The Shared Responsibility Model (SRM) captures, identifies, and divides security responsibilities between customers and providers.
It specifically identifies the person or team responsible for any given security control; most importantly, the responsibility needs to be agreed upon and reflected in contracts or service level agreements.
OEM Customers (Customers who self-host our Products/Solutions)
If you are running our products by self-hosting (on physical hardware, virtualization or cloud), then you are responsible for everything, from physical security all the way up to the software and applications.
SaaS Customers (Customers who host our Products/Solutions directly with us)
If you are consuming our software as a service (SaaS), everything except what is inside the application itself is the responsibility of the provider.
| Responsibility | Description | Entity |
|---|---|---|
| Information and Data | Customers are responsible for the data they upload, store, and process, and for ensuring that any authorized personnel who access the data are adequately trained in the protection of the customer's data. Customers are responsible for the accuracy of the data entered. Customers are also responsible for compliance with any applicable laws, regulations or standards. | Customer |
| Usage and Configuration | Customers are responsible for properly configuring the application's settings and parameters according to their operational needs, to ensure adherence to their specific security, compliance and corporate requirements. | Customer |
| Accounts and Identities | MathCraft will provide the customer with the ability to provision and deprovision users, manage their access entitlements, and audit their actions. Customers are responsible for ensuring that they only give their authorized employees the proper access, regularly audit their entitlements and actions, and deprovision employees when they should no longer have access. | Customer |
| Application Development and Maintenance | MathCraft will develop and maintain the web application, including updates and bug fixes. MathCraft will ensure that security standards are met, best practices are followed, and timely patches are provided to address vulnerabilities. | MathCraft |
| Infrastructure Security | MathCraft will secure the underlying infrastructure components of the application that are within MathCraft's control. MathCraft will also implement controls to protect against common threats such as DDoS attacks, malware, etc. | MathCraft |
| Data Protection | MathCraft will implement data encryption in transit and at rest according to industry standards. MathCraft will also back up the data and provide disaster recovery at the infrastructure level. | MathCraft |
| Compliance | MathCraft will ensure the products are in compliance with NISPOM guidelines and industry standards. | MathCraft |
| Physical Infrastructure | The CSP is responsible for securing the physical data centers, including power, cooling and network infrastructure. | Cloud Service Provider (CSP) |
| Platform and Network Security | The CSP is responsible for securing the platform and network infrastructure hosting the application. The CSP will also manage the network traffic and ensure the availability and resilience of the cloud services. | Cloud Service Provider (CSP) |