
Baseline Security Standards

The ISOutsource Baseline Security Standards define the minimum cybersecurity requirements that must be in place for ISOutsource to provide services safely, responsibly, and in a manner that supports Client’s business operations.

These standards exist to reduce the likelihood and potential impact of security incidents that can disrupt business operations, result in data loss, create regulatory or legal exposure, damage reputation, and lead to financial loss. While no information security program, cybersecurity control, or technology platform can eliminate all risk, maintaining these baseline standards provides a foundational layer of protection and supports a broader, defense-in-depth approach to security.

These standards represent a baseline level of security. They are not aspirational, optional, or dependent on organizational size or technical maturity. When these requirements are not met, the risk introduced may make it impracticable, imprudent, or unreasonable for ISOutsource to continue providing services.

  1. Identity and Access Management

    Clients must maintain the following access controls:

    • Unique user accounts for all users. Shared user accounts are not permitted.
    • Multi-factor authentication enabled for:
      • Remote access
      • Cloud services
      • Administrative and privileged accounts
    • Separate accounts for administrative access. Day-to-day user accounts must not be used for Domain Admin, Global Administrator, or equivalent privileged access
    • Access removed promptly when a user no longer requires it due to termination or role change
  2. Endpoint and Server Protection
    All endpoints and servers must meet the following requirements:

    • Endpoint Detection and Response software installed and active on all supported endpoints and servers
    • Operating systems and software must be vendor-supported and not end-of-life
    • Administrative privileges restricted to authorized accounts only
    • Security controls must not be intentionally disabled or bypassed
  3. Patch and Vulnerability Management
    Clients must:

    • Apply security patches and updates for operating systems, applications, and firmware in a timely manner
    • Remediate known critical vulnerabilities that materially increase the risk of compromise
    • Not knowingly operate systems with unmitigated critical security vulnerabilities
  4. Network and Remote Access Security
    Clients must maintain:

    • Firewall protection or equivalent network security controls
    • Secure remote access using encrypted connections
    • Wireless networks secured using modern encryption standards
  5. Logging, Monitoring, and Incident Notification
    Clients must ensure that:

    • Monitoring is enabled on all production systems within the scope of services
    • Security-related events are logged in a manner appropriate to the system
    • ISOutsource is notified within twenty-four (24) hours of suspected or confirmed security incidents that may impact systems supported or managed by ISOutsource
  6. Acceptable Use and Security Safeguards
    Clients must not:

    • Disable or interfere with security controls required to meet these standards
    • Use systems for unlawful, malicious, or abusive activity
    • Introduce unmanaged or unauthorized systems into environments supported by ISOutsource
  7. Enforcement and Partnership

    ISOutsource understands that, from time to time, business, technical, or operational constraints may require temporary deviations from these Baseline Security Standards.

    When a deviation is necessary, Client is required to engage with ISOutsource to document the deviation, outline the associated risk, and define a reasonable path forward. Transparency and collaboration are required. Unilateral decisions to ignore or bypass these standards are not acceptable.

    ISOutsource’s role is not only to enforce minimum requirements, but to help Clients meet and exceed them. ISOutsource can assist by designing and implementing security programs, updating systems and platforms, and building practical security controls that meet these Baseline Security Standards while supporting day-to-day business operations.

    ISOutsource recognizes that effective security requires balance. Security controls should reduce risk without unnecessarily hindering usability or productivity. ISOutsource works with Clients to achieve this balance and promote a security-first approach that is both practical and sustainable.

    Persistent failure to engage, document deviations, or remediate material security deficiencies may result in ISOutsource determining that continued service is impracticable, imprudent, or unreasonable, resulting in ISOutsource suspending and/or terminating services with Client at the sole discretion of ISOutsource.