Pana’s services are designed with the assumption that certain controls will be implemented by Pana's customers. In certain situations, the application of specific controls at the customer level is necessary to achieve control objectives included in Pana's Information Security Policy. Pana's management makes the following control recommendations to customers and, in many instances, provides the means to implement these controls in the product. Let this serve as best-practice guidance to customers regarding control elements outside the sphere of Pana's responsibility. This section describes additional controls that should be in operation with a customer to complement Pana's controls. Customer consideration recommendations include:
- Customers should implement sound and consistent internal controls regarding general IT system access and system usage appropriateness for all internal user organization components associated with Pana.
- Customers should remove the user accounts of any users who have been terminated and were previously involved in any material functions or activities associated with Pana's services.
- Transactions for companies relating to Pana's services should be appropriately authorized, and transactions should be secure, timely, and complete.
- For customers sending data to Pana, data should be protected by appropriate methods to ensure confidentiality, privacy, integrity, availability, and non-repudiation.
- Customers should implement controls requiring additional approval procedures for critical transactions relating to Pana's services.
- Customers should report to Pana in a timely manner any material changes to their overall control environment that may adversely affect services being performed by Pana.
- Customers are responsible for notifying Pana in a timely manner of any changes to personnel directly involved with services performed by Pana. These personnel may be involved in financial, technical or ancillary administrative functions directly associated with services provided by Pana.
- Customers are responsible for adhering to the terms and conditions stated within their contracts with Pana.
- Customers are responsible for developing and, if necessary, implementing a business continuity and disaster recovery plan (BCDRP) that will aid in the continuation of services provided by Pana.
The list of customer control considerations presented above and those presented with certain specified control objectives do not represent a comprehensive set of all the controls that should be employed by customers. Other controls may be required for the customer. Therefore, each customer's system of internal controls must be evaluated in conjunction with the internal control structure described in Pana's Information Security Policy.