A.5 Resolver Information Security Policy

1. Purpose, scope, and users

This top-level Policy document defines the purpose, direction, principles, and basic rules for information security management and contains rules, constraints, and standards for individual access and individual use of systems, data storage, and data protection with respect to Resolver’s Hosted Platforms.

There are multiple types of critical data, chief among them customer data, which may include PII (Personally Identifiable Information), PCI (Payment Card Industry cardholder data), and PHI (Protected Health Information).

Resolver is committed to safeguarding the confidentiality, integrity, and availability of the company’s systems and information including customer, employee, and service provider information. Information is an important business asset of significant value to the company and needs to be protected from threats that could potentially disrupt business continuity.

The Information Security Policy is in place to set an underlying framework to meet the requirements of the International Organization for Standardization standard ISO/IEC 27001:2013.

A critical aspect of the Information Security Policy is the reporting of potential Data Breaches and Security Incidents. This is described in more detail later in this document. Reporting incidents or potential incidents is part of every employee's job function.

Users of this document are all of Resolver's employees (permanent, temporary, and contracted staff) and those of its affiliates and subsidiaries.

2. Basic information security terminology

Confidentiality – characteristic of the information by which it is available only to authorized persons or systems.

Integrity – characteristic of the information by which it is changed only by authorized persons or systems in an allowed way.

Availability – characteristic of the information by which it can be accessed by authorized persons when it is needed.

Information security – preservation of confidentiality, integrity, and availability of information.

Information Security Management System (ISMS) – part of overall management processes that take care of planning, implementing, maintaining, reviewing, and improving information security.

3. Objectives

Resolver’s hosted platforms’ information is an asset that must be protected from unauthorized disclosure, modification, use, and destruction. Prudent and practical steps are taken to ensure that data integrity, the confidentiality of information, and application/data availability are not compromised.

Security tools and processes are implemented and configured to enable adequate and proper restriction of access to programs, data, and other information resources. Physical access measures are also incorporated and implemented to ensure that only authorized individuals can access or use information resources.

General objectives for the ISMS are:

  • Creating a better market image, reducing the damage caused by potential incidents, and achieving compliance with the EU GDPR.
  • Ensuring that the goals outlined in the “6.2 Resolver Corporate ISMS Objectives” document are in line with the organization’s business objectives, strategy, and business plans.

The company CISO is responsible for reviewing these general ISMS objectives and setting new ones.

Objectives for individual security controls or groups of controls are proposed by the Developer Director, IT Manager, and Information Security Analyst and approved by CISO in the Statement of Applicability.

All the objectives must be reviewed at least once a year.

Resolver will measure the fulfillment of all the objectives. The CISO is responsible for setting the methods for measuring the achievement of the objectives. The measurements will be performed at least once a year; the Information Security Analyst will analyze and evaluate the measurement results and report them to the CISO as input for the Management review.

The Information Security Analyst is responsible for recording the details of the measurement methods, periodicities, and results in the Measurement Report.

4. Scope of policy

This Policy is applied to the entire ISMS as defined in the ISMS Scope Document, and to any activity that involves the access to, use, or modification of Resolver’s Hosted Platforms information and/or resources.

Users of this document are all Resolver’s employees, as well as relevant external parties.

The scope or impact is any access, logical or physical, that has the potential to affect Resolver’s Hosted Platforms negatively. Areas that are managed include, but are not limited to:

  • Physical security
  • Logical security
  • Network security and monitoring
  • Application security
  • Segregation of duties
  • Establishing, editing, and terminating user access
  • Backup and recovery
  • Business continuity
  • Incident Response
  • Third-party security
  • Security education and awareness
  • Data storage
  • Handling and distribution of data
  • Confidential information
  • Password policies
  • Security monitoring
  • Access to customer data
  • Threat reporting and response

4.1 Risks addressed

The risks addressed are the prohibited or unauthorized use, modification, and/or destruction of Resolver’s Hosted Platforms’ information and/or resources.

5. Reference documents

  • ISO/IEC 27001:2013 standard clauses 5.2 and 5.3
  • ISMS Scope Document
  • Risk Assessment and Risk Treatment Methodology
  • Statement of Applicability
  • List of Legal, Regulatory, and Contractual Obligations
  • Data Breach Response and Notification Procedure

6. Policy statement

The right to use Resolver’s Hosted Platforms’ information systems and computing resources is based on each user’s access privileges. Access privileges are granted based on specific business needs and on a “need to know” basis. Access controls ensure that legitimate users cannot access information unless they are authorized to do so. All of Resolver’s Hosted Platforms resources, systems, and applications have access controls implemented.

All confidential data/information must be encrypted at rest and in transit.

  • Production and customer data must never be copied, transferred, ported, or otherwise leave the Production environment unless requested by the customer via written authorization addressed to Resolver and signed by a duly authorized representative of the customer.

Production environments must be separated from development and QE/Test environments physically (where possible) or logically (VLAN, VPC), using the available access controls (for example, a separate AWS account).

Development and QA/test staff must not be permitted access to Production systems/environments unless required by their respective job duties/descriptions, and then only accompanied and supervised by a DevOps staff member.

Resolver’s employees, temporary staff, contractors, consultants, and other workers, including all personnel affiliated with third parties, are responsible for maintaining and securing access to Resolver’s Hosted Platforms resources. Resolver’s management provides guidance in creating this secure access environment by establishing access management policies, approving roles and responsibilities, and providing consistent coordination of security efforts across Resolver.

The Security Policies and Procedures listed below are approved by management and act to govern the information environment at Resolver.

6.1 Policy update/review and notification

  • Resolver reserves the right to revise the conditions of this policy at any time. Adequate notification of updates will be provided to all employees. Employees are responsible for understanding, or seeking clarification of, any rules outlined in this document and for familiarizing themselves with the most current version of this policy.
  • All policy and procedure documentation must be reviewed at least once a year (annually). This includes, but is not limited to:
    • Information Security Policies, Standards, and Process documentation.
    • HR and HR process documentation.

7. Roles and responsibilities

  • Chief Information Security Officer (CISO, ISWG team member/leadership team): The CISO owns the information security program and is the person primarily responsible for developing and implementing it.
  • General Counsel / Privacy Officer (ISWG team member): General Counsel is responsible for corporate governance and for keeping the organization aligned with laws and regulations.
  • Information Security Analyst (ISWG team member/leadership team): Responsible for overall monitoring and investigation of detected vulnerabilities and for providing the risk assessment (in collaboration with the asset owner) and mitigation steps.
  • Chief Technology Officer (CTO, ISWG team member): Responsible for developing Resolver’s technical strategy in the Engineering department (Development, Quality Engineering, and DevOps).
  • IT System Engineer (ISWG team member): IT Department; responsible for implementing the remediation actions defined as a result of detected vulnerabilities for assets attached to Resolver’s Corporate networks.
  • DevOps Director (ISWG team member): Responsible for implementing the remediation actions defined as a result of detected vulnerabilities for Resolver’s Hosted production environments.
  • VP, Customer Success (ISWG team member): Responsible for customer communication.
  • Asset Owner: Responsible for the IT asset that is scanned by the vulnerability management process. This role should decide whether identified vulnerabilities are mitigated, or their associated risks are accepted.

8. Confidential information plan

For more detailed information, please refer to the “A.8.2 Resolver Corporate Data Handling Policy” document.

8.1 Handling and distribution of data

For more detailed information, please refer to the “A.8.2 Resolver Corporate Data Handling Policy” document.

8.2 Data encryption policy

  • Customer data must be encrypted at rest and in transit.
  • All Resolver Confidential information must be encrypted at rest and in transit.

Data encryption must follow the requirements defined in the Resolver Corporate Cryptography Standards Policy document.

8.3 Resolver’s Hosted Platforms data breach notification policy

8.3.1 Reporting of Data Breach

In the event a data breach has occurred or is suspected, employees are required to notify their supervisor immediately.

Supervisors are required to immediately report the event to the CISO or CTO.

An evaluation of whether a data breach has actually occurred will follow the initial report. Senior management will make the determination about subsequent notification to customers and authorities.

9. Security policies and procedures

9.1 Employee position change

A written form or electronic notification is required when an employee changes positions within Resolver. All employee position change notifications must include the following, so that application and systems owners can update logical and physical access accordingly, where appropriate:

  • Title change
  • Department Transfer
  • Physical Location Change
  • Access Establishment Requirements
  • Access Termination Requirements

Only Human Resources may initiate employee change notifications.

9.1.1 Terminating access

When an employee leaves Resolver, whether voluntarily or involuntarily, a notification will be sent to all applicable parties. Human Resources issues the termination notification immediately upon termination.

Resolver Helpdesk, Operations, Physical Facilities, Accounting, and Human Resources will all receive the notification. Upon receipt of a termination notification, all domain and application/systems access is immediately disabled.

The terminated employee will return all Resolver equipment and property including laptop, PDA, phone, access cards, etc. to their supervisor or a Senior Human Resources representative.

9.1.2 Network access

Resolver’s Hosted Platforms reside in Tier 1 Colocations and/or the Cloud. Network access is restricted to approved Resolver employees.

9.1.3 Resolver’s Hosted Platforms applications access

All requests for access require a written or electronic form with appropriate management approval. Access requires a profile including a valid username and password. Group permissions reflect job requirements and are audited quarterly.

9.2 Physical access

Resolver’s Hosted Platforms reside in Tier 1 Colocations and/or the Cloud. Colocation data center access is restricted to approved Resolver employees.

9.3 Authenticating a user

9.3.1 Unique application and systems users

All usernames assigned to users in order to access Resolver’s Hosted Platforms information systems and/or computer resources will be unique to that information system or computer resource and unique to each user.

9.3.2 Restricted access devices

All of Resolver’s Hosted Platforms systems utilize complex usernames and passwords.

9.3.3 Password policy settings

All employees accessing Resolver’s Hosted Platforms infrastructure must change their application and/or systems passwords according to the Resolver Corporate Password Policy document.

9.4 Access Methods

9.4.1 LAN (Local Area Network)

Resolver’s Hosted Platforms reside in Tier 1 Colocations and/or the Cloud. Colocation network access is restricted to approved Resolver employees.

9.4.2 Remote access

Remote access to Resolver’s Hosted Platforms’ resources must follow the requirements defined in the Resolver Hosted Platform Remote Access Policy document.

9.5 Protection of data

9.5.1 Backups

Backups of all essential electronically stored business data are routinely created.

9.5.2 Antivirus policy

All computers attached to any Resolver networks must run supported anti-virus software.

This software must be active and configured as follows:

  • Real-Time protection must be turned on.
  • Scheduled scans must be configured to perform virus checks at least once a day.
  • A full antivirus scan must run at least once a month.
  • Virus definition files must be kept up to date, configured for an automatic update once a day.

If an employee receives what they believe to be a virus, or suspects that a computer is infected, it must be reported immediately to the IT department at it@resolver.com or to the Information Security Department at infosec@resolver.com.

The report should include as much detail as possible: virus name, the extent of the infection, source of the virus, and potential recipients of infected material.

Any virus-infected computer will be removed from the network until it is verified as virus-free.

9.6 Disposal of data

For more detailed information please refer to the “A.11.2 Resolver Disposal and Destruction Policy” document.

9.7 System/Application logging requirements

Resolver’s Hosted Platforms infrastructure maintains and appropriately stores operational logs for 90 days. These logs are subject to regular, independent reviews and include:

  • System Logs
  • Security Logs
  • Application Logs
  • System errors
  • Successful and unsuccessful logins 

9.8 Personal device usage for business purposes

Personnel are prohibited from using personal devices not managed by Resolver’s corporate IT department for business tasks, with the following exceptions:

  • E-mail services: sending, receiving, reading, and writing e-mail through the web interface at https://login.microsoftonline.com or using a mobile email app.
  • Slack or another instant messaging (IM) application approved by Resolver IT.

If you are using a Microsoft Outlook client and storing offline e-mail correspondence on your local drive in OST or PST format, you must encrypt your local drive using BitLocker on Microsoft Windows platforms and FileVault 2 on Apple macOS platforms.

10. Communication

The Information Security team will communicate:

  • Internally, via email and the Slack #infosec_announcement and/or general #announsment channels, about upcoming changes or updates in the information security management system, e.g.:
    • information security policy updates
    • upcoming certification efforts
    • employee surveys
    • updates to the existing Information Security Awareness training program or the kick-off of new Awareness training
  • Externally, via email or publication at https://www.resolver.com/trust/:
    • about upcoming changes in the information security management system

11. Exceptions

Any exceptions to this policy can only be granted with the written approval of the company CISO or Resolver’s Information Security Department.

12. Validity and document management

This document is valid as of July 2020.

The owner of this document is the Information Security Analyst, who must check and, if necessary, update the document at least once a year.

When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:

  • The number of incidents arising from an unclear definition of the ISMS scope.
  • The number of corrective actions taken due to an inadequately defined ISMS scope.
  • The time spent by employees implementing the ISMS on resolving dilemmas concerning the unclear scope.

EFFECTIVE ON: September 2020

REVIEW CYCLE: Annual at least and as needed

REVIEW, APPROVAL & CHANGE HISTORY: Last time reviewed and approved in August 2020 by Resolver’s Information Technology Security team.