Information Security Policy

Company-wide Policies

External and Internal Reporting

  1. The email address [email protected] will be publicly advertised, kept available, and actively monitored for incoming security reports.
  2. When security issues are found/reported:
    • Reported issues will be triaged and classified as High, Medium, or Low within 72 hours of receipt (the classification SLA).
    • Security issues will be investigated and resolved within the following SLAs based on their classification:
      • High: 15 days
      • Medium: 30 days
      • Low: 60 days

Physical Security

  1. Documents containing sensitive Company or customer information must be kept secured and must never be left unattended in shared or public spaces.

Laptop Security

  1. Employees must use a modern, up-to-date web browser for work-related activities (e.g. Chrome or Safari).
  2. Employees must enable full-disk encryption on every laptop and device used for work-related activities, whether company-provided or personal.
  3. Employees must lock their computer (a screen lock that requires a password to unlock) whenever they step away from it.
  4. Employees must enable device location (find-my-device) features on every device used for work-related activities, whether company-provided or personal.
  5. Employees should report suspicious activity and forward suspected phishing emails to [email protected].

Accounts and Passwords

  1. Employees must use 1Password as the password manager for generating and storing company passwords and secrets.
  2. Employees must not reuse a password across more than one service.
  3. Employee master passwords for 1Password must be strong: long, unique, and not used for any other service.
  4. Employees must enable multi-factor authentication on every system that offers it.
  5. Employees must use their Company-provided maven-labs.com email address for all work-related services.
  6. Employees must not enable the “remember master password” option in 1Password.

Data Privacy

  1. Partner or customer data must never be shared with or stored by third-party companies that are not directly used in the implementation or support of the AMI application.
  2. Employees must notify senior staff whenever data is to be stored in or shared with a new system for use in the AMI application, so that the change receives engineering, security, and legal review before it happens.
  3. Employees may access production data only for legitimate business purposes, such as metrics aggregation and customer support.

Security Week

  1. Every 120 days, the entire company dedicates a week (Security Week) to reviewing company-wide security policies and practices, including:
    • Company-wide review of each employee's individual security practices
    • Rotation of personal passwords and secrets

Engineering Policies

Continuous Software Security

  1. All code changes must be submitted as a Pull Request via GitHub and should be reviewed by a fellow Engineer before merge.
    • Every code review must consider the security impact of the change.
  2. All code commits and releases should have their tests run and pass on the continuous integration (CI) service.
    • CI must include static analysis and dependency vulnerability scanning to catch well-known classes of security flaws and known-vulnerable dependencies. Static analysis only finds known flaw patterns, so it complements the security-focused review above rather than replacing it.

Recurring Software Security

  1. Every 120 days, as part of Security Week, the Engineering team adds the following application-security activities to the company-wide review:
    • Full security code review of the codebase and architecture
    • Review of all uses of cryptography for invalid, outdated, or broken techniques
    • Application penetration testing
    • Rotation of application passwords and secrets
    • Restore test of application backups, to confirm they are actually recoverable
  2. Twice a year, application penetration testing will be performed by an independent security organization.

Logging

  1. All software application logs must be centralized in a read-only, real-time logging service (Logz.io).
  2. Application logs must also be archived to long-term storage (Amazon S3) and retained permanently.
  3. Personally identifiable information (PII) should not be logged. When a log entry relates to a specific user, log the user's unique ID instead of any PII.
  4. Sensitive information, such as passwords and API tokens, must never be logged.

Documentation

  1. For all PII and sensitive information stored by the AMI application, the location of that data must be documented in the Company's primary documentation system (Notion).

Cryptography

  1. All customer data must be encrypted at rest (e.g. disk encryption).
  2. All customer data must be encrypted in transit (e.g. HTTPS over TLS; obsolete SSL protocol versions are not acceptable).
  3. All secrets that do not need to be directly recoverable (e.g. application user passwords) must be stored using a one-way hash. For passwords this means a salted, deliberately slow password-hashing function (e.g. bcrypt, scrypt, or Argon2), not a general-purpose fast hash.
  4. All code that involves cryptography must be documented and reviewed by at least two Company engineers for correct use of cryptographic techniques.
  5. When implementing and reviewing uses of cryptography, the chosen algorithm and its parameters should be re-evaluated against weaknesses and vulnerabilities published since the code was written.
  6. Cryptographic functions used in a feature must come from a well-tested, industry-standard library rather than a custom implementation.