Page Properties

Version: ... 2.0
Owner: CTO
Last Updated On: ...
Last Updated by: Bruno Belizario
Approved by: ... Raphael Santos
Last Review: ...

Purpose

To ensure the correct and secure operation of information processing systems and facilities.

...

Pre, beta, and staging environments shall be strictly segregated from production SaaS environments to reduce the risks of unauthorized access or changes to the operational environment. Confidential production customer data must not be used in the development or test environments without the express approval of the CCOCTO.

Refer to the Data Management Policy for a description of Confidential data. If production customer data is approved for use during development or testing, it shall be scrubbed of any such sensitive information whenever feasible.

...

  • Log user log-in and log-out

  • Log CRUD (create, read, update, delete) operations on application and system users and objects

  • Log security settings changes (including disabling or modifying logging)

  • Log application owner or administrator access to customer data (i.e. Access Transparency)

  • Logs must include user ID, IP address, valid timestamp, type of action performed, and object of this action

  • Logs must be stored for at least 30 days, and should not contain sensitive data or payloads
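The logging requirements above are concrete enough to check mechanically. The following is an added illustration, not part of this policy or of any company tooling: a small validator that rejects an audit event if it lacks a required field, carries an invalid IP address or timestamp, uses an action type outside the categories the policy names, or embeds sensitive data or a raw payload, plus a helper for the 30-day minimum retention window. The action names, forbidden key names and the two sample events are this example's own assumptions.

```python
from __future__ import annotations

import ipaddress
from datetime import datetime, timedelta

# Event categories the policy requires to be logged. The names are this
# example's own choice; the policy does not prescribe identifiers.
ALLOWED_ACTIONS = {
    "login", "logout",                      # user log-in / log-out
    "create", "read", "update", "delete",   # CRUD on users and objects
    "security_settings_change",             # incl. disabling/modifying logging
    "admin_customer_data_access",           # access transparency
}

# Fields every log record must carry (user ID, IP, timestamp, action, object).
REQUIRED_FIELDS = ("user_id", "ip_address", "timestamp", "action", "object")

# Key names treated as sensitive data or raw payloads (assumed list).
FORBIDDEN_KEYS = {"password", "secret", "token", "api_key", "payload", "body", "card_number"}

MIN_RETENTION = timedelta(days=30)


def _sensitive_keys(obj, prefix: str = "") -> list[str]:
    """Recursively collect key paths whose name marks sensitive data or a payload."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            path = f"{prefix}.{key}" if prefix else key
            if key.lower() in FORBIDDEN_KEYS:
                found.append(path)
            found.extend(_sensitive_keys(value, path))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            found.extend(_sensitive_keys(value, f"{prefix}[{i}]"))
    return found


def validate_event(event: dict) -> list[str]:
    """Return the policy violations found in one audit event (empty list = compliant)."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in event or event[field] in ("", None):
            problems.append(f"missing required field: {field}")
    if event.get("ip_address"):
        try:
            ipaddress.ip_address(event["ip_address"])
        except ValueError:
            problems.append("ip_address is not a valid IP address")
    if event.get("timestamp"):
        try:
            ts = datetime.fromisoformat(str(event["timestamp"]))
            if ts.tzinfo is None:
                problems.append("timestamp lacks a timezone offset")
        except ValueError:
            problems.append("timestamp is not valid ISO 8601")
    if event.get("action") and event["action"] not in ALLOWED_ACTIONS:
        problems.append(f"unknown action type: {event['action']}")
    for path in _sensitive_keys(event):
        problems.append(f"sensitive data or payload present: {path}")
    return problems


def must_retain(event: dict, now: datetime) -> bool:
    """True while the event is still inside the 30-day minimum retention window."""
    ts = datetime.fromisoformat(str(event["timestamp"]))
    return now - ts < MIN_RETENTION


# Constructed sample events: the first is compliant, the second is not.
SAMPLE_EVENTS = [
    {
        "user_id": "u-1042", "ip_address": "203.0.113.7",
        "timestamp": "2024-05-01T12:00:00+00:00", "action": "update",
        "object": "customer/4711",
    },
    {   # no object, malformed IP, and the request body has been logged verbatim
        "user_id": "u-1042", "ip_address": "203.0.113.999",
        "timestamp": "2024-05-01T12:00:00+00:00", "action": "login",
        "payload": {"password": "hunter2"},
    },
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event.get("action"), "->", validate_event(event) or "compliant")
```

Running the validator on the second sample reports the missing object, the malformed IP address, and both the `payload` key and the `payload.password` key nested inside it; a record like that should be rejected (or scrubbed) before it reaches the log store rather than stored for 30 days with a credential in it.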

Protection of Log Information

Logging facilities and log information shall be protected against tampering and unauthorized access.

Administrator & Operator Logs

System administrator and system operator activities shall be logged and reviewed and/or alerted in accordance with the system classification and criticality.

Data Restore Logs

In the event the company needs to restore production data containing PII from backups, either for the purposes of providing services or for testing purposes, the restore shall be logged or tracked in auditable tickets.

...

The installation of software on production systems shall follow the change management requirements defined in this policy.

Threat Intelligence

Information relating to information security threats should be collected and analyzed to produce threat intelligence.

Collection: Draw from diverse sources, such as blogs, news articles, vendor updates, public databases, and industry communities.

Analysis: Examine the data to derive actionable insights and enable proactive response initiatives. Report any actionable insights or specific threats to the DevOps Team.

Dissemination: Ensure effective communication of threat intelligence to pertinent teams for effective action. The DevOps Team shall disseminate actionable information via communication channels, such as Google Chat, email and emergency alerts.

Feedback: Cultivate continuous improvement by leveraging feedback for policy enhancements. Integrate feedback into policy amendments and conduct regular policy reviews.

Technical Vulnerability Management

...