This top-level Policy document defines the purpose, direction, principles, and basic rules for information security management and contains rules, constraints, and standards for individual access and individual use of systems, data storage, and data protection with respect to Resolver’s Hosted Platforms.
There are multiple types of critical data: customer data (including PII – Personally Identifiable Information, PCI –Payment Card Industry, and PHI – Protected Health Information).
Resolver is committed to safeguarding the confidentiality, integrity, and availability of the company’s systems and information including customer, employee, and service provider information. Information is an important business asset of significant value to the company and needs to be protected from threats that could potentially disrupt business continuity.
The Information Security Policy is in place to set an underlying framework to meet the requirements of the International Organization for the Standardization standard ISO/IEC 27001:2013.
A critical aspect of the Information Security Policy is reporting potential Data Breaches and Security Incidents. This is described in more detail later in this document. Reporting incidents or potential incidents is an aspect of every employee’s job function.
Users of this document are all Resolver’s employees; permanent, temporary, contracted staff, and its affiliates and subsidiaries.
Confidentiality – characteristic of the information by which it is available only to authorized persons or systems.
Integrity – characteristic of the information by which it is changed only by authorized persons or systems in an allowed way.
Availability – characteristic of the information by which it can be accessed by authorized persons when it is needed.
Information security – preservation of confidentiality, integrity, and availability of information.
Information Security Management System (ISMS) – part of overall management processes that take care of planning, implementing, maintaining, reviewing, and improving information security.
Resolver’s hosted platforms’ information is an asset protected from prohibited disclosure, revision, use, and destruction. Prudent and practical steps are taken to ensure that data integrity, the confidentiality of information, and application/data availability are not compromised.
Security tools and processes are implemented and configured to enable adequate and proper restriction of access to programs, data, and other information resources. Physical access measures are also incorporated and implemented to ensure that only authorized individuals can access or use information resources.
General objectives for the ISMS are:
THE company CISO is responsible for reviewing these general ISMS objectives and setting new ones.
Objectives for individual security controls or groups of controls are proposed by the Developer Director, IT Manager, and Information Security Analyst and approved by CISO in the Statement of Applicability.
All the objectives must be reviewed at least once a year.
Resolver will measure the fulfillment of all the objectives. CISO is responsible for setting the methods for measuring the achievement of the objectives – the measurements will be performed at least once a year and the Information Security Analyst will analyze and evaluate the measurement results and report them to CISO as input materials for the Management review.
The Information Security Analyst is responsible to record the details about measurement methods, periodicities, and results in the Measurement Report.
This Policy is applied to the entire ISMS as defined in the ISMS Scope Document, and to any activity that involves the access to, use, or modification of Resolver’s Hosted Platforms information and/or resources.
Users of this document are all Resolver’s employees, as well as relevant external parties.
The scope or impact is any access, logical or physical, that has the potential to affect Resolver’s Hosted Platforms negatively. Areas that are managed include, but are not limited to:
|Physical security||Logical security|
|Network security and monitoring||Application security|
|Segregation of duties||Establishing, editing, and terminating user access|
|Backup and recovery||Business continuity|
|Incident Response||Third-party security|
|Security education and awareness||Data storage|
|Handling and distribution of data||Confidential information|
|Password policies||Security monitoring|
|Access to customer data||Threat reporting and response|
The risks addressed are prohibited or unauthorized use, modification, and/or destruction of Resolver’s Hosted Platforms’ information and/or resources.
The right to use Resolver’s Hosted Platforms’ information systems and computing resources are based on each user’s access privileges. Access privileges are granted based on specific business needs and on a “need to know” basis. Access controls ensure that legitimate users cannot access information unless they are authorized to do so. All of Resolver’s Hosted Platforms resources, systems, and applications have access controls implemented.
All confidential data/information should be encrypted at rest and in transition.
Production environments must be physically (if possible) or logically (VLAN, VPC) separated from development and QE / Test environments with available access controls (separate AWS account).
Development and QA/test staff must not be permitted access to Production systems/environments unless required by their respective job duties/descriptions accompanied and controlled by DevOps person.
Resolver’s employees, “temps”, contractors, consultants, and other workers including all personnel affiliated with third parties, are responsible for and can participate in maintaining and securing access to Resolver’s Hosted Platforms resources. Resolver’s management provides guidance in creating this secure access environment by establishing access management policies, approving roles, responsibilities, and providing consistent coordination of security efforts across Resolver.
The Security Policies and Procedures listed below are approved by management and act to govern the information environment at Resolver.
For greater detailed information, please refer to the “A.8.2 Resolver Corporate Data Handling Policy” document.
For greater detailed information, please refer to “A.8.2 Resolver Corporate Data Handling Policy” document
Data encryption should follow the requirements defined in the Resolver Corporate Cryptography Standards Policy document.
In the event a data breach has occurred or is suspected, employees are required to notify their supervisor immediately.
Supervisors are required to immediately report the event to the CISO or CTO.
Evaluation regarding whether there has been a data breach will follow after a breach notification. Senior management will make the determination about subsequent notification to customers and authorities.
A form of issuance or electronic notification is required when an employee changes positions within the organization at Resolver. All employee position change notifications should include the following to allow application and systems owners to update logical and physical access accordingly, if appropriate:
Human Resources will only initiate employee change notifications.
When an employee is terminated voluntarily or involuntarily and exits Resolver, a notification will be sent to all applicable parties. Human Resources issue the termination notification immediately upon termination.
Resolver Helpdesk, Operations, Physical Facilities, Accounting, and Human Resources will all receive the notification. Upon receipt of a termination notification, all domain and application/systems access is immediately disabled.
The terminated employee will return all Resolver equipment and property including laptop, PDA, phone, access cards, etc. to their supervisor or a Senior Human Resources representative.
Resolver’s Hosted Platforms reside in Tier 1 Colocations and/or the Cloud. Network access is restricted to approved Resolver employees.
All requests for access require a written or electronic form with appropriate management approval. Access requires a profile including a valid username and password. Group permissions are reflective of job requirements and are audited quarterly.
Resolver’s Hosted Platforms reside in Tier 1 Colocations and/or the Cloud. Colocation data center access is restricted to approved Resolver employees.
All usernames assigned to users in order to access Resolver’s Hosted Platforms information systems and/or computer resources will be unique to that information system or computer resource and unique to each user.
All of Resolver’s Hosted Platforms systems utilize complex usernames and passwords.
All employees accessing Resolver’s Hosted Platforms infrastructure must change their application and/or systems passwords according to the Resolver Corporate Password Policy document.
Resolver’s Hosted Platforms reside in Tier 1 Colocations and/or the Cloud. Colocation network access is restricted to approve Resolver employees.
Resolver’s Hosted Platforms’ resources remote access should follow the requirements defined in Resolver’s Hosted Platform Remote Access Policy document.
Backups of all essential electronically stored business data are routinely created.
All computers attached to any Resolver networks must run supported anti-virus software.
This software must be active and configured as follow:
If an employee receives what he/she believes to be a virus, or suspects that a computer is infected with a virus, it must be reported to the IT department immediately at email@example.com or Information Security Department at firstname.lastname@example.org.
The report should include as much detail as possible: virus name, the extent of the infection, source of the virus, and potential recipients of infected material.
Any virus-infected computer will be removed from the network until it is verified as virus-free.
For more detailed information please refer to the “A.11.2 Resolver Disposal and Destruction Policy” document.
Resolver’s Hosted Platforms infrastructure maintains and appropriately stores operation logs for 90 days. These logs are subject to regular, independent reviews and include:
Personnel is prohibited to use personal devices not managed by Resolver’s corporate IT department for performing business tasks except:
If you are utilizing a Microsoft Outlook client and storing offline e-mail correspondence in your local drive-in OST or PST format, you must encrypt your local drive utilizing Bitlocker in Microsoft Windows platforms and Filevault 2 in Apple macOS X platform.
The Information Security team will communicate:
Any exceptions to this policy can only be granted in accordance with the company CISO or Resolver’s Information Security Department’s written approval.
This document is valid as of July 2020.
The owner of this document is an Information Security Analyst who must check and, if necessary, update the document at least once a year.
When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:
EFFECTIVE ON: September 2020
REVIEW CYCLE: Annual at least and as needed
REVIEW, APPROVAL & CHANGE HISTORY: Last time reviewed and approved in August 2020 by Resolver’s Information Technology Security team.