App La Carte Information Security Policies and Guidelines

Table of Contents


NDA Required


This is the Table of Contents for the official App La Carte (ALC or Putti) Information Security Policies and Guidelines document. It is meant to be provided to parties requesting it.

0 – Introduction

00 – Acceptable Use of Information Resources Policy

1 – Access Control

  • 101 – Access Rights Administration
    • 101-01 – Access Control Policy
    • 101-02 – User Registration Account Policy
    • 101-03 – User Password Management Policy
    • 101-04 – Access Rights Review Policy
    • 101-05 – Third Party Access Policy
  • 102 – Network
    • 102-01 – Network Installation and Administration Policy
    • 102-02 – Network Security Policy
    • 102-03 – Wireless Networking Policy
    • 102-04 – Firewall Management Policy
    • 102-05 – VPN Policy
    • 102-06 – VPN Site-to-Site Policy
    • 102-07 – Server Security Policy
    • 102-08 – Log Management Policy
    • 102-09 – Time Synchronization Policy
  • 103 – Exchange of Information
    • 103-01 – Internet Use Policy
    • 103-02 – Email Use Policy
    • 103-03 – Social Media Use Policy

2 – Physical and Environmental Protection

  • 201 – Secure Areas
    • 201-01 – Physical Entry Policy
    • 201-02 – Securing Facilities Policy
    • 201-03 – Clear Desk Policy
  • 202 – Media Handling
    • 202-01 – Removable Media Policy
    • 202-02 – Data Backup and Archive Policy
    • 202-03 – Records Management and Retention Policy
    • 202-04 – Disposal of Media Policy

3 – Communications and Operations Management

  • 301 – Controls to Protect Against Malicious Code
    • 301-01 – Virus Prevention Policy
    • 301-02 – Software Patch Management Policy
    • 301-03 – Protection Against Malicious Software Policy
  • 302 – Cryptographic Controls
    • 302-01 – Encryption and Key Management Policy
  • 303 – Change Control
    • 303-01 – Change Control Policy

4 – Personnel Security

  • 401 – Security in Job Definition and Resources
    • 401-01 – Background Check Policy
    • 401-02 – Non-Disclosure Policy
    • 401-03 – Dual Control Policy
    • 401-04 – Termination Policy
  • 402 – Training
    • 402-01 – Security Awareness Policy
  • 403 – Security Incidents and Malfunctions
    • 403-01 – Incident Management Policy
    • 403-02 – Emergency Access and Termination Policy
    • 403-05 – Employee Sanctions For Noncompliance

5 – Service Provider Oversight

  • 501 – Service Provider Oversight
    • 501-01 – Third Party Contracts Policy
    • 501-02 – Service Provider Policy

6 – Business Continuity

  • 601 – Business Continuity Plan
    • 601-01 – Business Continuity Plan Policy

7 – Data Classification

  • 701 – Data Classification
    • 701-01 – Data Classification Policy
  • 702 – Confidential Information
    • 702-01 – Confidential Information Policy
    • 702-02 – Client Confidential Information Policy
    • 702-03 – Exceptions to Client Confidential Information Policy

8 – Compliance

  • 801 – Audit and External Governance
    • 801-01 – Audit Policy
    • 801-02 – External Governance and Compliance Policy
    • 801-03 – HIPAA and PCI Incident Management Policy
    • 801-04 – Exceptions to Policy
  • 802 – ALC GDPR Compliance Statement

9 – Information Security

  • 901 – Information Security
    • 901-01 – Risk Assessment Policy
    • 901-02 – Counterparty Trust and Non-Repudiation Policy
    • 901-03 – Information Security Policy

Putti Security

Putti Mantra

Putti by App La Carte Ltd. has a robust IT Security Program, that includes policies, procedures, training, risk assessments etc. to properly secure confidential information to the extent that Putti has access.  This includes system and audit logging, Incident Response and proactive internal vulnerability scanning. Putti hosting centers are certified as SSAE 16 or ISO/IEC 27001:2005. It must also be noted that Putti does not merchant any client or customer data.

Key Security Statements

Today Putti has over 300 mobile clients and 50% of them have a transactional component to their web sites and/or native app or are concerned with PHI data,  our policy is to ensure our approach is always secure. The following key points elaborate on this:

          Putti uses Microsoft Azure Data Centers that are secure and certified to SSAE 16 or ISO  27001:2005 compliance. They are also PCI DSS compliant/certified.

          Putti has annual penetration tests, quarterly internal vulnerability scans.

          ALC does not merchant any client or customer data.

          Putti does not share any data with any third party.

          Putti follows W3C Mobile Web Best Practices and follows OWASP guidelines.

          Putti web sites enter HTTPS sessions whenever confidential, or financial, information is used.

          Putti utilizes Google Analytics for traffic and flow analysis. The data collected does NOT include any client or customer data, especially no personal, or commerce information. Putti has chosen to NOT allow Google to share any ALC data with other website operators.

In support of this Putti has a robust IT Security Program, that includes policies, procedures, training, Risk Assessments etc. to properly secure confidential information to the extent that Putti has access. This includes system and audit logging, Incident Response and proactive internal and vulnerability scanning. To emphasize, Putti does not merchant any client or customer data.

Data Centers Compliance

Details about Microsoft Azure Compliance



Information Security is a critical process to safeguard App La Carte Ltd (ALC) assets. A focused effort is necessary to protect information resources from unauthorized modification, disclosure, or destruction, whether accidental or intentional, and comply with external regulations.

ALC has created this “ALC Information Security Policies and Guidelines” (ALCISPG) framework to establish roles and responsibilities over information assets and disciplinary actions in case of violations to the policies.


The objective of ALCISPG is to achieve and maintain:

          Confidentiality – Ensure that information is accessible only to those with authorized access;

          Integrity – Safeguard the accuracy and completeness of information and processing methods;

          Availability – Ensure that authorized users have access to information assets when required;

          Accountability – Ensure clear accountability for the processes, policies, and controls to trace actions to their source; and

        Assurance – Ensure that the processes, policies, and controls provide technical and operational security of intended work. 



The ALCISPG supports effective information security throughout the company and mitigates potential risks from unauthorized access to information, assets, and resources by:

  • Integrating security standards required by ALC personnel, business and technology partners, technology service providers, and customers, to protect ALC information assets;
  • Aligning the standards with external regulation references designed to protect the privacy and integrity of the company’s data, information, resources, and services

The ALCISPG applies to all ALC-owned data in storage or transport in all systems and locations, including all:

          Platforms, networks, and operating systems;

          Servers, printers, remote access products, and end-user computing devices;

          Application systems (in-house or purchased from third parties).


Board of Directors and Executive Oversight

ALC’s Board of Directors shall be responsible for review and approval of the ALC Information Security Policies and Guidelines (ALCISPG), and to oversee the implementation of the policy.

Policy development and maintenance is the responsibility of the Chief Security Officer (CSO). The CSO shall assess all proposed policy changes, determine which changes to implement, facilitate Board approval of material changes, and control the policy version change records and publication.

All material policy changes shall be referred to the Board of Directors and communicated to personnel in writing.


Information Security Roles

Everyone at ALC has a role in maintaining the security of information resources. Each policy specifies the particular responsibilities that are assigned to each one of the following roles, as needed:

          Information Users: personnel with access to ALC systems, including contractors, vendors and visitors.

          Managers and Team Leads: personnel who supervise ALC staff and resources.

          Business Owners: personnel with the responsibility over a business area and its responsibility to maintain or administer information resources.

          Information Technology Teams (IT): personnel responsible to implement and support the technology infrastructure.

          Information Security Team (InfoSec): personnel responsible to manage the information security program.

          Information Security Officer: person responsible for establishing and maintaining the ALC information security program (currently the CISO)


Exceptions to Policy

Exceptions to the ALCISPG can be granted if documented and approved according to the Security Exception Policy described in the ALCISPG.

The exception can become a permanent change to the ALCISPG if approved by the Board of Directors.


Got any questions for us?