This top-level Policy document defines the purpose, direction, principles, and basic rules for information security and privacy management and contains rules, constraints, and standards for individual access and individual use of systems, data storage, and data protection with respect to Resolver’s Hosted Platforms.
Critical data includes customer data, which may contain Personally Identifiable Information (PII) and Protected Health Information (PHI).
Resolver is committed to safeguarding the confidentiality, integrity, availability, and privacy of the company’s systems and information, including customer, employee, and service provider information. Information is an important business asset of significant value to the company and needs to be protected from threats that could disrupt business continuity or breach data privacy.
The Information Security & Privacy Policy sets the underlying framework for meeting the requirements of the International Organization for Standardization (ISO) standard ISO/IEC 27001:2013 and its privacy extension ISO/IEC 27701:2019.
A critical aspect of the Information Security and Privacy Policy is reporting potential Data Breaches and Security Incidents. This is described in more detail later in this document. Reporting incidents or potential incidents is an aspect of every employee’s job function.
Users of this document are all Resolver’s employees: permanent, temporary, contracted staff, and its affiliates and subsidiaries.
Confidentiality – characteristic of the information by which it is available only to authorized persons or systems.
Integrity – characteristic of the information by which it is changed only by authorized persons or systems in an allowed way.
Availability – characteristic of the information by which it can be accessed by authorized persons when it is needed.
Information security – preservation of confidentiality, integrity, and availability of information.
Information Security Management System (ISMS) – part of overall management processes that plan, implement, maintain, review, and improve information security.
Privacy – Data privacy refers to handling personal data in compliance with data protection laws, regulations, and general privacy best practices.
Personal Data – any information relating to an identified or identifiable natural person.
Privacy Information Management System (PIMS) – Information Security Management System which addresses the protection of privacy as potentially affected by the processing of PII.
Resolver’s hosted platforms’ information is an asset protected from unauthorized disclosure, modification, use, and destruction. Prudent and practical steps are taken to ensure that data integrity, the confidentiality of information, application/data availability, and data privacy are not compromised.
Security tools and processes are implemented and configured to enable adequate and proper restriction of access to programs, data, and other information resources. Physical access measures are also incorporated and implemented to ensure that only authorized individuals can access or use information resources.
General objectives for the ISMS are:
Company CISO is responsible for reviewing these general ISMS objectives and setting new ones.
Objectives for individual security controls or groups of controls are proposed by the CTO or Director of Development, IT Manager, and Information Security Analyst and approved by CISO in the Statement of Applicability.
General objectives for the PIMS are:
All the objectives must be reviewed at least once a year.
Resolver will measure the fulfillment of all the objectives. The CISO is responsible for setting the methods for measuring the achievement of the objectives. The measurements are performed at least once a year; the Information Security Analyst analyzes and evaluates the measurement results and reports them to the CISO as input for the Management review.
The Information Security Analyst is responsible for recording the details of measurement methods, periodicities, and results in the Measurement Report.
This Policy is applied to the entire ISMS as defined in the ISMS Scope Document and to any activity involving accessing, using, or modifying Resolver’s Hosted Platforms information and/or resources.
Further, this Policy also applies to the PIMS as defined in the PIMS Scope Document, and to any activity that involves access to, use of, or modification of Personal Data.
Users of this document are all Resolver’s employees and relevant external parties.
The scope or impact is any access, logical or physical, that has the potential to negatively affect Resolver’s Hosted Platforms and its corporate image. Areas that are managed include, but are not limited to:
· Physical security
· Logical security
· Network security and monitoring
· Application security
· Segregation of duties
· Establishing, editing, and terminating user access
· Backup and recovery
· Business continuity
· Incident Response
· Third-party security
· Security education and awareness
· Data storage
· Handling and distribution of data
· Confidential information
· Password policies
· Security monitoring
· Access to customer data
· Threat reporting and response
The risks addressed are prohibited or unauthorized use, modification, and/or destruction of Resolver’s Corporate and Hosted Platforms’ information, data and resources.
· Must be periodically reviewed, at least once a year.
As a modern, forward-looking business, Resolver recognizes at senior levels the need to ensure that its business operates smoothly and without interruption to benefit its customers, shareholders, and other stakeholders.
In order to provide such a level of continuous operation, Resolver has implemented an Information Security Management System (ISMS) and Privacy Information Management System (PIMS) in line with the International Standard for Information Security, ISO/IEC 27001 and its privacy extension ISO/IEC 27701.
These standards define the requirements for an ISMS and a PIMS based on internationally recognized best practices.
The right to use Resolver’s Hosted Platforms’ information systems and computing resources is based on each user’s access privileges. Access privileges are granted based on specific business needs and on a “need to know” basis. Access controls ensure that legitimate users cannot access information unless they are authorized to do so. Resolver’s Hosted Platforms resources, systems, and applications have access controls implemented.
All confidential data/information must be encrypted at rest and in transit.
· Production and customer data must never be copied, transferred, ported, or otherwise leave the Production environment unless requested by the customer via written authorization addressed to Resolver and signed by a duly authorized representative of the customer.
Production environments must be physically (where possible) or logically (VLAN, VPC) separated from development and QE/Test environments, using the available access controls (for example, a separate AWS account).
Development and QA/test staff must not be permitted access to Production systems/environments unless required by their job duties/descriptions, and then only when accompanied and controlled by a DevOps person.
Resolver’s employees, “temps,” contractors, consultants, and other workers, including all personnel affiliated with third parties, are responsible for maintaining and securing access to Resolver’s Hosted Platforms resources. Resolver’s management provides guidance in creating this secure access environment by establishing access management policies, approving roles and responsibilities, and providing consistent coordination of security efforts across Resolver.
The Security Policies and Procedures listed below are approved by management and act to govern the information environment at Resolver.
For more detailed information about the roles and responsibilities and organizational structure at Resolver, please refer to https://resolverco.bamboohr.com/employees/orgchart.php?pin
Please refer to the “A.8.2 Resolver Corporate Data Handling Policy” document for more detailed information.
Resolver ensures that the information security and data privacy principles as described below are applied consistently across the management of access to information assets, information systems, business processes, and premises for any activity that involves access to, use or modification of Personal Data:
Consent & Choice: PII principals shall have the choice whether to allow PII processing or not.
Purpose, legitimacy and specification: The purpose of processing shall comply with the law and be communicated to PII principals.
Collection limitation: Data collected shall be limited to what is strictly necessary for the purpose.
Data minimization: PII processing and third-party access to PII shall be minimized.
Use, retention and disclosure limitation: PII shall be used only for the specified purpose and retained only as long as needed for that purpose.
Accuracy and quality: PII shall be maintained as accurate, complete, up-to-date, adequate, and relevant for the purpose, as provided by the PII principals.
Openness, transparency and notice: PII principals shall receive sufficient, clear, and easy-to-access information.
Individual participation and access: PII principals shall be able to access and review their PII, as permitted by law.
Accountability: Resolver takes responsibility for the PII processing.
Information security: Security controls shall be implemented to protect the confidentiality, integrity, and availability of data.
Privacy compliance: Controls shall be implemented, and audits and verifications shall be performed, to ensure PII processing meets the compliance requirements.
For more detailed information, please refer to the “A.8.2 Resolver Corporate Data Handling Policy” document.
· Customer data must be encrypted at rest and in transit.
· All Resolver Confidential information must be encrypted at rest and in transit.
Data encryption should follow the requirements defined in the “A.10 Resolver Corporate Cryptography Policy and Standards” document.
In the event a data breach has occurred or is suspected, employees are required to notify their supervisor immediately.
Supervisors are required to report the event to the CISO or CTO immediately.
Whether a data breach has actually occurred will be evaluated after the notification. Senior management will determine any subsequent notification to customers and authorities.
Please refer to the “A.16 Resolver Data Breach Response and Notification Procedure GDPR and HIPAA” document for more detailed information.
Written or electronic notification is required when an employee changes positions within Resolver. All employee position change notifications should include the following to allow application and system owners to update logical and physical access accordingly, if appropriate:
Only Human Resources may initiate employee change notifications.
When an employee is terminated, voluntarily or involuntarily, and exits Resolver, a notification will be sent to all applicable parties. Human Resources issues the termination notification immediately upon termination.
Resolver Helpdesk, Operations, Physical Facilities, Accounting, and Human Resources will all receive the notification. Upon receipt of a termination notification, all domain and application/systems access is immediately disabled.
The terminated employee will return all Resolver equipment and property, including laptop, PDA, phone, access cards, etc., to their supervisor or a Senior Human Resources representative.
Resolver’s Hosted Platforms reside in Tier 1 Colocations and/or the Cloud. Network access is restricted to approved Resolver employees.
All access requests require a written or electronic form with appropriate management approval. Access requires a profile, including a valid username and password. Group permissions are reflective of job requirements and are audited quarterly.
Resolver’s Hosted Platforms reside in Tier 1 Colocations and/or the Cloud. Colocation data center access is restricted to approved Resolver employees.
All usernames assigned to users in order to access Resolver’s Hosted Platforms information systems and/or computer resources will be unique to that information system or computer resource and unique to each user.
All of Resolver’s Hosted Platforms systems utilize complex usernames and passwords.
All employees accessing Resolver’s Hosted Platforms infrastructure must change their application and/or systems passwords according to the Resolver Corporate Password Policy document.
Resolver’s Hosted Platforms reside in Tier 1 Colocations and/or the Cloud. Colocation network access is restricted to approved Resolver employees.
Resolver’s Hosted Platforms’ resources remote access should follow the requirements defined in Resolver’s Hosted Platform Remote Access Policy document.
Backups of all essential electronically stored business data are routinely created.
Please refer to the “A.12.3 Resolver Corporate BackUp and Restore Policy” document for more detailed information.
All computers attached to any Resolver network must run anti-virus software supported by the company IT department.
This software must be active and configured as follows:
If an employee receives what he/she believes to be a virus or suspects that a computer is infected, it must be reported to the IT department immediately at it@resolver.com or the Information Security Department at infosec@resolver.com.
The report should include as much detail as possible: virus name, the extent of the infection, the source of the virus, and potential recipients of infected material.
Any virus-infected computer will be removed from the network until it is verified as virus-free.
Please refer to the “A.11.2 Resolver Disposal and Destruction Policy” document for more detailed information.
Please refer to the “A.12.4 Logging and monitoring policy” document for more detailed information.
Personnel are prohibited from using personal devices not managed by Resolver’s corporate IT department for performing business tasks, except:
If you are using a Microsoft Outlook client and storing offline e-mail correspondence on your local drive in OST or PST format, you must encrypt your local drive using BitLocker on Microsoft Windows platforms and FileVault 2 on Apple macOS platforms.
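The following is an added example, not part of Resolver’s policy or its tooling, of how an endpoint could self-check the rule above: it locates OST/PST files under a directory and parses the output of the platform’s own encryption status command (`fdesetup status` for FileVault on macOS, `manage-bde -status` for BitLocker on Windows). The sample command outputs embedded in the script are constructed for the demonstration; the path argument and function names are the example’s own.

```python
"""Local compliance check for the OST/PST-on-encrypted-drive rule.

Added example; not Resolver's code. Real tools: `fdesetup status` (macOS)
and `manage-bde -status <volume>` (Windows, needs an elevated prompt).
"""
import os
import platform
import re
import subprocess
import sys

MAIL_STORE_SUFFIXES = (".ost", ".pst")

# Constructed sample outputs used for the offline demonstration below.
SAMPLE_FDESETUP_ON = "FileVault is On.\n"
SAMPLE_FDESETUP_OFF = "FileVault is Off.\n"
SAMPLE_BDE_ON = (
    "Volume C: [OS]\n"
    "[OS Volume]\n"
    "    Conversion Status:    Fully Encrypted\n"
    "    Percentage Encrypted: 100.0%\n"
    "    Protection Status:    Protection On\n"
)
SAMPLE_BDE_SUSPENDED = (
    "Volume C: [OS]\n"
    "    Conversion Status:    Fully Encrypted\n"
    "    Protection Status:    Protection Off\n"
)


def find_mail_stores(root):
    """Return sorted paths of Outlook offline stores (.ost/.pst) under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(MAIL_STORE_SUFFIXES):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def filevault_enabled(fdesetup_output):
    """True iff `fdesetup status` reports FileVault as On."""
    return re.search(r"^FileVault is On\.", fdesetup_output, re.M) is not None


def bitlocker_enabled(manage_bde_output):
    """True iff the volume is fully encrypted AND protection is on.

    A volume whose protectors are suspended ('Protection Off') is still
    fully encrypted but the key is exposed, so it does not count as compliant.
    """
    fully = re.search(r"Conversion Status:\s*Fully Encrypted", manage_bde_output)
    prot = re.search(r"Protection Status:\s*Protection On", manage_bde_output)
    return bool(fully and prot)


def evaluate(mail_stores, encrypted):
    """Policy verdict for a list of mail stores and the drive encryption state."""
    if not mail_stores:
        return "compliant: no OST/PST files found"
    if encrypted:
        return "compliant: %d mail store(s) on an encrypted volume" % len(mail_stores)
    return "NON-COMPLIANT: %d mail store(s) on an unencrypted volume" % len(mail_stores)


def live_encryption_status():
    """Query the current host's encryption tool; None if the OS is unsupported."""
    system = platform.system()
    if system == "Darwin":
        out = subprocess.run(["fdesetup", "status"], capture_output=True, text=True).stdout
        return filevault_enabled(out)
    if system == "Windows":
        volume = os.environ.get("SystemDrive", "C:")
        out = subprocess.run(["manage-bde", "-status", volume],
                             capture_output=True, text=True).stdout
        return bitlocker_enabled(out)
    return None


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    status = live_encryption_status()
    if status is None:
        # Show the parsers on the constructed samples when the OS has no tool.
        print("unsupported platform; sample verdicts:",
              evaluate(["demo.pst"], filevault_enabled(SAMPLE_FDESETUP_ON)),
              evaluate(["demo.pst"], bitlocker_enabled(SAMPLE_BDE_SUSPENDED)))
    else:
        print(evaluate(find_mail_stores(root), status))
```

Run it as `python check_mail_stores.py <directory>` on the workstation; the suspended-BitLocker case is treated as non-compliant on purpose, since a suspended volume holds its key in the clear.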
There are a number of established ISMS and PIMS communication methods in place within Resolver and these will be used where possible. A breakdown of the ways in which the necessary information will be communicated to the relevant interested parties is shown in the following table.
INTERESTED PARTY | SUBJECT OF COMMUNICATION | FREQUENCY | METHOD(S) |
Executive Management | Information Security & Privacy Strategies | Annually | Board briefings |
Executive Management | High level risk management | Monthly | Enterprise Risk Management (ERM) Meetings |
Executive Management | InfoSec high level reporting | Weekly | InfoSec Lead 1-1 with CISO |
Executive Management | Information Security and Privacy Policy updates | Annually | Confluence Portal, Slack channel |
Departmental Management | Information security and privacy awareness issues and follow-ups | Quarterly | Emails, Slack channel |
Departmental Management | Reviews of security and privacy breaches | Ad hoc | Specific agenda meetings |
Departmental Management | Review of risks and issues | Weekly | Departmental meetings |
All Resolver Employees | Communication of Information Security and Privacy Policies | Annually | Confluence portal, Slack channel, Emails |
All Resolver Employees | Security & Privacy related news, updates, breaches and/or announcements | Ad hoc | Emails, Slack channels |
IT staff | Penetration testing | Annually | Departmental meetings, Confluence portal, emails |
Suppliers | Information security and privacy policy | Published Online | Resolver Website |
Suppliers | Contractual requirements | Published Online | Supplier meetings, Project meetings |
Customers | Information security policies | Published Online | Resolver Website |
Customers | Resolver’s Cloud Controls | Published Online | Cloud Security Alliance – Security, Trust, and Assurance Registry |
Customers | Resolver Inc Security Ratings | Published Online | BITSIGHT Security Rating |
Customers | Third Party Risk Assessment | Published Online | CyberGRX |
Exceptions to this policy may be granted only with the written approval of the company CISO or Resolver’s Information Security Department.
This document is valid as of August 2023.
The owner of this document is an Information Security Analyst who must check and, if necessary, update the document at least once a year.
When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:
EFFECTIVE ON: August 2023
REVIEW CYCLE: Annual at least and as needed