CYBER, DATA, NETWORK SECURITY, & IP POLICY
Ensure optimal security and best-in-class industry practices are followed for all projects, from web development to data analysis work.Recovery/contingency plans in place to avoid business interruption due to IT systems failures: We have a 3rd party providing daily backups (ManageWP). We also may keep a redundancy on the same server and/or on a local hard drive on a monthly basis. Our IT and Data Security Policy also serves to notify data owners immediately following identification should there be an issue.Disaster recovery or information security incident response plan
- Tested with regular, daily backups with ManageWP (off site)
- Encryption technologies utilized to protect information
- Let’s Encrypt
- SFTP
- Infrastructure– 3rd parties includes Closte (Google Cloud Platform), with the Scope of Service: https://closte.com/support/general/scope-of-support. In some instances, we utilize: OVH- East North-America Datacenter (BHS, Quebec)
- Identify all relevant regulatory and industry compliance frameworks that are applicable to the organization
- User revocation procedures on user accounts and inventoried recovery of all information assets following employment termination
- Ensure and/or establish procedures for ensuring the deletion of all sensitive data from systems and devices prior to their disposal from the company:
- Upon client handoff, ensure passwords on our end are changed and that they have full admin access. If, however a client opts-in for ongoing maintenance, we will ensure that we have a client added to ManageWP for 3rd party, off-site backups with recovery options.
- On the public-facing site, ensure a privacy statement is in place
- The user deletion process:
- Accessible in the WordPress backend under Tools > Erase Personal Data
- An email will be sent to the user at this email address asking them to verify the request
- Delete the user if they have an actual login, closing the loop to ensure complete user security
- Access control procedures and hard drive encryption are in force to prevent unauthorized exposure of data on all company laptops, phones, and home based PC’s
- Access given is controlled solely based on needs. Team members receive secure transmissions via Google and GSuite services (Gmail, Google Drive, Google Hangouts, Google Analytics, Google Tag Manager, Google Data Studio, Google Optimize), DropBox, Trello, Office 365, and access web-based systems via their encrypted WordPress logins.
- Ensure that all wireless networks have protected access
- Network utilizes an encrypted Comcast router
- Ensure an established procedure for determining the severity of a potential data security breach and a notification procedure to all individuals who may be adversely affected by such exposures exists
- When a security incident is detected or reported, key first steps are to (1) contain the incident, (2) initiate an investigation of its scope and origins, and (3) decide if it qualifies as a Breach. If High Risk Data (identifiable customer data) or GDPR Data is present on the compromised system, the following Critical Incident Response (CIR) is followed. Upon a data breach, our process is to:
- Immediately identify the severity of the breach
- Immediately notify the owner of the data of the breach
- Immediately quarantine and survey points of failure and patch software, licenses, networks and platforms wherever it is within our responsibility
- Verify that the compromise is genuine and present sufficient risk to engage the CIR process:
- Classify: The CIR must be initiated if…
- The system owner or system administrator indicates that the system is a High Criticality System according to the Electronic Data and System Risk Classification Policy.
- or the system owner or system administrator asserts that the system contains High Risk Data as defined by the Electronic Data and System Risk Classification Policy, or GDPR Data.
- or someone of appropriate authority (for example, an Admin) with input that determines that the system poses a unique risk that warrants investigation.
- Verify: The CIR process should be initiated only if…
- The incident handler verifies that the triggering alert is not a false positive. The incident handler will double-check the triggering alert, and correlate it against other alerting systems when possible.
- and the type of data or system at risk is verified to be of an appropriate classification, as determined above. The system owner or system administrator should provide a detailed description of the data at risk, including approximate numbers of unique data elements at risk, and the number, location, and type of files it is stored in.
- The order of the steps above can vary from incident to incident, but for the CIR process to be initiated the criticality of the asset must be confirmed, and it must be confirmed that the triggering event is not a false positive. In cases where the CIR process is not required, the incident handler can resolve the case as follows:
- Produce a ticket in Trello and correspondence to follow up– documenting that the system has no High Risk Data or GDPR Data and is not a high-criticality asset.
- Contain: The containment phase represents the beginning of the CIR workflow and has the following goals:
- If the host cannot immediately be removed from the network, the incident handler will initiate a full-content network dump to monitor the attacker’s activities and to determine whether interesting data is leaking during the investigation.
- Eliminate attacker access: Whenever possible, this is done via the incident handler performing network quarantine at the time of detection and by the system administrator unplugging the network cable. In rare cases, the incident handler may request that network operations staff implement a port-block to eliminate attacker access. In cases where the impact of system downtime is very high, the incident handler will work with system administrators to determine the level of attacker privilege and eliminate their access safely.
- The incident handler will collect data from system administrators in order to quickly assess the scope of the incident, including:
- Preliminary list of compromised systems
- Preliminary list of storage media that may contain evidence
- Preliminary attack timeline based on initially available evidence
- Preserve forensic evidence:
- System administrators will capture first responder data if the system is turned on. The incident handler will provide instructions for capturing this data to the individual performing that task.
- The incident handler will capture disk images for all media that are suspected of containing evidence, including external hard drives and flash drives. System administrators will deliver the system to a working state either after the first responder data is captured; disk imaging and analysis may occur. The system owner should expect to have it returned within five (5) business days.
- The incident handler will dump network flow data and other sensor data for the system. iv. The incident handler will create an analysis plan to guide the next phase of the investigation.
- Analyze– The analysis phase is where in-depth investigation of the available network-based and host-based evidence occurs. The primary goal of analysis is to establish whether there is reasonable belief that the attacker(s) successfully accessed High Risk Data or GDPR Data on the compromised system. Secondary goals are to generate an attack timeline and ascertain the attackers’ actions. All analysis steps are primarily driven by the incident handler, who coordinates communications between other stakeholders, including system owners, system administrators, and relevant compliance officers. Questions that are relevant to making a determination about whether data was accessed without authorization include:
- Suspicious Network Traffic: Is there any suspicious or unaccounted for network traffic that may indicate data exfiltration occurred?
- Attacker Access to Data: Did attackers have privileges to access the data or was the data encrypted in a way that would have prevented reading?
- Evidence that Data was Accessed: Are file access audit logs available or are file system mactimes intact that show whether the files have been accessed post-compromise?
- Length of Compromise: How long was the host compromised and online?
- Method of Attack: Was a human involved in executing the attack or was an automated “drive-by” attack suite employed? Did the tools found have capabilities useful in finding or exfiltrating data?
- Attacker Profile: Is there any indication that the attackers were data-thieves or motivated by different goals?
- In the case of a potential GDPR Breach, this analysis will include the entire System. The analysis will include an evaluation of the likelihood of risk to data subjects, including, for example, risks related to identity theft or fraud, financial loss, damage to reputation, and discrimination. The analysis should include whether the data has been encrypted, coded, or protected through other technological controls from use by an unauthorized person. The process and facts considered in reaching a determination as to the likely risks to data subjects must be documented.
- Classify: The CIR must be initiated if…
- When a security incident is detected or reported, key first steps are to (1) contain the incident, (2) initiate an investigation of its scope and origins, and (3) decide if it qualifies as a Breach. If High Risk Data (identifiable customer data) or GDPR Data is present on the compromised system, the following Critical Incident Response (CIR) is followed. Upon a data breach, our process is to:
Network security policy
- Firewall (CloudLinux w/ CSF and/or Sucuri)
- Google Cloud Platform, OVH, or LaunchVPS
- Daily security monitoring– automated
- Protected against systems intrusion, tampering, hacking and data theft by following security hardening best practices from WordPress codex and industry best-practice.
- Office computers: firewalls and anti-virus software, with back up data frequently, and physically secure equipment that hold Electronic Data
Intellectual Property
- We educate new employees about the importance of copyright law, with clear restrictions against using material developed for previous employers.
- employees asked to sign an affidavit committing to this (to create)– All Key Medium contractors produce ‘Work for Hire’ and Key Medium retains exclusive ownership of all IP where applicable per our Independent Contractor agreements.
- All employees (one- Ali) formally assigns intellectual property rights to any materials developed during their period of employment to Key Medium
- Subcontractors and independent contractors formally assign rights to all work made for hire to Key Medium
- All software products (including packaging) formally reviewed for infringement against competitor’s offerings by an internal team or third party prior to launch
- We ensure a survey of all IP used in the furnishing of a web design prior to beginning development or design.
- Copyright clearance letters obtained via electronic licensing through:
- Stock.adobe.com licensing, freepik.com premium license, goodui.org monthly subscription, divi.space licensing
- We safeguard and enforce against infringing intellectual property rights of others by educating anyone — employees and subcontractors — and this is emphasized through our agreements, guidelines, and/or policies
- When in doubt use google.com/patents to search for existing patent, copyright, and trademark potential infringements.
Employee and Subcontractor Guidelines
- Supervision of data sent to and from
- Ensure strong WP passwords if given access
- Regular check-in
- Privacy statement
- Terms of Use
- Signed Agreement with Confidentiality and Non-