Security

Introduction

  1. Purpose and Scope

    1. This security policy outlines the measures and practices to ensure the security and confidentiality of Semsto's data, systems, and resources.

  2. Policy Compliance

    1. All employees, contractors, and third-party users must adhere to this policy. Non-compliance may result in disciplinary action.

Information Security

  1. Data Classification

    1. Define the classification levels of data (e.g., confidential, sensitive, public) and the appropriate handling procedures for each.

  2. Data Access Control

    1. Establish access controls based on roles and responsibilities. Implement strong authentication mechanisms and user permissions.

  3. Data Encryption

    1. Implement encryption protocols for data at rest and in transit to protect sensitive information.

  4. Client Data Protection

    1. Give special attention to securing client data, ensuring its confidentiality and integrity. Implement additional safeguards and access controls for client-specific information.

  5. Data Security

    1. Implement comprehensive measures for data storage, transfer, access, backup, monitoring, testing, and periodic reviews.

  6. Data Privacy

    1. Ensure strict data ownership and privacy guidelines, prohibiting the sale or misuse of customer data. For more detail refer our privacy page.

  7. Access Controls

    1. Utilize multi-layered security controls to prevent unauthorized access and potential data breaches.

  8. Database Access

    1. Limit database access to senior personnel with rigorous authentication processes.

  9. Support Access

    1. Require explicit permission for customer support to access data.

  10. Cloud Infrastructure

    1. Use a reliable cloud service like Amazon AWS for data storage, avoiding on-premises vulnerabilities.

Vulnerability Testing

Vulnerability testing, also known as vulnerability assessment, is a crucial process in the field of cybersecurity. It involves identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. The primary goal of vulnerability testing is to detect weaknesses in a system's defences before attackers can exploit them. This process is essential for maintaining the security and integrity of an organization's information systems.

Key Components of Vulnerability Testing:

  1. Scanning for Vulnerabilities: This involves the use of automated tools to scan systems, networks, and applications for known vulnerabilities. These tools can range from basic free utilities to complex enterprise-level solutions.

  2. Penetration Testing: Often combined with vulnerability testing, penetration testing involves simulating cyber-attacks to exploit vulnerabilities in a system. Unlike vulnerability scanning, penetration testing is more about testing the effectiveness of the defensive mechanisms in place.

  3. Assessment of Security Posture: This includes evaluating the existing security measures and understanding how vulnerable the system is to different types of cyber-attacks.

  4. Manual Review and Analysis: In addition to automated tools, a manual review of the system, including code inspection and system configuration checks, is performed to identify potential security flaws.

Types of Vulnerabilities:

Vulnerability testing seeks to identify various types of weaknesses, including but not limited to:

  1. Software bugs

  2. Misconfigurations

  3. Inadequate security controls

  4. Flaws in operational processes

  5. Unpatched systems

  6. Weak encryption

  7. Insecure APIs

Process of Vulnerability Testing:

  1. Preparation: Define the scope and goals of the assessment, including which systems and networks to test.

  2. Vulnerability Detection: Use automated tools and manual techniques to identify vulnerabilities.

  3. Vulnerability Analysis: Determine the nature of the vulnerabilities, their potential impact, and the likelihood of exploitation.

  4. Risk Assessment: Prioritize the vulnerabilities based on risk, considering factors such as the value of the affected asset and the feasibility of an attack.

  5. Reporting: Document the findings and provide detailed reports for different stakeholders, including technical teams and management.

  6. Remediation: Develop a plan to address and mitigate the identified vulnerabilities.

  7. Reassessment: Re-test to ensure vulnerabilities are effectively remediated.

Importance:

  1. Proactive Security: Identifies weaknesses before they can be exploited by attackers.

  2. Compliance: Helps in meeting regulatory and compliance requirements.

  3. Risk Management: Assists in prioritizing security efforts and resource allocation.

  4. Trust and Reputation: Enhances customer and stakeholder trust in an organization’s commitment to security.

Vulnerability testing is an ongoing process, not a one-time event, as new vulnerabilities emerge constantly. Regular assessments are crucial for maintaining the security of any organization in the evolving landscape of cyber threats.

System Security

  1. System Access Control

    1. Enforce secure login practices, account management, and password policies.

  2. Patch Management

    1. Regularly update and patch all software and systems to address vulnerabilities.

  3. Network Security

    1. Implement firewall rules, intrusion detection/prevention systems, and network segmentation to protect against unauthorized access.

Employee Security

  1. Training and Awareness

    1. Conduct security awareness training for all employees and contractors to promote a security-conscious culture.

  2. Incident Reporting

    1. Establish a clear process for reporting security incidents and breaches promptly.

Physical Security

  1. Data Center Security

    1. Ensure physical security measures are in place to protect data centres and servers.

Business Continuity and Disaster Recovery

Develop and maintain a comprehensive business continuity and disaster recovery plan to ensure the continuity of operations in case of disruptions.

Vendor Management

Assess and monitor third-party vendors' security practices to ensure they meet security standards.

Compliance and Auditing

Regularly audit and assess compliance with this security policy and relevant industry standards and regulations.

Security Incident Response

Establish an incident response team and procedures to address and mitigate security incidents.

Review and Revision

Periodically review and update the security policy to adapt to evolving threats and technologies.

Enforcement and Consequences

Clearly define consequences for policy violations and unauthorized actions.

Data Deletion Policy and Consequences

Our Data Deletion Policy mandates that if a client does not renew their subscription, their data is retained for 90 days before permanent deletion. During this period, clients are notified and have the option to renew their subscription to prevent data loss. In cases where a client requests data deletion, we comply by securely eradicating their data within 24 hours of the request. This policy ensures adherence to data protection laws while respecting client preferences, maintaining a balance between data security and client autonomy.

Disaster Recovery

Our Disaster Recovery Plan is designed to ensure robustness and resilience in the face of unexpected disasters. In the event of a disaster, we are prepared to restore full operations and achieve complete data recovery within a 12–15-hour timeframe. This comprehensive recovery strategy encompasses data backups, infrastructure redundancy, and a well-coordinated response protocol. By prioritizing rapid recovery, we minimize downtime and data loss, ensuring that our services remain reliable and secure even under challenging circumstances. This commitment is a testament to our dedication to maintaining uninterrupted service and safeguarding our clients' critical data.