Information Security Policy
1. PURPOSE
The purpose of this Policy is to safeguard information belonging to CloudCard and its stakeholders (including third parties, clients or customers and the general public), within a secure environment.
This Policy informs CloudCard’s staff and other individuals entitled to use CloudCard facilities of the principles governing the holding, use and disposal of information.
Partnership with Amazon Web Services:
CloudCard uses Amazon Web Services (“AWS”) to deliver a premium software as a service experience to its customers. AWS built their entire product suite with security as the highest priority. They are the clear market leader and are poised to maintain this position indefinitely. All of the servers used by CloudCard are hosted in secure AWS facilities. Therefore, we rely heavily on the environment security best practices the AWS management team has established and maintained for their products and services. As a result, we will frequently reference AWS audits, whitepapers, and reports in this Security Policy. CloudCard takes every reasonable measure to follow the configuration best practices set forth by AWS for their products and services.
It is the goal of CloudCard that:
Information will be protected against unauthorized access or misuse.
Confidentiality of information will be secured.
Integrity of information will be maintained.
Availability of information / information systems is maintained for service delivery.
Business continuity planning processes will be maintained.
Regulatory, contractual and legal requirements will be complied with.
Physical, logical, environmental and communications security will be maintained.
Infringement of this Policy may result in disciplinary action or criminal prosecution.
When information is no longer of use, it is disposed of in a suitable manner.
All information security incidents will be reported to the Managing Director and investigated through the appropriate management channel. These reports will be brought to the Product Owner in order to address the current problem and devise a new plan.
Information relates to:
Electronic information systems (software, computers, and peripherals) owned by CloudCard whether deployed or accessed on or off campus.
CloudCard’s computer network, both in the cloud and on campus.
Hardware, software and data owned by CloudCard.
Paper-based materials.
Electronic recording devices (i.e. camera systems).
Customer data obtained by CloudCard.
2. INFORMATION & SECURITY OBJECTIVES
CloudCard’s information security policy has a simple objective: keep our information and data secure. We will accomplish this through the use of the CIA Triad:
Confidentiality - data and information are protected from unauthorized access
Integrity - Data is intact, complete and accurate
Availability - IT systems are available when needed
3. DATA SENSITIVITY & CLASSIFICATIONS
Data is classified in CloudCard based on its sensitivity. This helps CloudCard manage what type of data authorized employees are able to access.
3.1 Access control handles what level of access and type of authority certain individuals have over information. There are three levels of data:
Level 1 - information that’s available to the general public
Level 2 - data shared with CloudCard that may or may not be publicly accessible. Disclosure of this information would not cause material harm.
Level 3 - data shared with CloudCard that is not publicly accessible and may result in a moderate level of risk if disclosed in error. This type of data includes PII.
3.2 CloudCard will take every reasonable precaution to protect customer data from potential threats. Likewise, AWS has taken extensive measures to certify the information security of their environment.
4. AUTHORIZED USERS OF INFORMATION SYSTEMS
In order for the information and security policy to be effective, CloudCard must determine who has the authority to decide what data can and cannot be shared. CloudCard requires all users to exercise a duty of care in relation to the operation and use of its information systems.
4.1 With the exception of information published for public consumption, all users of CloudCard information systems must be formally authorized by appointment as a member of staff or by other process specifically authorized by the Product Owner. Authorized users will be in possession of a unique user identity. Any password associated with a user identity must be strong and must not be disclosed to any other person. Authorized personnel must use multi-factor authentication to access any AWS services.
Password requirements are strict for access to Level 2 and Level 3 data. Passwords must include an uppercase letter, a lowercase letter, a special character, and a number, and must be at least 16 characters long. Multi-factor authentication is needed to access Level 2 and Level 3 data.
All employees are contractually bound through non-disclosure agreements, vetted through background checks, and required to complete security awareness training if their job allows access to any customer data.
4.2 Authorized users will pay due care and attention to protect CloudCard information in their personal possession. Confidential, personal or private information must not be copied or transported without consideration of:
permission of the information owner
the risks associated with loss or falling into the wrong hands
how the information will be secured during transport and at its destination.
4.3 Authorized users of information systems are not given rights of privacy in relation to their use of CloudCard information systems. Duly authorised officers of CloudCard may access or monitor personal data contained in any CloudCard information system (mailboxes, web access logs, file-store etc).
Background checks must be completed for employees who have access to any customer data.
4.4 Individuals in breach of this policy are subject to disciplinary procedures at the instigation of the Manager with responsibility for the relevant information system, including referral to the Police where appropriate. CloudCard will take legal action to ensure that its information systems are not used by unauthorised persons.
5. DATA SUPPORTS AND OPERATIONS
In order to ensure sensitive data is handled with care and responsibility, CloudCard must determine how the different levels of data will be handled. The following components make up our comprehensive approach:
5.1 CloudCard will abide by strict data protection regulations.
Photos and Supporting Documents are encrypted at rest using Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3); each object is encrypted with a unique key. As an additional safeguard, the key itself is encrypted with a master key that is regularly rotated. The server-side encryption uses 256-bit Advanced Encryption Standard (AES-256) to encrypt all data. For more information, see Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3).
All photo metadata stored at rest in the underlying storage is encrypted using the AES-256 encryption algorithm, as are all automated backups, read replicas, and snapshots.
Photos, photo metadata, and supporting documents are encrypted in transit using HTTPS, and clients are required to support TLS 1.2 encryption or higher.
All data is securely deleted using the techniques detailed in or NIST 800-88 (“Guidelines for Media Sanitization”) as part of the decommissioning process. Refer to AWS Overview of Security Processes Whitepaper for additional details - available at http://aws.amazon.com/security
CloudCard adheres to industry best practices in regards to data protection, following the recommendations set forth by Amazon Web Services (see AWS Security Best Practices).
All CloudCard servers enable automatic minor and patch updates during weekly update windows.
5.2 CloudCard adheres to strict backup requirements through the use of Amazon Web Services tools and controls.
CloudCard uses the premium database product from AWS, Amazon Aurora Database, which makes six copies of the data and distributes them across 3 different availability zones, continuously backed up to S3.
Real time backups are available to customers upon request.
CloudCard is prepared to use a “pilot light” to keep a minimal version of an environment running in the cloud, should a disaster occur (see Business Continuity Plan).
Infrastructure elements for the pilot light itself include our Amazon RDS database servers, which are replicated to a different availability zone using a multi-AZ deployment, as well as our Amazon S3 files, which are replicated across availability zones to preserve data (see Business Continuity Plan).
5.3 Amazon Web Services complies with strict data protection best practices. The certifications and audits are outlined below:
Amazon Web Services compliance documents
6. SECURITY AWARENESS TRAINING
The best security plan in the world is useless if no one follows it. Staff must understand exactly what is required of them in order to ensure the Information Security Policy is followed when working with customer data.
6.1 Employees will undergo security awareness training.
All employees of CloudCard LLC will attend security awareness training to ensure the proper handling of sensitive data and information. After completing their awareness training, all employees must sign the Security Awareness Training form, verifying their participation and commitment to follow best practices in regards to security and information.
Employees will be trained on social engineering scams. They will learn how to identify phishing, spear phishing, and other popular social engineering cyber attacks.
Employees will be trained on a clean desk policy. When an employee leaves work for the day, their desk should be clean. There should be no sensitive documents left on their desk when they leave.
6.2 An Information Security Policy can only be implemented if it’s understood by the parties who are required to follow the policy.
Basic understanding of the Information Security Policy training will be reviewed annually to support comprehension.
The Product Owner will review this policy annually and the Managing Director will ensure all personnel are properly applying and adhering to it.
7. RESPONSIBILITIES AND DUTIES OF EMPLOYEES
CloudCard has appointed the Product Owner to oversee the maintenance of the Information Security Policy. The Product Owner has direct responsibility for providing guidance and advice on its implementation. The Managing Director is responsible for the implementation of the Information Security Policy.
7.1 Employees understand and agree to the following:
Participation in the annual review of the Information Security Policy
Participation in the annual review of the Business Continuity Plan
Participation in the annual review of the Disaster Recovery Plan
Participation in the annual review of the Data Breach Response Plan
Reporting all information vulnerabilities or threats to the Managing Director
7.2 CloudCard realizes that the information security policy must be operationalized in order to be effective. Therefore, it has appointed the Managing Director to implement and ensure the policy is followed by employees. The Managing Director will ensure the following:
Annual review of the Information Security Policy
Annual review of the Business Continuity Plan
Annual review of the Disaster Recovery Plan
Annual review of the Data Breach Response Plan
Employee correction and review when the policy is not followed.
7.3 The CloudCard Product Owner is required to ensure the following:
Systems are adequately protected from unauthorised access.
Systems are secured against theft and damage to a level that is cost-effective.
Adequate steps are taken to ensure the availability of the information system, commensurate with its importance (Business Continuity).
Electronic data can be recovered in the event of loss of the primary source, i.e. failure or loss of a computer system. It is incumbent on all system owners to back up data and to be able to restore data to a level commensurate with its importance (see Disaster Recovery Plan).
Data is maintained with a high degree of accuracy.
Systems are used for their intended purpose and procedures are in place to rectify discovered or notified misuse.
Any electronic access logs are only retained for a justifiable period to ensure compliance with the data protection, investigatory powers and freedom of information acts.
Any third parties entrusted with CloudCard data understand their responsibilities with respect to maintaining its security.
Risk assessments are performed and documented on an annual basis.
Web server access and error logs are reviewed for anomalies that could indicate a compromise.