Versions Compared


...

Equipment: Equipment means all equipment purchased or provided by DEISER to store or process information, including but not limited to desktop computers, servers, printers, copiers, laptops, tablet computers, electronic notebooks, mobile telephones, digital recorders, cameras, USB sticks, DVDs, CDs and other portable devices and removable media.

Information: Information means all information and data held or recorded electronically on equipment, or held or recorded manually on paper. For the purpose of this policy, the information held by DEISER can be split into two categories: non-sensitive and sensitive information. Sensitive information comprises all personal information and all confidential information, the loss of which would, or would be likely to, cause damage or distress to individuals or to DEISER. By default, all information is deemed to be sensitive unless specifically identified otherwise.

...

Regarding availability, there are two ways to interact with the data in DEISER's plugins. The first is by using a Database Management System (DBMS) client to access the database node(s). The second is by using the plugins' own interface.

Only selected DEISER employees use a DBMS to interact with the data. To manipulate the information on the database servers it is mandatory to be authenticated and authorized. The DBAs are responsible for granting or denying access to each applicant, and also for assuring the confidentiality of the sensitive data stored in the credential tables. One of our DBAs configures the permissions for every account registered in the system. This is how we handle access control via the DBMS. There are strict rules to maintain the confidentiality of this information and to prevent our employees from sharing credentials or abusing them. It is important to note that every employee has his/her own credentials for every environment, so we can audit every action performed on the platform, and when an employee leaves the company, policy dictates that these credentials must be disabled to avoid unauthorized access. In addition, we enforce a password expiration policy so that, if credentials are compromised, at least the attacker will not be able to use them indefinitely. Expiration is enforced every month.

...

In order to safeguard production applications, DEISER has a Continuous Integration server that packages the software and runs tests on the generated binary. If all tests pass, the binary is stored on a binaries server, and the Continuous Integration server (along with a small number of administrators) is the only one allowed to write to it. Developers can read from that repository but cannot write to it.

For external libraries, DEISER proceeds in the same way: the Continuous Integration server is the only one that can publish them, and they are only used after they have been scanned by anti-virus software and approved by the QA team. They are also read-only for developers and for production environments.

...

There are two networks at DEISER: one for employees, which we will call internal, and another for guests.

...

Regarding the production environment network, we use DigitalOcean. DigitalOcean networking provides the infrastructure necessary to securely connect VMs to one another and to connect on-site datacenters with DigitalOcean VMs. DigitalOcean blocks unauthorized traffic to and within its data centers using a variety of technologies, such as firewalls, partitioned local area networks (LANs), VPNs and the physical separation of back-end servers from public-facing interfaces.

Threat of viruses

At DEISER, every computer has McAfee VirusScan and AntiSpyware Enterprise antivirus software installed, which provides continuous protection against malware.

Every DEISER staff member is educated about viruses in the following ways:

...

In order to prevent intrusion, DEISER uses the security systems provided by the cloud provider, DigitalOcean. Valid credentials are required to access the cloud environment. DigitalOcean is able to monitor intrusions and report them to the end user using its own HIDS and NIDS techniques.

All machines and services (the complete DEISER plugins) run on a private network provided by DigitalOcean. These private networks use encryption to prevent intrusion by external parties.

To prevent unauthorized access to our network from an employee's computer, computers at DEISER are configured so that after five minutes of inactivity the screen saver is activated and access to the computer is locked. The password must be entered again to resume activity.

In addition, everybody on the DEISER staff is educated on the following points:

  • To lock their computer by pressing the Windows + L keys whenever absent from their post.
  • To use equipment, applications, mail, etc., for professional activities and not for other purposes.
  • Not to connect to the DEISER network any computers or portable network electronics owned by the employees.
  • Not to use their own removable media storage devices.
  • To use the antivirus program to examine every file that comes from outside.
  • Not to download from the Internet free software, demos and, in general, software that comes from a source other than the company's authorized providers.
  • Not to save their password in readable form in disk files, and not to write passwords on paper and leave it in places where it can be found. If there is reason to believe that a password has been compromised, the password must be changed immediately. The system is configured with the following requirements:
    • New passwords cannot be equal to previous passwords used by that user.
    • Every 42 days, the user must change the password.
    • Passwords have a minimum length of 7 characters, and they must contain at least one uppercase letter, one lowercase letter and one number.
  • Installing software is strictly prohibited unless authorized, including software legitimately acquired by the user. The Support department is the only one that can install software or systems, as it performs the technical tests of the installation as well as maintenance and backups.
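As an added illustration, not DEISER's own tooling, the following Python checks a password change against the requirements listed above: minimum length 7 with an uppercase letter, a lowercase letter and a digit, no reuse of a previous password, and the 42-day rotation window. The function names and the salted-digest history store are this example's own assumptions.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# Policy parameters taken from the page: at least 7 characters with one uppercase,
# one lowercase and one digit; no reuse of a previous password; a change every 42 days.
MIN_LENGTH = 7
MAX_AGE_DAYS = 42

def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest; history holds digests, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def remember(password: str, history: list) -> None:
    """Record a newly accepted password as a fresh (salt, digest) pair (assumed store)."""
    salt = os.urandom(16)
    history.append((salt, _digest(password, salt)))

def complexity_errors(password: str) -> list:
    """Return every complexity rule the candidate violates (empty list = compliant)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        errors.append("no uppercase letter")
    if not any(c.islower() for c in password):
        errors.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    return errors

def is_reused(password: str, history: list) -> bool:
    """True if the candidate equals any password in the user's history."""
    return any(hmac.compare_digest(_digest(password, salt), digest)
               for salt, digest in history)

def is_expired(last_changed: date, today: date) -> bool:
    """True once the password is older than the 42-day rotation window."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)

def evaluate_change(candidate: str, history: list) -> tuple:
    """Accept or reject a password change, returning (accepted, reasons)."""
    reasons = complexity_errors(candidate)
    if is_reused(candidate, history):
        reasons.append("equal to a previously used password")
    return (not reasons, reasons)
```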

Data Classification System

DEISER’s data classification system is divided into four sections:

  • Public: Information that may or must be open to the general public. It is defined as information with no existing local, national, or international legal restrictions on access or usage. Public data is available to all DEISER employees and to all individuals or entities external to the corporation.
  • Internal: Information that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage or other use. This classification applies even though there may not be a civil statute requiring this protection. Internal Data is information that is restricted to personnel who have a legitimate reason to access it.
  • Confidential: Highly sensitive data intended for limited, specific use by a workgroup, department, or group of individuals with a legitimate need-to-know. Explicit authorization by the Data Administrator is required for access because of legal, contractual, privacy, or other constraints. Confidential data have a very high level of sensitivity.
  • Regulatory: Information protected by statutes and regulations, and governed by a regulatory body or council regarding the investigation, response, reporting and handling of incidents. Regulatory data is sensitive in nature, and access is restricted. Disclosure is limited to individuals on a need-to-know basis.

...