This document aims to define Rainforest QA's approach to information security management
Information Security Policy
Preserving the confidentiality, integrity and availability of Rainforest QA’s (RFQA) information, in all its forms, is critical to the ongoing development, growth, and sustainability of the company. Failing to correctly secure the information we hold increases the risk of financial and reputational losses as well as legal prosecution from which it may be difficult to recover.
This document aims to define RFQA’s approach to information security management. It provides guidelines and responsibilities to safeguard the security of the company’s and customers’ information. Supporting policies, codes of practice, procedures and guidelines provide further details.
The main purposes of this policy are to:
- Ensure the protection of all RFQA’s information systems (including but not limited to all computers, mobile devices, networking equipment, software, data and physical documents) and to mitigate the risk associated with the theft, loss, misuse, damage or abuse of these systems.
- Make sure that users are aware of and comply with all current and relevant international standards and US legislation.
- Ensure that RFQA’s personnel understand their own responsibilities for protecting the confidentiality and integrity of RFQA data.
- Respond to feedback and update as appropriate in a cycle of continuous improvement.
This policy is applicable to, and will be communicated to, all RFQA’s employees, contractors and any other individual and/or organization granted authorization to interact with information held by RFQA and the information systems used to access, store, and process that information. This includes, but is not limited to: systems managed by RFQA; computers or mobile devices used to connect to RFQA’s network or hold RFQA data; data over which RFQA holds intellectual property rights; data generated by RFQA on behalf of its customers; data over which RFQA is the data owner or data custodian; communications sent to or from RFQA; RFQA’s customer information.
RFQA’s data, for the purposes of this policy, is data owned, processed or held by RFQA, whether primary or secondary, irrespective of storage location. It is used interchangeably with the term ‘information’.
Information Security Principles
The following principles provide a framework for the security and management of information at RFQA:
- Information should be classified on the Information Classification scale according to its level of confidentiality, integrity, and availability, as well as any relevant legislative, regulatory and contractual requirements and RFQA policy, and registered in the RFQA information assets inventory.
- Staff assigned to handle information (see Responsibilities) are ultimately responsible for ensuring that said information has the correct classification, that it is handled in accordance with its classification level, and for any policies, procedures or systems for meeting those responsibilities, as well as for ensuring that a Risk Analysis of said information has been performed and registered in the Risk Register in compliance with the +Risk Management Policy and the +Risk Assessment Procedure.
- Each individual covered by this policy is required to handle information appropriately and in accordance with its classification level.
- In the spirit of maintaining information security and availability to those with a legitimate need for access according to its classification level, RFQA will base access grants on least privilege and need to know.
- Information will be protected against unauthorized access and processing in accordance with its classification level.
- Breaches of this policy must be reported as defined in the Compliance and Incident Handling sections of this document.
Data Retention and Disposal
Data must be retained for an unlimited time. However, in cases where this is not possible, a Data Retention Exception or Data Disposal Form must be filed and signed off by the Information Security Team and the VP of Engineering.
Legal & Regulatory Obligations
RFQA has a responsibility to abide by and adhere to all current US legislation as well as a variety of regulatory and contractual requirements.
Selected customer accounts might also generate information regulated under the Health Insurance Portability and Accountability Act (HIPAA). Every system, process or data store that can potentially hold or generate such data will be required to comply with said regulation.
Third Party Security Expectations
In accordance with HIPAA § 164.314(a), any third party vendor that will potentially create, receive, maintain, or transmit electronic protected health information must comply with the applicable requirements of this subpart. Therefore, written proof that the subcontractor will appropriately safeguard the information must be presented to the Information Security Team during the vendor selection process.
Bring Your Own Device (Mobile)
A personal mobile device, such as a phone or tablet, must not be connected to the RFQA network without prior written consent of the Information Security Team. If needed, the Guest network provided in the office should be used.
To access RFQA systems, such as email, the device must be encrypted and password protected.
Compliance, Policy Awareness, and Disciplinary Procedures
A security breach at RFQA might lead to loss of confidentiality, integrity, and availability of confidential or private data stored on the company’s information systems. The loss or breach of confidentiality of personal data might result in criminal or civil action against RFQA.
The loss or breach of confidentiality of contractually assured information may result in the loss of business, financial penalties or criminal or civil action against RFQA. Therefore, it is crucial that all RFQA personnel adhere to the Information Security Policy and its supporting policies listed in the Supporting Policies, Codes of Practice, Procedures and Guidelines section of this document.
Every member of RFQA, as defined by this document’s scope, will be informed of the existence of this policy and the availability of supporting policies, codes of practice and guidelines.
Any security breach will be handled in accordance with the relevant company policies and the appropriate disciplinary policies.
Any information security incident must be reported to the RFQA security team via electronic mail at the address firstname.lastname@example.org.
If necessary, an anonymous form can be used at Peakon, using the “consider” function and directing it to the security official.
Once an incident is reported, the security team is responsible for conducting a full review of the compromised systems, determining the impact of the breach, if any, mitigating the breach to ensure it does not recur, and producing a post-mortem report containing all findings. While this work is in progress, the security team must provide a daily report to the executive team on the findings and the status of the breach.
Supporting Policies, Codes of Practice, Procedures, and Guidelines
RFQA supporting policies have been developed in conjunction with this document to reinforce and strengthen it. These, along with the associated codes of practice, procedures and guidelines, can be found at +Security. They include:
- +Workstation Security Policy
- +Information Handling Policies and Procedures for HIPAA Regulated Customers
- +Information Classification Standards
- +Data Backup Policy
- +Rainforest QA Business Continuity And Disaster Recovery Plan
- +Security Operations Run book
- +Risk Management Policy
- +Risk Assessment Procedure
- +Logging and Monitoring Policy
- +Password Protection Policy
- +Wireless Communication policy
- +Portable Workstation Encryption Policy
- +Password Construction Guidelines
- +Accountability Matrix
Every individual who is granted access to RFQA information systems is required to familiarize themselves with these documents and comply with them in the working environment.
Review and Development
This policy, as well as its supporting documents, shall be reviewed by the Information Security team and kept up to date to ensure they remain valid as organizational policies, contractual obligations, laws and regulations evolve. This will happen at minimum once per quarter.
Additional regulations may be created to cover specific areas.
The Information Security Responsible will determine the appropriate levels of security measures applied to all new information systems, as well as oversee changes and/or adjustments to current ones.
All RFQA staff members, third parties and collaborators will be users of RFQA information. This carries with it the responsibility to abide by this policy and its principles, relevant legislation, and the supporting policies, procedures and guidance. No individual should be able to access information to which they do not have a legitimate access right. Notwithstanding the systems in place to prevent this, no individual should knowingly contravene this policy, nor allow others to do so. To report policy contraventions, please see the section: Incident Handling.
Some members of RFQA staff have specific or umbrella responsibilities for safeguarding the confidentiality and availability of information. This includes ensuring that data is appropriately stored, that the risks to data are appropriately understood and either mitigated or explicitly accepted, that the correct access rights have been put in place so that data is only accessible to the right people, and that appropriate backup, retention, disaster recovery and disposal mechanisms are in place. These include:
- Responsible for maintaining the security of information produced, provided or held by RFQA information systems that are created or modified in the course of projects they lead.
Heads of Departments and/or VPs:
- Responsible for the information systems (e.g. HR/Finance) both manual and electronic that support RFQA operations.
Line Managers and/or Team Leads:
- Responsible for a specific area of RFQA work, including all the supporting information and documentation that may include working documents, contracts or staff information.
Physical Security Responsibilities:
Responsibilities for the physical security of information-holding devices as well as the work areas where they are kept.
- Escort all guests around the office at all times.
- Block off work station areas when hosting events, parties, etc.
- Make sure all doors and windows are securely shut/locked at the end of the night (front door, sliding windows, patio windows, and door).
- If the last person in the office, enter the designated code to activate the office’s security alarm.
- In the event items are lost or stolen, report to the Office Manager:
  - What items were taken.
  - The value of each item taken.
  - What sensitive data may have been stored on the device.
- In the event a key fob is lost or stolen, please report it to the person who issues the key fobs so they can deactivate it immediately.
Information Security Responsibilities:
Responsible for this and subsequent information security policies, and for providing specialist advice throughout the company on information security issues.
Information Technology Committee:
- Responsible for approving information security policies.