
MGA Internal Control Questionnaire – IT

MGA:
Source:

IT QUESTIONNAIRE & DOCUMENT REQUEST

DRAFT – FOR INTERNAL USE ONLY

Hardware

1. List all production hardware such as servers, storage devices, switches and firewalls.

Sigo is fully cloud-based (Google Cloud Platform - GCP).


N | Service | Description
1 | Kubernetes Engine | System for automating deployments, scaling, and management of containerized applications.
2 | Cloud SQL | A fully managed service that makes it easy to set up, manage, and administer relational databases.
3 | Memorystore (Redis) | Provides the two most popular open-source caching engines: Redis and Memcached.
4 | Cloud Functions | Serverless environment to run applications in different languages.
5 | Cloud Storage | Store any amount of data.
6 | Secret Manager | Securely store API keys, passwords, certificates, and other sensitive data

Kubernetes
Databases (SQL and PostgreSQL)
Redis
Serverless application (infrastructure managed by GCP).
Storage service
Secret manager

*region: it is a specific geographical location where you can host your resources.
*zone: it is a deployment area within a region.

2. List all redundant/disaster recovery hardware such as servers, storage devices, switches and firewalls.

Description of Google Cloud services employed:


Cloud Service | Description | Monthly Uptime Percentage | Reference
Cloud SQL | High Availability configuration enabled. That protects from common failures by replicating data, and by providing an automatic failover to a replica. | >= 99.95% | https://cloud.google.com/sql/sla
Kubernetes cluster | Each Kubernetes Node Pool is replicated across three different zones in the same region. A Kubernetes cluster is hosted across multiple zones. If one zone experiences failure, the other ones will be available. This ensures the continuity of the application hosted in the Kubernetes cluster. All ingress traffic towards the Kubernetes cluster is filtered by a Virtual Private Cloud Firewall. | >= 99.95% | https://cloud.google.com/kubernetes-engine/sla (check Autopilot Cluster covered service)
Redis | High Availability configuration enabled. That protects from common failures by replicating data to several replicas, and by providing an automatic failover to a replica. | >= 99.9% | https://cloud.google.com/memorystore/sla
Cloud Functions | The infrastructure that runs a Cloud Function is located in a specific *region and is managed by Google to be redundantly available across all *zones within that region. | >= 99.95% | https://cloud.google.com/functions/sla
Cloud Storage | All data is redundant across multiple regions and multiple zones within a *region | >= 99.95% | https://cloud.google.com/storage/sla (check Standard storage class in a multi-region or dual-region covered service)
Secret Manager | Each secret is replicated automatically in a different region. | >= 99.95% | https://cloud.google.com/secret-manager/sla

*region: it is a specific geographical location where you can host your resources.
*zone: it is a deployment area within a region.

Network and Infrastructure

1. Provide a network diagram showing network entry points, firewalls, servers etc.
See Appendix A.


2. Document listing critical applications with ranking/prioritization.

● Socotra
● Sigo Admin App
● Go E Merchant
● Verisk
● Hubspot
● JustCall
● CustomerIO
● HelloSign
● VinAudit
● LOB
● Google Analytics
● Mixpanel

[[MV to share diagram]] To see the diagram, refer to Appendix B.

3. List and describe database software utilized, including the version.

PostgreSQL version 11.16


Firestore (no version number)
Redis version 5.0

MySQL (for blog) version 5.7.37

4. List ISP’s & telecom - production & redundant lines and throughput size.

Sigo is fully cloud-based and the redundant network services are managed by Google Cloud.
The Google Cloud Network provides high performance, scale, and redundancy for customers through
globally distributed entrypoints. Google’s cloud network architecture consists of 22 regions, 67 zones,
and 140 network locations. For more information visit:
https://cloud.google.com/about/locations#network
Sigo’s VOIP phone tool is JustCall.io

5. Describe the current server / hosting environment. Is it hosted in-house, via a third party, etc.? Describe
the use of any cloud-based resources such as Amazon Web Services or Microsoft Windows Azure.

Sigo uses Google Cloud Platform. Google Cloud resources in use are the following:
N | Service | Description
1 | Kubernetes Engine | System for automating deployments, scaling, and management of containerized applications.
2 | Cloud SQL | A fully managed service that makes it easy to set up, manage, and administer relational databases.
3 | Memorystore (Redis) | Provides the two most popular open-source caching engines: Redis and Memcached.
4 | Cloud Functions | Serverless environment to run applications in different languages.
5 | Cloud Storage | Store any amount of data.
6 | Secret Manager | Securely store API keys, passwords, certificates, and other sensitive data
- GKE - Google Kubernetes Engine
- Secret Manager
- Cloud Functions
- Cloud Storage
- Cloud SQL (MySQL and PostgreSQL)
- Cloud MemoryStore

6. Describe any redundancies built into the hosting platform and hardware.

The following table explains the redundancy/replication that Google Cloud provides:
Cloud Service | Description
Cloud SQL | They have High Availability configuration enabled. That protects from common failures by replicating data, and by providing an automatic failover to a replica.
Kubernetes cluster | A Kubernetes cluster is hosted across multiple zones. If one zone experiences failure, the other ones will be available. This ensures the continuity of the application hosted in the Kubernetes cluster.
Redis | It has High Availability configuration enabled. That protects from common failures by replicating data to several replicas, and by providing an automatic failover to a replica.
Cloud Functions | The infrastructure that runs a Cloud Function is located in a specific *region and is managed by Google to be redundantly available across all *zones within that region.
Cloud Storage | All data is redundant across multiple regions and multiple zones within a *region
Secret Manager | Each secret is replicated automatically in a different region.

Backup and Recovery

1. Describe your backup process and tools utilized.

Databases: Google Cloud automatically performs backups on a daily basis.


Storage: Google Cloud automatically replicates data across multiple regions and multiple zones within a
region.

2. Provide copies of any backup policies, and details regarding how long they have been in place.

Automated Backup policy:


Instances: PostgreSQL and MySQL databases.
Backups implemented since the database creation.

Frequency | Window Start Time | Backup Kind | Retention time | Location
Daily | 5:00-9:00 PM CT | Full | 7 days | Multi-region (us)
Monthly | Each first day of the month. 5:00-9:00 PM CT | Full | 30 days | Multi-region (us)

3. Provide copies of any existing disaster recovery plans.


We don’t have a disaster recovery plan yet.
4. Provide copies of any existing business continuity plans.
We don’t have a business continuity plan yet.
5. Provide copies of any existing incident response plans.
We don’t have an incident response plan yet.
6. Provide the test results from your most recent disaster recovery test.

We haven’t performed a disaster recovery test yet.

7. Copies of any hardware maintenance or support agreements.

Sigo is fully cloud-based. The following table shows the Monthly Uptime Percentage per service used:
Cloud Service | Monthly Uptime Percentage
Cloud SQL | >= 99.95%
Kubernetes cluster | >= 99.95%
Redis | >= 99.9%
Cloud Functions | >= 99.95%
Cloud Storage | >= 99.95%

Security

1. Do you use multi-factor authentication?

Yes – the following list shows the applications that implement two-factor authentication.

- CloudFlare
- OpenVPN
- Google Cloud Platform

2. Have you undergone any security risk assessments or penetration testing?

Not as of Jun 30th 2022

3. Does the firewall contain Intrusion Prevention System and Intrusion Detection Systems?

Currently, we are using the Wazuh platform, which provides the Intrusion Detection System. The
Wazuh server component uses a signature-based approach to intrusion detection, using its regular
expression engine to analyze collected log data and look for indicators of compromise.

Wazuh is used for threat prevention, detection, and response. It is capable of protecting workloads
across on-premises, virtualized, containerized, and cloud-based environments.

For more information:

https://wazuh.com/platform/


https://documentation.wazuh.com/current/index.html

We have an Intrusion Detection System implemented. This job is done by the Wazuh platform.

4. How are you monitoring systems for unusual behavior, abnormal traffic, malicious coding and
anything that would look like an intrusion by a hacker being attempted?

Yes - we use Wazuh. This platform provides the following capabilities:

- Security Analysis
- Intrusion Detection
- Log Data Analysis
- File Integrity Monitoring
- Vulnerability Detection
- Configuration Assessment
- Incident Response
- Cloud Security

5. Encryption – do you encrypt data at rest, data in transit, emails, servers, desktops, laptops or
smartphones?

Data in our database is encrypted at rest and in transit.

Sigo uses Google G Suite as its email service provider. All emails sent are encrypted in transit.

Connections to our private network in Google Cloud Platform over the internet are protected
and encrypted by the OpenVPN tool.

Laptops and smartphones are protected with the device’s own login tools.

OpenVPN

6. Is email protected by mail security – Encryption? Phishing, Spam, Threat Detection from
Advanced Persistent Threats, including botnets, malware, viruses and others?

Sigo uses Google G Suite as its email service provider. G Suite provides the following protection measures:
- Encrypted emails.
- Prevents phishing attacks.
- Advanced phishing and malware protection.
- Use TLS certificate for secure transport.
- Ciphers for TLS connections.

APPENDICES

APPENDIX A: INFRASTRUCTURE DIAGRAM


APPENDIX B: GENERAL ARCHITECTURE DIAGRAM


2020 Page 10 of 10
