
MGA Internal Control Questionnaire – IT

MGA:
Source:

IT QUESTIONNAIRE & DOCUMENT REQUEST

DRAFT – FOR INTERNAL USE ONLY

Hardware

1. List all production hardware such as servers, storage devices, switches and firewalls.

Sigo is fully cloud-based (Google Cloud Platform - GCP).


- Kubernetes
- Databases (SQL and PostgreSQL)
- Redis
- Serverless application (infrastructure managed by GCP).
- Storage service
- Secret manager

*region: it is a specific geographical location where you can host your resources.
*zone: it is a deployment area within a region.

2. List all redundant/disaster recovery hardware such as servers, storage devices, switches and firewalls.

Description of Google Cloud services employed:


| Cloud Service | Description | Monthly Uptime Percentage | Reference |
|---|---|---|---|
| Cloud SQL | High Availability configuration is enabled. This protects against common failures by replicating data and by providing automatic failover to a replica. | >= 99.95% | https://cloud.google.com/sql/sla |
| Kubernetes cluster | A Kubernetes cluster is hosted across multiple zones. If one zone experiences failure, the other ones will be available. This ensures the continuity of the application hosted in the Kubernetes cluster. | >= 99.95% | https://cloud.google.com/kubernetes-engine/sla (check Autopilot Cluster covered service) |
| Redis | High Availability configuration is enabled. This protects against common failures by replicating data to several replicas and by providing automatic failover to a replica. | >= 99.9% | https://cloud.google.com/memorystore/sla |
| Cloud Functions | The infrastructure that runs a Cloud Function is located in a specific *region and is managed by Google to be redundantly available across all *zones within that region. | >= 99.95% | https://cloud.google.com/functions/sla |
| Cloud Storage | All data is redundant across multiple regions and multiple zones within a *region | >= 99.95% | https://cloud.google.com/storage/sla (check Standard storage class in a multi-region or dual-region covered service) |
| Secret Manager | Each secret is replicated automatically in a different region. | >= 99.95% | https://cloud.google.com/secret-manager/sla |

*region: it is a specific geographical location where you can host your resources.
*zone: it is a deployment area within a region.

Network and Infrastructure

1. Provide a network diagram showing network entry points, firewalls, servers etc.

2. Document listing critical applications with ranking/prioritization.

● Socotra
● Sigo Admin App
● Go E Merchant
● Verisk
● Hubspot
● JustCall
● CustomerIO
● HelloSign
● VinAudit

● LOB
● Google Analytics
● Mixpanel

MV to share diagram

3. List and describe database software utilized, including the version.

PostgreSQL version 11.16


Firestore (no version number)
Redis version 5.0
MySQL (for blog) version 5.7.37

4. List ISPs & telecom - production & redundant lines and throughput size.

Sigo is fully cloud-based and the redundant network services are managed by Google Cloud.
Sigo’s VOIP phone tool is JustCall.io

5. Describe the current server / hosting environment. Is it hosted in-house, via a third party, etc.? Describe
the use of any cloud-based resources such as Amazon Web Services or Microsoft Windows Azure.

Sigo uses Google Cloud Platform. Google Cloud resources in use are the following:
- GKE - Google Kubernetes Engine
- Secret Manager
- Cloud Functions
- Cloud Storage
- Cloud SQL (MySQL and PostgreSQL)
- Cloud MemoryStore

6. Describe any redundancies built into the hosting platform and hardware.

The following table explains the redundancy/replication that Google Cloud provides:

| Cloud Service | Description |
|---|---|
| Cloud SQL | High Availability configuration is enabled. This protects against common failures by replicating data and by providing automatic failover to a replica. |
| Kubernetes cluster | A Kubernetes cluster is hosted across multiple zones. If one zone experiences failure, the other ones will be available. This ensures the continuity of the application hosted in the Kubernetes cluster. |
| Redis | High Availability configuration is enabled. This protects against common failures by replicating data to several replicas and by providing automatic failover to a replica. |
| Cloud Functions | The infrastructure that runs a Cloud Function is located in a specific *region and is managed by Google to be redundantly available across all *zones within that region. |
| Cloud Storage | All data is redundant across multiple regions and multiple zones within a *region |
| Secret Manager | Each secret is replicated automatically in a different region. |

Backup and Recovery

1. Describe your backup process and tools utilized.

Databases: Google Cloud automatically performs backups on a daily basis.


Storage: Google Cloud automatically replicates data across multiple regions and multiple zones within a
region.

2. Provide copies of any backup policies, and details regarding how long they have been in place.

Automated Backup policy:


| Frequency | Window Start Time | Backup Kind | Retention time | Location |
|---|---|---|---|---|
| Daily | 5:00-9:00 PM CT | Full | 7 days | Multi-region (us) |
| Monthly | Each first day of the month. 5:00-9:00 PM CT | Full | 30 days | Multi-region (us) |

3. Provide copies of any existing disaster recovery plans.


We don’t have a disaster recovery plan yet.

4. Provide copies of any existing business continuity plans.

We don’t have a business continuity plan yet.

5. Provide copies of any existing incident response plans.

We don’t have an incident response plan yet.

6. Provide the test results from your most recent disaster recovery test.

We haven’t performed a disaster recovery test yet.


7. Copies of any hardware maintenance or support agreements.

Sigo is fully cloud-based. The following table shows the Monthly Uptime Percentage per service used:

| Cloud Service | Monthly Uptime Percentage |
|---|---|
| Cloud SQL | >= 99.95% |
| Kubernetes cluster | >= 99.95% |
| Redis | >= 99.9% |
| Cloud Functions | >= 99.95% |
| Cloud Storage | >= 99.95% |

Security

1. Do you use multi-factor authentication?

Yes – the following list shows the applications that implement two-factor authentication.

- CloudFlare
- OpenVPN
- Google Cloud Platform

2. Have you undergone any security risk assessments or penetration testing?

Not as of Jun 30th 2022

3. Does the firewall contain Intrusion Prevention System and Intrusion Detection Systems?

Currently, we have an Intrusion Detection System implemented. This job is done by the Wazuh
platform.

4. How are you monitoring systems for unusual behavior, abnormal traffic, malicious coding and
anything that would look like an intrusion by a hacker being attempted?

Yes - we use Wazuh. This platform provides the following capabilities:

- Security Analysis
- Intrusion Detection
- Log Data Analysis
- File Integrity Monitoring
- Vulnerability Detection

- Configuration Assessment
- Incident Response
- Cloud Security

5. Encryption – do you encrypt data at rest, data in transit, emails, servers, desktops, laptops or
smartphones?

Data in our database is encrypted at rest and in transit.

Sigo uses Google G Suite as email service provider. All emails sent are encrypted in transit.

Laptops and smartphones are protected with the device’s own login tools.

OpenVPN

6. Is email protected by mail security – Encryption? Phishing, Spam, Threat Detection from
Advanced Persistent Threats, including botnets, malware, viruses and others?

Sigo uses Google G Suite as email service provider. G Suite provides the following protection measures:
- Encrypted emails.
- Prevents phishing attacks.
- Advanced phishing and malware protection.
- Use TLS certificate for secure transport.
- Ciphers for TLS connections.
