Non-Standardized External Apps Guidelines v.1.3
Revision history: 1.2, January 2023, Approved Applications Dashboard added and Ownership criteria items (Martin Rodriguez, GIST)
GLOBANT INFORMATION SECURITY TEAM (GIST)
Contents
Introduction 3
General Requirements 3
User Management 3
Password Management and MFA 3
GIST follow up 4
Introduction
This document is the guideline for standardizing a new tool, or an existing one, so that it can be approved by GIST. All available applications can be found in the following link.
This document lists the general requirements first and then the specific requirements provided by the various GIST areas. All requirements are necessary and mandatory in order to obtain the approval of the GIST area.
General Requirements
User Management
All users must authenticate to the application with an SSO solution. The possible alternatives are:
● Google solution: contact the Google administrator
● Azure solution: contact the Windows team
If external users have to access the application (e.g. providers or clients), they need to use a Globant-provided user (external mail or external AD user).
GIST follow up
● A GDoc must be created by GIST to follow up the review described in this policy.
● The Drive folder created for the review must contain all the documentation related to this review, such as certifications, architecture diagrams and permissions matrix, among others.
Ticket request
There are two possible scenarios:
Option 1: If you need to request an exception for your project or for yourself, create a ticket in the following category:
Security > Information Security > Exception & Approvals
Option 2: If you require an application that is not on the list and is needed by all Globers, create a ticket in Invgate under the following category:
Security > Applications > Vendor Applications
Certifications
The application owner must ask the provider for one or more of the following:
- ISO 27001
- SOC 2 / 3
- Personal data certification - if required, depending on the information handled
- Health information report - depending on the information handled
- PCI - depending on the information handled
GIST Compliance will define whether the application must be SOX compliant or not. If the tool will be a SOX tool, or if it will be affected by audit controls, some information will be requested in order to comply with the first control review. If it is not a SOX tool, it may still be asked to have some internal controls. The GIST Compliance team will help the area owner, or guide them, to ensure the application is controlled.
Some documents are defined to help the involved area:
- (Tool) Standard Policy
- ABM guideline
- Change Management guideline
Required items
1. Architecture components
2. Support for SSO integration (Google and Azure)
3. MFA support
4. Certifications that the platform may have, such as ISO 27001, SOC 1-2, GDPR, CCPA, HIPAA, etc.
5. Privacy Policy
6. Privilege access management
7. Most recent vulnerability report (3 months at least).
8. Pentest executed (current year)
9. An NDA must be signed by the vendor, with legal support, to allow us to ask the vendor for several documents (SDLC, quality and cybersecurity).
10. Internal ownership roles (management): the GIST Team will determine the ownership of the product based on business needs. The application owner will be responsible for the management and control of the application and may have to respond to all related events.
11. Internal ownership roles (internal responsible): who will be responsible for the administration.
12. Internal ownership roles (control): who will be responsible for the roles and privileges audit.
13. Detailed log information and SOC integration (Splunk Cloud).
14. Incident response
15. Extras: roles and privileges matrix, etc.
The GIST Vulnerability team can ask for all the items mentioned above and also for any other elements that are relevant to the case under consideration.