Key Corporate Policies

Last Updated: 08/17/2021
Effective: 09/17/2021
Last Reviewed: 8/17/2021

Although Sycorr does not provide details of our key policies for public consumption, this notice outlines vital aspects of policy and guidelines approved to be distributed publicly. As a matter of standard business practice, Sycorr has the following policies in place, with key elements of each policy highlighted below. All policies are reviewed, at minimum, on an annual basis. The executive team is responsible for verifying compliance with all policies.

  • Disaster Recovery/Business Continuity
    • All critical internal systems and processes have a recovery time objective (RTO) and recovery point objective (RPO) of one business day.
    • Non-critical systems and processes have a maximum RTO of five business days and RPO of one business day.
    • Communication, succession, equipment replacement, criticality of service, data breach, and other key elements are contained within the policy, guidance, or plans.
    • Any client systems (SaaS) will have RTOs/RPOs outlined within their specific Agreement(s).
  • Backup Policy
    • All production systems, servers, and workstations must have an offsite & encrypted backup that meets the minimum of a one business day RPO.
  • General Use Policies & Guidance
    • General use, ownership, email, social media, software installation, third-party library use, and other acceptable use are contained within policy, guidance, legal agreements, or team member handbooks.
  • Internal System Security, Encryption, and Practices
    • Password, clean desk, anti-malware, patch management, network, and remote access are contained within policy, guidance, or best practices.
    • Policies, procedures, and tools are in place to prevent, detect, and eliminate cyber threats. 
    • All mobile workstations must have full disk encryption.
    • Any “sensitive” marked data must be encrypted in transit or at rest within Sycorr products or internal systems.
    • Vendor review practices for all third-party tools or systems.
  • Confidentiality, Non-Disclosure, & Privacy
    • Confidentiality and privacy of Sycorr clients is held to a high standard due to the nature of working closely with financial institutions.
    • All team members review and are trained in best practices at initial hire and through remedial training.
    • All client data marked “confidential” or “sensitive” will only be used for the required purpose and immediately removed from Sycorr’s systems after it is no longer required.
  • Client Security Notices
    • In the event of a successful security breach or cyber incident, Sycorr will notify clients within 24 hours.
    • In the event of a confirmed vulnerability within a Sycorr product, Sycorr will notify clients within 24 hours.
  • Development Security
    • Sycorr takes the security of our products seriously with our internal engineering policies and guidance aligning to current best practices, including but not limited to:
      • weekly penetration testing of all current/supported versions of products; 
      • scanning of all third-party libraries for open CVEs;
      • review of MITRE and OWASP top CWE definitions per release;
      • review and gating (approval) of third-party and internal libraries before they are allowed for use in products;
      • peer review of code;
      • the publication of all third-party libraries, including version, used within our products;
      • and security training for development staff.

For further questions regarding Sycorr policies, please email compliance@sycorr.com, submit a ticket via our support channels, or reach out via our contact page.
