Data Security Policy Panenco BVBA
(Last update: November 28th, 2019)

Purpose

Panenco restricts access to confidential and sensitive data to protect it from being lost or compromised in order to avoid adversely impacting our customers, incurring penalties for non-compliance and suffering damage to our reputation. At the same time, we must ensure users can access data as required for them to work effectively.

It is not anticipated that this policy can eliminate all malicious data theft. Rather, its primary objective is to increase user awareness and avoid accidental loss scenarios, so it outlines the requirements for data leakage prevention.

Scope
In Scope

This data security policy applies to all customer data, personal data, or other company data defined as sensitive by Panenco's privacy policy. Therefore, it applies to every server, database and IT system that handles such data, including any device that is regularly used for email, web access or other work-related tasks. Every user who interacts with Panenco's IT services is also subject to this policy.

Out of Scope

Information that is classified as Public is not subject to this policy. Company management can exclude other data from the policy based on specific business needs, for example when protecting the data would be too costly or too complex.

Policy

Principles

Panenco provides all employees and contracted third parties with access to the information they need to carry out their responsibilities in as effective and efficient a manner as possible.

General

  1. Each user shall be identified by a unique user ID so that individuals can be held accountable for their actions.

  2. The use of shared identities is permitted only where they are suitable, such as training accounts or service accounts.

  3. Each user shall read this data security policy and the login and logoff guidelines.

  4. Records of user access may be used to provide evidence for security incident investigations.

  5. Access shall be granted based on the principle of least privilege, which means that each program and user will be granted the fewest privileges necessary to complete their tasks.

Access Control Authorization

Access to company IT resources and services will be given through the provision of a unique user account and complex password. Accounts are provided by the organisation administrator on the basis of records in the employment register (including subcontractors).

Passwords are managed by the organisation administrator. Requirements for password length, complexity and expiration are stated in the Panenco password policy.

Role-based access control (RBAC) will be used to secure access to all file-based resources in Active Directory domains.

User Responsibilities

  1. All users must lock their screens whenever they leave their desks to reduce the risk of unauthorized access.

  2. All users must keep their workplace clear of any sensitive or confidential information when they leave.

  3. All users must keep their passwords confidential and not share them.

Application and Information Access

  1. All company staff and contractors shall be granted access to the data and applications required for their job roles.

  2. All company staff and contractors shall access sensitive data and systems only if there is a business need to do so and they have approval from higher management.

  3. Sensitive systems shall be physically or logically isolated in order to restrict access to authorized personnel only.

Access to Confidential and Restricted Information

  1. Access to data classified as 'Confidential' or 'Restricted' shall be limited to authorized persons whose job responsibilities require it, as determined by the Data Security Policy or higher management.

  2. The responsibility to implement access restrictions lies with the IT Security department.

Technical Guidelines

Access control methods to be used include:

  • Role-based access model
  • Server access rights
    • DigitalOcean: 2-factor authentication enabled. Only the organisation admin can assign additional users to any given droplet. SSH keys are managed centrally and checked weekly to verify that no users have access they shouldn't have.
    • Heroku: 2-factor authentication enabled. We do not use SSH for any project hosted on Heroku; new versions of the software are deployed to Heroku only via HTTPS Git transport.
  • Firewall permissions
  • Web authentication rights (2-factor authentication for all services where possible)
  • Database access rights and ACLs
  • Encryption at rest and in flight

Access control applies to all networks, servers, workstations, laptops, mobile devices, web applications and websites, cloud storage, and services.

Ownership and Responsibilities

Data owners are employees or subcontractors who have primary responsibility for maintaining information that they own, such as an executive, department manager or team leader.

The Information Security Administrator is an employee who provides administrative support for the implementation, oversight and coordination of security procedures and systems with respect to specific information resources.

Users include everyone who has access to information resources, such as employees, trustees, contractors, consultants, trials, temporary employees and volunteers.

Enforcement

Any user found in violation of this policy is subject to disciplinary action, up to and including termination of employment. Any third-party partner or contractor found in violation may have their contract terminated.

Definitions

  • Access control list (ACL) — A list of access control entries (ACEs) or rules. Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied or audited for that trustee.

  • Database — An organized collection of data, generally stored and accessed electronically from a computer system.

  • Encryption — The process of encoding a message or other information so that only authorized parties can access it.

  • Firewall — A way of isolating one network from another. Firewalls can be standalone systems or can be included in other devices, such as routers or servers.

  • Role-based access control (RBAC) — A policy-neutral access-control mechanism defined around roles and privileges.

  • Server — A computer program or a device that provides functionality for other programs or devices, called clients.

Panenco BVBA reserves the right to make changes to this Security Policy, and will reflect the date of the last change at the top of the document.

Related Documents