===== Organizational Authority & Governance =====

==== Control Satisfaction Matrix ====

^ Standard ^ Category ^ Controls Satisfied ^ 800-53r4 Controls ^ ISO/IEC 27001 ^ Audit Controls ^
| NIST 800-171 | Governance | N/A | N/A | N/A | |

=== Major Document History ===

^ Date ^ Comment ^ Who ^
| 5/1/2019 | Initial Doc | Tharp |
| 8/13/2019 | Satisfaction Matrix | Tharp |
| 8/29/2019 | Copied Content For IS-1 SOC submission | Tharp |
| 10/6/2021 | Policies Reviewed for Audit | Tharp |

----

==== Business Structure ====

**DLZP Group** is a Limited Liability Company headquartered in Richmond, TX.

==== Integrity & Ethics ====

The Directors and Executives of DLZP Group aspire to and demonstrate standards of ethics and integrity consistent with professional norms in American business environments. Chief among these standards is a commitment to honesty in interactions with and among managers, directors, employees, contractors, and our valued customers.

=== Business Segment ===

DLZP Group is a for-profit company that provides Software Development, Cloud Hosting, Migrations and PeopleSoft ERP Solutions Support as its principal businesses. We also provide Specialty Consulting and Security Services.

We are responsible for hosting or caring for other entities' data systems and data. Therefore, we must maintain the highest standards of IT and Data Governance to protect entity data assets from both internal and external data corruption or breaches within our domain of control. Accordingly, we have implemented internal processes and practices across our functional teams (Fig. 1, Table 1) and business delivery processes (Fig. 3).

==== Functional Organization Alignment ====

=== FIG 1 ===

{{:corpgov:functionalorg-800-171.png?800|}}

=== Management Objectives ===

Work is distributed to each division via Objectives set by the respective division lead, in collaboration with our President.

=== Corporate Non-Technical ===

Provides back-office and sales support for DLZP Group. Our Human Resources team is responsible for the vetting of full-time employees and contractors.

=== Security - CISO ===

Provides foundational security policies and processes, tracks vulnerabilities and is a vital part of any necessary security response. This team also provides consulting and other special security services to our clients.

=== Operations ===

Provides day-to-day oversight, management and maintenance of our client-hosted cloud environments as well as the data systems DLZP Group maintains to support its business.

=== Engineering ===

Provides the design, build, and implementation services for all new client environments. DLZP Cloud solutions are built with code; this team ensures that security practices and configurations are built into our solutions.

=== Audit Control ===

DLZP uses AWS best practices, peer review and testing, and implements the appropriate security monitoring and management services to ensure control of our implementations. Third-party auditors will be hired to validate the strength of our processes.

==== Authority and Accountability ====

DLZP Group chooses to use the NIST 800-53 rev. 4 framework as its reference to validate and improve our internal processes. This framework is required for the management of all Federal information systems, and it is becoming the de facto standard that most non-federal public entities as well as many private businesses use as their security framework. Our Security Team has done an extensive review of that framework and aligned the controls within the various NIST Control Families to our functional organization. Our President then holds our functional team owners accountable for ensuring compliance with the controls mapped to their organizations.

Security is crucial to maintaining our integrity as well as customer trust. Therefore, team members are encouraged and expected to raise any security red flag they observe. Those changes would then be documented and tracked via a task or incident in our Zoho Project system, specifically in the DLZP Internal - Admin Project.

=== Table 1 - Compliance Framework Mapping ===

^ Division ^ SECURITY REQUIREMENTS ^
| Operations | 3.1 ACCESS CONTROL |
| Security | 3.2 AWARENESS AND TRAINING |
| Audit Control | 3.3 AUDIT AND ACCOUNTABILITY |
| Operations | 3.4 CONFIGURATION MANAGEMENT |
| Engineering | 3.5 IDENTIFICATION AND AUTHENTICATION |
| Operations | 3.6 INCIDENT RESPONSE |
| Operations | 3.7 MAINTENANCE |
| Corporate | 3.8 MEDIA PROTECTION |
| Corporate | 3.9 PERSONNEL SECURITY (see HR Policies) |
| Corporate | 3.10 PHYSICAL PROTECTION |
| Security | 3.11 RISK ASSESSMENT |
| Security | 3.12 SECURITY ASSESSMENT |
| Engineering | 3.13 SYSTEM AND COMMUNICATIONS PROTECTION |
| Engineering | 3.14 SYSTEM AND INFORMATION INTEGRITY |

As we drill deeper into the actual NIST controls, we parse them further into policies, infrastructure controls, configuration items and logging/monitoring.

  * Policies – address Organizational Standards and Processes based on Industry Accountability Norms
  * Infrastructure Controls – are broad standards and/or tools that manage the technology environment
  * Configuration Items – are applied at the system and application level
  * Logging/Monitoring – builds in control and provides the metadata to maintain standards compliance

By examining these additional sub-groups we are able to build cogent and precise patterns to align our business and security processes and methods to the NIST Framework, as well as the software code used to build cloud environments, whether for internal use or for application hosting services for our clients.

==== Delivery of Services ====

=== Fig 3 ===

{{:corpgov:pasted:20190418-162658.png?600}}