Version

1.

0

2

Owner

Head of Engineering

CTO

Last Updated On

Last Updated by

Bruno Belizario

Approved by

Sean Oldfield

Last Review

Purpose

Ensure the protection of the organization's data and assets that are shared with, accessible to, or managed by suppliers, including external parties or third-party organizations such as service providers, vendors, and customers, and maintain an agreed level of information security and service delivery in line with supplier agreements.

...

ecoPortal shall not share or transmit Confidential data to a third party without first performing a third-party risk assessment and fully executing a written contract, statement of work, or service agreement that describes expected service levels and any specific information security requirements.

Information security for the use of cloud services

This section outlines the fundamental parameters for managing and mitigating risks related to cloud service usage.

Responsibilities and Risk Management:

Security Requirements and Control:

  • The company shall be responsible for all customer controls as defined in cloud service providers’ responsibility matrices.

Service Selection and Usage Scope:

  • Reviews of cloud service agreements for inherently high-risk providers shall be performed annually to ensure they align with company requirements.

Incident Management:

  • Information security incidents related to cloud services shall be managed in accordance with the Incident Response Plan.

Service Review and Exit Strategy:

  • Risks related to exit and vendor lock-in should be evaluated prior to the acquisition as part of the vendor security assessment.

Provider and Customer Agreement:

  • Agreements with cloud service providers will specify protections for ecoPortal’s data and service availability, even though they might be predefined and non-negotiable.

  • Where possible, ecoPortal will seek advance notification from providers concerning substantive changes in service delivery, including changes in technical infrastructure, data storage location, or usage of sub-contractors.

Ongoing Management and Assurance:

  • Information regarding how to obtain and utilise information security capabilities provided by the cloud service provider should be assessed as part of the vendor review at the time of acquisition.

Third-Party Security Standards

All third parties must maintain reasonable organizational and technical controls as assessed by ecoPortal.

...

  • Protection of customer data, organizational records, and records retention and disposition

  • Privacy of Personally Identifiable Information (PII)

Customer Data Transfer Procedure

ecoPortal has designed and created an SFTP server that caters to clients and organizations. It is intended to ensure the secure and reliable transfer of sensitive data, protect data confidentiality, integrity, and availability during transfers, implement access controls and permissions to manage file transfer activities, and monitor and audit file transfer activities for compliance and security purposes.

Each organization has its own file system /sftp/<org_name> and user /home/<org_username> under its own organization name.

Depending on the configuration, clients have defined IN and OUT folders for inbound and outbound traffic, respectively. An additional layer of PROD and UAT or DEV folders may be provided to supplement change management in the system.

Data transfer will be completed in accordance with the following steps:

  1. File Preparation: Prepare the file(s) for transfer, ensuring encryption, compression, or other necessary security measures are applied.

  2. SFTP Connection: A secure connection to the SFTP server will be established using SSH key-based authentication provided by ecoPortal.

  3. File Upload: The file(s) will be uploaded from the local system to the SFTP server, ensuring data integrity and encryption during transit.

  4. File Download: The file(s) will be downloaded from the SFTP server after a secure connection to the intended recipient's system is established, maintaining data confidentiality and integrity.

  5. Verification: File integrity will be verified after the successful transfer of the file(s), along with any additional validation checks if required.

  6. File Removal: The file(s) will be removed from the SFTP server periodically, ensuring secure deletion or archiving as per organizational requirements.
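The following Python example is added here and is not part of ecoPortal's policy or tooling: it shows one way to support the integrity check in steps 1 and 5, using a SHA-256 manifest written before upload and checked after download. The manifest name SHA256SUMS, the function names and the sample files are assumptions constructed for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

MANIFEST = "SHA256SUMS"  # assumed manifest name; the policy does not define one

def sha256_file(path, chunk=1 << 20):
    # Hash in chunks so large exports do not need to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def write_manifest(directory):
    """Step 1 (sender): record a digest for every file before upload."""
    directory = Path(directory)
    files = sorted(p for p in directory.rglob("*") if p.is_file() and p.name != MANIFEST)
    lines = [f"{sha256_file(p)}  {p.relative_to(directory).as_posix()}" for p in files]
    (directory / MANIFEST).write_text("".join(line + "\n" for line in lines))
    return len(lines)

def verify_manifest(directory):
    """Step 5 (recipient): map each listed path to ok/mismatch/missing/rejected."""
    directory = Path(directory).resolve()
    results = {}
    for line in (directory / MANIFEST).read_text().splitlines():
        digest, _, rel = line.partition("  ")
        target = (directory / rel).resolve()
        if directory not in target.parents:  # entry points outside the transfer folder
            results[rel] = "rejected"
        elif not target.is_file():
            results[rel] = "missing"
        elif hmac.compare_digest(sha256_file(target), digest.lower()):
            results[rel] = "ok"
        else:
            results[rel] = "mismatch"
    return results

def demo():
    """Constructed sample: two files, one altered after the manifest is written."""
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp)
        (out / "incidents.csv").write_text("id,site\n1,Site A\n")
        (out / "users.csv").write_text("id,name\n1,A\n")
        write_manifest(out)
        (out / "users.csv").write_text("id,name\n1,B\n")  # simulated corruption
        return verify_manifest(out)
```

A manifest that travels in the same folder as the files detects corruption and truncation; to detect deliberate modification, the digest list has to reach the recipient over a separate channel or be signed.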

Where SFTP is not configured for a third party, information will be shared by encrypted and password-protected .zip folders, with passwords provided in a communication separate from the folder distribution.

Exceptions

Requests for an exception to this Policy must be submitted to the COO for approval.

...