
About this document

This document describes the information security policy including, but not limited to, the following parts:

  • Integrity, confidentiality and availability of the information
  • Safeguarding of data, including:
    • provisions with respect to portable computers and media
    • provisions for the disposal of media
    • provisions for the disposal of equipment
  • Safeguarding of applications
  • Safeguarding of equipment
  • Safeguarding of networks
  • Threat of viruses
  • Threat of intrusion
  • Data classification system, categorizing data and the respective measures according to its importance


Definitions

The terms used in this document are the following:

...

NIDS: A Network Intrusion Detection System (NIDS) is placed at one or more strategic points within the network to monitor traffic to and from all devices on the network. It analyses the traffic passing through the whole subnet and matches it against a library of known attack signatures. Once an attack is identified, or abnormal behaviour is detected, an alert can be sent to the administrator. One example of a NIDS deployment is placing a sensor on the subnet where the firewalls are located, in order to see whether someone is trying to break into the firewall. A NIDS can also correlate packets that share the same signature; a sensor deployed inline (an intrusion prevention system, NIPS) can additionally drop packets whose signature matches a record in its rule set, whereas a passive NIDS only alerts.
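The following is an added illustration of the signature-matching behaviour described in this definition; it is example code written for this page, not software used by Deiser or AWS. The packets and the three signatures are constructed for the example, and the `inline` flag shows the difference between a passive NIDS (alert only) and an inline sensor (alert and drop).

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Signature:
    sid: int
    name: str
    proto: str
    dst_port: Optional[int]   # None means "any port"
    pattern: "re.Pattern"     # bytes regex applied to the payload

# Constructed signature library for the example (hypothetical rules, not a real rule set).
SIGNATURES = [
    Signature(1001, "HTTP path traversal", "tcp", 80, re.compile(rb"\.\./")),
    Signature(1002, "libssh client banner", "tcp", 22, re.compile(rb"^SSH-2\.0-libssh")),
    Signature(1003, "SQL injection probe", "tcp", 80, re.compile(rb"(?i)union\s+select")),
]

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: int
    payload: bytes

def matches(pkt: Packet, sig: Signature) -> bool:
    """A packet matches when protocol, destination port and payload pattern all agree."""
    return (pkt.proto == sig.proto
            and (sig.dst_port is None or pkt.dst_port == sig.dst_port)
            and sig.pattern.search(pkt.payload) is not None)

def inspect(packets, signatures=SIGNATURES, inline=False):
    """Run every packet through the signature library.

    Returns (alerts, forwarded). In passive mode every packet is forwarded and
    matches only raise alerts; in inline (NIPS) mode matching packets are dropped.
    """
    alerts, forwarded = [], []
    for idx, pkt in enumerate(packets):
        hits = [s for s in signatures if matches(pkt, s)]
        for sig in hits:
            alerts.append({"pkt": idx, "sid": sig.sid, "name": sig.name,
                           "src": pkt.src, "dst": pkt.dst})
        if hits and inline:
            continue            # drop the harmful packet instead of forwarding it
        forwarded.append(pkt)
    return alerts, forwarded

def link_by_signature(alerts):
    """Group alert packet indices by signature id, linking packets that share a signature."""
    groups = {}
    for alert in alerts:
        groups.setdefault(alert["sid"], []).append(alert["pkt"])
    return groups

# Constructed sample traffic: two benign packets and four that should trigger alerts.
SAMPLE = [
    Packet("10.0.0.5", "10.0.1.10", "tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: app\r\n\r\n"),
    Packet("198.51.100.7", "10.0.1.10", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("198.51.100.7", "10.0.1.10", "tcp", 80,
           b"GET /search?q=1' UNION SELECT user,pass FROM users-- HTTP/1.1\r\n"),
    Packet("198.51.100.9", "10.0.1.1", "tcp", 22, b"SSH-2.0-libssh_0.8.1\r\n"),
    Packet("10.0.0.6", "10.0.1.10", "tcp", 443, b"\x16\x03\x01\x00\x05hello"),
    Packet("198.51.100.7", "10.0.1.10", "tcp", 80, b"GET /static/../../../windows/win.ini HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    alerts, forwarded = inspect(SAMPLE)
    for a in alerts:
        print(f"ALERT sid={a['sid']} {a['name']} {a['src']} -> {a['dst']} (packet {a['pkt']})")
    print("linked by signature:", link_by_signature(alerts))
    print("forwarded (passive):", len(forwarded), "forwarded (inline):", len(inspect(SAMPLE, inline=True)[1]))
```

In passive mode all six packets are forwarded and four alerts are raised; in inline mode only the two benign packets get through. Real sensors also reassemble streams and normalise encodings before matching, which this example omits.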


Overview

Integrity, confidentiality and availability of the information

First, regarding availability: there are two ways to interact with the data in Deiser's plugins. The first is to use a Database Management System (DBMS) to access the database node or nodes directly. The second is to use the Deiser plugins' own interface.

...

Regarding access through the plugin interface, the communication between the front end and the backend is direct and is made by SQL queries.

Safeguarding of the data

The plugins we provide in the Atlassian Marketplace are hosted in the cloud, specifically in Amazon Web Services (AWS). All the data hosted in their data centers remains under our control. In addition, Amazon adheres to ISO/IEC 27018, the code of practice for protecting personal data in the cloud, and is ISO/IEC 27001 and SOC 1/2/3 certified. This adherence provides transparency about policies regarding the return, transfer, and deletion of personal information stored in their data centers.

Safeguarding of applications

In order to safeguard production applications, Deiser has a Continuous Integration Server that packages the software and runs tests over the generated binary. If all tests pass, the binary file is stored in a binaries server; the Continuous Integration Server (along with a reduced number of administrators) is the only one allowed to write to it. Developers can read from that repository but cannot write to it.

For external libraries, Deiser proceeds in the same way: the Continuous Integration Server is the only one that can publish them, and they are only used after they have been analysed by anti-virus software and approved by the QA team. They are likewise read-only for developers and for production environments.

Safeguarding of equipment

Deiser has no responsibility for the physical safeguarding of the Amazon data center equipment; Amazon guarantees this safeguard.

Safeguarding of networks

There are two networks in Deiser: one for employees, which we will call the internal network, and another for guests.

...

For the production environment network, Deiser uses AWS. AWS networking provides the infrastructure necessary to securely connect VMs to one another and to connect on-site data centers with AWS VMs. AWS blocks unauthorized traffic to and within Amazon data centers using a variety of technologies, such as firewalls, partitioned local area networks (LANs), VPNs and the physical separation of back-end servers from public-facing interfaces.

Threat of viruses

In Deiser, every computer has McAfee VirusScan and AntiSpyware Enterprise antivirus software installed, which provides continuous, real-time protection against malware.

...

For the production virtual machines allocated in the AWS cloud, an Amazon anti-malware agent runs in the background, scanning and reporting to the system administrators.

Threat of intrusion

In order to prevent intrusion, Deiser uses the security systems provided by the cloud provider, AWS. Valid credentials are required to access the cloud environment. AWS is able to monitor intrusions and report them to the end user using its own HIDS and NIDS techniques.

...

  • To lock their computer by pressing the Windows + L keys whenever they are away from their workstation.
  • To use equipment, applications, mail, etc., for professional activities and not for other purposes.
  • Not to connect to the Deiser network any computers or portable network electronics owned by the employees.
  • Not to use their own removable storage media.
  • To use the antivirus program to scan every file that comes from outside, in full.
  • Not to download from the Internet free software, demos or, in general, any software that comes from a source other than the company's authorized providers.
  • Not to save their password in a readable form in files on disk, and not to write passwords on paper and leave them in places where they can be found. If there is reason to believe that a password has been compromised, the password must be changed immediately. The system is configured with the following requirements:
    • A new password cannot be the same as any password previously used by that user.
    • Passwords must be changed every 42 days.
    • Passwords have a minimum length of 7 characters and must contain at least one uppercase letter, one lowercase letter and one number.
  • Unauthorized software installation is strictly prohibited, including software legitimately acquired by the user. Only the Support department can install software or systems, since they perform the technical tests of the installation as well as maintenance and backups.
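The password requirements listed above, implemented as an added example so the rules can be checked mechanically. This is illustration code written for this page, not Deiser's account system: the `Account` class, the PBKDF2 parameters and the sample dates are assumptions, and the composition, reuse and 42-day rules are taken from the policy text.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Policy constants taken from the requirements above.
MIN_LENGTH = 7
MAX_AGE = timedelta(days=42)
# Hashing parameters are an assumption of this example, not part of the policy.
PBKDF2_ITERATIONS = 100_000

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 so the history never stores passwords in readable form."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest

def same_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against a stored (salt, digest) pair."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def composition_errors(password: str) -> List[str]:
    """Return every composition rule the candidate password violates (empty list = OK)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than 7 characters")
    if not any(c.isupper() for c in password):
        errors.append("missing an uppercase letter")
    if not any(c.islower() for c in password):
        errors.append("missing a lowercase letter")
    if not any(c.isdigit() for c in password):
        errors.append("missing a digit")
    return errors

class Account:
    """Hypothetical account record holding the password history and last change time."""

    def __init__(self, username: str):
        self.username = username
        self.history: List[Tuple[bytes, bytes]] = []   # (salt, digest), oldest first
        self.changed_at: Optional[datetime] = None

    def set_password(self, password: str, now: datetime) -> List[str]:
        """Apply the policy; on success record the new hash and return []."""
        errors = composition_errors(password)
        if any(same_password(password, salt, digest) for salt, digest in self.history):
            errors.append("matches a previously used password")
        if errors:
            return errors
        self.history.append(hash_password(password))
        self.changed_at = now
        return []

    def must_change(self, now: datetime) -> bool:
        """True when no password is set or the current one is 42 days old or older."""
        return self.changed_at is None or now - self.changed_at >= MAX_AGE

if __name__ == "__main__":
    acct = Account("jdoe")
    t0 = datetime(2024, 1, 1)   # constructed sample date
    print(acct.set_password("Winter24", t0))                              # []
    print(acct.set_password("abc", t0))                                   # three composition errors
    print(acct.set_password("Winter24", t0 + timedelta(days=42)))         # reuse rejected
    print(acct.must_change(t0 + timedelta(days=41)), acct.must_change(t0 + timedelta(days=42)))
```

The reuse check compares the candidate against every stored hash, so the history must be salted and hashed rather than kept in clear text, which is the same "no readable form" principle the policy applies to users. One caveat for anyone reusing these constants: NIST SP 800-63B advises against mandatory periodic rotation and composition rules in favour of length and screening against known-breached passwords, so the values here reflect this document's policy, not a general recommendation.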

Data Classification System

Deiser’s data classification system is divided into four sections:

...