Identifying Non-Integrated Tools That May Be In Scope

Consider the following categories when evaluating which non-integrated tools should be included in your audit scope:

Internal Platforms and Applications

Any internally developed platforms or applications that:

Ensure that access rights for internal users, whether administrative or write access, are appropriately managed and documented.

Third-Party Tools and Services

Tools and services that, while not integrated with Secureframe, still interact with customer data or critical systems:

  • Customer-facing platforms managed by your organization.

  • Third-party services with write access to data or configurations.

Determine whether your organization manages access for these tools, and whether the tools themselves can change configurations or access customer data.

Databases and Data Storage

All databases and storage solutions that house customer transaction or master data:

  • Primary databases (e.g., MongoDB, PostgreSQL).

  • Secondary storage (e.g., AWS S3 buckets for file uploads).

  • Data pipelines and ETL tools (e.g., Fivetran, data warehouses).

Ensure that all locations where customer data resides are identified and included in your audit scope.

Infrastructure as Code and Orchestration Tools

Tools that manage your infrastructure and deployment processes:

  • Code repositories holding infrastructure-as-code (e.g., Terraform or Ansible code).

  • Orchestration tools that deploy or manage production environments.

If your infrastructure isn't managed through a secure code repository, conduct and document a review of baseline configurations at least annually.

Best Practices for Managing Non-Integrated Tools

  • Access Management: Ensure that all users with access to non-integrated tools are properly onboarded, with access rights reviewed regularly.

  • Documentation: Maintain clear records of configurations, access logs, and any changes made within these tools.

  • Evidence Collection: Gather and store evidence from non-integrated tools manually, ensuring it meets audit requirements.

  • Regular Reviews: Periodically assess non-integrated tools to ensure they remain compliant with your organization's security policies.
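The access-management and evidence-collection practices above have to be done by hand for a tool Secureframe cannot pull from. The script below is an added example, not Secureframe's code: it reconciles a user export from a hypothetical non-integrated tool against the HR roster, flags the accounts an auditor will ask about (terminated staff, accounts with no named owner, privileged roles, stale logins), and writes a dated evidence record that fingerprints the exact exports reviewed. The tool name, the sample exports, the role names and the 90-day threshold are all assumptions; adjust them to the tool you are reviewing.

```python
"""Manual access review for a non-integrated tool (added example).

Reconciles a user export from the tool against the HR roster, flags the
accounts an auditor will ask about, and writes an evidence record that
fingerprints the exact inputs reviewed.
"""
import csv
import hashlib
import io
import json
from datetime import date

# Constructed sample data (not from the article). TOOL_USER_EXPORT stands in
# for a user list exported by hand from a hypothetical non-integrated tool;
# HR_ROSTER stands in for the HR system's list of current staff.
TOOL_USER_EXPORT = """\
email,role,last_login
alice@example.com,admin,2024-05-02
bob@example.com,write,2024-04-28
carol@example.com,read,2023-11-15
dave@example.com,admin,2024-01-20
svc-deploy@example.com,write,2024-05-01
"""

HR_ROSTER = """\
email,status
alice@example.com,active
bob@example.com,active
carol@example.com,active
dave@example.com,terminated
"""

PRIVILEGED_ROLES = {"admin", "write"}  # roles that can change data or config
STALE_DAYS = 90                         # assumed inactivity threshold


def _rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def review_access(tool_export, hr_roster, as_of):
    """Return one finding per account that needs attention.

    Each finding is {"email", "role", "issues": [(code, detail), ...]}.
    `as_of` is the review date as an ISO string.
    """
    review_date = date.fromisoformat(as_of)
    roster = {r["email"]: r["status"] for r in _rows(hr_roster)}
    findings = []
    for user in _rows(tool_export):
        email, role = user["email"], user["role"]
        idle_days = (review_date - date.fromisoformat(user["last_login"])).days
        issues = []
        status = roster.get(email)
        if status is None:
            # Service or shared accounts are not wrong by themselves, but
            # each needs a named owner and a documented reason to exist.
            issues.append(("NO_OWNER", "not in HR roster; assign an owner"))
        elif status != "active":
            issues.append(("TERMINATED", f"HR status is '{status}'; remove access"))
        if role in PRIVILEGED_ROLES:
            issues.append(("PRIVILEGED", f"'{role}' role needs documented approval"))
        if idle_days > STALE_DAYS:
            issues.append(("STALE", f"no login for {idle_days} days"))
        if issues:
            findings.append({"email": email, "role": role, "issues": issues})
    return findings


def summarize(findings):
    """Count findings by issue code, e.g. {'PRIVILEGED': 4, 'STALE': 2, ...}."""
    counts = {}
    for finding in findings:
        for code, _ in finding["issues"]:
            counts[code] = counts.get(code, 0) + 1
    return counts


def evidence_record(tool_name, reviewer, tool_export, hr_roster, as_of):
    """Build the JSON an auditor can be handed: who reviewed what, and when.

    The SHA-256 of the raw exports ties the record to the exact inputs, so a
    later export cannot be mistaken for the one that was actually reviewed.
    """
    findings = review_access(tool_export, hr_roster, as_of)
    record = {
        "tool": tool_name,
        "reviewer": reviewer,
        "review_date": as_of,
        "input_sha256": hashlib.sha256((tool_export + hr_roster).encode()).hexdigest(),
        "summary": summarize(findings),
        "findings": findings,
    }
    return json.dumps(record, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(evidence_record("example-ticketing-tool", "security@example.com",
                          TOOL_USER_EXPORT, HR_ROSTER, "2024-05-15"))
```

Store the printed record with the raw exports it hashes; together they are the evidence that the review happened, what it covered, and what was decided. Accounts flagged TERMINATED should be removed the same day; NO_OWNER accounts need an owner recorded before the next review.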

For assistance in determining the scope of your non-integrated tools or for guidance on best practices, please reach out to success@secureframe.com
