1.1 Information Security Policy
Purpose and Scope
This Information Security Policy addresses the basic information security policy topics which maintain the security, confidentiality, integrity, and availability of Sort applications, systems, infrastructure, and data. From time to time, Sord may update this policy and implement different levels of security controls for different information assets, based on risk and other considerations. This policy is guided by security requirements specific to Sord including compliance with applicable laws and regulations.
This policy applies to all Sord assets utilized by personnel acting on behalf of Sord or accessing its applications, infrastructure, systems or data. All personnel are required to read, accept and follow all Sord policies and plans upon starting and at least annually.
Information Security Communication
Please contact [email protected] if you have any questions about the Sord information security program.
People Security
Background Check
All Sord personnel are required to complete a background check. An authorized member of Sord must review each background check in accordance with local laws.
Confidentiality
Prior to accessing sensitive information, personnel are required to sign an industry-standard confidentiality agreement protecting Sord confidential information.
Security Awareness Training
Sord has a security awareness training program in place to promote the understanding of security policies and procedures. All personnel are required to undergo training following initial employment and annually thereafter. Completion of the training program is logged by Sord.
Secure Coding
Sord promotes the understanding of secure coding to its engineers in order to improve the security and robustness of Sord products.
Physical Security
Clear Desk
Sord personnel are required to ensure that all sensitive information in hard-copy or electronic form is secure in their work area when it is unattended. This requirement extends to both remote and in-office work.
Sord personnel must remove hard-copies of sensitive information from desks and lock the information in a drawer when desks are unoccupied and at the end of the work day. Keys used to access sensitive information must not be left at an unattended desk.
Clear Screen
Sord employees and contractors must be aware of their surroundings at all times and ensure that no unauthorized individuals have access to see or hear sensitive information. All mobile and desktop devices must be locked when unoccupied. Session time-outs and lockouts are enforced through technical controls for all systems containing covered information.
All devices containing sensitive information, including mobile devices, shall be configured to automatically lock after a period of inactivity (e.g. screen saver).
Physical Security
Reference the Physical Security Policy
Remote Work
Any Sord issued devices used to access company applications, systems, infrastructure, or data must be used only by the authorized employee or contractor of such device.
Employees or contractors accessing the Sord network or other cloud-based networks or tools are required to use HTTPS/TLS 1.2+ at a minimum to protect data-in-transit.
If you are in a public space, ensure your sight lines are blocked and do not have customer conversations or other confidential conversations. If someone is close to you, assume they can see and hear everything. Connecting directly to a public wireless network that doesn't employ, at minimum, WPA-2 or an equivalent wireless protocol is prohibited
While working at home, employees and applicable contractors should be mindful when visitors (e.g. maintenance personnel) are at their residences, as visitors could become privy to sensitive information left up on computer screens.
System Access Security
Sord adheres to the principle of least privilege, specifying that team members will be given access to only the information and resources necessary to perform their job functions as determined by management or a designee. Requests for escalation of or changes to privilege and access are documented and require approval by an authorized manager. System access is revoked upon termination or resignation.
Account Audits
Audits of access and privileges to sensitive Sord applications, infrastructure, systems, and data are performed and reviewed by authorized personnel.
Password Security
Unique accounts and passwords are required for all users. Passwords must be kept confidential and not shared with multiple users. Where possible, all user and system accounts must have a minimum of ten characters including alpha (upper and lower case), one numeric and one non-alphanumeric character. All accounts must use unique passwords not used elsewhere.
Rotation Requirements
If a password is suspected to be compromised, the password should be rotated immediately and the security team should be immediately notified.
Storing Passwords
Passwords must only be stored using a Sord approved password manager. Sord does not hard code passwords or embed credentials in static code.
Asset Security
Sord maintains a Configuration and Asset Management Policy designed to track and set standard configurations to protect Sord devices, networks, systems, and data. In compliance with such policy, Sord may provide team members laptops or other devices to perform their job duties effectively.
Data Management
Sord stores and disposes of sensitive data, in a manner that; reasonably safeguards the confidentiality of the data; protects against the unauthorized use or disclosure of the data; and renders the data secure or appropriately destroyed. Data entered into Sord applications must be validated where possible to ensure information quality and mitigate the impacts of web-based attacks on the systems.
Data Classification
Sord defines the handling and security control requirements for each Sord data class.
Data Retention and Disposal Policy
The time periods for which Sord retains customer data depends on the purpose for which it is used. Sord retains customer data for as long as an account is active, as needed to provide services to the customer, or in accordance with the agreement(s) between Sord and the customer, unless Sord is required by law to dispose of it earlier or keep it longer. Sord may retain and use customer data to comply with its legal obligations, resolve disputes, and enforce agreements.
Except as otherwise set forth in the Sord policies, Sord also disposes of customer data when requested by customers.
Sord maintains a sanitization process that is designed to prevent sensitive data from being exposed to unauthorized individuals. Sord hosting and service providers are responsible for ensuring the removal of data from disks allocated to Sord use before they are repurposed and the destruction of decommissioned hardware.
Change and Development Management
To protect against unauthorized changes and the introduction of malicious code, Sord maintains change management procedures that address the types of changes, required documentation for changes, required review and/or approvals for changes, and emergency changes. Changes to Sord production infrastructure, systems and applications are documented, tested, and approved before deployment.
Vulnerability and Patch Management
Sord uses a proactive vulnerability and patch management process that prioritizes and implements patches based on classification. Such classification may include whether the severity is security-related or other additional factors. Sord schedules third party security assessments and penetration tests at least annually.
If you believe you’ve discovered a vulnerability, please email us at [email protected] and we will aim to address a critical issue as soon as possible.
Environment Separation
As necessary, Sord maintains requirements and controls for the separation of development and production environments.
Source Code
Sord controlled directories or repositories containing source code are secured from unauthorized access.
Logging and Monitoring
Sord collects & monitors audit logs and alerts on key events stemming from production systems, applications, databases, servers, message queues, load balancers, and critical services, as well as IAM user and admin activities. Sord manages logging solution(s) and/or SIEM tool(s) to collect event information of the aforementioned systems and activities. Sord implements filters, parameters, and alarms to trigger alerts on logging events that deviate from established system and activity baselines. Logs are securely stored and archived for a minimum of 1 year to assist with potential forensic efforts.
Logs are made available to relevant team members for troubleshooting, auditing, and capacity planning activities. System and user activity logs may be utilized to assess the causes of incidents and problems. Sord utilizes access control to prevent unauthorized access, deletion, or tampering of logging facilities and log information.
When various logging and alerting solutions and mechanisms give rise to events and alerts, Sord correlates those events and alerts across all log sources to identify root causes and formally declare incidents, as necessary, in accordance with the Security Incident Response Policy and Change Management Policy.
Additionally, Sord utilizes threat detection solution(s) to actively monitor and alert on network and application-based threats.
Business Continuity and Disaster Recovery
Sord maintains a plan for continuous business operations if facilities, infrastructure or systems fail. The plan is tested, reviewed and updated at least annually.
Backup Policy
Backups are performed according to the appropriate backup schedules to ensure critical systems, records, and configurations can be recovered in the event of a disaster or media failure.
Security Incident Response
Sord maintains a plan that defines responsibilities, detection, and corrective actions during a security incident. The plan will be followed during the event of a system compromise, or unintended/unauthorized acquisition, access, use or release of non-public information. The plan is tested, reviewed and updated at least annually.
Sord utilizes various monitoring and surveillance tools to detect security threats and incidents, but you may be the first to become aware of a problem. Early detection and response can mitigate damages and minimize further risk to Sord.
A message should be sent to [email protected] if you believe there may be a security incident or threat.
Risk Management
Sord requires risk assessments to be performed at least annually. For risks identified during the process, Sord classifies the risks and develops action plans to mitigate them.
Vendor Management
Sord requires vendor security assessment before third party products or services are used confirming the provider can maintain appropriate security and privacy controls. The review may include gathering applicable compliance audits (SOC 1, SOC 2, PCI, HITRUST, ISO 27001, etc.) or other security compliance evidence. Agreements will be updated and amended as necessary when business, laws, and regulatory requirements change.
Exceptions
Sord business needs, local situations, laws and regulations may occasionally call for an exception to this policy or any other Sord policy. If an exception is needed, Sord management will determine an acceptable alternative approach.
Enforcement
Any violation of this policy or any other Sord policy or procedure may result in disciplinary action, up to and including termination of employment. Sord reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Sord does not consider conduct in violation of this policy to be within an employee’s or contractor’s course and scope of work.
Any employee or contractor who is requested to undertake an activity that he or she believes is in violation of this policy must provide a written or verbal complaint to his or her manager or any other manager of Sord as soon as possible.
The disciplinary process should also be used as a deterrent to prevent employees and contractors in violating organizational security policies and procedures, and any other security breaches.
Responsibility, Review, and Audit
Sord reviews and updates its security policies and plans to maintain organizational security objectives and meet regulatory requirements at least annually. The results are shared with appropriate parties internally and findings are tracked to resolution. Any changes are communicated across the organization.
This document is maintained by Jonathan Gautsch.
This document was last updated on 03/27/2024.
Last updated