Corporate Policy Information Security Management
Data Protection and Security Agreement
Introduction document
- Purpose
The purpose of the Information Security Management System (ISMS) in BETTASUITE is to ensure the continuity and protection of the business processes and information assets that fall within the ISMS. The information security needs and objectives are stated in this document to minimize the impact of security incidents on the operations of BETTASUITE and on the client database of BETTASUITE.
- Scope
The primary audiences for the Corporate Information Security Policy are Senior Management, System and Information Owners, Business and Functional Managers, the Chief Information Security Officer (CISO), and the IT Security Practitioners of the organization.
- Definitions
- 1 Availability: ensure the property/platform is accessible and usable upon demand by an authorized entity.
- 2 Asset: anything that has value to the organization (hardware, intellectual property, software code).
- 3 Confidentiality: property/IP/data information is not made available or disclosed to unauthorised individuals and/or entities.
- Corporate ISMS Policy
The Information Security Management System of BETTASUITE intends to ensure the protection of:
- 1 Integrity of all business processes, information assets, intellectual property, client data and supporting IT assets and processes, through protection from unauthorized modification and hacking, guarding against improper information modification or destruction, and ensuring information non-repudiation and authenticity. The unauthorised modification or destruction of information could have severe or catastrophic adverse effects on organisational operations, organisational assets and clients/individuals;
- 2 Availability of all business processes, platform blueprint, information assets and supporting IT assets and processes to authorized users as and when needed, ensuring timely and reliable access to and usage of information. The disruption of access to, or use of, information or an information system could have serious adverse effects on organisational operations, organisational assets and clients/individuals;
- 3 Confidentiality of all information assets, client data and company code/data (information is not disclosed to any unauthorised persons through deliberate or careless actions), preserving authorized restrictions on all information access and disclosure, including means for protecting personal privacy and proprietary information. The unauthorised disclosure of information could have a limited or unlimited adverse effect on organisational operations, organisational assets and clients/individuals;
- 4 All IT enabled processes and stakeholders shall follow the rules and regulations including best practice and/or circulars published externally to create awareness within the organisation; remaining one step ahead at all times is our core focus;
- 5 All audit trails and logs, as decided by EXECO and the Management Information Security Forum (MISF), shall be maintained and monitored by CTU IT Solutions, our chosen IT Service Provider;
- 6 All operational and system changes shall be monitored closely and shall adhere to the change management process at all times;
- 7 BETTASUITE complies with the laws, regulations and contractual obligations which are applicable to the organisation in general and to its ISMS in particular;
- 8 All applicable information security requirements are satisfied;
- 9 Continual improvements of the information security management system as and when required;
- 10 Continuous monitoring of all IT activities is in place;
- 11 Quarterly testing of backups will take place, checking the success of backups (data recovery);
- Applicability
This policy applies to all managers and staff of BETTASUITE, contractors, and third-party employees under contract, who have any access to, or involvement with, the business processes, information assets, and supporting IT assets and processes covered under the scope of the ISMS.
- Responsibility
BETTASUITE shall ensure that all activities required to implement, maintain and review this policy are performed. All personnel, regarded as included in the ISMS scope, must comply with this policy statement and its related security responsibilities defined in the information security policies and procedures that support the corporate information security policy. All personnel, even if not included in the ISMS scope, have a responsibility for reporting security incidents and identified weaknesses, and to contribute to the protection of business processes, information assets, and resources of BETTASUITE.
- Enforcement
BETTASUITE holds the right to monitor the compliance of its personnel with this policy. Managers and staff of BETTASUITE, contractors, and third-party employees who fail to comply with this policy may be subject to appropriate disciplinary action.
- Ownership and Revision
This policy statement is owned by the Board of Directors of BETTASUITE, which has delegated this task to the Chief Information Security Officer (CISO), being our IT Service Provider, CTU IT Solutions. This policy shall be revised once every two years by the CISO, and every time that the Board of Directors of FCI, or the MISF, decides to do so.
The MISF of BETTASUITE shall consist of the following members:
- Group CEO: Information Officer
- HOD – Development: 2nd Information Officer
- CTU IT Consulting: Service Provider
The company is committed to preserving the confidentiality, integrity and availability of ALL information security management systems and documentation at all times, ensuring the company manages information risk, specifically within our business services and products.
We are aligned with and adhere to the POPI Act (Conditions 7 & 8 of POPI Act compliance) and ISO standards.
BETTASUITE COMMITMENT
- Ensure that the needs of internal/external clients and the requirements of corporate governance are met;
- Establish confidence that partnership agreements/arrangements involving the exchange and sharing of information are legal and secure;
- Ensure that all security features (procedures/policies) are fully implemented, effective and correct;
- Be sure that the services and products offered by 3rd party suppliers of information security assurance are adequate, of the highest standard and fit for purpose.
Information security requirements to establish, implement, maintain and continually improve information security within a management system will continue to be aligned with company objectives, best practice, GDPR regulations, the ISMS, the POPI Act and other applicable legislation.
The implementation of, review of and commitment to information and data security compliance will enable all who work on behalf of the company to work efficiently, effectively and securely. Commitment to the company’s information security requirements will ensure that all electronic/digital operations, exchange of documentation/data, and office and remote working are carried out to an acceptable level, whilst still committing to reducing any information-related risks to an acceptable level.
The Company has documented ISMS objectives which are reviewed at least annually to ensure that the objectives set are being furthered. These objectives are supported by procedures and policies to ensure a high level of quality is maintained and to reduce any risk to the security of information within the company’s systems and the services provided.
The company’s overarching quality and information security objectives are as follows:
- Information will be protected against any unauthorized access
- Procedures regarding information security will be regularly reviewed and monitored to ensure confidentiality is maintained at all times, as well as to maintain a high standard of work;
- Regulatory and legislative requirements relevant to the business as a whole and to its information systems, including the processing of information, will be met, i.e. relevant data protection legislation, to ensure that the integrity of information is maintained;
- Business Continuity plans are in place, maintained and tested;
- Training is available and compulsory for all staff (and any relevant third parties), as is the provision of all necessary resources and equipment;
- Any breaches of procedure, policy or security, actual or suspected, will be reported and investigated;
- Remain compliant with all applicable legislation
- Employees are made aware of their individual obligations in respect of this document and the company as a whole;
- Ensure that management systems will achieve the objectives that are set and seek continual improvement in the effectiveness and performance of the company’s management systems;
Risk Assessment
The Company’s management systems are applicable to the entire business, thus covering at-home workers, customer access and remote access working. Therefore, the company will identify any risk to/from any assets, make decisions about which risks are intolerable and therefore need to be mitigated, and manage the residual risks through carefully considered procedures and controls.
Further to the information security standard, the focus of all risk assessments carried out is to successfully evaluate any risk and ensure that the confidentiality, integrity and availability of the information held is sufficiently safeguarded. This is achieved by ensuring that robust processes, contractual agreements and obligations and relevant processes are in place and communicated to all and, where relevant, to 3rd parties.
Roles and Responsibilities
All roles and responsibilities are reviewed on a continuous basis in line with the company’s needs and the management system requirements.
The company will review the impact of its partners and 3rd parties on the company’s ability to comply with the quality and information security standards. This is done by regular reviews of the services offered/provided by third parties and of their ability to uphold the best information security standards they can, in order to support the company in maintaining its ISMS.
Monitoring and Review
To ensure the company maintains its commitment to continuous improvement, the ISMS is regularly reviewed by Top Management and the IT Service Provider to ensure it remains appropriate and suitable for our business model.
External Auditing
BETTASUITE is committed to data protection and privacy; to ensure we are compliant, a holistic audit of our IT infrastructure is conducted by a 3rd party provider. Findings are shared with our client base as and when requested.
Incident Reporting
BETTASUITE monitors and records all incidents of any nature, specifically downtime and breaches of data protection and security, should these occur. Clients will be notified immediately and will receive a copy of the incident report.
DATA PROTECTION – OVERVIEW
DATA ENCRYPTION
All data within a network should be fully encrypted; this ensures that would-be cybercriminals are unable to decipher the data in the event of a data breach. For data within a network to be fully secured, all data states should be encrypted; failure to encrypt all data states leaves it vulnerable to theft or corruption. The various data states that should be encrypted are:
- Data in use: This is data that is actively being processed by an application; it is being updated, viewed, or generated. This is the most challenging data state to encrypt.
- Data in transit: This is data that is being transmitted from a sender application to a receiver application. This is the most vulnerable data state because the data can be easily hijacked or intercepted before it reaches the intended recipient.
- Data at rest: This is data that is not currently in use and is kept in a storage device until needed.
DATA BACKUP TO THE CLOUD
Backing up your data to the cloud is one of the best ways to guard against data loss. Cloud data backup should be done on a frequent and regular basis; this is especially important for mission-critical data whose loss or corruption can severely hinder normal business processes and operations. Backing up your data to the cloud allows for easy scalability; the size of your cloud data storage can be readily expanded to accommodate your data storage needs.
PASSWORD PROTECTION
Password control is the primary line of defence in safeguarding the data within your network. Sensitive information should be password protected such that only users who know the password can access the data. The password used to secure the data should not be reused for other applications or tools; it should be unique and strong, with a combination of letters, numbers, and special characters. In addition, the password should be provided only to individuals who need access to the data to carry out their job duties. Furthermore, the password should be changed on a regular basis.
IDENTITY AND ACCESS MANAGEMENT (IAM)
One of the major ways to secure your data is to regulate the users that have access to your network, and by extension, your data. Access to your network should only be granted to individuals who need the relevant data to carry out their job duties; access should be terminated as soon as the data in your network is no longer needed. In addition, each user should have an individual user account; the use of shared accounts should be minimized as much as possible. Furthermore, users with access to your network should be given only the minimum rights needed to carry out their job responsibilities; this is known as the principle of least privilege.
INTRUSION DETECTION AND PREVENTION SOFTWARE
Part of keeping your data secure is monitoring and regulating the traffic in and out of your network. Prompt identification of network threats allows the necessary measures to be implemented before any significant data corruption or data loss occurs. Intrusion detection and prevention software are applications that constantly monitor network traffic for well-known threats. These applications can be configured to carry out a host of actions to neutralize any recognized network threats.
SUMMARY OF STRUCTURE
DATA SECURITY CONTROLS
Access:
- SSL
- Usage of MFA (Multi-factor authentication) or SSO through App Office 365
- Password encryption on all software platforms
- Encryption of server (SQL)
- RDP Guard
- Duo Authentication
- DDoS attack protection is in place
- Firewalls in place at the hosting company (Xneelo)
Software:
- Password Encryption on servers and software platforms
- User permissions and user-level setups within software platforms to limit access to data
- No backend access is issued to clients (data secured)
- SQL Database enhancements toward database encryption features – applied 2021
- Mobile device management (threat protection) for both the server and all workstations/laptops
- Monitoring of all workstations, laptops and servers; software used “observian”
HOSTING
- Webserver hosted in the cloud
- Webservice is secured over HTTPS; each client has a separate software platform with a unique URL and password encryption per user
- SLA is in place with the hosting company Xneelo (the applicable legislation can be viewed on the Xneelo website)
- Downtime: maximum experienced is 1 hour (refer to the commitment of Xneelo)
Should the client be using the hosting services of the supplier, the terms and conditions of hosting will be those of the 3rd party provider selected, Xneelo.
The legal page on the Xneelo website clarifies all privacy, confidentiality and security measures, including POPI compliance.
BACKUP OF DATA
- Data is backed up daily (all services and virtual servers)
- Recovery time of data is dependent on volume
- Quarterly tests are run to ensure backups are completed successfully
We offer our clients the option to host the platform themselves as a preferred option for data security (PI) and compliance within the legislation applicable to their organisation. Should we host, we ensure our policy is adhered to and incorporate the needs of our clients within our structures.
DISASTER RECOVERY PLAN
- Disaster recovery team. An allocated team is responsible for implementing and maintaining the DRP. Each member’s responsibilities are defined.
- The SLA contains direct contact information for who should be contacted in the event of a disaster or emergency.
- Identify and assess disaster risks. Our disaster recovery team identifies and assesses the risks, including items related to natural disasters, man-made emergencies, and technology-related incidents. We then identify the recovery strategy and resource allocation to recover from disasters within a predetermined and acceptable timeframe.
- Backup and off-site storage procedures are in place
- Test and maintain the DRP.
In summary, WE CREATE a recovery team with a recovery plan that includes identifying and assessing disaster risks, determining critical applications, and specifying backup procedures. Other procedures may be included in the plan based on the organization. The recovery team and organization must then implement the DRP and follow through on the plan procedures. The DRP should be continually tested and maintained to consistently prepare the organization for evolving disasters and emergencies.
All critical applications, documents and resources are recorded and backed up; in the event of downtime or total loss of information, the backup is activated.
BETTASUITE has comprehensive enterprise resiliency, with orchestration technology to help mitigate business continuity risks.
Key areas of focus within our disaster recovery:
- To minimize interruptions to normal operations.
- To limit the extent of disruption and damage.
- To minimize the economic impact of the interruption.
- To establish alternative means of operation in advance.
- To train personnel with emergency procedures.
- To provide for smooth and rapid restoration of service.
APR 2021/V1
AUG 2021/V2
TIPS TO OUR CLIENTS:
BEST PRACTICE APPLIED AND RECOMMENDED TO CLIENTS
Keeping your Data safe should be a priority for all parties
Our security incorporates 10 security measures that we have adopted and recommend our clients adopt as best practice.
1) Establish strong passwords: This first measure is really easy to put in place. You must put together a combination of capitals, lower-case letters, numbers, and symbols to create a strong password. The more characters you use, the better. With that, you must avoid using your birthday or any personal information, and change the password accordingly.
2) Set up a firewall: In order to protect your network, firewalls are an important initiative to consider. They are a must-have for any company, as they control the internet traffic coming into and leaving your business.
3) Think of antivirus protection: Antivirus and anti-malware are indispensable to protecting your data. They are designed to prevent, search for, detect and remove viruses, but also adware, worms, trojans, and so on.
4) Updating is important: Your computer must be properly patched and updated. Recent updates allow your data to be more secure.
5) Secure every laptop: Laptops are portable, so there is a higher risk that they can be stolen. As a consequence, it is important to take more security measures in order to protect all laptops. A simple solution is to encrypt them. In doing so, without the right password, your computer’s data is unreadable.
6) Secure mobile phones: Mobile phones are even more easily stolen than laptops, but they are just as valuable for companies. As with laptops, phones can be encrypted: you can set a strong password and enable an automatic lock-out. You can also set up a wiping process if the phone is lost or stolen.
7) Schedule backups: You can schedule backups to external hard drives or to the cloud in order to keep your data stored safely. The right frequency is weekly, but you can do incremental backups every few days.
8) Monitor steadily: Data, software, technologies, everything is moving fast. Keep track of them and keep in touch with news to see what is new on the market.
9) Be smart with emails and surfing the web: Downloading apps or files, opening emails and clicking on links can infect your computer and your network. Be careful with the sources you find online or receive. Take every “warning box” seriously.
10) Educate your employees about data security: Prevention is the best way to keep your data safe. Informed employees will always be more attentive.