Security and Privacy Policy

This cyber security policy is for our employees, vendors and partners to refer to when they need advice and guidelines related to cyber law and cyber crime. Through this cyber security policy we aim to protect Touchling's data and technology infrastructure.

This policy applies to all of Touchling’s employees, contractors, volunteers, vendors and anyone else who may have any type of access to Touchling's systems, software and hardware. 

 

Information Classification and Protection

Information will be classified into different levels of sensitivity:

  1. Non-sensitive or Publicly available data – low security

  2. Confidential data – high security

Some of the common examples of confidential data include: 

· Classified financial information

· Customer data

· Data about partners

· Data about vendors

· Patents, formulas or new technologies

For all confidential data, all available measures must be taken to ensure that both the security (cyber and physical) and the confidentiality of the data are protected.

 

Security in Human Resources

When hiring new employees, we will undertake a vetting process to determine where possible the integrity and trustworthiness of the employee.  We will seek references and undertake due diligence background checks to ensure the new hire does not have a history of unprofessional conduct.  

New hire orientation should include cyber security policy documentation and instruction. Provide regular cyber security training to ensure that employees understand and remember security policies. A fun way to make sure that employees understand the policy is to have a quiz that will test their actions in example situations.

Employees with access to confidential or sensitive information will be provided job descriptions outlining their responsibilities.

Employees will only be provided access to confidential and sensitive information when it is necessary for them to carry out their role.

If the role becomes redundant or the employee leaves the company, all access to company information will be blocked.  

Educate employees about the various kinds of phishing emails and scams, and how to spot something suspicious. If employees receive an email that looks out of the ordinary, even if it appears to be an internal email sent by another employee, they must check with the sender before opening attachments or clicking on links. It is best to verify with the sender by phone or in person: when an email account has been hijacked, a reply to an email asking whether the message is genuine will come from the attacker. Whenever possible, go to the company website directly instead of clicking on a link in an email.

Inform employees that it is highly recommended to apply maximum privacy settings on their social media accounts such as Facebook and Twitter. Ask them to make sure that only their contacts can see their personal information such as birth date, location, etc. Limiting the amount of personal information that is available online reduces the effectiveness of spearphishing attacks. Be especially vigilant about anything even slightly suspicious coming from a LinkedIn contact: a compromised LinkedIn account can enable some of the most sophisticated social engineering attacks.

 

Physical Security Requirements

Device Security

Logging in to any company account from personal devices such as mobile phones, tablets or laptops can put our company's data at risk. [company name] does not recommend accessing company data from personal devices. Where this is unavoidable, employees are obliged to keep their devices in a safe place, not exposed to anyone else.

We recommend that employees follow these best practices:

· Lock their computers when leaving the desk

· Never leave their devices unprotected and exposed

· Keep all electronic devices password-protected

· Log in to company accounts only through secure networks

· Install security updates on a regular basis

· Update antivirus software on a regular basis

Premises

The security of the premises is also paramount in preventing information breaches.  Doors need to be double locked when leaving premises and alarms fitted and checked where appropriate.

 

Acceptable use of information and IT devices

At this start-up phase of the business, the Directors have liberty to use their devices appropriately in the interest of developing and growing the business.  The directors have ownership over the company’s IT assets and devices.

As the company grows and hardware and software are provided to employees, the below set of principles will be adhered to:

Unacceptable activity will result in a written warning; forbidden activity will result in instant dismissal from the company.

 

Confidential Data

Acceptable

· Access only where the job description explicitly allows it

· For business use only and handled under strict conditions and guidelines

· All personal data must be managed in accordance with GDPR regulations

Unacceptable

· Leaving any device unlocked on which confidential data is available

Forbidden

· Unauthorised access to confidential data

· Handling confidential and personal data in a manner that compromises the security of the data and breaches GDPR requirements

 

Use of the Internet

Acceptable

· Accessing business related web sites in relation to the user's job

· Accessing web sites (OTHER than those containing pornographic, offensive or obscene material) for non-business related reasons during lunch hours and before or after the working day

Unacceptable

· Spending any period of the working day looking at non-business related Internet sites

· Tying up large proportions of Internet resources on non-business related activity

· Making your password available for other people to use the Internet service

· Using someone else's personal id and password to access the Internet

· Downloading any copyright material without the owner's permission

Forbidden

· Downloading software used for hacking or cracking passwords

· Deliberately accessing sites containing pornographic, offensive or obscene material

· Downloading pornographic, offensive or obscene material

Use of Email

Acceptable

· Communication in connection with company business

· Occasional personal use during lunch hours and before or after the working day

· Management access to read employees' mail boxes where there is a legitimate business need to do so (e.g. if a person is absent and important email is expected)

Unacceptable

· Using email for personal, non-business related communication during working hours

· Overuse of services for personal, non-business related communication during break times or after hours, e.g. more than 5 non-business related e-mail items per day

· Sending non-business related email directly to large distribution groups

· Sending files with attachments (e.g. compressed files, executable code, video streams, audio streams, or graphical images) to internal or external parties

· Subscribing to non-business related mailing lists

Forbidden

· Sending messages or files through internal email, or via the external mail gateways, that contain discriminatory, abusive, pornographic, obscene, illegal, offensive, potentially libellous or defamatory content

NOTE: Unsolicited receipt of discriminatory, abusive, pornographic, obscene, illegal, offensive, or defamatory email is clearly not a disciplinary offence.

 

Use of servers, PCs, notebook PCs, smartphones, tablet devices (including iPads) and portable storage devices

While Touchling reserves the right to recover the costs of personal data usage, doing so is intrusive and expensive; to avoid it, staff are expected to curtail personal use.

Where possible, iPad users should always use Wi-Fi rather than 3G.
Acceptable  

· Storing corporate data 

· Running company supplied software  

· Loading text and images in connection with normal business  

· Storing limited amounts of personal data  

· Reporting any accidental damage or loss immediately

 

 

Unacceptable

· Loading unauthorised or untested software, i.e. software not supplied through the formal procurement process

· Loading any software without prior consent

· Storing corporate data solely on local drives or devices (which are not backed up)

· Making your password(s) available for other people

· Using someone else's personal id and password

· Moving (static) equipment without agreement from the ICT Helpdesk

· Re-allocating equipment to other members of staff

· Surrendering equipment not in working order, with undue 'wear and tear' or with accessories missing

· Connecting devices (including USB devices such as flash storage, cameras etc.) to ICT equipment or the network that are not authorised

Forbidden

· Loading files containing discriminatory, abusive, pornographic, obscene, illegal or offensive content, whether in text, image, video or audio format

 

Information Systems Access

Whilst Touchling is a new start-up, this formal policy has been developed to provide guidance and direction of how access needs to be managed both currently and as we grow.

Where Off-the-shelf software is used, this access policy must be read in conjunction with the access and security policies of the relevant software maker.

Only authorized users are granted access to information systems, and users are limited to specific defined, documented and approved applications and levels of access rights. Computer and communication system access control is to be achieved via user IDs that are unique to each individual user, to provide individual accountability.

Who is Affected: This policy affects all employees of Touchling and all contractors, consultants, temporary employees and business partners. Employees who deliberately violate this policy will be subject to disciplinary action up to and including termination.

Affected Systems: This policy applies to all computer and communication systems owned or operated by Touchling. Similarly, this policy applies to all platforms (operating systems) and all application systems.

Entity Authentication: Any user (remote or internal) accessing Touchling's networks and systems must be authenticated. The level of authentication must be appropriate to the data classification and transport medium. Entity authentication includes but is not limited to:

• Automatic logoff

• A unique user identifier

• At least one of the following:

  • Biometric identification

  • Password

  • Personal identification number

  • A telephone callback procedure

  • Token


Workstation Access Control System: All workstations used for Touchling business activity, no matter where they are located, must use an access control system approved by Touchling. In most cases this will involve password-enabled screen-savers with a time-out-after-no-activity feature and a power-on password for the CPU and BIOS. Where appropriate, active workstations are not to be left unattended for prolonged periods of time. When a user leaves a workstation, that user is expected to properly log out of all applications and networks. Users will be held responsible for all actions taken under their sign-on. Where appropriate, inactive workstations will be reset after a period of inactivity (typically 30 minutes), and users will then be required to log on again to continue. This minimizes the opportunity for unauthorized users to assume the privileges of the intended user during the authorized user's absence.

 

Disclosure Notice: A notice warning that only those with proper authority may access the system will be displayed before signing on to the system. The warning message will make clear that the system is a private network or application and that unauthorized users should disconnect or log off immediately.

 

System Access Controls: Access controls will be applied to all computer-resident information based on its Data Classification, to ensure that it is not improperly disclosed, modified, deleted, or rendered unavailable.

 

Access Approval: System access will not be granted to any user without appropriate approval. Management is to immediately notify the Security Administrator and report all significant changes in end-user duties or employment status. User access is to be immediately revoked if the individual has been terminated. In addition, user privileges are to be appropriately changed if the user is transferred to a different job.

 

Limiting User Access: Touchling-approved access controls, such as user logon scripts, menus, session managers and other access controls, will be used to limit user access to only those network applications and functions for which they have been authorized.

 

Need-to-Know: Users will be granted access to information on a "need-to-know" basis. That is, users will only receive access to the minimum applications and privileges required to perform their jobs.

Compliance Statements: Users who access Touchling's information systems must sign a compliance statement prior to issuance of a user-ID. A signature on this compliance statement indicates that the user understands and agrees to abide by these Touchling policies and procedures related to computers and information systems. Annual confirmations will be required of all system users.

Audit Trails and Logging: Logging and audit trails are based on the Data Classification of the systems.

Confidential Systems: Access to confidential systems will be logged and audited in a manner that allows the following information to be deduced:

• Access time

• User account

• Method of access

• All privileged commands must be traceable to specific user accounts

 

In addition, logs of all inbound access into Touchling's internal network by systems outside of its defined network perimeter must be maintained.

Audit trails for confidential systems should be backed up and stored in accordance with Touchling back-up and disaster recovery plans. All system and application logs must be maintained in a form that cannot readily be viewed by unauthorized persons. All logs must be audited on a periodic basis, and audit results should be included in periodic management reports.

Access for Non-Employees: Individuals who are not employees, contractors, consultants, or business partners must not be granted a user-ID or otherwise be given privileges to use Touchling computers or information systems unless the written approval of the Department Head has first been obtained. Before any third party or business partner is given access to Touchling computers or information systems, a chain of trust agreement defining the terms and conditions of such access must have been signed by a responsible manager at the third party organization.

Unauthorized Access: Employees are prohibited from gaining unauthorized access to any other information systems or in any way damaging, altering, or disrupting the operations of these systems. System privileges allowing the modification of 'production data' must be restricted to 'production' applications.

Remote Access: Remote access must conform at least minimally to all statutory requirements including but not limited to HCFA, HRS-323C, and HIPAA.

 

 

Password Policy 

User Authentication: All systems will require a valid user ID and password. All unnecessary operating system or application user IDs not assigned to an individual user will be deleted or disabled.

Password Storage: Passwords will not be stored in readable form without access control or in other locations where unauthorized persons might discover them. All such passwords are to be strictly controlled using either physical security or computer security controls.

Application Passwords Required: All programs, including third party purchased software and applications developed internally by Touchling, must be password protected.

Choosing Passwords: 

High-risk data: All user-chosen passwords must contain at least one alphabetic and one non-alphabetic character. The use of control characters and other non-printing characters is prohibited. All users must be automatically forced to change their passwords at a frequency appropriate to the classification level of the information. To obtain a new password, a user must present suitable identification.

Low-risk data: For access to low-risk data, e.g. for construction workers accessing general, non-sensitive site information, a simple 3-letter user-name and 4-number password may be used. This password can remain the same during the period the worker is on the site.

 

Changing Passwords: All passwords must be promptly changed if they are suspected of being disclosed, or known to have been disclosed, to unauthorized parties. All users must be forced to change their passwords for access to medium/high risk data at least once every sixty (60) days.

 

Password Constraints: The display and printing of passwords should be masked, suppressed, or otherwise obscured so that unauthorized parties will not be able to observe or subsequently recover them. After three unsuccessful attempts to enter a password, the involved user-ID must be either: (a) suspended until reset by a system administrator, (b) temporarily disabled for no less than three minutes, or (c) if dial-up or other external network connections are involved, disconnected.
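The high-risk password rules, the sixty-day rotation limit and the three-strike lockout above, as an added reference implementation that is not Touchling's own code. It models option (b) of the lockout rule (temporary disable for three minutes); the treatment of whitespace other than a plain space as "non-printing" is an assumption.

```python
"""Policy checks for the Password Policy section (added example, not Touchling's code).

Encodes: at least one alphabetic and one non-alphabetic character, no control or
other non-printing characters, rotation at least every sixty days, and lockout of
the user-ID after three unsuccessful attempts (option (b): disabled for no less
than three minutes). Password storage is out of scope; only decisions are modelled.
"""
from __future__ import annotations

import unicodedata
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_PASSWORD_AGE = timedelta(days=60)      # "at least once every sixty (60) days"
MAX_FAILED_ATTEMPTS = 3                    # "after three unsuccessful attempts"
MIN_DISABLE_PERIOD = timedelta(minutes=3)  # "no less than three minutes"


def check_high_risk_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password complies."""
    problems: list[str] = []
    if not any(c.isalpha() for c in password):
        problems.append("needs at least one alphabetic character")
    if not any(not c.isalpha() for c in password):
        problems.append("needs at least one non-alphabetic character")
    # Control characters (Unicode category Cc), format characters (Cf), line/paragraph
    # separators and any space separator other than U+0020 are treated as non-printing.
    # Only the first offending character is reported.
    for c in password:
        cat = unicodedata.category(c)
        if cat in ("Cc", "Cf", "Zl", "Zp") or (cat == "Zs" and c != " "):
            problems.append(f"contains prohibited non-printing character U+{ord(c):04X}")
            break
    return problems


def password_change_due(last_changed: datetime, now: datetime) -> bool:
    """True once a medium/high-risk password is older than sixty days."""
    return now - last_changed > MAX_PASSWORD_AGE


@dataclass
class UserIdState:
    """Lockout bookkeeping for one user-ID (hypothetical structure for this example)."""
    user_id: str
    failed_attempts: int = 0
    disabled_until: datetime | None = None

    def is_disabled(self, now: datetime) -> bool:
        return self.disabled_until is not None and now < self.disabled_until

    def record_attempt(self, success: bool, now: datetime) -> str:
        """Apply one login attempt and return the resulting decision as text."""
        if self.is_disabled(now):
            # Even a correct password is refused while the user-ID is disabled.
            return "rejected: user-ID temporarily disabled"
        if success:
            self.failed_attempts = 0
            self.disabled_until = None
            return "accepted"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            # Third failure: disable the user-ID for the minimum period and restart the count.
            self.disabled_until = now + MIN_DISABLE_PERIOD
            self.failed_attempts = 0
            return "rejected: user-ID disabled for 3 minutes"
        return "rejected: bad password"


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for candidate in ("password", "12345", "pass\tword1", "correct horse 7"):
        print(repr(candidate), check_high_risk_password(candidate) or "compliant")
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    state = UserIdState("jdoe")
    for offset, ok in ((0, False), (5, False), (10, False), (60, True), (191, True)):
        print(t0 + timedelta(seconds=offset), state.record_attempt(ok, t0 + timedelta(seconds=offset)))
```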

 

Software Development Principles

Software development must adhere to best practices for secure software development that reflect the experience and expertise of several stakeholders of the software development life-cycle (SDLC). These stakeholders include analysts, architects, coders, testers, auditors, operational personnel and management.

1. Brand Protection

Software development must utilise the most current methods to stay a step ahead of the cyber criminals as we will be held responsible for security breaches.

Breaches leading to disclosure of customer information, denial of service, and threats to the continuity of business operations can have dire financial consequences. Yet the real cost to our company will be the loss of customer trust and confidence in the brand.

Such a loss may be irreparable and impossible to quantify in mere monetary terms. Fundamentally, the recognition that our company is obligated to protect the customers should powerfully motivate our company in creating more secure software.

2. Secure solutions

The question 'Why were brakes invented?' can be answered in two ways: 'To prevent the vehicle from having an accident' or 'To allow the vehicle to go faster'. Similarly, security can prevent the business from crashing or allow the business to go faster.

One must work with a thorough understanding of the business, to help in the identification of regulatory and compliance requirements, applicable risk, architectures to be used, technical controls to be incorporated, and the users to be trained or educated.

3. Understanding the technology

A thorough understanding of the existing infrastructural components such as: network segregation, hardened hosts, public key infrastructure, to name a few, is necessary to ensure that the introduction of the software, when deployed, will at first be operationally functional and then not weaken the security of the existing computing environment.

Understanding the interplay of technological components with the software is essential to determine the impact on overall security and support decisions that improve security of the software. Further, when procuring software, it is vital to recognise vendor claims on the 'security' features, and also verify implementation feasibility within our organisation.

4. Ensure compliance to governance, regulations and privacy

Software must adhere to governance, risk and compliance (GRC) as a means to meeting the regulatory and privacy requirements.

One must understand the internal and external policies that govern the business, its mapping to necessary security controls, the residual risk post implementation of security controls in the software, and the compliance aspects to regulations and privacy requirements.

5. Know the basic tenets of software security

When it comes to secure software, there are some tenets with which one must be familiar: protection from disclosure (confidentiality), protection from alteration (integrity), protection from destruction (availability), who is making the request (authentication), what rights and privileges does the requestor have (authorisation), the ability to build historical evidence (auditing) and management of configuration, sessions and exceptions.

Knowledge of these basic tenets and how they can be implemented in software is a must, as they offer a contextual understanding of the mechanisms in place to support them. Some of these mechanisms include encryption, hashing, load balancing and monitoring, password, token or biometric features, logging, configuration and audit controls, and the like.

6. Ensure the protection of sensitive information

Any information upon which our company places a measurable value, which by implication is not in the public domain, and would result in loss, damage or even business collapse, should the information be compromised in any way, could be considered sensitive. While it may be easy to identify the sensitivity of certain data elements like health records and credit card information, others may not be that evident.

One must consider data classification and protection mechanisms against disclosure, alteration or destruction. Data classification is the conscious decision to assign a level of sensitivity to data as it is being created, amended, stored, transmitted, or enhanced, and will determine the extent to which the data needs to be secured. Software that either transports, processes or stores sensitive information must build in necessary security controls.

7. Design software with secure features

When someone is exclusively focused on finding security issues in code, they run the risk of missing out on entire classes of vulnerabilities. Security issues in design and other concerns, such as business logic flaws need to be inspected by performing threat models and abuse cases modeling during the design stage of the software development life-cycle.

Threat modeling, an iterative structured technique, is used to identify threats by identifying the security objectives of the software and profiling it. Attack surface analysis, a subset of threat modeling, can be performed by exposing software to untrusted users.

8. Develop software with secure features

It is imperative that secure features not be ignored when design artifacts are converted into syntax constructs that a compiler or interpreter can understand. Once developed, controls that essentially address the basic tenets of software security must be validated to be in place and effective by security code reviews and security testing. This should complement and be performed at the same time as functionality testing.

Definition of the scope of what is being reviewed, the extent of the review, coding standards, secure coding requirements, code review process with roles and responsibilities and enforcement mechanisms must be pre-defined for a security code review to be effective, while tests should be conducted in testing environments that emulate the configuration of the production environment to mitigate configuration issues that weaken the security of the software.

9. Deploy software with secure features

Secure deployment ensures that the software is functionally operational and secure at the same time. It means that software is deployed with defence-in-depth, and attack surface area is not increased by improper release, change, or configuration management.

It also means that assessment from an attacker's point of view is conducted prior to or immediately upon deployment. Software that works without any issues in development and test environments, when deployed into a more hardened production environment often experiences hiccups.

Post-mortem analyses in a majority of these cases reveal that the development and test environments do not simulate the production environment. Changes therefore made to the production environment should be retrofitted to the development and test environments through proper change management processes.

Release management should also include proper source code control and versioning to avoid a phenomenon one might refer to as "regenerative bugs", whereby software defects reappear in subsequent releases.

This happens when a coding defect (bug) is detected and fixed in the testing environment and the software is promoted to production without the fix being retrofitted into the development environment. Further, vulnerability assessment and penetration testing should be conducted in a staging pre-production environment and, if need be, in the production environment under tight control.

10. Educate ourselves and others on how to build secure software

We will adopt a culture that promotes software security by default through education that changes attitudes. IT security is everyone's job.

 

Incident Management and Response procedures for Security and Privacy incidents

Preparation should be done at regular intervals prior to an actual incident occurring, including training, communication protocols and response simulation.

The following is the process to follow once an incident is suspected.

Detection:

  1. The security incident may be detected internally or externally.

  2. Communication protocols will be in place with customers to alert Touchling.

  3. Touchling confirms the incident.

  4. Touchling determines the severity of the incident and:

    1. Deals with it internally for low-risk internally developed software

    2. Informs relevant 3rd parties if it involves their software

    3. Works with IT consultants for high-risk incidents where assistance may be required.

  5. Begin the documentation process.

Containment:

  1. Take necessary steps to prevent incident from spreading.

  2. Document containment steps.

Remediation:

  1. Determine incident cause based on information gathered during the detection phase.

  2. Determine how attack was executed.

  3. Remove threat.

  4. Perform a vulnerability assessment and remediate vulnerabilities.

  5. Return systems to a trusted state.

Resolution:

  1. Compare system against original baseline gathered during preparation phase.

  2. Test the service/system to verify functionality.

  3. Restore system to production environment.

  4. Perform ongoing system monitoring to ensure system integrity and detect incident recurrence.

Closure:

  1. Finalize incident handling documentation.

  2. Log the incident in the company Incident Register.

Lessons Learned:

  1. How well and adequately did we perform when dealing with the incident? 

  2. What information was needed sooner?

  3. What corrective actions can prevent similar incidents in the future?

 

Compliance with Laws and Regulations

 

Touchling is committed to complying with all laws and regulations in the jurisdictions in which it operates, e.g. the GDPR laws and regulations in Europe.

Best practice will be adopted for the cyber-security and physical security of confidential data and personal information, to protect this data from breaches.

Touchling has a certificate of registration for GDPR in the UK.

Training will be provided for all employees in order to keep up to date with any changes to regulations.

 

Retention and Destruction of Data

 

Touchling will keep tight control of the storage of data and will only keep it in specified locations that remain secure from 3rd parties.  Storage process and procedures are established to prevent data from being scattered in various directories in an uncontrolled manner.  Back-ups of data will be done on a daily basis.

Deletion of redundant or expired information shall be done in a manner that does not leave a residual footprint of the information that could be found and exploited. 

For hard-copies, any confidential information will always be kept locked away when not being used. 

The destruction of hard-copies will always be done using a shredder before disposal.

 

Audits

Internal Audits

Internal audits will be carried out and documented to establish whether documented procedures and processes are being followed.  This will cover the full operational side of the organisation but will especially focus on the cyber-security and privacy aspects.

 

3rd Party Audits 

3rd Party audits will also be arranged when the company is at a stage where a clear demonstration of best practice in terms of data security and protection of privacy is appropriate.  This will be reviewed every 6 months to determine when a 3rd party audit should be done.

3rd party audits will be carried out once a year following the first audit.

 

Management of threats and risks

A risk assessment review process will be carried out every three months to establish the most likely (and unlikely) security threats that will affect our business.

Measures will be put in place in anticipation of these risks to prevent and mitigate the perceived threats.

It is important to remain current with the latest cyber-threats as it is a constantly evolving situation.  We will constantly research, educate and train to eradicate the most current threats.