Corporate Data Handling Policy

1. Purpose, scope, and users

This policy aims to define and provide guidelines for data classification, information transfer, and secure data disposal mechanisms to ensure the confidentiality, integrity, and availability of Resolver’s customer data and corporate information.

This document applies to the entire Information Security Management System (ISMS) scope and all personal data processing activities (PIMS).

Users of this document are all Resolver’s employees: permanent, temporary, contracted staff, and its affiliates and subsidiaries.

2. Reference documents

  • ISO/IEC 27001:2013 standard, controls A.8.3.2, A.11.2.7
  • ISO/IEC 27701:2019 standard clause 6.5.3.2, 6.8.2.7
  • EU GDPR Article 32
  • Information Security and Data Privacy Policy
  • Data Retention Policy

3. Introduction

!!! Resolver has implemented a Green Office philosophy, or paperless approach, in document management.!!!

4. Access Control

4.1. Need to Know

Each of the policy requirements outlined in this document is based on the concept of “need to know”. If an IS employee is unclear about how the requirements outlined in this policy should be applied to any particular circumstance, he or she must apply the “need to know” concept – information must be disclosed only to people with a legitimate business need for the information.

4.2. System Access Controls

The proper controls shall be in place to authenticate users’ identity and validate each user’s authorization before allowing the user to access information or services on the system.  Data used for authentication shall be protected from unauthorized access.  Controls shall be in place to ensure that only personnel with the proper authorization and a need to know are granted access to Resolver systems and their resources.  Remote access shall be controlled through identification and authentication mechanisms.

4.3. Access Granting Decisions

Access to Resolver sensitive information must be provided only after the written authorization of the Data Owner has been obtained.  Access requests will be presented to the data owner using the Access Request template.  Custodians of the involved information must refer all requests for access to the relevant Owners or their delegates.  Special needs for other access privileges will be dealt with on a request-by-request basis.  The list of individuals with access to Confidential or Restricted data must be reviewed for accuracy by the relevant Data Owner in accordance with a system review schedule approved by the CISO.

5. Data Classification

5.1. Information Owners and Production

All electronic information at Resolver must have a designated Owner, usually the person or function who created and classified the information. The information owner is typically the best person to determine the classification of their information, so Owners are responsible for assigning appropriate sensitivity classifications as defined below. Ownership and classification may change during the information’s lifecycle. Owners do not legally own the information entrusted to their care. They are instead designated members of the Resolver management team who act as stewards and who supervise the ways in which certain types of information are used and protected.

5.2. Owners and Access Decisions

Data Owners should make decisions about who will be permitted to gain access to information and the uses to which this information will be put. Where the owner cannot be identified, the recipient should use their judgment as to the appropriate classification.

IS must take steps to ensure that appropriate controls are utilized in the storage, handling, distribution, and regular usage of electronic information.

5.3. Resolver’s Information Classification Levels and Rules

  • Always label Confidential information as such and handle it accordingly.
  • More detailed data labeling guidelines, based on the business application used to store and process Customer Confidential, Confidential and Internal information, can be found here: List of Resolver’s sub-processors contains confidential/critical data and/or connected to Resolver’s systems.
  • If you create information, including documents and emails, you are the Information Owner, and it is your responsibility to determine the classification of the information and handle it appropriately.
  • If you receive information from a Customer for which the classification is unclear, confirm the classification with the Information Owner; otherwise, you should use these guidelines to decide how to handle it appropriately.
  • If you receive information from a third party, handle it according to its equivalent Resolver classification.
  • Sending Confidential emails or files to personal email accounts or public webmail providers (e.g., Gmail, Hotmail, Live, Outlook, Yahoo) is prohibited.

Information Category: Public
Classification criteria: Information is not confidential and can be made public without any implications for the company. Loss of availability due to system downtime is an acceptable risk. Integrity is important but not vital. These documents may be redistributed outside of the organization with no restriction.
Examples:
  • Product brochures widely distributed.
  • Marketing material for public release.
  • Information widely available in the public domain, including publicly available company web site areas, external vacancy notifications.
  • Newsletters for external transmission.

Information Category: Internal
Classification criteria: Information is restricted to management approved internal access and protected from external access. Unauthorized access could influence the Company’s operational effectiveness, cause an important financial loss, provide a significant gain to a competitor, or cause a major drop in customer confidence. Disclosure of this information to anyone outside of Resolver requires management authorization.
Examples:
  • Most corporate information falls into this category.
  • Information on corporate security procedures.
  • Know-how used to process client information.
  • Departmental memos, meetings notes, information on internal bulletin boards, internal training materials, policies, operating procedures, work instructions, guidelines, marketing information (prior to public release), investment options, transaction data, productivity reports, disciplinary reports, contracts, internal vacancy notices, intranet Web pages.
  • Standard Operating Procedures used in all parts of the company’s business.

Information Category: Confidential
Classification criteria: Information collected and used by the company in the conduct of its business to employ people, to log and fulfill customer orders, and to manage all aspects of corporate finance. Access to this information is very restricted within the company. The highest possible levels of integrity, confidentiality, and restricted availability are vital.
Examples:
  • Any corporate user accounts, credentials, passwords, or identities.
  • Resolver Intellectual Property.
  • All company-developed software code, whether used internally or made available to customers.
  • Salaries, PII, PHI, SIN, and other sensitive personnel data.
  • Accounting data and internal financial reports.
  • Confidential customer business data and confidential contracts.
  • Agreements with customers/vendors.
  • Company business plans.
  • Information on corporate security procedures.
  • Know-how used to process customer information.

Information Category: Customer Confidential
Classification criteria: Information received from customers in any form for processing in Resolver products in production environments hosted on the Cloud and managed by Resolver. The original copy of such information must not be changed in any way. The highest possible levels of integrity, confidentiality, and restricted availability are vital.
Examples:
  • Personally Identifiable Information (PII).
  • Customer media.
  • Electronic transmissions from customers.
  • Data entered by Customers to Resolver’s hosted in the Cloud production systems.
  • Product information generated for the customer by Company production activities as specified by the customer.

5.4. Reclassification

Asset owners must review the confidentiality level of their information assets every three years and assess whether the confidentiality level can be changed.  If possible, the confidentiality level should be lowered.

6. Data Deletion Policy

6.1. Production Customers Data:

Customer data is retained for 31 days after deactivation/termination/cancelation. After that time, Resolver will delete the database backup image containing the customer’s data. Once this is done, the data cannot be recovered.

Resolver conducts 3rd party risk assessments, in which we evaluate the relevant risks related to our third-party vendors based on their 3rd party compliance audits. Resolver evaluates their SOC2 reports or appropriate/alternative 3rd party compliance certifications, like ISO 27001 / 2 / 17 / 18, etc.

For more detailed information, please refer to the “A.11.2_Resolver_Disposal_and_Destruction_Policy” document.

7. Records Retention

7.1. Production Customers Data:

By default, unless otherwise stipulated in the MSA/SLA or another agreement, the customer’s data is retained for 31 days after deactivation/termination/cancelation. After that time, Resolver will delete the database backup image containing your data. Once this is done, the data cannot be recovered.

By default, after such a thirty-one (31) day period, we will have no obligation to maintain or provide any Customer Data and We will, unless legally prohibited, delete or destroy all Customer Data in Our systems or otherwise in Our possession or under Our control. At Your written request, an officer of Resolver will certify the delivery of and/or deletion or destruction of Customer Data following termination.

For more detailed information, please see Resolver’s “Terms of Service” at http://www.resolver.com/legal/

8. Object Reuse and Disposal or Secure Deletion

Storage media containing sensitive (i.e. restricted or confidential) information shall be completely empty before reassigning that medium to a different user or disposing of it when no longer used.  Simply deleting the data from the media is not sufficient.  A method must be used that completely erases all data. When disposing of media containing data that cannot be completely erased, it must be destroyed in a manner approved by the Director of IS Security.

Sensitive paper documents must be disposed of by shredding. (Resolver uses the services of a company providing secure off-site shredding.)

For more detailed information, please refer to “A.11.2_Resolver_Disposal_and_Destruction_Policy”.

9. Physical Security

For more info, please see the “A.11_Resolver_Corporate_Physical_Security_Policy”

10. Special Considerations for Restricted Information

!!! Avoid storing data on external and removable storage devices!!!

!! When offline transportation of information on removable storage devices is absolutely necessary, the data should be encrypted with IT-approved tools using IT-approved encryption algorithms!!

! Utilize Box services!

 

Removable devices and/or removable storage devices

  • USB devices:
  • External hard disk drives or optical disc drives, including but not limited to CD, DVD, and Zip drives, that plug into the USB port.
  • A device that spins, reads and writes a removable medium such as a CD, DVD, hard disk, or floppy disk. The medium may be bare or encased in a cartridge inserted into the drive’s slot.
  • SD Card, MMC, USB flash, USB key, or any other type of memory cards/sticks or drives.
  • A Solid-State storage (SSD) module that plugs into the computer’s USB port. Using flash memory chips that hold up to one terabyte of data, the SSD USB drive emulates a hard disk.

If Restricted information is going to be stored on a personal computer, portable computer, personal digital assistant, or any other single-user system, the system must conform to data access control safeguards approved by IS and Corporate senior management.  When these users are not currently accessing or otherwise actively using the restricted information on such a machine, they must not leave the machine without logging off, invoking a password-protected screen saver, or otherwise restricting access to the restricted information.

Data Encryption Software

Resolver employees and vendors must not install encryption software to encrypt files or folders without the express written consent of Information Security.

Resolver employees should utilize corporate Box services https://resolver.app.box.com to save all documents.

11. Information Transfer

11.1. Data Transmission Over Networks

Internal document management should be handled entirely through the Box service. Communication and data transfer to and from the Box service are encrypted using the highest encryption standards: HTTPS over TLS v1.2 or v1.3 with ECDH_RSA with P-256 and AES-256-GCM (cipher suites supporting Authenticated Encryption with Associated Data (AEAD)).

If Resolver Restricted data is to be transmitted over any external communication network, it must be sent only in encrypted form over secure communication channels. Such networks include electronic mail systems, the Internet, etc. All such transmissions must use a virtual private network or similar software as approved by the Information Security Team.

11.2. Data Transfer to Another Computer

Before any Restricted information may be transferred from one computer to another, the person making the transfer must ensure that access controls on the destination computer are commensurate with access controls on the originating computer. The information must not be transferred if comparable security cannot be provided with the destination system’s access controls.

11.3. Data Transfer via Physical Media Outside of the Resolver Facilities

Data transfer outside of Resolver’s facilities should be avoided. If necessary, this transfer should be coordinated with the IT department to ensure the data is encrypted and transferred in accordance with the standards set out in section A.10 Resolver Corporate Cryptography Policy and Standards.

12. Software Security

12.1. Secure Storage of object and source code

Object and source code for system software shall be securely stored when not in use by the developer. Developers must not have access to modify program files that actually run in production. Changes made by developers must be implemented into production by Technical Operations. Unless access is routed through an application interface, no developer shall have more than read access to production data.  Further, any changes to production applications must follow the change management process.

12.2. Backups

Sensitive data shall be backed up regularly, and the backup media shall be stored in a secure environment.

For more detailed information, please see Resolver’s A.12.3_Resolver Corporate BackUp&Restore policy and A.10 Resolver Corporate Cryptography Policy and Standards.

13. Production Hosted environments disposal process

The DevOps department is responsible for erasing customers’ data from production environments.

!!! All customer data is considered confidential data!!!

!!! The customer must be notified in writing about the date of final disposal, with a request for response and approval!!!

Please refer to the “A.11.2_Resolver_Disposal_and_Destruction_Policy” document for more detailed information.

14. Non-Conformance

All policies require the participation of staff and contractors to be successful. Any employee or contractor found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

15. Validity and document management

This document is valid as of August 2023.

The owner of this document is an Information Security Analyst who must check and, if necessary, update the document at least once a year.

When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:

  • The number of incidents arising from the unclear definition of the ISMS scope.

EFFECTIVE ON: August 2023

REVIEW CYCLE: Annual at least and as needed