the confidentiality, integrity and availability of its systems and client data.
Certifications and Compliance
- Does Skills Workflow hold third-party certifications such as ISO 27001 or SOC 2?
  Yes. Skills Workflow holds third-party security certifications. Copies of current certificates and attestation reports are available on request from our compliance team (see Additional Questions below).
- Are there security audits or penetration tests?
  Yes. An independent third party performs penetration testing annually, and we run static code analysis on a regular basis.
- Do you follow a formal SDLC with security reviews?
  Yes. Security is integrated throughout our SDLC, including secure code reviews and remediation of identified vulnerabilities before deployment to production.
Data Protection
- Is client data used in development or testing environments?
  No. Client data is never used outside the production environment.
- Are development, test and production environments segregated?
  Yes. We maintain strict separation between development, test and production environments to reduce risk and ensure stability.
- Is data at rest encrypted?
  Yes. Data at rest is stored on Microsoft Azure, where database storage is protected with Transparent Data Encryption (TDE). TDE encrypts the database files, transaction logs and database backups at the storage level, so the underlying files cannot be read without access to the encryption key.
- Is data in transit encrypted?
  Yes. All data in transit is encrypted using HTTPS with TLS 1.3.
- Is client data logically separated from other clients' data?
  Yes. Each client's data is logically segregated from that of other clients to ensure privacy and isolation.
- Are backups encrypted and securely managed?
  Yes. Backups are encrypted and managed by Microsoft Azure in accordance with its compliance and security standards.
Access Control
- Are user access rights reviewed periodically?
  Yes. Access rights are reviewed regularly and adjusted according to role and business need.
- Is there a password policy enforced across systems?
  Yes. Our password policy defines minimum complexity, expiration and reset requirements and is enforced across our systems.
Employee Awareness & HR Policies
- Are employees required to attend security awareness training?
  Yes. All employees complete security onboarding and attend periodic training sessions.
- Are HR policies reviewed and approved by management?
  Yes. HR policies are maintained, reviewed and approved at multiple levels, including HR, department heads and executive leadership.
- Are background checks part of the hiring process?
  Yes. All new hires undergo screening as part of the recruitment process.
Secure Development
- Are applications reviewed from a security perspective before release?
  Yes. Every release passes through the security review checkpoints defined in our SDLC.
- Is secure coding practiced and verified?
  Yes. Secure coding is verified through static code analysis and secure code reviews.
- What happens if vulnerabilities are found before deployment?
  Any vulnerability rated high or critical blocks promotion to production until it has been resolved.
- Are infrastructure and OS updates managed internally?
  No. Infrastructure and operating system updates are managed by Microsoft Azure as part of the hosting platform. Clients configure their own features within the application.
Policies and Governance
- Do you have an asset management policy?
  Yes. All employee equipment and assets are tracked and governed by internal policy.
- Is information classified based on sensitivity or regulatory requirements?
  Yes. Internal documentation follows a tiered classification model. Clients are responsible for classifying their own data within the system.
- Are there formal change management controls?
  Yes. All changes to the codebase follow a documented change control process. Client-side configurations are managed by each client independently.
Additional Questions?
If your organization requires a custom security questionnaire, specific policy documents or third-party attestations, please contact our compliance team at security@skillsworkflow.com.