Security
Introduction
-
Purpose and Scope
This security policy outlines the measures and practices to ensure the security and confidentiality of Semsto's data, systems, and resources.
-
Policy Compliance
All employees, contractors, and third-party users must adhere to this policy. Non-compliance may result in disciplinary action.
Information Security
-
Data Classification
Define the classification levels of data (e.g., confidential, sensitive, public) and the appropriate handling procedures for each.
-
Data Access Control
Establish access controls based on roles and responsibilities. Implement strong authentication mechanisms and user permissions.
-
Data Encryption
Implement encryption protocols for data at rest and in transit to protect sensitive information.
-
Client Data Protection
Give special attention to securing client data, ensuring its confidentiality and integrity. Implement additional safeguards and access controls for client-specific information.
-
Data Security
Implement comprehensive measures for data storage, transfer, access, backup, monitoring, testing, and periodic reviews.
-
Data Privacy
Ensure strict data ownership and privacy guidelines, prohibiting the sale or misuse of customer data. For more detail refer our privacy page.
-
Access Controls
Utilize multi-layered security controls to prevent unauthorized access and potential data breaches.
-
Database Access
Limit database access to senior personnel with rigorous authentication processes.
-
Support Access
Require explicit permission for customer support to access data.
-
Cloud Infrastructure
Use a reliable cloud service like Amazon AWS for data storage, avoiding on-premises vulnerabilities.
Vulnerability Testing
Vulnerability testing, also known as vulnerability assessment, is a crucial process in the field of cybersecurity. It involves identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. The primary goal of vulnerability testing is to detect weaknesses in a system's defences before attackers can exploit them. This process is essential for maintaining the security and integrity of an organization's information systems.
Key Components of Vulnerability Testing:
-
Scanning for Vulnerabilities: This involves the use of automated tools to scan systems, networks, and applications for known vulnerabilities. These tools can range from basic free utilities to complex enterprise-level solutions.
-
Penetration Testing: Often combined with vulnerability testing, penetration testing involves simulating cyber-attacks to exploit vulnerabilities in a system. Unlike vulnerability scanning, penetration testing is more about testing the effectiveness of the defensive mechanisms in place.
-
Assessment of Security Posture: This includes evaluating the existing security measures and understanding how vulnerable the system is to different types of cyber-attacks.
-
Manual Review and Analysis: In addition to automated tools, a manual review of the system, including code inspection and system configuration checks, is performed to identify potential security flaws.
Types of Vulnerabilities:
Vulnerability testing seeks to identify various types of weaknesses, including but not limited to:
-
Software bugs
-
Misconfigurations
-
Inadequate security controls
-
Flaws in operational processes
-
Unpatched systems
-
Weak encryption
-
Insecure APIs
Process of Vulnerability Testing:
-
Preparation: Define the scope and goals of the assessment, including which systems and networks to test.
-
Vulnerability Detection: Use automated tools and manual techniques to identify vulnerabilities.
-
Vulnerability Analysis: Determine the nature of the vulnerabilities, their potential impact, and the likelihood of exploitation.
-
Risk Assessment: Prioritize the vulnerabilities based on risk, considering factors such as the value of the affected asset and the feasibility of an attack.
-
Reporting: Document the findings and provide detailed reports for different stakeholders, including technical teams and management.
-
Remediation: Develop a plan to address and mitigate the identified vulnerabilities.
-
Reassessment: Re-test to ensure vulnerabilities are effectively remediated.
Importance:
-
Proactive Security: Identifies weaknesses before they can be exploited by attackers.
-
Compliance: Helps in meeting regulatory and compliance requirements.
-
Risk Management: Assists in prioritizing security efforts and resource allocation.
-
Trust and Reputation: Enhances customer and stakeholder trust in an organization’s commitment to security.
Vulnerability testing is an ongoing process, not a one-time event, as new vulnerabilities emerge constantly. Regular assessments are crucial for maintaining the security of any organization in the evolving landscape of cyber threats.
System Security
-
System Access Control
Enforce secure login practices, account management, and password policies.
-
Patch Management
Regularly update and patch all software and systems to address vulnerabilities.
-
Network Security
Implement firewall rules, intrusion detection/prevention systems, and network segmentation to protect against unauthorized access.
Employee Security
-
Training and Awareness
Conduct security awareness training for all employees and contractors to promote a security-conscious culture.
-
Incident Reporting
Establish a clear process for reporting security incidents and breaches promptly.
Physical Security
-
Data Center Security
Ensure physical security measures are in place to protect data centres and servers.
Business Continuity and Disaster Recovery
Develop and maintain a comprehensive business continuity and disaster recovery plan to ensure the continuity of operations in case of disruptions.
Vendor Management
Assess and monitor third-party vendors' security practices to ensure they meet security standards.
Compliance and Auditing
Regularly audit and assess compliance with this security policy and relevant industry standards and regulations.
Security Incident Response
Establish an incident response team and procedures to address and mitigate security incidents.
Review and Revision
Periodically review and update the security policy to adapt to evolving threats and technologies.
Enforcement and Consequences
Clearly define consequences for policy violations and unauthorized actions.
Data Deletion Policy and Consequences
Our Data Deletion Policy mandates that if a client does not renew their subscription, their data is retained for 90 days before permanent deletion. During this period, clients are notified and have the option to renew their subscription to prevent data loss. In cases where a client requests data deletion, we comply by securely eradicating their data within 24 hours of the request. This policy ensures adherence to data protection laws while respecting client preferences, maintaining a balance between data security and client autonomy.
Disaster Recovery
Our Disaster Recovery Plan is designed to ensure robustness and resilience in the face of unexpected disasters. In the event of a disaster, we are prepared to restore full operations and achieve complete data recovery within a 12–15-hour timeframe. This comprehensive recovery strategy encompasses data backups, infrastructure redundancy, and a well-coordinated response protocol. By prioritizing rapid recovery, we minimize downtime and data loss, ensuring that our services remain reliable and secure even under challenging circumstances. This commitment is a testament to our dedication to maintaining uninterrupted service and safeguarding our clients' critical data.