Information Security Policy

Purpose

Information security is the protection of information assets. The objective of this policy is to protect the confidentiality, integrity and availability of the information technology resources and information assets in the organization’s possession.

Scope 

This Information Security Policy applies to all information technology resources used for the storage, processing and/or transmission of customer data and to all customer data within the organization which could include data and information that is: 

  • Stored in databases 

  • Stored on computers 

  • Transmitted across internal and public networks 

  • Printed or handwritten on paper, whiteboards etc. 

  • Sent by facsimile (fax) or other communications method 

  • Stored on removable media such as CD-ROMs, external hard disks, tapes, and other similar media 

  • Stored on fixed media such as hard disks and disk sub-systems 

  • Held on film or microfiche 

  • Presented on slides, overhead projectors, using visual and audio media 

  • Spoken during telephone calls and meetings or conveyed by any other method

Policy 

Section 1: Protect customer data

1.1 Keep customer data storage to a minimum by implementing data retention and disposal policies, procedures and processes. 

1.2 Sensitive authentication data must never be stored after authorization. Refer to the Data Protection Policy. 

1.3 Sensitive customer data must be rendered unreadable anywhere it is stored, including on portable digital media, on backup media and in logs, by using any of the following approaches: 

  • One-way hashes based on strong cryptography 

  • Truncation

  • Index tokens and pads 

  • Strong cryptography with associated key-management processes and procedures 

1.4 The cryptographic keys used for encryption of customer data must be protected against both disclosure and misuse. All key-management processes and procedures for cryptographic keys used for encryption of customer data must be fully documented and implemented. 
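As an added illustration of 1.3 and 1.4 (example code written for this page, not part of the policy and not Remio's own systems), the following Python applies three of the listed approaches to constructed sample values: truncation, a keyed one-way hash, and index tokens held in a vault. HASH_KEY, the TokenVault class and the sample email address and phone number are assumptions made for the example; strong encryption, the fourth approach, needs a third-party library and is not shown.

```python
"""Rendering stored customer data unreadable (policy 1.3 and 1.4).

Added example; not part of the policy and not Remio's code. Standard
library only. HASH_KEY stands in for a key that would come from the
key-management process in 1.4; it is generated here so the example
runs offline.
"""
import hashlib
import hmac
import secrets

# Assumption: in production this key is fetched from a key-management
# system and rotated under documented procedures, never kept in source.
HASH_KEY = secrets.token_bytes(32)


def truncate(value: str, keep_last: int = 4) -> str:
    """Truncation: keep only the trailing characters needed for display."""
    if len(value) <= keep_last:
        return "*" * len(value)
    return "*" * (len(value) - keep_last) + value[-keep_last:]


def keyed_hash(value: str) -> str:
    """One-way hash based on strong cryptography.

    An unkeyed SHA-256 of a low-entropy value such as a phone or card
    number can be reversed by hashing every candidate, so the hash is
    keyed (HMAC). Equal inputs still give equal outputs, which keeps
    lookups and joins on the hashed column working.
    """
    normalized = value.strip().lower().encode()
    return hmac.new(HASH_KEY, normalized, hashlib.sha256).hexdigest()


class TokenVault:
    """Index tokens: random surrogates with no mathematical link to the value.

    Only the vault can map a token back to the original; every other
    system stores the token. The vault is therefore the component that
    needs the strongest access control.
    """

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}
        self._by_value: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value in self._by_value:
            return self._by_value[value]
        token = "tok_" + secrets.token_urlsafe(16)
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def safe_log_fields(email: str, phone: str) -> dict[str, str]:
    """What a log line may carry instead of the raw values (1.3: 'in logs')."""
    return {"customer": keyed_hash(email)[:16], "phone": truncate(phone)}


if __name__ == "__main__":
    # Constructed sample values, not real customer data.
    email, phone = "jane.doe@example.com", "+15550101234"
    vault = TokenVault()
    token = vault.tokenize(email)
    print(truncate(phone), keyed_hash(email)[:16], token, vault.detokenize(token))
    print(safe_log_fields(email, phone))
```

Two practical points follow from this. An unkeyed hash of a low-entropy value is not "unreadable", because an attacker can hash every candidate and compare; that is why the example keys the hash. And the key that 1.4 refers to must be stored and rotated separately from the hashed data, otherwise the hash is only as protected as the database row next to it.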

1.5 Customer data (whether screenshots or files) may not be sent to customers as email attachments. Instead, we use Dropbox Transfer to send these files securely. If you do not have a Remio Dropbox account but need one to send customer data, please reach out to Derrick (derrick@remiovr.com). If you need to send customer data internally, use Google Drive and share with the team member as needed, or Keybase if you are sharing any kind of credentials. 

1.6 User IDs and passwords must not be hardcoded in, or stored alongside, application code. If an application needs credentials, supply them at runtime as environment variables or through another secure mechanism such as a secrets manager. 
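The following is an added example for 1.6 (written for this page, not Remio's code): a small scanner that flags lines of source that look like hardcoded credentials, and a loader that takes a credential from the environment and fails closed when it is absent. The regular expressions, the two sample source files and the load_secret helper are assumptions made for the example; a production scanner would carry many more patterns.

```python
"""Keeping credentials out of application code (policy 1.6).

Added example; not Remio's code. The patterns and the sample source are
constructed for illustration and are not an exhaustive scanner.
"""
import os
import re

# Shapes that hard-coded credentials commonly take (assumptions, not a
# complete rule set): quoted assignments to password-like names, an AWS
# access key id, a PEM private key header, and user:password in a URL.
SECRET_PATTERNS = [
    re.compile(r"""(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*["'][^"']{4,}["']"""),
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    re.compile(r"""(?i)\b[a-z][a-z0-9+.-]*://[^\s:/@"']+:[^\s@"']+@"""),
]


def find_hardcoded_secrets(source: str) -> list[tuple[int, str]]:
    """Return (line number, line) for every line that looks like a credential."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if any(p.search(line) for p in SECRET_PATTERNS):
            findings.append((lineno, line.strip()))
    return findings


def load_secret(name: str, environ=os.environ) -> str:
    """Read a credential from the environment and fail closed if it is missing."""
    value = environ.get(name)
    if not value:
        raise RuntimeError(f"required secret {name!r} is not set")
    return value


# Constructed sample: what the policy prohibits.
SAMPLE_BAD = '''\
import psycopg2
DB_USER = "app"
DB_PASSWORD = "Tr0ub4dor&3"
API_KEY = "AKIAIOSFODNN7EXAMPLE"
conn = psycopg2.connect("postgresql://app:Tr0ub4dor&3@db.internal/prod")
'''

# Constructed sample: credentials supplied at runtime instead.
SAMPLE_GOOD = '''\
import os
DB_USER = os.environ["DB_USER"]
DB_PASSWORD = load_secret("DB_PASSWORD")
'''

if __name__ == "__main__":
    for lineno, line in find_hardcoded_secrets(SAMPLE_BAD):
        print(f"bad.py:{lineno}: {line}")
    print("good.py:", find_hardcoded_secrets(SAMPLE_GOOD) or "clean")
```

A scanner like this belongs in pre-commit hooks and CI so a credential is caught before it reaches the repository history, where removing it later requires rewriting history and rotating the secret anyway. Environment variables are better than source but are still readable by anything running as the same user on the host, which is why the policy's "another secure mechanism" (a secrets manager) is preferable for production systems.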

1.7 When working in areas accessible to the public (e.g. Banking Centers, public transit, coffee shops), take the necessary steps to protect customer data from being seen or accessed by unauthorized individuals. 

1.8 Customer data may not be stored on laptops or mobile devices. 

1.9 Confidential/customer information should be safeguarded if you’re in an open workspace or your desk is unattended. Make sure to clean up any workspaces or meeting spaces so that there is no confidential/customer information after you leave. 

1.10 We require 2FA for all services that process user data. Passwords must be at least 8 characters long and contain uppercase and lowercase letters, at least one number and at least one special character.

Section 2: Encrypt transmission of customer data across open, public networks 

2.1 Use strong cryptography and security protocols (for example, TLS 1.2 or later, IPsec or SSH; SSL and TLS 1.0/1.1 are deprecated and do not count as strong) to safeguard sensitive customer data during transmission over open, public networks. 
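As an added example for 2.1 (written for this page; not Remio's code and not a requirement of the policy itself), the following Python shows a client TLS configuration that breaks the rule beside one that satisfies it, together with a check that can run at startup or in CI. It uses only the standard-library ssl module and opens no network connection; the function names and the compliance predicate are assumptions made for the example.

```python
"""Transport protection for customer data in transit (policy 2.1).

Added example; not Remio's code. It shows a client TLS configuration
that violates the policy beside one that satisfies it, using the standard
library ssl module. No network connection is made, so it runs offline.
"""
import ssl


def weak_context() -> ssl.SSLContext:
    """What the policy rules out: any protocol version the library still
    allows, no certificate validation and no hostname check. Such a client
    is trivially intercepted by anyone on the path."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def strong_context() -> ssl.SSLContext:
    """Verify the server chain against the system trust store, check the
    hostname and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_policy_compliant(ctx: ssl.SSLContext) -> bool:
    """A check that can run in CI or at startup against any context."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def describe(ctx: ssl.SSLContext) -> str:
    return (f"verify={ctx.verify_mode.name} hostname={ctx.check_hostname} "
            f"min_version={ctx.minimum_version.name}")


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("strong", strong_context())):
        print(f"{name}: {describe(ctx)} compliant={is_policy_compliant(ctx)}")
    # In use: strong_context().wrap_socket(sock, server_hostname="api.example.com")
```

The order of the two assignments in weak_context is not incidental: the ssl module refuses to set CERT_NONE while hostname checking is still on, so code that disables verification has to take both steps, which makes it easy to grep for in review.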

Section 3: Use and regularly update anti-virus software or programs

3.1 Anti-virus software must be deployed on all personal computers. Ensure that the anti-virus software is capable of detecting, removing, and protecting against all known types of malicious software.

3.2 All anti-virus mechanisms must be current, actively running, and capable of generating audit logs.

Section 4: Develop and maintain security systems and applications

4.1 A process to identify newly discovered security vulnerabilities, using outside sources for security vulnerability information, must be established.

4.2 Develop applications based on secure coding guidelines and prevent common coding vulnerabilities in the software development process. As industry best practices for vulnerability management are updated (for example, the OWASP Guide, the CWE/SANS Top 25, CERT Secure Coding, etc.), the current best practices must be used.

4.3 For public-facing web applications, new threats and vulnerabilities must be addressed on an ongoing basis and these applications must be protected against known attacks by either of the following methods:

  • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes

  • Installing a web-application firewall in front of public-facing web applications

Section 5: Restrict access to customer data by business need to know

5.1 Access to system components and customer data must be limited to only those individuals whose job requires such access. An access control system for systems components with multiple users must be established that restricts access based on a user’s need to know, and is set to "deny all" unless specifically allowed.

Section 6: Assign a unique ID to each person with computer access

6.1 All users must be assigned a unique ID before allowing them to access system components or customer data. In addition to assigning a unique ID, at least one of the following methods to authenticate all users must be employed:

  • Something you know, such as a password or passphrase

  • Something you have, such as a token device or smart card

  • Something you are, such as a biometric

6.2 Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties (for example, Remote Authentication Dial-In User Service (RADIUS) with tokens, Terminal Access Controller Access-Control System (TACACS) with tokens, or other technologies that facilitate two-factor authentication).

Note: Two-factor authentication requires that two of the three authentication methods (see Section 6.1 above for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered two-factor authentication.

6.3 All passwords must be rendered unreadable during transmission and storage on all system components using strong cryptography.

6.4 Proper user authentication and password management must be implemented for non-consumer users and administrators on all system components.

6.5 Verify a user's identity before communicating initial and temporary passwords and when initiating a password reset.

6.6 Initial passwords should be sent securely: either via the application directly, encrypted, or by a secure means (e.g. Dropbox Transfer, Keybase or our internal password manager).

6.7 Users are required to change their initial/temporary passwords on first login.

6.8 Users are required to authenticate before changing their passwords.
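The following is an added example (written for this page, not Remio's code) that ties together the complexity rule in 1.10, unreadable storage in 6.3, the forced change of an initial password in 6.7 and re-authentication before a change in 6.8. It uses hashlib.scrypt from the Python standard library; the scrypt work factors, the Account class, the provision/login/change_password helpers and the sample user are all assumptions made for the example.

```python
"""Password handling: the complexity rule in 1.10, unreadable storage (6.3),
forced change of an initial password (6.7) and re-authentication before a
change (6.8).

Added example; not Remio's code. hashlib.scrypt from the standard library
is used for storage; the work factors and the sample account are assumptions.
"""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass

# scrypt work factors: about 16 MiB of memory per hash, chosen so the example
# runs quickly; raise them in production to what the login path can afford.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def meets_policy(password: str) -> bool:
    """Policy 1.10: at least 8 characters, upper and lower case, a digit and a special character."""
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def hash_password(password: str) -> str:
    """Salted, memory-hard, one-way: the stored string cannot be turned back
    into the password, and equal passwords do not produce equal strings."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


@dataclass
class Account:
    user_id: str
    password_hash: str
    must_change: bool = True   # true for initial/temporary passwords (6.7)


def provision(user_id: str) -> tuple[Account, str]:
    """Create an account with a random temporary password. The clear-text
    value is returned once so it can be delivered per 6.5/6.6; only the
    hash is kept."""
    temporary = secrets.token_urlsafe(12) + "!Aa1"   # satisfies 1.10 by construction
    return Account(user_id, hash_password(temporary)), temporary


def login(account: Account, password: str) -> str:
    if not verify_password(password, account.password_hash):
        return "denied"
    return "change-required" if account.must_change else "ok"


def change_password(account: Account, current: str, new: str) -> bool:
    """6.8: the user must authenticate before the change; 1.10 applies to the new value."""
    if not verify_password(current, account.password_hash):
        return False
    if not meets_policy(new):
        return False
    account.password_hash = hash_password(new)
    account.must_change = False
    return True


if __name__ == "__main__":
    account, temporary = provision("jdoe")      # constructed sample user
    print(login(account, temporary))            # change-required
    print(change_password(account, temporary, "N3w!Secret"), login(account, "N3w!Secret"))
    print(account.password_hash)
```

The stored string carries its own parameters, so the work factors can be raised later and old hashes re-hashed on the user's next successful login without a migration. A plain or unsalted hash would not satisfy 6.3: it is fast to brute-force and lets an attacker recognise which users share a password.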

Section 7: Track and monitor all access to network resources and customer data

7.1 A process must be established for linking all access to system components, i.e., any network component, server, or application included in or connected to the production environment (especially access done with administrative privileges such as root) to each individual user. Automated audit trails must be implemented for all system components to reconstruct specific events and record at least the following audit trail entries for all system components for each event:

  • User identification

  • Type of event

  • Date and time

  • Success or failure indication

  • Origination of event

  • Identity or name of affected data, system component, or resource

7.2 All critical system clocks and times must be synchronized.

7.3 Audit trails must be secured so they cannot be altered.
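As an added example for 7.1 through 7.3 (written for this page; not Remio's logging code), the following Python emits audit records carrying the six required fields and chains each record to its predecessor with an HMAC, so that a record that is altered, reordered or removed no longer verifies. The AuditTrail class, the verify_chain function, the signing key and the sample events are assumptions made for the example.

```python
"""Audit trail entries (7.1) that cannot be altered unnoticed (7.3).

Added example; not Remio's logging code. Each record carries the six fields
policy 7.1 requires and is chained to its predecessor with an HMAC, so
changing, reordering or removing an entry is detected on verification.
The key is generated here so the example runs offline; in practice it
belongs to the log collector, not to the hosts being audited.
"""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64   # prev_mac of the first record


def compute_mac(record: dict, key: bytes) -> str:
    """HMAC over a canonical JSON form of every field except the MAC itself."""
    body = {k: v for k, v in record.items() if k != "mac"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class AuditTrail:
    def __init__(self, key: Optional[bytes] = None) -> None:
        # Assumption: supplied by the collector; random here for the example.
        self.key = key or secrets.token_bytes(32)
        self._records: list[dict] = []

    def record(self, user_id: str, event_type: str, success: bool,
               origin: str, target: str, when: Optional[datetime] = None) -> dict:
        """Append one entry with the fields required by 7.1."""
        entry = {
            "seq": len(self._records),
            "user_id": user_id,            # user identification
            "event_type": event_type,      # type of event
            # date and time, in UTC from a synchronized clock (7.2)
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "success": success,            # success or failure indication
            "origin": origin,              # origination of event
            "target": target,              # affected data, component or resource
            "prev_mac": self._records[-1]["mac"] if self._records else GENESIS,
        }
        entry["mac"] = compute_mac(entry, self.key)
        self._records.append(entry)
        return entry

    def export(self) -> list[dict]:
        return [dict(r) for r in self._records]


def verify_chain(records: list[dict], key: bytes,
                 expected_tail_mac: Optional[str] = None) -> tuple[bool, int]:
    """Return (ok, index of the first bad record, or -1).

    The chain alone cannot see records dropped from the end, so the collector
    should also remember the MAC of the last record it received and pass it
    as expected_tail_mac.
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("seq") != i or rec.get("prev_mac") != prev:
            return False, i
        if not hmac.compare_digest(compute_mac(rec, key), rec.get("mac", "")):
            return False, i
        prev = rec["mac"]
    if expected_tail_mac is not None and prev != expected_tail_mac:
        return False, len(records)
    return True, -1


if __name__ == "__main__":
    # Constructed events, not real log data.
    trail = AuditTrail()
    trail.record("alice", "login", True, "10.0.0.5", "vpn-gateway")
    trail.record("root", "sudo", True, "10.0.0.5", "db-01")
    trail.record("bob", "login", False, "203.0.113.9", "vpn-gateway")
    records = trail.export()
    print(verify_chain(records, trail.key))           # (True, -1)
    records[1]["user_id"] = "nobody"                  # attempt to hide the root access
    print(verify_chain(records, trail.key))           # (False, 1)
```

Chaining makes tampering detectable, not impossible: an administrator who holds the key can rewrite the chain. That is why the key should live with the collector and the records should leave the audited host promptly (write-once storage or a forwarder to the SIEM), which is also what makes the three-month "immediately available" window in 7.4 practical.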

7.4 Audit trail history must be retained for at least one year, with a minimum of three months immediately available for analysis.

Section 8: Maintain a policy that addresses information security for employees and contractors

8.1 This Information Security Policy must be established, published, maintained, and disseminated. This policy must be reviewed at least once a year and updated when the environment changes.

8.2 A formal risk assessment that identifies threats and vulnerabilities must be conducted at least annually.

8.3 Daily operational security procedures must be developed and implemented.

8.4 Usage policies for critical employee-facing technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, personal data/digital assistants (PDAs), e-mail usage and Internet usage) must be developed and implemented to define proper use of these technologies for all employees and contractors.

8.5 Security policies and procedures must clearly define information security responsibilities for all personnel.

8.6 An individual or team must be assigned the following information security management responsibilities:

  • Establish, document, and distribute security policies and procedures.

  • Monitor and analyze security alerts and information, and distribute to appropriate personnel.

  • Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.

  • Administer user accounts, including additions, deletions, and modifications.

  • Monitor and control all access to data.

8.7 A formal security awareness program must be implemented to make all personnel aware of the importance of customer data security and include:

  • Educate personnel upon hire and at least annually.

  • Require personnel to acknowledge at least annually that they have read and understood the company’s security policy and procedures.

8.8 Potential personnel must be screened prior to hire to minimize the risk of attacks from internal sources.

8.9 Implement an Incident Response Plan and be prepared to respond immediately to a system breach.

8.10 All employees must enable full-disk encryption on their work computers.

8.11 All employee & contractor access is revoked within 3 business days of termination.

Definitions

Demilitarized zone (DMZ) is the physical or logical sub-network that provides an additional layer of security to an organization’s internal private network. The DMZ adds an additional layer of network security between the Internet and an organization’s internal network so that external parties only have direct connections to devices in the DMZ rather than the entire internal network.

Risk assessment is a process that identifies valuable system resources and threats; quantifies loss exposures (that is, loss potential) based on estimated frequencies and costs of occurrence; and (optionally) recommends how to allocate resources to countermeasures so as to minimize total exposure.

Sensitive Customer Data is client-owned data requiring additional protection due to contractual agreements, client requests or regulatory compliance requirements.

Stateful inspection also called “dynamic packet filtering,” is a firewall capability that provides enhanced security by keeping track of communications packets. Only incoming packets with a proper response (“established connections”) are allowed through the firewall.

System component is any network component, server, or application included in or connected to the production environment.

Two-factor authentication is a method of authenticating a user whereby two or more factors are verified. Two-factor authentication requires that two of the three following factors are used for authentication. Using one factor twice (for example, using two separate passwords) is not considered two-factor authentication.

  1. Something you know, such as a password or passphrase

  2. Something you have, such as a token device or smart card

  3. Something you are, such as a biometric

Approval

This policy has been approved by Remio’s CEO, Jos van der Westhuizen.

Signed pdf.