Information Security Policy
Company-wide Policies
External and Internal Reporting
- The email address [email protected] will be advertised, available and monitored for incoming security reports.
- When security issues are found or reported:
  - Issues will be immediately investigated and classified as High, Medium, or Low. The SLA for classifying an issue is 72 hours.
  - Security issues will be investigated and resolved within the following SLAs, based on their classification:
    - High: 15 days
    - Medium: 30 days
    - Low: 60 days
Physical Security
- Documents containing sensitive information, whether Company or customer related, must be secured and never left in public spaces when no employee is present.
Laptop Security
- Employees must use a secure web browser for work-related activities (e.g. Chrome or Safari).
- Employees must encrypt their laptops and any other devices used for work-related activities, whether they are company-provided or not.
- Employees must lock their computers with password protection whenever they are not physically present at the computer.
- Employees will turn on device location features for devices they use for work-related activities, whether they are company-provided or not.
- Employees should report suspicious activity and forward potential phishing emails to [email protected].
Accounts and Passwords
- Employees must use 1Password as a password manager for generating and storing company passwords and secrets.
- Employees will not use the same password for more than one service.
- Employee master passwords for 1Password must be reasonably secure.
  - Tips for generating a master password: https://support.1password.com/strong-master-password/
  - It is recommended to choose a secure password that will make you smile: https://xkcd.com/936/
- Employees must enable multi-factor authentication on every system that offers it.
- Employees must use their Company-provided maven-labs.com email address for all services used for company work.
- Do not enable “remember master password” for 1Password.
Data Privacy
- Partner or customer data must never be shared with, or stored by, third-party companies that are not used directly in the implementation or support of the AMI application.
- Employees must notify senior staff whenever data is to be stored or shared in a new system for the AMI application, so that the change can receive engineering, security, and legal review.
- Employees will only access production data for legitimate business purposes, such as metrics aggregation and customer support.
Security Week
- Every 120 days, the entire company dedicates a week to the review of company-wide security policies:
  - Company review of individual security practices
  - Personal password and secrets rotation
Engineering Policies
Continuous Software Security
- All code changes must be submitted as a Pull Request via GitHub and should be reviewed by a fellow Engineer.
- All code reviews must include a focus on the security impact of the changes.
- All code commits and releases should have their tests run and pass on the continuous integration (CI) service.
- CI tests must include static analysis to prevent well-known security flaws and insecure dependencies.
Recurring Software Security
- Every 120 days, as part of Security Week, the Engineering team adds the following activities to the company-wide policy to improve application security:
  - Full codebase and architecture security code review
  - Review of all uses of cryptography for invalid, outdated, and/or broken techniques
  - Application penetration testing
  - Application password and secrets rotation
  - Testing of application backups for restorability
- Twice a year, application penetration testing will be performed by an independent security organization.
Logging
- All software application logs must be centralized into a read-only real-time logging service (Logz.io).
- All long term software application logs must be permanently archived for long term storage (Amazon S3).
- Personally identifiable information (PII) should not be logged. If a log entry is specific to a user, the user’s unique ID should be logged for reference instead.
- Sensitive information, such as passwords and API tokens, must never be logged.
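The two logging rules above (reference users only by ID; never let passwords or API tokens reach the log service) are easiest to enforce at the point where records are created rather than by relying on every call site. The following is an added illustration written for this policy, not code from the AMI application or from Logz.io: a Python logging filter that masks values of secret-looking fields and e-mail addresses before any handler, local or centralized, sees the record. The field names, the simple e-mail pattern, the logger name "ami.example" and the sample events are all constructed for the example.

```python
import logging
import re

# Constructed list of field names whose values must never reach the logs
# (policy: passwords, API tokens and other secrets are never logged).
SENSITIVE_KEYS = ("password", "passwd", "secret", "token", "api_key", "authorization")

# Matches key=value or key: value for the keys above, case-insensitively.
# An optional "Bearer " prefix is swallowed so a whole Authorization header is masked.
_KV_RE = re.compile(
    r"(?i)\b(" + "|".join(SENSITIVE_KEYS) + r")(\s*[=:]\s*)(?:bearer\s+)?([^\s,;]+)"
)
# Minimal e-mail pattern standing in for PII detection; constructed for this
# example and deliberately simple, not a complete PII classifier.
_EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def redact(message: str) -> str:
    """Return the message with secret values and e-mail addresses masked."""
    message = _KV_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", message)
    return _EMAIL_RE.sub("[EMAIL-REDACTED]", message)


class RedactingFilter(logging.Filter):
    """Rewrites every record's message before any handler sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated; prevents a second formatting pass
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the result can be inspected offline."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def build_logger(name: str = "ami.example") -> tuple[logging.Logger, list[str]]:
    """Logger with the redacting filter attached; returns it with its captured lines."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    return logger, handler.lines


def log_user_event(logger: logging.Logger, user_id: int, action: str) -> None:
    """Reference a user only by their unique ID, as the policy requires."""
    logger.info("user_id=%d action=%s", user_id, action)


if __name__ == "__main__":
    log, lines = build_logger()
    # Constructed sample events, including the kind of line that must not leak.
    log.info("login attempt email=%s password=%s", "alice@example.com", "hunter2")
    log.info("outbound call Authorization: Bearer %s", "eyJhbGciOi.example")
    log_user_event(log, 42, "export_report")
    print("\n".join(lines))
```

Attaching the filter to the logger (not to a handler) means the masking happens once, before the record fans out to the console, the Logz.io shipper and the S3 archive alike; a filter on a single handler would leave the other destinations unprotected.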
Documentation
- All PII and sensitive information stored for the AMI application must be documented, including where that data is located, in the Company's primary documentation system (Notion).
Cryptography
- All customer data must be encrypted at rest (e.g. disk encryption).
- All customer data must be encrypted in transit (e.g. HTTPS, TLS, and SSL).
- All secrets that do not need to be directly recoverable (e.g. application passwords) should be stored using a one-way hashing algorithm.
- All code that involves cryptography must be documented and reviewed by at least two Company engineers for proper use of cryptographic techniques.
- When implementing and reviewing uses of cryptography, the security of the implemented algorithm should be re-evaluated against vulnerabilities discovered since it was implemented.
- When using cryptographic functions as part of a feature, a well-tested, industry-standard library must be used.
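The one-way hashing rule, the re-evaluation rule and the standard-library rule above fit together in a single pattern, shown here as an added example written for this policy rather than code from the AMI application. It uses Python's OpenSSL-backed hashlib (a well-tested library) to store a user password as a salted PBKDF2-SHA256 record that carries its own work factor, so that when the parameters are reviewed and raised, old records are detected and upgraded on next login instead of silently staying weak. It also shows, going slightly beyond the page's password example, that a high-entropy random API token only needs a plain SHA-256 for lookup. The algorithm label, iteration count, salt and key sizes and all sample inputs are constructed assumptions.

```python
import base64
import hashlib
import hmac
import os

# Constructed policy parameters for this example. The iteration count is the
# knob to raise when the hash is re-evaluated against newer hardware.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, slow, one-way hash for a low-entropy secret such as a user password."""
    salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    # Self-describing record: algorithm, work factor, salt and digest travel
    # together, so the parameters can change later without breaking old records.
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(derived)])


def _parse(stored: str) -> tuple[str, int, bytes, bytes]:
    algorithm, iterations, salt, digest = stored.split("$")
    return algorithm, int(iterations), base64.b64decode(salt), base64.b64decode(digest)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    algorithm, iterations, salt, digest = _parse(stored)
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(digest)
    )
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored: str) -> bool:
    """True when a record was produced under weaker parameters than current policy."""
    algorithm, iterations, _, _ = _parse(stored)
    return algorithm != ALGORITHM or iterations < ITERATIONS


def hash_token(token: str) -> str:
    """A random, high-entropy secret (e.g. an API token) only needs a plain one-way hash
    to be matched on lookup; the slow KDF exists to protect guessable passwords."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("wrong guess", record))
    legacy = hash_password("legacy", iterations=100_000)  # simulates an old record
    print(needs_rehash(legacy), needs_rehash(record))
```

On a successful login, a record for which needs_rehash() is true is simply re-hashed with the current parameters and stored back; that is how a parameter review made during Security Week propagates to existing users without a forced reset.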