This document describes the information security policy including, but not limited to, the following parts:
The terms used in this document are the following:
Confidentiality: Privacy or the ability to control or restrict access so that only authorized individuals can view sensitive information. One of the underlying principles of confidentiality is "need-to-know" or "least privilege". In effect, access to vital information should be limited only to those individuals who have a specific need to see or use that information.
Integrity: Information is accurate and reliable and has not been subtly changed or tampered with by an unauthorized party. Integrity includes:
Availability: Information and other critical assets are accessible to customers and the business when needed. Note, information is unavailable not only when it is lost or destroyed, but also when access to the information is denied or delayed.
Disposal: disposal means the process and outcome by which information including information held on IT equipment is irretrievably destroyed in a manner which maintains the security of the equipment and information during the process and up to the point of irretrievable destruction.
Equipment: equipment means all equipment purchased by or provided by Deiser to store or process information including but not necessarily limited to desktop computers, servers, printers, copiers, laptops, tablet computers, electronic notebooks, mobile telephones, digital recorders, cameras, USB sticks, DVDs, CDs and other portable devices and removable media.
Information: Information means all information and data held or recorded electronically on equipment or manually held or recorded on paper. For the purpose of this policy, the information held by Deiser can be split into two categories: non-sensitive and sensitive information. Sensitive information comprises all personal information and all confidential information, the loss of which would, or would be likely to, cause damage or distress to individuals or to Deiser. By default, all information is deemed to be sensitive unless specifically identified as otherwise.
Physical security: Defined as that part of security concerned with physical measures designed to safeguard equipment; to prevent unauthorized access to equipment, installations, material, and documents; and to safeguard against espionage, sabotage, damage, and theft.
HIDS: A host-based intrusion detection system (HIDS) is an intrusion detection system that monitors and analyzes the internals of a computing system. It monitors all or parts of the dynamic behavior and the state of a computer system. Besides activities such as dynamically inspecting network packets targeted at this specific host, a HIDS might detect which program accesses which resources and discover that, for example, a word processor has suddenly and inexplicably started modifying the system password database. One can think of a HIDS as an agent that monitors whether anything or anyone, whether internal or external, has circumvented the system's security policy.
NIDS: Network Intrusion Detection Systems (NIDS) are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. A NIDS analyzes the traffic passing on the entire subnet and matches it against a library of known attacks. Once an attack is identified, or abnormal behavior is sensed, an alert can be sent to the administrator. An example would be installing a NIDS on the subnet where the firewalls are located in order to see if someone is trying to break into the firewall. NIDS are also capable of comparing signatures of similar packets in order to link and drop harmful packets whose signature matches the records in the NIDS.
First, regarding availability, there are two ways to interact with the data in Deiser's plugins. The first is by using a Database Management System (DBMS) to access the database node(s). The second is by using the Deiser plugins' interface.
Only selected Deiser employees use the DBMS to interact with the data. To manipulate the information in the database servers it is mandatory to be authenticated and authorized. The credentials are stored in MySQL, which is responsible for granting or denying access to the corresponding applicant. MySQL is also responsible for assuring the confidentiality of the sensitive data stored in the credential tables. One of our database administrators configures the permissions associated with every account registered in the system. This is our way of handling access control via the DBMS. There are strict rules to maintain the confidentiality of this information and to prevent our employees from sharing credentials or abusing them. It is important to remark that every employee has his/her own credentials for every environment, so we can audit every action done in the platform, and when an employee leaves the company, there is a policy that dictates that these credentials must be disabled to avoid unauthorized access. In addition, we have an enforced password expiration policy to assure that, if the credentials are compromised, at least the attacker will not be able to use them forever. The expiration is enforced every month.
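The following MySQL statements are an added illustration of the account model described above (one named account per employee and environment, least-privilege grants, monthly password expiry, and disabling rather than deleting accounts on departure). This is example code written for this page, not Deiser's actual configuration; the user names, the host pattern, the schema name `plugin_db` and the placeholder password are assumptions.

```sql
-- Added example (not Deiser's own configuration): per-employee MySQL
-- accounts with least-privilege grants, monthly password expiry and
-- account locking on departure. Names, hosts and schema are assumed.

-- Expire every account's password after 30 days by default (MySQL 5.7.4+),
-- matching a monthly rotation policy.
SET GLOBAL default_password_lifetime = 30;

-- One named account per employee and per environment; no shared logins.
-- Restricting the host pattern limits where the credential can be used from.
CREATE USER 'jdoe_prod'@'10.0.1.%'
  IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD'
  PASSWORD EXPIRE INTERVAL 30 DAY;

-- Grant only what the role needs, on the specific schema (least privilege);
-- no global privileges and no GRANT OPTION.
GRANT SELECT, INSERT, UPDATE ON plugin_db.* TO 'jdoe_prod'@'10.0.1.%';

-- A read-only account for someone who only inspects data.
CREATE USER 'asmith_prod'@'10.0.1.%'
  IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD'
  PASSWORD EXPIRE INTERVAL 30 DAY;
GRANT SELECT ON plugin_db.* TO 'asmith_prod'@'10.0.1.%';

-- Offboarding: lock the account instead of dropping it, so audit records
-- that reference the user name remain attributable.
ALTER USER 'jdoe_prod'@'10.0.1.%' ACCOUNT LOCK;

-- Periodic check for the policy: active accounts whose password is older
-- than the 30-day lifetime (MySQL 5.7+ columns of mysql.user).
SELECT user, host, password_last_changed, account_locked
  FROM mysql.user
 WHERE account_locked = 'N'
   AND password_last_changed < NOW() - INTERVAL 30 DAY;
```

Locking instead of dropping keeps the audit trail attributable to the former employee's account name; the final query is the kind of check an administrator would run monthly to confirm the expiration policy is actually taking effect.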
Regarding access through the plugin interface, the communication between the front end and the backend is direct and is made by SQL queries.
The plugins we provide in the Atlassian Marketplace are hosted in the cloud, specifically in DigitalOcean and Google Cloud Platform. All the data hosted in their data centers is under our control. In addition, DigitalOcean adheres to the ISO/IEC 27018 code of practice for cloud privacy and is an ISO 27001 and SOC 1/2/3 certified company. This adherence provides transparency about policies regarding the return, transfer, and deletion of personal information stored in their data centers.
In order to safeguard production applications, Deiser has a Continuous Integration Server that packages the software and runs tests over the generated binary. If all tests pass, that binary file is stored in a binaries server, and the Continuous Integration Server (along with a reduced number of administrators) is the only one allowed to write to it. Developers can read from that repository but they cannot write.
For external libraries, Deiser proceeds in the same way: the Continuous Integration Server is the only one that can publish them, and they are only used after they have been analyzed by anti-virus software and approved by the QA team. They are also read-only for developers and production environments.
Regarding the physical safeguard of the DigitalOcean data center equipment, we hold no responsibility. DigitalOcean guarantees this safeguard.
There are two networks in Deiser: one for the employees, which we will call internal, and another for guests.
To access the internal network using WiFi or local Ethernet it is necessary to enter valid credentials recognized by the domain. To access the network via remote connectivity the employee must do the same. The VPN provides confidentiality, authentication and integrity by using SSL/TLS. Every device that wants to connect to this network must have its MAC address in the network's MAC whitelist.
To access the guest network the guest must provide the network password. The traffic is associated with the device's MAC address. Quality of service is implemented on this network, so every connected user can consume a maximum of 10 Mbps, and peer-to-peer traffic is not allowed.
Regarding the production environment network, we are using DigitalOcean. DigitalOcean networking provides the infrastructure necessary to securely connect VMs to one another and to connect on-site data centers with DigitalOcean VMs. DigitalOcean blocks unauthorized traffic to and within DigitalOcean data centers, using a variety of technologies such as firewalls, partitioned local area networks (LANs), VPNs and the physical separation of back-end servers from public-facing interfaces.
In Deiser, every computer has McAfee VirusScan and AntiSpyware Enterprise antivirus software installed, which constantly protects against all types of malware.
Every member of the Deiser staff is educated about viruses in the following ways:
For the production virtual machines allocated in the DigitalOcean cloud, a DigitalOcean exists and runs in the background, scanning and reporting to the system administrators.
In order to prevent intrusion, Deiser uses the security systems provided by the cloud provider, DigitalOcean. It is necessary to authenticate with valid credentials in order to access the cloud environment. DigitalOcean is able to monitor intrusions and report them to the end user by using its own HIDS and NIDS techniques.
All the machines and services (the complete set of Deiser's plugins) run on a private network provided by DigitalOcean. These private networks use encryption to prevent intrusion from external parties.
To prevent unauthorized access to our network from an employee's computer, computers in Deiser are configured so that after five minutes of inactivity the screen saver is activated and access to the computer is locked. It is necessary to enter the password again to resume activity.
In addition, everybody on the Deiser staff is educated on the following points:
Deiser’s data classification system is divided into four sections: