This cyber security policy is for our employees, vendors and partners to refer to when they need advice and guidelines related to cyber law and cyber crime. Through this cyber security policy we aim to protect Touchling’s data and technology infrastructure.
This policy applies to all of Touchling’s employees, contractors, volunteers, vendors and anyone else who may have any type of access to Touchling's systems, software and hardware.
Information Classification and Protection
Information will be classified into different levels of sensitivity:
Non-sensitive or Publicly available data – low security
Confidential data – high security
Some of the common examples of confidential data include:
· Classified financial information
· Customer data
· Data about partners
· Data about vendors
· Patents, formulas or new technologies
For all confidential data, all available measures must be taken to ensure that the security (both cyber and physical) and confidentiality of the data are protected.
Security in Human Resources
When hiring new employees, we will undertake a vetting process to determine where possible the integrity and trustworthiness of the employee. We will seek references and undertake due diligence background checks to ensure the new hire does not have a history of unprofessional conduct.
New hire orientation should include cyber security policy documentation and instruction. Provide regular cyber security training to ensure that employees understand and remember security policies. A fun way to make sure that employees understand the policy is to have a quiz that will test their actions in example situations.
Employees with access to confidential or sensitive information will be provided job descriptions outlining their responsibilities.
Employees will only be provided access to confidential and sensitive information when it is necessary for them to carry out their role.
If the role becomes redundant or the employee leaves the company, all access to company information will be blocked.
Educate employees about various kinds of phishing emails and scams, and how to spot something fishy. If employees receive an email that looks out of the ordinary, even if it looks like an internal email sent by another employee, they must check with the sender first before opening attachments or clicking on links. It is best to verify with the sender via phone or in person. When email accounts are hijacked it will be the attacker replying to an inquiry about the validity of the information contained in the email. Whenever possible, go to the company website instead of clicking on a link in an email.
Inform employees that it is highly recommended to apply maximum privacy settings on their social media accounts such as Facebook, and Twitter. Ask them to make sure that only their contacts can see their personal information such as birth date, location, etc. Limiting the amount of personal information that is available online will reduce the effectiveness of spearphishing attacks. Be especially vigilant about noticing anything even slightly suspicious coming from a LinkedIn contact. A compromised LinkedIn contact’s account can allow for some of the most sophisticated social engineering attacks.
Physical Security Requirements
Logging in to any of the company's accounts from personal devices such as mobile phones, tablets or laptops can put our company's data at risk. [company name] does not recommend accessing any company data from personal devices. Where this is unavoidable, employees are obliged to keep their devices in a safe place, not exposed to anyone else.
We recommend that employees follow these best practices:
· Lock your computer when leaving the desk
· Never leave your devices unprotected and exposed
· Keep all electronic devices' passwords secured and protected
· Log in to company accounts only through safe networks
· Install security updates on a regular basis
· Update antivirus software on a regular basis
The security of the premises is also paramount in preventing information breaches. Doors need to be double locked when leaving premises and alarms fitted and checked where appropriate.
Acceptable use of information and IT devices
At this start-up phase of the business, the Directors have liberty to use their devices appropriately in the interest of developing and growing the business. The directors have ownership over the company’s IT assets and devices.
As the company grows and hardware and software are provided to employees, the below set of principles will be adhered to:
Breaches of unacceptable and forbidden activity will result in written warnings and instant dismissal respectively from the company.
· Access only if it is explicitly allowed within the job description
· For business use only and handled under strict conditions and guidelines
· All personal data must be managed in accordance with GDPR regulations
· Leaving any device unlocked on which confidential data is available
· Unauthorised access to confidential data
· Handling confidential and personal data in a manner that compromises the security of the data and breaches GDPR requirements.
Use of the Internet
· Accessing business related web sites in relation to the user's job
· Accessing web sites (OTHER than those containing pornographic, offensive or obscene material) for non-business related reasons during lunch hours and before or after the working day
· Spending any period of the working day looking at non-business related Internet content
· Tying up large proportions of Internet resources on non-business related activity
· Making your password available for other people to use the Internet service
· Using someone else's personal ID and password to access the Internet
· Downloading any copyright material without the owner's permission
· Downloading software used for hacking or cracking passwords.
· Deliberately accessing sites containing pornographic, offensive or obscene material
· Downloading pornographic, offensive or obscene material.
Use of Email
· Communication in connection with company business
· Occasional personal use during lunch hours and before or after the working day
· Management access to read employees' mail boxes where there is a legitimate business need to do so (e.g. if a person is absent and important email is expected.)
· Using email for personal, non-business related communication during working hours.
· Overuse of services for personal, non-business related communication during break times or after hours, e.g. > 5 non-business related e-mail items per day OR
· Sending non-business related email directly to large distribution groups OR
· Sending files with attachments (e.g. compressed files, executable code, video streams, audio streams, or graphical images) to internal or external parties
· Subscribing to non-business related mailing lists
· Sending messages or files through internal email, or via the external mail gateways, that contain discriminatory, abusive, pornographic, obscene, illegal, offensive, potentially libellous or defamatory content.
NOTE: Unsolicited receipt of discriminatory, abusive, pornographic, obscene, illegal, offensive, or defamatory email is clearly not a disciplinary offence.
Use of servers, PCs, notebook PCs, smartphones, tablet devices (including iPads) and portable storage devices
While Touchling reserves the right to recover the costs of personal data usage, this is intrusive and expensive; to avoid it, staff are expected to curtail personal use.
Where possible iPad users should always use Wi-Fi rather than 3G.
· Storing corporate data
· Running company supplied software
· Loading text and images in connection with normal business
· Storing limited amounts of personal data
· Reporting any accidental damage or loss immediately
· Loading unauthorised or untested software, i.e. software not supplied through the formal procurement process.
· Loading any software without the prior consent
· Storing corporate data solely on local drives or devices (which are not backed up)
· Making your password(s) available for other people
· Using someone else's personal ID and password
· Moving (static) equipment without agreement from the ICT Helpdesk
· Re-allocating equipment to other members of staff
· Surrender of equipment not in working order, with undue 'wear and tear' or with
· Connecting devices (including USB devices - flash storage, cameras etc) to ICT equipment or the network that are not authorised.
· Loading files containing discriminatory, abusive, pornographic, obscene, illegal or
offensive content, whether in text, image, video or audio format.
Information Systems Access
Whilst Touchling is a new start-up, this formal policy has been developed to provide guidance and direction of how access needs to be managed both currently and as we grow.
Where Off-the-shelf software is used, this access policy must be read in conjunction with the access and security policies of the relevant software maker.
Only authorized users are granted access to information systems, and users are limited to specific defined, documented and approved applications and levels of access rights. Computer and communication system access control is to be achieved via user IDs that are unique to each individual user to provide
Who is Affected: This policy affects all employees of Touchling and all contractors, consultants, temporary employees and business partners. Employees who deliberately violate this policy will be subject to disciplinary action up to and including termination.
Affected Systems: This policy applies to all computer and communication systems owned or operated by Touchling.
Similarly, this policy applies to all platforms (operating systems) and all
Entity Authentication: Any user (remote or internal) accessing Touchling’s networks and systems must be authenticated. The level of authentication must be appropriate to the data classification and transport medium. Entity authentication includes but is not limited to:
· Automatic logoff
· Unique user identifier
· At least one of the following:
  · Biometric identification
  · Personal identification number
  · A telephone callback procedure
Workstation Access Control System: All workstations used for Touchling business activity, no matter where they are located, must use an access control system approved by Touchling. In most cases this will involve password-enabled screen-savers with a time-out-after-no-activity feature and a power-on password for the CPU and BIOS. Active workstations are not to be left unattended for prolonged periods of time, where appropriate. When a user leaves a workstation, that user is expected to properly log out of all applications and networks. Users will be held responsible for all actions taken under their sign-on. Where appropriate, inactive workstations will be reset after a period of inactivity (typically 30 minutes). Users will then be required to log on again to continue usage. This minimizes the opportunity for unauthorized users to assume the privileges of the intended user during the authorized user’s absence.
Disclosure Notice: A notice warning that only those with proper authority should access the system will be displayed before signing on to the system. The warning message will make clear that the system is a private network or application and that unauthorized users should disconnect or log off.
System Access Controls: Access controls will be applied to all computer-resident information based on its Data Classification to ensure that it is not improperly disclosed, modified, deleted, or rendered unavailable.
Access Approval: System access will not be granted to any user without appropriate approval. Management is to immediately notify the Security Administrator and report all significant changes in end-user duties or employment status. User access is to be immediately revoked if the individual has been terminated. In addition, user privileges are to be appropriately changed if the user is transferred to a different job.
Limiting User Access: Touchling-approved access controls, such as user logon scripts, menus, session managers and other access controls, will be used to limit user access to only those network applications and functions for which they have been authorized.
Need-to-Know: Users will be granted access to information on a “need-to-know” basis. That is, users will only receive access to the minimum applications and privileges required to perform their jobs.
Compliance Statements: Users who access Touchling’s information systems must sign a compliance statement prior to issuance of a user ID. A signature on this compliance statement indicates that the user understands and agrees to abide by these Touchling policies and procedures related to computers and information systems. Annual confirmations will be required of all system users.
Audit Trails and Logging: Logging and audit trails are based on the Data Classification of the systems.
Confidential Systems: Access to confidential systems will be logged and audited in a manner that allows the following information to be deduced:
• Access time
• User account
• Method of access
• All privileged commands must be traceable to specific user accounts
In addition, logs of all inbound access into Touchling‘s internal network by systems outside of its defined network perimeter must be
Audit trails for confidential systems should be backed up and stored in accordance with Touchling back-up and disaster recovery plans. All system and application logs must be maintained in a form that cannot readily be viewed by unauthorized persons. All logs must be audited on a periodic basis. Audit results should be included in periodic management reports.
Access for Non-Employees: Individuals who are not employees, contractors, consultants, or business partners must not be granted a user ID or otherwise be given privileges to use Touchling’s computers or information systems unless the written approval of the Department Head has first been obtained. Before any third party or business partner is given access to Touchling’s computers or information systems, a chain of trust agreement defining the terms and conditions of such access must have been signed by a responsible manager at the third party organization.
Unauthorized Access: Employees are prohibited from gaining unauthorized access to any other information systems or in any way damaging, altering, or disrupting the operations of these systems. System privileges allowing the modification of ‘production data’ must be restricted to ‘production’ applications.
Remote Access: Remote access must conform at least minimally to all statutory requirements including but not limited to HCFA, HRS-323C, and HIPAA.
User Authentication: All systems will require a valid user ID and password. All unnecessary operating system or application user IDs not assigned to an individual user will be deleted or disabled.
Password Storage: Passwords will not be stored in readable form without access control or in other locations where unauthorized persons might discover them. All such passwords are to be strictly controlled using either physical security or computer security controls.
Application Passwords Required: All programs, including third party purchased software and applications developed internally by Touchling, must be password protected.
High-risk data: All user-chosen passwords must contain at least one alphabetic and one non-alphabetic character. The use of control characters and other non-printing characters is prohibited. All users must be automatically forced to change their passwords appropriate to the classification level of information. To obtain a new password, a user must present suitable
Low-risk data: For access to low-risk data, e.g. for construction workers accessing general, non-sensitive site information, a simple 3-letter user name and 4-number password may be used. This password can remain the same during the period the worker is on the site.
Changing Passwords: All passwords must be promptly changed if they are suspected of being disclosed, or known to have been disclosed, to unauthorized parties. All users must be forced to change their passwords for access to medium / high risk data at least once every sixty (60) days.
Password Constraints: The display and printing of passwords should be masked, suppressed, or otherwise obscured so that unauthorized parties will not be able to observe or subsequently recover them. After three unsuccessful attempts to enter a password, the involved user ID must be either: (a) suspended until reset by a system administrator, (b) temporarily disabled for no less than three minutes, or (c) if dial-up or other external network connections are involved,
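The password rules for medium/high-risk data stated above (composition, 60-day change interval, and the three-strikes lockout using option (b)) expressed as checks, as an added example that is not part of the policy document; the account records and timestamps are constructed for the example, and the low-risk rule is deliberately not covered.

```python
"""Checks for the medium/high-risk password rules in the Touchling policy.

Added example (not the policy's own tooling). Rules implemented:
  * composition: at least one alphabetic and one non-alphabetic character,
    and no control or other non-printing characters;
  * expiry: the password must be changed at least once every sixty days;
  * lockout: after three unsuccessful attempts the user ID is temporarily
    disabled for no less than three minutes (option (b) in the policy).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

MAX_PASSWORD_AGE = timedelta(days=60)   # "at least once every sixty (60) days"
MAX_FAILED_ATTEMPTS = 3                 # "after three unsuccessful attempts"
LOCKOUT_PERIOD = timedelta(minutes=3)   # "no less than three minutes"


def password_policy_violations(password: str) -> List[str]:
    """Return the composition rules the password breaks (empty list = OK)."""
    violations = []
    if not any(c.isalpha() for c in password):
        violations.append("needs at least one alphabetic character")
    if not any(not c.isalpha() for c in password):
        violations.append("needs at least one non-alphabetic character")
    # str.isprintable() is False for control characters and other
    # non-printing code points, which the policy prohibits outright.
    if any(not c.isprintable() for c in password):
        violations.append("control or non-printing characters are prohibited")
    return violations


@dataclass
class Account:
    """Constructed in-memory account record used by the example."""
    user_id: str
    password_set_at: datetime
    failed_attempts: int = 0
    disabled_until: Optional[datetime] = None


def password_expired(account: Account, now: datetime) -> bool:
    """True once the 60-day change interval has elapsed."""
    return now - account.password_set_at >= MAX_PASSWORD_AGE


def record_login_attempt(account: Account, success: bool, now: datetime) -> str:
    """Apply the three-strikes lockout and report the resulting state.

    Returns "locked" (ID still disabled, attempt refused regardless of the
    password), "ok" (successful login), "failed" (wrong password, not yet at
    the threshold) or "locked_now" (this failure disabled the ID).
    """
    if account.disabled_until is not None:
        if now < account.disabled_until:
            return "locked"
        # Lockout period has elapsed: re-enable the ID and restart the count.
        account.disabled_until = None
        account.failed_attempts = 0
    if success:
        account.failed_attempts = 0
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.disabled_until = now + LOCKOUT_PERIOD
        return "locked_now"
    return "failed"


def demo_lockout_sequence() -> List[str]:
    """Walk a constructed account through three failures, a refused attempt
    during the lockout and a successful login after it expires."""
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamp
    acct = Account("alice", password_set_at=t0)
    return [
        record_login_attempt(acct, False, t0),
        record_login_attempt(acct, False, t0 + timedelta(seconds=10)),
        record_login_attempt(acct, False, t0 + timedelta(seconds=20)),
        # correct password, but inside the three-minute window: refused
        record_login_attempt(acct, True, t0 + timedelta(minutes=2)),
        # three minutes after the lockout started: allowed again
        record_login_attempt(acct, True, t0 + timedelta(minutes=3, seconds=20)),
    ]
```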
Software Development Principles
Software development must adhere to best practices for secure software development that reflect the experience and expertise of several stakeholders of the software development life-cycle (SDLC). These stakeholders include analysts, architects, coders, testers, auditors, operational personnel and management.
Software development must utilise the most current methods to stay a step ahead of the cyber criminals as we will be held responsible for security breaches.
Breaches leading to disclosure of customer information, denial of service, and threats to the continuity of business operations can have dire financial consequences. Yet the real cost to our company will be the loss of customer trust and confidence in the brand.
Such a loss may be irreparable and impossible to quantify in mere monetary terms. Fundamentally, the recognition that our company is obligated to protect the customers should powerfully motivate our company in creating more secure software.
2. Secure solutions
The answer to the question - 'Why were brakes invented?' could be answered in two ways, 'To prevent the vehicle from an accident' or 'To allow the vehicle to go faster'. Similarly, security can prevent the business from a crash or allow the business to go faster.
One must work with a thorough understanding of the business, to help in the identification of regulatory and compliance requirements, applicable risk, architectures to be used, technical controls to be incorporated, and the users to be trained or educated.
3. Understanding the technology
A thorough understanding of the existing infrastructural components such as: network segregation, hardened hosts, public key infrastructure, to name a few, is necessary to ensure that the introduction of the software, when deployed, will at first be operationally functional and then not weaken the security of the existing computing environment.
Understanding the interplay of technological components with the software is essential to determine the impact on overall security and support decisions that improve security of the software. Further, when procuring software, it is vital to recognise vendor claims on the 'security' features, and also verify implementation feasibility within our organisation.
4. Ensure compliance to governance, regulations and privacy
Software must adhere to governance, risk and compliance (GRC) as a means to meeting the regulatory and privacy requirements.
One must understand the internal and external policies that govern the business, its mapping to necessary security controls, the residual risk post implementation of security controls in the software, and the compliance aspects to regulations and privacy requirements.
5. Know the basic tenets of software security
When it comes to secure software, there are some tenets with which one must be familiar: protection from disclosure (confidentiality), protection from alteration (integrity), protection from destruction (availability), who is making the request (authentication), what rights and privileges does the requestor have (authorisation), the ability to build historical evidence (auditing) and management of configuration, sessions and exceptions.
Knowledge of these basic tenets and how they can be implemented in software is a must, as they offer a contextual understanding of the mechanisms in place to support them. Some of these mechanisms include encryption, hashing, load balancing and monitoring, password, token or biometric features, logging, configuration and audit controls, and the like.
6. Ensure the protection of sensitive information
Any information upon which our company places a measurable value, which by implication is not in the public domain, and would result in loss, damage or even business collapse, should the information be compromised in any way, could be considered sensitive. While it may be easy to identify the sensitivity of certain data elements like health records and credit card information, others may not be that evident.
One must consider data classification and protection mechanisms against disclosure, alteration or destruction. Data classification is the conscious decision to assign a level of sensitivity to data as it is being created, amended, stored, transmitted, or enhanced, and will determine the extent to which the data needs to be secured. Software that either transports, processes or stores sensitive information must build in necessary security controls.
7. Design software with secure features
When someone is exclusively focused on finding security issues in code, they run the risk of missing out on entire classes of vulnerabilities. Security issues in design and other concerns, such as business logic flaws, need to be inspected by performing threat modeling and abuse case modeling during the design stage of the software development life-cycle.
Threat modeling, an iterative structured technique, is used to identify threats by identifying the security objectives of the software and profiling it. Attack surface analysis, a subset of threat modeling, examines the parts of the software that are exposed to untrusted users.
8. Develop software with secure features
It is imperative that secure features not be ignored when design artifacts are converted into syntax constructs that a compiler or interpreter can understand. Once developed, controls that essentially address the basic tenets of software security must be validated to be in place and effective by security code reviews and security testing. This should complement and be performed at the same time as functionality testing.
Definition of the scope of what is being reviewed, the extent of the review, coding standards, secure coding requirements, code review process with roles and responsibilities and enforcement mechanisms must be pre-defined for a security code review to be effective, while tests should be conducted in testing environments that emulate the configuration of the production environment to mitigate configuration issues that weaken the security of the software.
9. Deploy software with secure features
Secure deployment ensures that the software is functionally operational and secure at the same time. It means that software is deployed with defence-in-depth, and attack surface area is not increased by improper release, change, or configuration management.
It also means that assessment from an attacker's point of view is conducted prior to or immediately upon deployment. Software that works without any issues in development and test environments, when deployed into a more hardened production environment often experiences hiccups.
Post-mortem analyses in a majority of these cases reveal that the development and test environments do not simulate the production environment. Changes therefore made to the production environment should be retrofitted to the development and test environments through proper change management processes.
Release management should also include proper source code control and versioning to avoid a phenomenon one might refer to as "regenerative bugs", whereby software defects reappear in subsequent releases.
The coding defect (bug) is detected and fixed in the testing environment and the software is promoted to production without retrofitting it into the development environment. Further, vulnerability assessment and penetration testing should be conducted in a staging pre-production environment and if need be in the production environment with tight control.
10. Educate ourselves and others on how to build secure software
We will adopt a culture that promotes software security by default through education that changes attitudes. IT security is everyone's job.
Incident Management and Response procedures for Security and Privacy incidents
Preparation should be done at regular intervals prior to an actual incident occurring, including training, communication protocols and response simulation.
The following is the process to follow once an incident is suspected.
· The security incident may be detected internally or externally.
· Communication protocols will be in place with customers to alert Touchling
· Touchling confirms the incident.
· Touchling determines the severity of the incident and:
  · Deals with it internally for low-risk internally developed software
  · Informs relevant 3rd parties if it involves their software
  · Works with IT consultants for high-risk incidents where assistance may be required.
· Begin the documentation process.
· Take the necessary steps to prevent the incident from spreading.
· Document containment steps.
· Determine the incident cause based on information gathered during the detection phase.
· Determine how the attack was executed.
· Perform a vulnerability assessment and remediate vulnerabilities.
· Return systems to a trusted state.
· Compare the system against the original baseline gathered during the preparation phase.
· Test the service/system to verify functionality.
· Restore the system to the production environment.
· Perform ongoing system monitoring to ensure system integrity and detect incident recurrence.
· Finalize incident handling documentation.
· Log the incident in the company Incident Register.
Following the incident, review:
· How well and adequately did we perform when dealing with the incident?
· What information was needed sooner?
· What corrective actions can prevent similar incidents in the future?
Compliance with Laws and Regulations
Touchling is committed to complying with all laws and regulations in the jurisdictions it operates, eg. the GDPR laws and regulations in Europe.
Best practice will be adopted for the cyber security and physical security of confidential data and personal information to protect this data from breaches.
Touchling has a certificate of registration for GDPR in the UK.
Training will be provided for all employees in order to keep up to date with any changes to regulations.
Retention and Destruction of Data
Touchling will keep tight control of the storage of data and will only keep it in specified locations that remain secure from 3rd parties. Storage process and procedures are established to prevent data from being scattered in various directories in an uncontrolled manner. Back-ups of data will be done on a daily basis.
Deletion of redundant or expired information shall be done in a manner that does not leave a residual footprint of the information that could be found and exploited.
For hard-copies, any confidential information will always be kept locked away when not being used.
The destruction of hard-copies will always be done using a shredder before disposal.
Internal audits will be carried out and documented to establish whether documented procedures and processes are being followed. This will cover the full operational side of the organisation but will especially focus on the cyber-security and privacy aspects.
3rd Party Audits
3rd Party audits will also be arranged when the company is at a stage where a clear demonstration of best practice in terms of data security and protection of privacy is appropriate. This will be reviewed every 6 months to determine when a 3rd party audit should be done.
3rd party audits will be carried out once a year following the first audit.
Management of threats and risks
A risk assessment review process will be carried out every three months to establish the most likely (and unlikely) security threats that will affect our business.
Measures will be put in place in anticipation of these risks to prevent and mitigate against the perceived threats.
It is important to remain current with the latest cyber-threats as it is a constantly evolving situation. We will constantly research, educate and train to eradicate the most current threats.