eventuosity Information Security Policy

GENERAL

This Information Security Policy is in service of the goals of:
• Confidentiality;
• Integrity; and
• Availablity

of the data and information stored in the eventuosity system and the system and applications themselves.

This policy relates to all eventuosity web servers, application servers, database servers, development environments and any machine, resource or account related to the development, deployment, maintenance, support, reporting or analysis of the eventuosity web and mobile applications and data or information related thereto.

This policy is put forth to ensure the activities of eventuosity employees, contractors, vendors and any other person, entity, system or application with access to eventuosity resources is in accordance with the achievement and maintenance of the three goals stated above. Access to eventuosity systems, applications or data is contingent upon strict adherence to this Security Policy.

• Persons with responsibilities for the creation, administration, maintenance, supoort or storage of data or information or the development of any application, script, procedure or other resource that achieves the creation, administration, maintenance, supoort or storage of data or information are responsible for ensuring that such data or information is properly classified according to an appropriate level of confidentiality.
• Information will be protected against unauthorized access in accordance with its level of classification.
• Information will be protected against loss or corruption using at least the minimum standards of accepted best practices.
• Access to information shall be made solely in furtherance of the responsibilities of any person or in accordance with the intended functionality of an application system or resource.
• Unauthorized access or access in excess of authorization to any system or data shall be immediately reported to eventuosity management.
• Any event that does or reasonably may compromise the confidentiality, integrity or availability of any system or data shall be immediately reported to eventuosity management.

Failure to adhere to this policy shall provide eventuosity the right to terminate, cancel or modify the employment, contractual or other relevant relationship between eventuosity and the non-conforming party and the right to pursue all available legal and equitable remedies.

PASSWORD, ACCESS AND AUTHORIZATION POLICY

Access rights to eventuosity electronic resources will be accorded following the principles of least privilege and need-to-know. The allocation of access/authorization rights (e.g. local administrator, domain administrator, super-user, root access) shall therefore be restricted and controlled. Authorization shall be provided only by the system administrator, who shall notify eventuosity’s management or project manager of the addition of each new user and the scope of access and level of authorization granted. All users granted access to eventuosity resources shall be made aware of the confidentiality provisions of all relevant agreements.

To prevent breach of confidentiality technical teams shall not issue single-level authorization rights to entire teams unless a compelling reason is presented to and approved by eventuosity management.

All users, including contractors and vendors with access to eventuosity systems or system resources, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

• Access shall be provided by the provisioning of a unique user account and complex password
• Access to Confidential, Restricted and Protected information will be limited to authorized persons whose job responsibilities require it, as determined by the data owner or their designated representative. Requests for access or authorization permission to be granted, changed or revoked must be made in writing.
• No authorized system user may disclose their username and password information to another person and this information shall be treated as sensitive, confidential information.
• Passwords may never be communicated by telephone and may only be communicated by electronic mail if the password provided is temporary and is required to be changed upon initial login.
• No password may reside in the main, executing body of the program’s source code in clear text or in a location that can be accessed through a web server.
• All user-level accounts for any employee, contractor or other person with access to any system must be deactivated immediately upon the completion of that person’s need for access and no later than the time of termination of that person’s engagement.

DATABASE SECURITY POLICY

In order to maintain the security of eventuosity’s internal databases, access by software programs must be granted only after authentication with credentials. The credentials used for this authentication must not reside in the main, executing body of the program’s source code in clear text. Database credentials must not be stored in a location that can be accessed through a web server.

• Database administrator passwords must be issued only on a single-user basis and multiple users should not share login credentials.
• Database passwords used by applications or other source code initiated connections must be unique between applications and may not be identical to the credentials of the user account of a human system user.

Pass through authentication must not allow access to the database based solely upon a remote user’s authentication on the remote host.

Developer groups must have a process in place to ensure that database passwords are controlled and changed in accordance with this policy. This process must include a method for restricting knowledge of database passwords to a need-to-know basis. Passwords must be immediately changed upon the departure of any employee or contractor with knowledge of the password.

DATA ACCESS AND INTEGRITY POLICY

No person shall make direct access to system data, including but not limited to user information, except as necessary to achieve their legitimate and assigned business purpose and within the properly granted scope of their authorization.

No eventuosity system shall permit a system user to access unencrypted user passwords.

To preserve the integrity of the eventuosity data, redundant backups shall be created on a daily basis and maintained, preferably across multiple geographic storage locations. These multiple storage locations shall be selected in accordance with the Physical Security Policy.

PHYSICAL SECURITY POLICY

Data from the eventuosity applications and systems shall reside solely on the Amazon Web Services servers, where it shall be appropriately replicated for the purposes of data restoration or recovery. No eventuosity data – including user information – shall be copied to or stored on any other physical medium, except in the course of and to the extent necessary to successfully complete development and deployment of the applications or support of an application user, in accordance with all other policies herein. In the event that any data is transferred or copied to any computing device, deemed necessary as described above, that device must be capable of remote disabling in the event of physical loss.

Eventuosity data may never be transferred or copied to a portable hard drive, CD, DVD or similar medium.

Eventuosity source code shall reside solely on computing devices and servers necessary for the development, deployment, maintenance and support of the eventuosity applications and systems. In the event that any source code is transferred or copied to any portable computing device (e.g. laptop computer), deemed necessary as described above, that device must be capable of remote disabling in the event of physical loss. Access to any such server or device, including collaboration platforms such as GitHub, shall be administered in accordance with all of the policies contained in this Information Security Policy.

DATA TRANSMISSION POLICY

All user/customer data transmitted between the eventuosity web and mobile applications and any server, including web servers, database servers and servers providing notifications or email services, shall use 256-bit SSL (Secure Sockets Layer) encryption. Transfers of customer data to or from any third party resource, such as Google Docs, Dropbox or Evernote shall also be made using SSL.

The eventuosity system will at all times maintain multiple firewalls controlling access at, at least, the point of initiation of communication between a client application and the eventuosity servers and between the web servers and databases or database servers.