company_application_and_data_security

company_application_and_data_security [2019/03/06 13:14] lucycompany_application_and_data_security [2021/09/01 15:11] (current) lucy
Line 11: Line 11:
 | Is a risk management process implemented dealing with the periodical identification, valuation of risks and the implementation of mitigation controls? | yes | It's in Management Handbook Security Policy. Each employee is encouraged to report risks. This applies in particular to IT and Cyber risks. A risk catalog is kept. At least once a year a risk assessment is carried out. The obligation is with the DPO / Chief Security and Risk Officer. | | Is a risk management process implemented dealing with the periodical identification, valuation of risks and the implementation of mitigation controls? | yes | It's in Management Handbook Security Policy. Each employee is encouraged to report risks. This applies in particular to IT and Cyber risks. A risk catalog is kept. At least once a year a risk assessment is carried out. The obligation is with the DPO / Chief Security and Risk Officer. |
 | Is a periodic assessment conducted of how well the security policies and procedures are respected within the company? | partially | We have two roles DPO & CSRO (chief sec and risk officer). There's a regularity done by the CSRO himself. . | | Is a periodic assessment conducted of how well the security policies and procedures are respected within the company? | partially | We have two roles DPO & CSRO (chief sec and risk officer). There's a regularity done by the CSRO himself. . |
 +
 +
 +
 +
  
 ==== Allocation of information security responsibilities ==== ==== Allocation of information security responsibilities ====
Line 58: Line 62:
 | Is staff made aware of the key elements of information security and why it is needed (i.e. segregation of duties, need to know)? | yes | All staff that has any relation to the software code and our infrastructure (software engineers, QA engineers, support engineers, system admins, etc) pass internal information security courses. | | Is staff made aware of the key elements of information security and why it is needed (i.e. segregation of duties, need to know)? | yes | All staff that has any relation to the software code and our infrastructure (software engineers, QA engineers, support engineers, system admins, etc) pass internal information security courses. |
 | Are service administrators properly educated on their responsibilities with regard to security? | yes | All employees are getting an internal lesson on cybersecurity and passing security courses that include basic vulnerabilities overview, penetration technologies, mitigation methods, etc. It is an internal training based on the one-to-one introduction and a combination of Webinars / Practical Laboratory courses using Kali Linux. | | Are service administrators properly educated on their responsibilities with regard to security? | yes | All employees are getting an internal lesson on cybersecurity and passing security courses that include basic vulnerabilities overview, penetration technologies, mitigation methods, etc. It is an internal training based on the one-to-one introduction and a combination of Webinars / Practical Laboratory courses using Kali Linux. |
 +
 +
 +==== Security Policies for LUCY staff ====
 +
 +LUCY employees must agree to the policy at the time they start work on the following topics:
 +
 +  - Responsibility in safe data handling
 +  - Secure Traveling
 +  - Reporting Security Incidents
 +  - Workplace conduct
 +  - Use of email and awareness against cyber risks
 +  - Internet use
 +  - Using passwords
 +  - Data Classification
 +  - Protection from social engineering
 +  - Social Networking
 +  - Virus protection
 +  - Hardware and software measures
 +  - Violation of protective measures and reporting obligation
  
 ===== Identity and Access Management ===== ===== Identity and Access Management =====
Line 114: Line 137:
 ^ Questions ^ Response ^ Comments ^ ^ Questions ^ Response ^ Comments ^
 | Do you inform your customers about vulnerabilities in your products once you had a chance to address them, regardless of whether they were discovered internally, or reported to you? | yes | with a dedicated form and a direct mailing put in place already | | Do you inform your customers about vulnerabilities in your products once you had a chance to address them, regardless of whether they were discovered internally, or reported to you? | yes | with a dedicated form and a direct mailing put in place already |
 +
 +==== Vulnerability Rating====
 +Our vulnerabilities are rated based on CVSS standard (https://www.first.org/cvss/v3-1/cvss-v31-user-guide_r1.pdf)
  
 ===== Operations Management and Security Controls ===== ===== Operations Management and Security Controls =====
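Review bot: the heading `+==== Vulnerability Rating====` is missing the space before the closing `====` that every other heading on the page has (`==== Allocation of information security responsibilities ====`); suggest `==== Vulnerability Rating ====`. The sentence below it has no terminating period, and since the link points at the CVSS v3.1 user guide, "rated based on CVSS standard" would be clearer as "rated using the CVSS v3.1 standard".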
Line 152: Line 178:
 | Do you regularly perform penetration tests on all systems relevant to your service? | yes | We use various web application vulnerability scanners and OS security auditing tools (Burp Suite, OpenVAS, Lynis, Nessus). Even though we've done our own human-based penetration tests in the past we do not perform human-based penetration assessment on a regular basis. | | Do you regularly perform penetration tests on all systems relevant to your service? | yes | We use various web application vulnerability scanners and OS security auditing tools (Burp Suite, OpenVAS, Lynis, Nessus). Even though we've done our own human-based penetration tests in the past we do not perform human-based penetration assessment on a regular basis. |
 | How often are penetration tests done for the above scope (on average)? | yes | LUCY software is not a classic SaaS Plattform or Software. We do not perform penetration tests on client production instances. We release new Major updates of the software every 1-2 months, the software is mostly distributed as a virtual appliance (VMWare ESXi or Amazon image) and the process of automated penetration testing is tied to the release process - we perform such testing on the final stage of the release lifecycle. The set of application versions and software configurations of the version we are going to roll out exactly corresponds to the state of all systems after they migrate to the new version. For example, we are preparing version 5.0 for release and run penetration tests against it, within a virtual appliance. After all tests passed and all vulnerabilities are closed, we release the update, which is distributed over all existing software installations on different servers. All existing installations switch their state (install all required packages, remove old ones, change configuration, etc) to the state of the new version automatically, so all vulnerabilities closed on the pre-release stage will be closed on all tenants servers automatically. We never change anything on tenants servers directly. | | How often are penetration tests done for the above scope (on average)? | yes | LUCY software is not a classic SaaS Plattform or Software. We do not perform penetration tests on client production instances. We release new Major updates of the software every 1-2 months, the software is mostly distributed as a virtual appliance (VMWare ESXi or Amazon image) and the process of automated penetration testing is tied to the release process - we perform such testing on the final stage of the release lifecycle. 
The set of application versions and software configurations of the version we are going to roll out exactly corresponds to the state of all systems after they migrate to the new version. For example, we are preparing version 5.0 for release and run penetration tests against it, within a virtual appliance. After all tests passed and all vulnerabilities are closed, we release the update, which is distributed over all existing software installations on different servers. All existing installations switch their state (install all required packages, remove old ones, change configuration, etc) to the state of the new version automatically, so all vulnerabilities closed on the pre-release stage will be closed on all tenants servers automatically. We never change anything on tenants servers directly. |
 +| On what standards does LUCY perform Penetration tests? | Yes| OSSTMM https://www.isecom.org/OSSTMM.3.pdf |
  
 ==== Security incident detection and correlation ==== ==== Security incident detection and correlation ====
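Review bot: in the added row `+| On what standards does LUCY perform Penetration tests? | Yes| OSSTMM https://www.isecom.org/OSSTMM.3.pdf |`, the Response cell "Yes" does not answer a "what standards" question; either rephrase the question as a yes/no item ("Are penetration tests performed according to a recognised standard?") and keep OSSTMM in the Comments column, or drop the "Yes". The capitalised "Penetration tests" and the missing space before `|` after "Yes" also differ from the surrounding rows.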
Line 198: Line 225:
  
 ^ Questions ^ Response ^ Comments ^ ^ Questions ^ Response ^ Comments ^
-| Will you use tenant data for testing purposes? | no | |+| Will you use tenant data for testing purposes? | no | Using of tenant data is prohibited in test and development environments |
  
 ==== Data input and output validation ==== ==== Data input and output validation ====
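Review bot: the new Comments text in `| Will you use tenant data for testing purposes? | no | Using of tenant data is prohibited in test and development environments |` should read "Use of tenant data is prohibited in test and development environments"; it is also worth stating how that prohibition is enforced (for example, anonymised or synthetic data sets), since a bare "prohibited" is a policy statement rather than a control.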
Line 210: Line 237:
  
 ^ Questions ^ Response ^ Comments ^ ^ Questions ^ Response ^ Comments ^
-| Has the provider a defined and documented method for coping with a business continuity situation? | no The software has not mission criticality for the business |+| Has the provider a defined and documented method for coping with a business continuity situation? | yes There is a Business Continuity Plan |
  
 ==== Plans and procedures ==== ==== Plans and procedures ====
  
 ^ Questions ^ Response ^ Comments ^ ^ Questions ^ Response ^ Comments ^
-| Has the provider implemented, tested and documented a set of procedures and actions for a contingency situation? | no The software has not mission criticality for the business |+| Has the provider implemented, tested and documented a set of procedures and actions for a contingency situation? | yes There are tested and documented procedures for a contingency situations |
  
 ==== Data and production recovery ==== ==== Data and production recovery ====
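Review bot: both changed rows in this region are missing the `|` separator between the Response and Comments cells, so "yes There is a Business Continuity Plan" and "yes There are tested and documented procedures for a contingency situations" each render as a single cell under Response and the Comments column stays empty; suggest `| yes | There is a Business Continuity Plan |` and `| yes | There are tested and documented procedures for contingency situations |` (also dropping the stray "a" before the plural). The old rows had the same defect, so fixing it here is the natural moment.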
Line 231: Line 258:
  
 Please download our GDPR agreement {{ :gdpr_agreement.docx |here}} Please download our GDPR agreement {{ :gdpr_agreement.docx |here}}
 +
 +
 +==== Auftragsdatenverarbeitungsvertrag (German) ====
 +
 +Please download our Auftragsdatenverarbeitungsvertrag {{ ::auftragsverarbeitung.docx |here}}
  
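Review bot: the new link `{{ ::auftragsverarbeitung.docx |here}}` uses a double colon while the GDPR link two lines above uses a single one (`{{ :gdpr_agreement.docx |here}}`); DokuWiki normally collapses the empty namespace, but the two should be written the same way, so suggest `{{ :auftragsverarbeitung.docx |here}}`. A short English gloss in the heading (e.g. "Data Processing Agreement") would also help readers who do not know what an Auftragsdatenverarbeitungsvertrag is.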
company_application_and_data_security.1551874466.txt.gz · Last modified: 2019/07/25 12:52 (external edit)