...

This document describes the information security policy including, but not limited to, the following parts:

  • Integrity, confidentiality and availability of the information

  • Safeguarding of data, including:

    • provisions with respect to portable computers and media

    • provisions for the disposal of media

    • provisions for the disposal of equipment

  • Safeguarding of applications

  • Safeguarding of equipment

  • Safeguarding of networks

  • Threat of viruses

  • Threat of intrusion

  • Data classification system, categorizing data and the respective measures according to its importance

Definitions

The terms used in this document are the following:

...

Integrity: Information is accurate and reliable and has not been subtly changed or tampered with by an unauthorized party. Integrity includes:

  • Authenticity: The ability to verify content has not changed in an unauthorized manner.

  • Non-repudiation & Accountability: The origin of any action on the system can be verified and associated with a user.

Availability: Information and other critical assets are accessible to customers and the business when needed. Note, information is unavailable not only when it is lost or destroyed, but also when access to the information is denied or delayed.

...

Equipment: Equipment means all equipment purchased by or provided by DEISER to store or process information including but not necessarily limited to desktop computers, servers, printers, copiers, laptops, tablet computers, electronic notebooks, mobile telephones, digital recorders, cameras, USB sticks, DVDs, CDs and other portable devices and removable media.

Information: Information means all information and data held or recorded electronically on equipment or manually held or recorded on paper. For the purpose of this policy, the information held by DEISER can be split into two categories: non-sensitive and sensitive information. Sensitive information comprises all personal information and all confidential information, the loss of which would, or would be likely to, cause damage or distress to individuals or to DEISER. By default, all information is deemed to be sensitive unless specifically identified as otherwise.

...

First, regarding availability, there are two ways to interact with the data in DEISER's plugins. The first is by using a Database Management System (DBMS) to access the database node(s). The second is by using DEISER's plugin interface.

Only selected DEISER employees use a DBMS to interact with the data. To manipulate the information in the database servers it is mandatory to be authenticated and authorized. The DBAs are responsible for granting or denying access to the corresponding applicant. The DBA is also responsible for ensuring the confidentiality of the sensitive data stored in the credential tables. One of our DBAs configures the permissions for every account registered in the system. This is our way of handling access control via DBMS. There are strict rules to maintain the confidentiality of this information and to prevent our employees from sharing credentials or abusing them. It is important to note that every employee has his/her own credentials for every environment, so we can audit every action done in the platform. When an employee leaves the company, there is a policy that dictates that these credentials must be disabled to avoid unauthorized access. In addition, we enforce a password expiration policy so that, if credentials are compromised, the attacker will at least not be able to use them forever. It is enforced every month.

Regarding access through the plugin interface, the communication between the front end and the backend is direct and made by SQL queries.

We collect the following categories of information, which may be considered Personal Information when maintained in an identifiable format:

  • Account registration information:

...

  •   When you register or purchase Products or Services, we may collect your and/or your Administrator’s full name, email address, phone numbers, and account log-in credentials, if applicable.

  • Content and information that you submit through the Sites: Information submitted through the Sites may include, for example, the information you provide when you participate in any interactive features, research studies, or surveys, and any information you submit when filing a customer support ticket or as part of any other form submissions on the Sites.

  • Content and information voluntarily provided through the Services: We collect any information you provide to us voluntarily via the Services. Annex 1 outlines the categories of Personal Information in greater detail that we collect and that may be submitted through the Sites and/or Services. 

  • Technical product usage data, logs, metrics, metadata, and device information: We automatically generate and retain records of how users interact with our Sites and Services. This may include information such as your Internet Protocol (“IP”) address, device identifiers, device information (such as OS type or browser type), cookie IDs, referring / exit pages and URLs, interaction information (such as clickstream data), domain names, pages viewed, crash data, and other similar technical data. We may use technologies such as cookies and/or scripts to collect this information.

  • Location information: We may use the IP address received from your browser or mobile device to determine your approximate physical location, such as city and country.

  • Information collected from third party or public sources: DEISER may receive information from third-party sources, such as business partners, the Atlassian Marketplace, Affiliates, marketing service providers, third-party data aggregators, or publicly available sources, that we use to make our own information better or more useful. We may collect an Authorized User’s name, email address, and phone number.

Safeguarding of the data

The plugins we provide in the Atlassian Marketplace are hosted in the cloud, specifically in DigitalOcean and Google Cloud Platform. All the data hosted in their data centers is under our control. In addition, DigitalOcean adheres to ISO/IEC 27018, the code of practice for cloud privacy, and is an ISO 27001 and SOC 1/2/3 certified company. This adherence provides transparency about policies regarding the return, transfer, and deletion of personal information stored in their data centers.

...

In order to safeguard production applications, DEISER has a Continuous Integration Server that packages the software and runs tests over the generated binary. If all tests pass, that binary file is stored on a binaries server, to which only the Continuous Integration Server (along with a reduced number of administrators) is allowed to write. Developers can read from that repository but they cannot write to it.

For external libraries, DEISER proceeds in the same way: the Continuous Integration Server is the only one that can publish them, and they are used only after they have been analyzed by anti-virus software and approved by the QA team. They are also read-only for developers and production environments.

...

There are two networks in DEISER: one for the employees, which we will call internal, and another for guests.

...

For the production environment network, we use DigitalOcean. DigitalOcean networking provides the infrastructure necessary to securely connect VMs to one another and to connect on-site data centers with DigitalOcean VMs. DigitalOcean blocks unauthorized traffic to and within DigitalOcean data centers, using a variety of technologies such as firewalls, partitioned local area networks (LANs), VPNs and the physical separation of back-end servers from public-facing interfaces.

Threat of viruses

In DEISER, every computer has McAfee VirusScan and AntiSpyware Enterprise antivirus software installed, which constantly protects against any type of malware.

Every DEISER staff member is educated about viruses in the following ways:

  • They are not allowed to use their own removable media storage tools.

  • Use the antivirus program to examine, in its entirety, every file that comes from the outside.

  • Do not download from the Internet free software, demos, or in general any software that comes from a source other than the company's authorized providers.

  • Unauthorized software installation is strictly prohibited, including software acquired by the user. The installation of software and/or systems must be carried out only by the Support department, as they will perform the technical tests of the installation as well as maintenance and backups.

For the production virtual machines allocated in the DigitalOcean cloud a DigitalOcean exists and runs in background scanning and reporting to the system administrators.

...

In order to prevent intrusion, DEISER uses the security systems provided by the cloud provider, DigitalOcean. It is necessary to identify yourself with valid credentials in order to access the cloud environment. DigitalOcean is able to monitor and report to the end user about intrusions by using their own HIDS and NIDS techniques.

All the machines and services (the complete set of DEISER's plugins) run on a private network provided by DigitalOcean. These private networks use encryption to prevent intrusion from external parties.

To prevent unauthorized access to our network from an employee's computer, computers in DEISER are configured so that after five minutes of inactivity, the screen saver is activated and access to the computer is locked. It is necessary to enter the password again to resume activity.

In addition, everybody on the DEISER staff is educated on the following points:

  • To lock their computer by pressing the Windows + L keys, whenever absent from his/her post.

  • To use equipment, applications, mail, etc., for professional activities and not for other purposes.

  • Not to connect to the DEISER network any computers or portable network electronics owned by the employees.

  • Not to use their own removable media storage tools.

  • To use the antivirus program to examine, in its entirety, every file that comes from the outside.

  • Not to download from the Internet free software, demos, or in general any software that comes from a source other than the company's authorized providers.

  • Not to save their password in a readable form in files on disk, nor to write passwords on paper and leave it in places where it can be found. If there is reason to believe that a password has been compromised, the password must be changed immediately. The system is configured with the following requirements:

    • New passwords cannot be equal to previous passwords used by that user.

    • Every 42 days, the user must change the password.

    • Passwords have a minimum length of 7 characters, and they must contain at least one uppercase letter, one lowercase letter and one number.

  • Unauthorized software installation is strictly prohibited, including software legitimately acquired by the user. The Support department is the only one that can install software or systems, as they will perform the technical tests of the installation as well as maintenance and backups.

Data Classification System

DEISER’s data classification system is divided into four sections:

  • Public: Information that may or must be open to the general public. It is defined as information with no existing local, national, or international legal restrictions on access or usage. Public data is available to all DEISER employees and all individuals or entities external to the corporation.

  • Internal: Information that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage or other use. This classification applies even though there may not be a civil statute requiring this protection. Internal Data is information that is restricted to personnel who have a legitimate reason to access it.

  • Confidential: Highly sensitive data intended for limited, specific use by a workgroup, department, or group of individuals with a legitimate need-to-know. Explicit authorization by the Data Administrator is required for access because of legal, contractual, privacy, or other constraints. Confidential data have a very high level of sensitivity.

  • Regulatory Data Classification: Information protected by statutes and regulations, and governed by a regulatory body or council regarding the investigation, response, reporting and handling of incidents. Regulatory Data is sensitive in nature, and access is restricted. Disclosure is limited to individuals on a need-to-know basis.