About this document
This document describes the information security policy including, but not limited to, the following parts:
- Integrity, confidentiality and availability of the information
- Safeguarding of data, including:
  - provisions with respect to portable computers and media
  - provisions for the disposal of media
  - provisions for the disposal of equipment
- Safeguarding of applications
- Safeguarding of equipment
- Safeguarding of networks
- Threat of viruses
- Threat of intrusion
- Data classification system, categorizing data and the respective measures according to its importance
The terms used in this document are the following:
Confidentiality: Privacy or the ability to control or restrict access so that only authorized individuals can view sensitive information. One of the underlying principles of confidentiality is "need-to-know" or "least privilege". In effect, access to vital information should be limited only to those individuals who have a specific need to see or use that information.
Integrity: Information is accurate and reliable and has not been subtly changed or tampered with by an unauthorized party. Integrity includes:
- Authenticity: The ability to verify content has not changed in an unauthorized manner.
- Non-repudiation & Accountability: The origin of any action on the system can be verified and associated with a user.
Availability: Information and other critical assets are accessible to customers and the business when needed. Note that information is unavailable not only when it is lost or destroyed, but also when access to the information is denied or delayed.
Disposal: The process and outcome by which information, including information held on IT equipment, is irretrievably destroyed in a manner which maintains the security of the equipment and information during the process and up to the point of irretrievable destruction.
Equipment: equipment means all equipment purchased by or provided by Deiser to store or process information including but not necessarily limited to desktop computers, servers, printers, copiers, laptops, tablet computers, electronic notebooks, mobile telephones, digital recorders, cameras, USB sticks, DVDs, CDs and other portable devices and removable media.
Information: All information and data held or recorded electronically on equipment, or manually held or recorded on paper. For the purpose of this policy, the information held by Deiser can be split into two categories: non-sensitive and sensitive information. Sensitive information comprises all personal information and all confidential information, the loss of which would, or would be likely to, cause damage or distress to individuals or to Deiser. By default, all information is deemed to be sensitive unless specifically identified as otherwise.
Physical security: Defined as that part of security concerned with physical measures designed to safeguard equipment; to prevent unauthorized access to equipment, installations, material, and documents; and to safeguard against espionage, sabotage, damage, and theft.
HIDS: A host-based intrusion detection system (HIDS) is an intrusion detection system that monitors and analyzes the internals of a computing system. It monitors all or parts of the dynamic behavior and the state of a computer system. Besides activities such as dynamically inspecting network packets targeted at this specific host, a HIDS might detect which program accesses which resources and discover that, for example, a word processor has suddenly and inexplicably started modifying the system password database. One can think of a HIDS as an agent that monitors whether anything or anyone, whether internal or external, has circumvented the system's security policy.
NIDS: Network Intrusion Detection Systems (NIDS) are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. A NIDS analyzes the traffic passing on the entire subnet and matches it against a library of known attacks. Once an attack is identified, or abnormal behavior is sensed, an alert can be sent to the administrator. An example of a NIDS deployment is installing it on the subnet where the firewalls are located in order to see if someone is trying to break into the firewall. A NIDS is also capable of comparing the signatures of similar packets in order to link and drop detected harmful packets whose signature matches the records in the NIDS.
Integrity, confidentiality and availability of the information
First, regarding availability, there are two ways to interact with the data in Deiser's plugins. The first is by using a Database Management System (DBMS) to access the database node(s). The second is by using the Deiser plugins' interface.
Only selected Deiser employees use the DBMS to interact with the data. To manipulate the information in the database servers it is mandatory to be authenticated and authorized. The credentials are stored in the given MySQL instance, which is responsible for granting or denying access to the corresponding applicant. MySQL is also responsible for assuring the confidentiality of the sensitive data stored in the credential tables. One of our database administrators configures the permissions related to every account registered in the system. This is how we handle access control via the DBMS. There are strict rules to maintain the confidentiality of this information and to prevent our employees from sharing credentials or abusing them. It is important to remark that every employee has his/her own credentials for every environment, so we can audit every action performed on the platform, and when an employee leaves the company, policy dictates that these credentials must be disabled to avoid unauthorized access. In addition, we enforce a password expiration policy to ensure that if credentials are compromised, the attacker will at least not be able to use them indefinitely. Expiration is enforced every month.
Regarding access through the plugin interface, the communication between the front end and the backend is direct and made by SQL queries.
Safeguarding of the data
The plugins we provide in the Atlassian Marketplace are hosted in the cloud, specifically in DigitalOcean. All the data hosted in their data centers is under our control. In addition, DigitalOcean is certified under ISO/IEC 27018 (the code of practice for cloud privacy), ISO/IEC 27001 and SOC 1/2/3. This adherence provides transparency about policies regarding the return, transfer, and deletion of personal information stored in their datacenters.
Safeguarding of applications
In order to safeguard production applications, Deiser has a Continuous Integration Server that packages the software and runs tests over the generated binary. If all tests pass, that binary file is stored in a binaries server to which only the Continuous Integration Server (along with a small number of administrators) is allowed to write. Developers can read from that repository but they cannot write to it.
Regarding external libraries, Deiser proceeds in the same way: the Continuous Integration Server is the only one that can publish them, and they are only used after they have been analyzed by antivirus software and approved by the QA team. They are also read-only for developers and production environments.
Safeguarding of equipment
Regarding the physical safeguarding of the DigitalOcean datacenter equipment, Deiser holds no responsibility. DigitalOcean guarantees this safeguard.
Safeguarding of networks
There are two networks in Deiser. One for the employees which we will call internal and another for guests.
To access the internal network using WiFi or local Ethernet it is necessary to provide valid credentials recognized by the domain. To access the network via remote connectivity the employee must do the same. The VPN provides confidentiality, authentication and integrity by using SSL/TLS. Every device that wants to connect to this network must have its MAC address in the network's MAC whitelist.
To access the guest network the guest must provide the network password. The traffic is associated with the given MAC address. There is a quality of service policy implemented for this network so that every connected user can consume a maximum of 10 Mbps, and peer-to-peer traffic is not allowed.
Talking about the production environment network, we are using DigitalOcean. DigitalOcean networking provides the infrastructure necessary to securely connect VMs to one another and to connect on-site datacenters with DigitalOcean VMs. DigitalOcean blocks unauthorized traffic to and within DigitalOcean data centers, using a variety of technologies such as firewalls, partitioned local area networks (LANs), VPNs and the physical separation of back-end servers from public-facing interfaces.
Threat of viruses
In Deiser, every computer has McAfee VirusScan and AntiSpyware Enterprise antivirus software installed, which constantly protects against any malware type.
All Deiser staff are educated about viruses in the following ways:
- They are not allowed to use their own removable media storage devices.
- They must use the antivirus program to examine every file that comes from outside.
- They must not download from the Internet free software, demos and generally software that comes from a source other than the company's authorized providers.
- Software installation is strictly prohibited if unauthorized, including software acquired by the user. The installation of software and/or systems must only be performed by the Support department, as they will perform the technical tests of the installation as well as maintenance and backups.
For the production virtual machines allocated in the DigitalOcean cloud, a DigitalOcean service runs in the background, scanning and reporting to the system administrators.
Threat of intrusion
In order to prevent intrusion, Deiser uses the security systems provided by the cloud provider, DigitalOcean. It is necessary to identify yourself with valid credentials in order to access the cloud environment. DigitalOcean is able to monitor and report to the end user about intrusions by using their own HIDS and NIDS techniques.
All the machines and services (the complete set of Deiser's plugins) run on a private network provided by DigitalOcean. These private networks use encryption to prevent intrusion by external parties.
To prevent unauthorized access to our network from an employee's computer, computers in Deiser are configured so that after five minutes of inactivity the screen saver is activated and access to the computer is locked. It is necessary to enter the password again to resume activity.
In addition, everybody in the Deiser staff is educated on the following points:
- To lock their computer by pressing the Windows + L keys whenever absent from his/her post.
- To use equipment, applications, mail, etc., for professional activities and not for other purposes.
- Not to connect to the Deiser network any computers or portable network electronics owned by the employees.
- Not to use their own removable media storage devices.
- To use the antivirus program to examine every file that comes from outside.
- Not to download from the Internet free software, demos and generally software that comes from a source other than the company's authorized providers.
- Not to save their password in a readable form in disk files, and not to write passwords on paper and leave it in places where it can be found. If there is reason to believe that a password has been compromised, the password must be changed immediately. The system is configured with the following requirements:
  - New passwords cannot be equal to previous passwords used by that user.
  - Every 42 days, users must change their password.
  - Passwords have a minimum length of 7 characters, and they must contain at least one uppercase letter, one lowercase letter and one number.
- Software installation is strictly prohibited if unauthorized, including software legitimately acquired by the user. The Support department is the only one that can install software or systems, as they will perform the technical tests of the installation as well as maintenance and backups.
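The per-employee DBMS account lifecycle described under availability (individual credentials per environment, monthly expiration, credentials disabled when an employee leaves) together with the password requirements listed above, expressed as MySQL 8.0 configuration; this is an added illustration, not Deiser's own configuration. The account name, host range, schema name, history depth and lockout values are assumptions, and the expiration interval follows the monthly DBMS rule rather than the 42-day workstation rule.

```sql
-- Server-wide password rules (MySQL 8.0 validate_password component);
-- the numbers mirror the workstation policy above, applied here to DBMS accounts.
INSTALL COMPONENT 'file://component_validate_password';
SET PERSIST validate_password.policy             = 'MEDIUM'; -- length + character classes
SET PERSIST validate_password.length             = 7;        -- minimum length
SET PERSIST validate_password.mixed_case_count   = 1;        -- at least one upper and one lower
SET PERSIST validate_password.number_count       = 1;        -- at least one digit
SET PERSIST validate_password.special_char_count = 0;        -- not required by the policy
SET PERSIST default_password_lifetime            = 30;       -- monthly expiration for every account
SET PERSIST password_history                     = 5;        -- reject reuse of recent passwords (assumed depth)

-- One named account per employee and per environment (never a shared login),
-- restricted to an assumed office address range and locked after repeated failures.
-- 'jdoe_prod', '10.0.0.%', the initial password and 'plugin_prod' are placeholder values.
CREATE USER 'jdoe_prod'@'10.0.0.%'
  IDENTIFIED BY 'Initial-Pw-Placeholder1'
  PASSWORD EXPIRE                      -- must be changed at first login
  FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME 1;

-- Least privilege: data manipulation on the plugin schema only, no DDL or admin rights.
GRANT SELECT, INSERT, UPDATE, DELETE ON plugin_prod.* TO 'jdoe_prod'@'10.0.0.%';

-- Audit query used to check that no active account has an overdue or never-rotated password.
SELECT user, host, password_last_changed, password_expired, account_locked
  FROM mysql.user
 WHERE user NOT IN ('mysql.sys', 'mysql.session', 'mysql.infoschema')
 ORDER BY password_last_changed;

-- Offboarding: lock first (keeps the audit trail tied to the person's name),
-- drop only after the retention period has passed.
ALTER USER 'jdoe_prod'@'10.0.0.%' ACCOUNT LOCK;
-- DROP USER 'jdoe_prod'@'10.0.0.%';
```

The SET PERSIST statements survive a server restart, so the rules do not depend on an edited my.cnf being redeployed.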
Data Classification System
Deiser’s data classification system is divided into four sections:
- Public: Information that may or must be open to the general public. It is defined as information with no existing local, national, or international legal restrictions on access or usage. Public data is available to all Deiser employees and all individuals or entities external to the corporation.
- Internal: Information that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage or other use. This classification applies even though there may not be a civil statute requiring this protection. Internal Data is information that is restricted to personnel who have a legitimate reason to access it.
- Confidential: Highly sensitive data intended for limited, specific use by a workgroup, department, or group of individuals with a legitimate need-to-know. Explicit authorization by the Data Administrator is required for access because of legal, contractual, privacy, or other constraints. Confidential data have a very high level of sensitivity.
- Regulatory Data Classification: Information protected by statutes and regulations, and governed by a regulatory body or council regarding the investigation, response, reporting and handling of incidents. Regulatory Data is sensitive in nature, and access is restricted. Disclosure is limited to individuals on a need-to-know basis.