company_application_and_data_security
Differences
company_application_and_data_security [2018/08/16 14:44] – [Vulnerability management] lucy | company_application_and_data_security [2018/08/16 15:49] – [Roles and responsibilities] lucy | ||
Line 5: | Line 5: | ||
==== Organization of Risk & Information Security ==== | ==== Organization of Risk & Information Security ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
- | | Is there a comprehensive, | + | | Is there a comprehensive, |
| Are the policies communicated to all individuals with access to IT systems or access to tenants data? | yes | Personal information, | | Are the policies communicated to all individuals with access to IT systems or access to tenants data? | yes | Personal information, | ||
| Is there a comprehensive, | | Is there a comprehensive, | ||
| Is a risk management process implemented dealing with the periodical identification, | | Is a risk management process implemented dealing with the periodical identification, | ||
- | | Is a periodic assessment conducted of how well the security policies and procedures are respected within the company? | partialy | + | | Is a periodic assessment conducted of how well the security policies and procedures are respected within the company? | partialy | We have two roles DPO & CSRO (chief sec and risk officer). There' |
==== Allocation of information security responsibilities ==== | ==== Allocation of information security responsibilities ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Do you have a dedicated person or team that is formally chartered with responsibility for information security? | yes | dpo at lucysecurity dot com | | | Do you have a dedicated person or team that is formally chartered with responsibility for information security? | yes | dpo at lucysecurity dot com | | ||
==== Allocation of IT risk management responsibilities ==== | ==== Allocation of IT risk management responsibilities ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
- | | Do you have a dedicated person or team that is formally chartered with responsibility for IT risk management? | yes | see above | | + | | Do you have a dedicated person or team that is formally chartered with responsibility for IT risk management? | yes | dpo at lucysecurity dot com | |
==== Security Audits ==== | ==== Security Audits ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Do you regularly conduct internal/ | | Do you regularly conduct internal/ | ||
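Review bot: the new comment on the periodic-assessment row (answered "partialy") names two roles, DPO and CSRO, but says nothing about what the periodic assessment is, how often it runs or who receives its result, so the row still does not explain what the "partial" covers; state the assessment cadence and what is currently missing. Minor: the Response column spells "partialy" here and "partially" in later sections; pick one spelling. Replacing "see above" with the DPO contact on the IT risk management row is a good change, since each table is read on its own.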
Line 33: | Line 33: | ||
==== Physical entry controls ==== | ==== Physical entry controls ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Is physical access to buildings that house critical IT facilities restricted to authorized individuals? | | Is physical access to buildings that house critical IT facilities restricted to authorized individuals? | ||
==== Policy for DC and IT System access ==== | ==== Policy for DC and IT System access ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Are policies and procedures implemented to specify proper use of and access to IT systems and network components. | yes | Access to Routers / Network components is only possible through a separate VPN network. Authentication on Firewalls / Routers is only possible through SSH-Key. All Logs are stored on an separate logging device, all configuration changes are monitored, saved and alerted. Physical Access is only possible for certified network admins. | | | Are policies and procedures implemented to specify proper use of and access to IT systems and network components. | yes | Access to Routers / Network components is only possible through a separate VPN network. Authentication on Firewalls / Routers is only possible through SSH-Key. All Logs are stored on an separate logging device, all configuration changes are monitored, saved and alerted. Physical Access is only possible for certified network admins. | | ||
==== Secure disposal or re-use of IT equipment ==== | ==== Secure disposal or re-use of IT equipment ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Is a secure decommissioning process in place? (E.g. wiping data from old hard drives, secure deletion of network configurations from routers.) | yes | We don't apply secure deletion. When applying dedicated deletion orders it is done with an overwrite routine using shred (Linux Software). | | | Is a secure decommissioning process in place? (E.g. wiping data from old hard drives, secure deletion of network configurations from routers.) | yes | We don't apply secure deletion. When applying dedicated deletion orders it is done with an overwrite routine using shred (Linux Software). | | ||
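Review bot: the decommissioning row answers "yes" but its comment opens with "We don't apply secure deletion", which reads as a direct contradiction; either change the response to "partially" or reword the comment to say that secure deletion is performed on request using shred. Two caveats the comment should also cover: an overwrite with shred is only reliable on magnetic disks and non-journaling filesystems (the shred manual says so itself), so SSDs and journaled volumes need cryptographic erase or physical destruction instead, and the question also asks about removing network configuration from retired routers, which the comment does not address.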
Line 50: | Line 50: | ||
==== Roles and responsibilities ==== | ==== Roles and responsibilities ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
- | | Are security roles and responsibilities of employees defined and documented? | yes | CSRO, Chief security and risk officer - is assigned (forgot him, sorry) | + | | Are security roles and responsibilities of employees defined and documented? | yes | A member of the top management. |
==== Security awareness of LUCY staff ==== | ==== Security awareness of LUCY staff ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Is staff made aware of the key elements of information security and why it is needed (i.e. segregation of duties, need to know)? | yes | All staff that has any relation to the software code and our infrastructure (software engineers, QA engineers, support engineers, system admins, etc) pass internal information security courses. | | | Is staff made aware of the key elements of information security and why it is needed (i.e. segregation of duties, need to know)? | yes | All staff that has any relation to the software code and our infrastructure (software engineers, QA engineers, support engineers, system admins, etc) pass internal information security courses. | | ||
| Are service administrators properly educated on their responsibilities with regard to security? | yes | All employees are getting internal lesson on cyber security and passing security courses that include basic vulnerabilities overview, penetration technologies, | | Are service administrators properly educated on their responsibilities with regard to security? | yes | All employees are getting internal lesson on cyber security and passing security courses that include basic vulnerabilities overview, penetration technologies, | ||
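Review bot: the revised comment on the roles row, "A member of the top management.", is vaguer than the text it replaces and drops the CSRO title that the same revision introduces in the Organization section above; name the role (and where the responsibility assignment is documented) so the two sections agree. Removing "forgot him, sorry" was right, but note the question asks whether security roles are defined and documented for employees generally, not only for one executive.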
Line 63: | Line 63: | ||
==== Authentication ==== | ==== Authentication ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Which method is used to authenticate a user against the provided service (user ID/ | | Which method is used to authenticate a user against the provided service (user ID/ | ||
==== Access control policy ==== | ==== Access control policy ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Is the access to the service and data restricted to authorized individuals and based on an established access control policy? | yes | Physical access is protected with fingerprint in addition to an rfid key card and the keys of the rack. " | | Is the access to the service and data restricted to authorized individuals and based on an established access control policy? | yes | Physical access is protected with fingerprint in addition to an rfid key card and the keys of the rack. " | ||
| Do access control arrangements restrict access to only approved system capabilities? | | Do access control arrangements restrict access to only approved system capabilities? | ||
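Review bot: the access-control-policy row describes only physical controls (fingerprint, RFID card, rack keys), while the question is about logical access to the service and tenant data under a documented access control policy; the comment should also say how logical access is granted, reviewed and revoked, for example by referring to the user registration procedure described later on this page.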
Line 74: | Line 74: | ||
==== Data access ==== | ==== Data access ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
- | | Is a Data Loss Prevention System in use? Who has the ability to accesses tenant data? | no | No DLP System is in place and no alerting system is used | | + | | Is a Data Loss Prevention System in use? Who has the ability to accesses tenant data? | no | NO DLP System is in place and no alerting system is used at LUCYs promises |
==== Data integrity ==== | ==== Data integrity ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
- | | Are controls implemented to confirm that customer data has not been improperly altered or destroyed | yes | See above | | + | | Are controls implemented to confirm that customer data has not been improperly altered or destroyed | yes | NO DLP System is in place and no alerting system is used at LUCYs promises |
==== Password policy ==== | ==== Password policy ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
- | | Will the allocation of passwords be controlled through a formal password policy process? | partialy | + | | Will the allocation of passwords be controlled through a formal password policy process? | partialy | When chosing passwords they need to have more than 8 characters and they must be a mix of capital/ |
==== User registration & management ==== | ==== User registration & management ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Is there a formal user registration and de-registration procedure in place for granting and revoking access to all systems and services and to tenants data? | yes | An engineer may obtain an access to a single tenants data only in case there is a need for maintenance, | | Is there a formal user registration and de-registration procedure in place for granting and revoking access to all systems and services and to tenants data? | yes | An engineer may obtain an access to a single tenants data only in case there is a need for maintenance, | ||
| Is a user management process in place (creation, revocation, provisioning and termination of rights, etc.)? | yes | After contract termination the LUCY Server Instance is safely reset. This is a built in and secure feature in LUCY Server. https:// | | Is a user management process in place (creation, revocation, provisioning and termination of rights, etc.)? | yes | After contract termination the LUCY Server Instance is safely reset. This is a built in and secure feature in LUCY Server. https:// | ||
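Review bot: the data-integrity row now answers "yes" with a comment copied from the DLP row stating that no DLP and no alerting system is in place, which contradicts the "yes"; integrity controls are a different question (checksums, database constraints, audit logging of changes), so either describe those or change the response to "no". In both rows "at LUCYs promises" should read "at LUCY's premises". On the password-policy row the response stays "partialy" while the comment now states the actual rule (minimum length and character mix); say which part of a formal policy is still missing, such as lockout, reuse or MFA requirements.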
Line 95: | Line 95: | ||
==== Session time-out ==== | ==== Session time-out ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Do inactive end-user sessions shut down after a defined period of inactivity? | yes | The end-user session terminates after 1 hour of inactivity | | | Do inactive end-user sessions shut down after a defined period of inactivity? | yes | The end-user session terminates after 1 hour of inactivity | | ||
Line 102: | Line 102: | ||
==== Alerting ==== | ==== Alerting ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Do you have an easily way for externals to report security vulnerabilities in your systems? | yes | Write a mail to support@lucysecurity.com or dpo@lucysecurity.com . Every employee needs to react as stated in the GDPR code of contact | | | Do you have an easily way for externals to report security vulnerabilities in your systems? | yes | Write a mail to support@lucysecurity.com or dpo@lucysecurity.com . Every employee needs to react as stated in the GDPR code of contact | | ||
==== Information about inappropriate access ==== | ==== Information about inappropriate access ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Will you share user entitlement remediation and certification reports with your tenants, if inappropriate access may have been allowed to tenant data? | yes | With a dedicated form, within 72 hours after discovery | | | Will you share user entitlement remediation and certification reports with your tenants, if inappropriate access may have been allowed to tenant data? | yes | With a dedicated form, within 72 hours after discovery | | ||
==== Notification of customers ==== | ==== Notification of customers ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Do you inform your customers about vulnerabilities in your products once you had a chance to address them, regardless of whether they were discovered internally, or reported to you? | yes | with a dedicated form and a direct mailing put in place already | | | Do you inform your customers about vulnerabilities in your products once you had a chance to address them, regardless of whether they were discovered internally, or reported to you? | yes | with a dedicated form and a direct mailing put in place already | | ||
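Review bot: "GDPR code of contact" on the vulnerability-reporting row should be "code of conduct". Beyond the typo, routing vulnerability reports to the general support mailbox puts them in the same queue as ordinary tickets; a dedicated security contact with a stated acknowledgement time would make the "easy way for externals" claim verifiable, and the 72-hour notification window in the following row could then be referenced from it.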
Line 119: | Line 119: | ||
==== Separation of development, | ==== Separation of development, | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Are development, | | Are development, | ||
==== Network hardening ==== | ==== Network hardening ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Is hardening for Firewalls and Routers performed? | yes | On all routers and firewalls, management access is only possible via VPN. There are separate users for monitoring and configuration. All configuration changes are automatically reported and saved. In general, all firewalls and routers only run SSH for management access and otherwise only the necessary routing processes such as BGP, OSPF or just the firewall software. | | | Is hardening for Firewalls and Routers performed? | yes | On all routers and firewalls, management access is only possible via VPN. There are separate users for monitoring and configuration. All configuration changes are automatically reported and saved. In general, all firewalls and routers only run SSH for management access and otherwise only the necessary routing processes such as BGP, OSPF or just the firewall software. | | ||
==== Operating system hardening ==== | ==== Operating system hardening ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Is a operating system hardening performed for all systems involved? | yes | OS is protected by internal firewall (iptables), SSH access keys are randomly generated, removed USB/ | | Is a operating system hardening performed for all systems involved? | yes | OS is protected by internal firewall (iptables), SSH access keys are randomly generated, removed USB/ | ||
==== Application Server hardening ==== | ==== Application Server hardening ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Is hardening performed for all relevant application server? | yes | App servers are hardened using common approaches: proper file permissions, | | Is hardening performed for all relevant application server? | yes | App servers are hardened using common approaches: proper file permissions, | ||
==== Database hardening ==== | ==== Database hardening ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Is hardening performed for all relevant database management systems? | yes | Only local connections are allowed and the system partially conforms to "CIS PostgreSQL 9.5" checklist (50% conformance), | | Is hardening performed for all relevant database management systems? | yes | Only local connections are allowed and the system partially conforms to "CIS PostgreSQL 9.5" checklist (50% conformance), | ||
==== Security Updates ==== | ==== Security Updates ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Is a process in place to install emergency patches outside of the regular patching schedule for security updates that address high-risk vulnerabilities? | | Is a process in place to install emergency patches outside of the regular patching schedule for security updates that address high-risk vulnerabilities? | ||
==== Vulnerability management ==== | ==== Vulnerability management ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Do you regularly perform penetration tests on all systems relevant to your service? | yes | We use various web application vulnerability scanners and OS security auditing tools (Burp Suite, OpenVAS, Lynis, Nessus). Even though we've done our own human-based penetration tests in the past we do not perform human-based penetration assessment on a regular basis. | | | Do you regularly perform penetration tests on all systems relevant to your service? | yes | We use various web application vulnerability scanners and OS security auditing tools (Burp Suite, OpenVAS, Lynis, Nessus). Even though we've done our own human-based penetration tests in the past we do not perform human-based penetration assessment on a regular basis. | | ||
| How often are penetration tests done for the above scope (on average)? | yes | LUCY software is not a classic SaaS Plattform or Software. We do not perform penetration tests on client production instances. We release new Major updates of the software every 1-2 months, the software is mostly distributed as a virtual appliance (VMWare ESXi or Amazon image) and the process of automated penetration testing is tied to the release process - we perform such testing on the final stage of the release lifecycle. The set of application versions and software configurations of the version we are going to roll out exactly corresponds to the state of all systems after they migrate to the new version. For example, we are preparing version 5.0 for release and run penetration tests against it, within a virtual appliance. After all tests passed and all vulnerabilities are closed, we release the update, which is distributed over all existing software installations on different servers. All existing installations switch their state (install all required packages, remove old ones, change configuration, | | How often are penetration tests done for the above scope (on average)? | yes | LUCY software is not a classic SaaS Plattform or Software. We do not perform penetration tests on client production instances. We release new Major updates of the software every 1-2 months, the software is mostly distributed as a virtual appliance (VMWare ESXi or Amazon image) and the process of automated penetration testing is tied to the release process - we perform such testing on the final stage of the release lifecycle. The set of application versions and software configurations of the version we are going to roll out exactly corresponds to the state of all systems after they migrate to the new version. For example, we are preparing version 5.0 for release and run penetration tests against it, within a virtual appliance. 
After all tests passed and all vulnerabilities are closed, we release the update, which is distributed over all existing software installations on different servers. All existing installations switch their state (install all required packages, remove old ones, change configuration, | ||
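Review bot: the frequency row answers "yes" to a question that asks for a cadence; from the comment the accurate value is "at every major release, every 1-2 months, automated scanning only", and that should be the response. The preceding row should likewise be "partially", since vulnerability scanners (Burp Suite, OpenVAS, Lynis, Nessus) are not penetration tests and the comment itself states that human-based tests are not performed regularly. For the database row, "50% conformance" with the CIS PostgreSQL 9.5 checklist says little without listing which checks fail; attach the benchmark report or the failing control IDs.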
Line 155: | Line 155: | ||
==== Security incident detection and correlation ==== | ==== Security incident detection and correlation ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Does your infrastructure include a capability for security incident detection e.g. file integrity (host) and network intrusion detection (IDS) tools? | partially | These tools are used on infrastructure servers. Workstation installations do not have file integrity or IDS tools installed. | | | Does your infrastructure include a capability for security incident detection e.g. file integrity (host) and network intrusion detection (IDS) tools? | partially | These tools are used on infrastructure servers. Workstation installations do not have file integrity or IDS tools installed. | | ||
==== Protection of data storage media ==== | ==== Protection of data storage media ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Is tenets data held on data storage media (including magnetic tapes, disks, printed results, and stationery) protected against corruption, loss or disclosure? | yes | Tenants data is entirely stored on a disk on the server, and the only measure against data loss we perform _by default_ is a local daily database backup, which can help to prevent minor data loss. As an additional measure, we can set up RAID0 or RAID5 array, which can add an additional layer of protection against data loss or corruption. There is no access to other storage media from the server. The information in DB is encrypted using AES-256 (so it's stored int he encrypted form) and the key is built into the application, | | Is tenets data held on data storage media (including magnetic tapes, disks, printed results, and stationery) protected against corruption, loss or disclosure? | yes | Tenants data is entirely stored on a disk on the server, and the only measure against data loss we perform _by default_ is a local daily database backup, which can help to prevent minor data loss. As an additional measure, we can set up RAID0 or RAID5 array, which can add an additional layer of protection against data loss or corruption. There is no access to other storage media from the server. The information in DB is encrypted using AES-256 (so it's stored int he encrypted form) and the key is built into the application, | ||
==== Malware/ Defacement ==== | ==== Malware/ Defacement ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Are controls in place to protect the service and our tenants from malware? | yes | Infrastructure servers have anti-malware software installed. | | | Are controls in place to protect the service and our tenants from malware? | yes | Infrastructure servers have anti-malware software installed. | | ||
==== Security gateways ==== | ==== Security gateways ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Is network traffic routed through security gateways like web application firewalls or reverse proxies, prior to being allowed access to target service? | partially | WAFs and reverse proxies are used on infrastructure servers, though that is not the case on workstation installations. | | | Is network traffic routed through security gateways like web application firewalls or reverse proxies, prior to being allowed access to target service? | partially | WAFs and reverse proxies are used on infrastructure servers, though that is not the case on workstation installations. | | ||
==== Data encryption ==== | ==== Data encryption ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Do you encrypt tenant data in storage and server side? | yes | Data is encrypted using AES-256. The application server gets data over HTTP/ | | Do you encrypt tenant data in storage and server side? | yes | Data is encrypted using AES-256. The application server gets data over HTTP/ | ||
==== Network encryption ==== | ==== Network encryption ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Do you encrypt tenant data in transit (network - e.g. TLS)? | yes | The system uses TLSv1.1+ | | | Do you encrypt tenant data in transit (network - e.g. TLS)? | yes | The system uses TLSv1.1+ | | ||
==== Logging & Monitoring ==== | ==== Logging & Monitoring ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Are a process and audit trails in place to monitor and record exceptions and other security-relevant events to assist in investigations and in access control monitoring? | yes | All actions are monitored and logged in order to help investigating any incidents. | | | Are a process and audit trails in place to monitor and record exceptions and other security-relevant events to assist in investigations and in access control monitoring? | yes | All actions are monitored and logged in order to help investigating any incidents. | | ||
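Review bot: the storage-media row offers RAID0 as protection against data loss, but RAID0 is striping with no redundancy, so one failed disk loses the whole volume; only mirrored or parity levels (RAID1, RAID5, RAID6, RAID10) add protection, and none of them replaces the daily backup. The same row states that the AES-256 key is built into the application, which means anyone holding the appliance image also holds the key; the comment should say so plainly and state whether the key can be changed per installation. On the network-encryption row, TLS 1.1 has been deprecated (RFC 8996), so the stated minimum should be TLS 1.2.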
Line 192: | Line 192: | ||
==== Data input and output validation ==== | ==== Data input and output validation ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Do you provide secure software development training to your engineers, that teaches them about common threats and counter measures related to the software they are writing? | yes | Software engineers are trained to avoid OWASP top 10 vulnerabilitiesl identify any existing vulnerabilities and mitigate them during the software development. | | | Do you provide secure software development training to your engineers, that teaches them about common threats and counter measures related to the software they are writing? | yes | Software engineers are trained to avoid OWASP top 10 vulnerabilitiesl identify any existing vulnerabilities and mitigate them during the software development. | | ||
==== Use of productive Data for test purpose ==== | ==== Use of productive Data for test purpose ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Will you use tenant data for testing purposes? | no | | | | Will you use tenant data for testing purposes? | no | | | ||
==== Data input and output validation ==== | ==== Data input and output validation ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Are data input and output integrity routines (i.e., reconciliation and edit checks) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data? | yes | Build in validations in the application | | | Are data input and output integrity routines (i.e., reconciliation and edit checks) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data? | yes | Build in validations in the application | | ||
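Review bot: the heading "Data input and output validation" appears twice in this hunk; the first instance covers secure development training and should be retitled accordingly. Typo on that row: "vulnerabilitiesl identify" should read "vulnerabilities, identify". "Build in validations" on the last row should be "Built-in validation".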
Line 209: | Line 209: | ||
==== Plans and procedures ==== | ==== Plans and procedures ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Has the provider a defined and documented method for coping with a business continuity situation? | no | The software has not mission criticality for the business | | | Has the provider a defined and documented method for coping with a business continuity situation? | no | The software has not mission criticality for the business | | ||
==== Plans and procedures ==== | ==== Plans and procedures ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Has the provider implemented, | | Has the provider implemented, | ||
==== Data and production recovery ==== | ==== Data and production recovery ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
| Is the data security ensured by redundant systems? | no | The software has not mission criticality for the business | | | Is the data security ensured by redundant systems? | no | The software has not mission criticality for the business | | ||
==== Crisis management ==== | ==== Crisis management ==== | ||
- | ^ Questions ^ Response ^ Supplier | + | ^ Questions ^ Response ^ Comments ^ |
- | | Does the provider have an emergency and crisis management with defined contact people? | yes | It's in LUCYs Management Handbook Security Policy. Paragraph xx. | | + | | Does the provider have an emergency and crisis management with defined contact people? | yes | It's in LUCYs Management Handbook Security Policy. | |
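Review bot: removing "Paragraph xx." from the crisis-management row drops the placeholder without replacing it, so the answer still does not say where in the Management Handbook Security Policy the contact people are defined; cite the actual section or keep a visible TODO. Also the heading "Plans and procedures" is used for two consecutive sections, and the comment "The software has not mission criticality for the business" justifies a "no" on continuity and redundancy while the storage-media section above describes backup and RAID measures for tenant data; the two should be reconciled, since the software may be non-critical for LUCY but tenant data still needs a stated recovery expectation.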
company_application_and_data_security.txt · Last modified: 2021/09/01 15:11 by lucy