General Security
| Note |
|---|
| This is a draft document |

| Info |
|---|
| This document describes security details of the services provided by Gebsun. |
General Security
| ID | Question | Answer |
|---|---|---|
| GS1 | Describe your security incident response process (data breach, malware/viruses, unauthorized access, etc.) | We are available XXXXXXXXXXXX; instant backup of: database logs; change of passwords. |
| GS2 | Does security incident response process include appropriate notifications to affected clients/users? | Yes, we do inform affected customers so they can take appropriate security steps on their side. For security reasons we do not share information outside the company. |
| GS3 | Describe employee security awareness, training and certification process | All employees pass security awareness training, and all security incidents are assessed by the whole team responsible for the affected service. For security reasons we do not share further information outside the company. |
| GS4 | Are documented security policies issued, updated and acknowledged by all employees? | Yes, all employees must pass security awareness training and acknowledge the security policy. |
| GS5 | Do you have documented vulnerability management process and procedures? | On the application level: no. On the OS level our infrastructure provider Amazon EC2 has a defined vulnerability process; we rely on our infrastructure providers for vulnerability management (we do not store any data on our own servers): aws.amazon |
| GS6 | Do you have a documented Privacy Policy? Is there internal monitoring for compliance with Privacy Policies and procedures? | Yes, the privacy policy is documented. XXXX We store data on third-party vendors' servers and we rely on their privacy policies: privacy policy on the OS level: redhaten/about/privacy-policy; privacy policy on the application level: www.atlassian-policy. No, currently there is no need to monitor compliance with the security policy on the application level. On the OS level our server provider OpenShift does monitoring; please read more about that: openshiftpolicy/security.html |
| GS7 | If you are based in the U.S. and collect, use or retain personal data from European Union member countries or Switzerland, do you comply with the U.S. - E.U. Safe Harbor Framework and the U.S. - Swiss Safe Harbor Framework? Have you certified that you adhere to the Safe Harbor Privacy Principles of notice, | We do not collect any personal data or information; we are based in the EU. |
| GS8 | Does your infrastructure or your data centers have current security controls certifications, such as SSAE16/SOC1, SOC2, ISO 27001? Upon request can you provide a recent audit report? | We do not own a datacenter. We use Amazon's EC2 as infrastructure provider, through RedHat OpenShift; all the infrastructure and data is managed by third-party providers, i.e. OpenShift, mLab and Atlassian. Please read about Amazon EC2 security... |
Corporate Security
| ID | Question | Answer |
|---|---|---|
| CS1 | What physical security controls are implemented to protect unauthorized access to systems and data? | We rely on our infrastructure providers for security management of the data stored on their servers. We use the external infrastructure provider Amazon EC2 (via RedHat OpenShift); please read more about security on the Amazon Security Page. |
| CS2 | What network security controls are implemented to protect unauthorized access to systems and data? | See above (Amazon EC2 security). |
| CS3 | Do you have a process for periodic scanning, identifying and remediating security vulnerabilities on servers, workstations, network equipment and applications? | See above (Amazon EC2 security). |
| CS4 | Do you conduct regular network and application penetration testing? Upon request can you provide penetration test results or other independent security review results? | See above (Amazon EC2 security). |
| CS5 | Does your infrastructure or your data centers have current security controls certifications, such as SSAE16/SOC1, SOC2, ISO 27001? Upon request can you provide a recent audit report? | See above (Amazon EC2 security). |
| CS6 | Describe your password policy to include complexity, expiration, reuse and lockout. | Our password policy conforms to the highest security standards. We use randomly generated high-quality passwords, fingerprints and encrypted storage for development and daily work. We do not share any detailed information when it comes to expiration. |
| CS7 | Describe standard employee issued device security configuration/features. (Login Password, Anti-Virus, Full/Whole Disk Encryption, Administrative Privileges, Firewall, etc.) | We do not share security information outside the company. |
| CS8 | Do you have a policy that requires implementing reasonable access security to lock devices (desktop, laptop, mobile)? (i.e. device inactivity auto lock, failed login attempts lockout, screensaver lock, etc.) | Yes |
| CS9 | Do you expire user sessions after a period of inactivity? | Yes |
| CS10 | What is your mobile device security policy? How is it enforced? | We do not allow mobile devices to be used to access the infrastructure. |
| CS11 | What is your personal device security policy? How is it enforced? | |
| CS12 | What is your external storage media security policy? How is it enforced? | We use the external data storage mLab. Please read more about the mLab Privacy Policy. |
| CS13 | Is there a formal process to add, delete or modify user accounts, access and access levels? | Yes |
| CS14 | Does employee termination result in access termination within 24 hours? | Yes |
| CS15 | Do you implement network security solutions for network monitoring, internet filtering, and intrusion detection? Please describe. | ? |
| CS16 | Do employees have ability to remotely connect to your protected network? (i.e. VPN) | We do not allow remote connections to our intranet. |
| CS17 | Do you use multiple factors for employee user authentication to access your network (local or remote)? | ? |
Production Infrastructure
| ID | Question | Answer |
|---|---|---|
| PS1 | What physical security controls are implemented to protect unauthorized access to systems and data? | We rely on our infrastructure providers for security management of the data stored on their servers (Amazon EC2 security). See also CS6 for detailed information regarding protection of our local systems. |
| PS2 | What network security controls are implemented to protect unauthorized access to systems and data? | See above for network security (Amazon EC2 security). |
| PS3 | Do you have a process for periodic scanning, identifying and remediating security vulnerabilities on servers, workstations, network equipment and applications? | Amazon EC2 security |
| PS4 | Do you implement network security solutions for network monitoring, internet filtering, and intrusion detection? Please describe. | Amazon EC2 security |
| PS5 | Do you conduct regular network and application penetration testing? Upon request can you provide penetration test results or other independent security review results? | Amazon EC2 security |
| PS6 | Describe Encryption Policy (rest and transport) | |
| PS7 | Describe Encryption Key handling policy | |
| PS8 | Who has access to the Production Encryption Keys | |
| PS9 | How is access granted to Production Encryption Keys | |
| PS10 | Are systems with access to NerdWallet data segregated from other network zones logically and physically? | We do not have access to NerdWallet data. |
| PS11 | Do you implement network security solutions for network monitoring, internet filtering, and intrusion detection? Please describe. | Amazon EC2 security |
| PS12 | Are audit trails and logs kept for systems and applications with access to NerdWallet data? | No. We do not have access to NerdWallet data. |
| PS13 | Do you use multiple factors for employee user authentication to access your network (local or remote)? | ? |
| PS14 | Describe your password policy to include complexity, expiration, reuse and lockout. | We do not share such information for security reasons. We can only state that our password policy complies with industry standards. |
| PS15 | Are systems with access to NerdWallet data segregated from other network zones logically and physically? | No |