Information Security Policy
- Overview of the service
- Protected user data
- Software development methodology
- Production environment
- Incident response
- Secure disposal policy
Overview of the service
The company provides a hosted Software as a Service product which allows user-contributed content to be solicited, moderated and published to public websites. The service is offered to client organisations (clients).
Members of the public (end users) submit contributions (text, images and videos) via public websites and mobile apps to a specific client's instance of the system. These contributions are reviewed by members of the client's staff (moderators) before being made public.
The vast majority of the system's content is intended for public display. The end user's expectation is that their submissions will eventually be displayed publicly, but that their personal details, contact details and correspondence with the moderators will not be made public.
The end user's contact details may be disclosed to the client's staff to assist with verification.
It is envisioned that end users have a relationship with clients rather than with the company itself.
Protected user data
The following data held in the system is not intended for public disclosure:
Original, unreviewed submissions received from end users
Raw submissions may contain the following potentially sensitive information:
- Media file metadata. Potentially sensitive location information may be contained in original files submitted by the user. Original media files must not be made public. Metadata must be stripped from any approved submissions published from the system.
- Connection metadata. The IP address from which the submission was received. If this information were made public it could potentially be used by third parties to identify an end user.
- User supplied contact details. The user may have supplied their real name and contact details in their original submission. These should not be made public. A publicly visible user id and a display name of the user's choosing are allowed to be displayed.
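As an added illustration of the metadata-stripping requirement above (example code written for this page, not the company's own software), the following pure-Python filter removes the JPEG segments that carry Exif (including GPS tags), XMP, IPTC and free-text comments at the segment level, and provides a check a publication step can use to confirm no Exif block remains. The sample JPEG bytes are constructed inline and are not a decodable image; the marker choices and the "publication gate" name are assumptions of this example.

```python
# Dropped at publication: APP1 (Exif incl. GPS, XMP), APP13 (IPTC), COM.
# APP0/APP2/APP14 are kept: decoders and colour management need them.
STRIP_MARKERS = {0xE1, 0xED, 0xFE}
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))  # markers with no length
SOS = 0xDA

def iter_segments(data: bytes):
    """Yield (marker, payload) per segment, payload including its 2-byte length.
    SOS is yielded with the whole remainder (scan data + EOI) to copy verbatim."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos < len(data):
        start = pos
        while pos < len(data) and data[pos] == 0xFF:  # marker plus any 0xFF fill
            pos += 1
        if pos == start or pos >= len(data):
            raise ValueError(f"expected marker at offset {start}")
        marker, pos = data[pos], pos + 1
        if marker in STANDALONE:
            yield marker, b""
            continue
        length = int.from_bytes(data[pos:pos + 2], "big")
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        if marker == SOS:
            yield marker, data[pos:]
            return
        yield marker, data[pos:pos + length]
        pos += length

def strip_jpeg_metadata(data: bytes) -> bytes:
    """Copy of the JPEG with Exif, XMP, IPTC and comment segments removed."""
    out = bytearray(b"\xff\xd8")
    for marker, payload in iter_segments(data):
        if marker not in STRIP_MARKERS:
            out += bytes([0xFF, marker]) + payload
    return bytes(out)

def has_exif(data: bytes) -> bool:  # publication gate: any APP1 with an Exif header?
    return any(m == 0xE1 and p[2:8] == b"Exif\x00\x00" for m, p in iter_segments(data))

def build_sample_jpeg() -> bytes:
    """Constructed JPEG-shaped bytes (not a decodable image) with Exif, COM, SOS."""
    def seg(marker, body):
        return bytes([0xFF, marker]) + (len(body) + 2).to_bytes(2, "big") + body
    return (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01")
            + seg(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08GPS-placeholder")
            + seg(0xFE, b"shot at home") + seg(SOS, b"\x01\x01\x00\x00\x3f\x00")
            + b"\x12\x34\x56\xff\xd9")
```

Run `has_exif` on every file the publication step emits rather than trusting the stripper alone, so a change in an upstream image library cannot silently reintroduce location data.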
Internal moderation workflow
The system records the internal moderation workflow leading up to a submission being approved or rejected. This history includes text moderation notes applied by moderators and the internal email addresses of the individual moderators. Details of correspondence between the end user and moderators may also be held in the system.
Client and social media supplied contact details for end users
The system allows users to identify themselves via a client's identity system or via 3rd party social media accounts (such as Facebook and Twitter). In this case the system may display the 3rd party user id publicly.
Contact details (including real name and email address) may be retrieved from the 3rd party system. The 3rd party credentials required to do this may be persisted within the system. The retrieved 3rd party contact details may not be permanently persisted in the system.
Software development methodology
The company's core product is a hosted software system. The core component is an Internet accessible API. To function, this API must be accessible over the public Internet.
Approved submissions and public data are accessible over HTTP with no credentials. Access to private data (such as unapproved submissions and moderation functions) requires API requests to be authenticated. Authenticated requests must be made over HTTPS. Access to authenticated resources is not permitted over unencrypted HTTP.
Software developers working on the system are aware of the OWASP guidelines.
New releases of the software must pass a series of automated acceptance tests in a development environment before being released to production. These tests include regression tests around access control and the visibility of protected resources. The development system is regularly subjected to scans from an automated integrated penetration testing tool. These scans are periodically performed on the live system.
Production environment
The application and data are stored on Contribly servers, Amazon EC2 and Google Cloud.
The live system components and persisted user data reside in the Amazon EC2 EU-WEST-1 region (Republic of Ireland) and the Google Cloud EUROPE-WEST2 region (England).
An encrypted, offline backup of the user data is held at an address in England.
All staff and contractors (excluding suppliers) involved in the day to day operation of the system are located in England.
All persisted user data is held within the European Economic Area (EEA).
Network access to data
HTTP, HTTPS and WS (WebSockets) are the only services publicly exposed by the system.
Operations staff have secure shell access to all nodes of the production environment via a trusted jump-off machine. Operations staff have access to the production environment via the EC2 console. No unencrypted shell connections to live systems are permitted.
The following restrictions are placed on access to production systems and data:
- Production ssh keys must be passphrase protected and are not permitted on portable devices unless full disk encryption is implemented on those devices.
- All access to the EC2 console must be via a 2FA enabled account.
- Production snapshots are not permitted to be loaded into development environments.
- Snapshots of the production database may be stored offline for backup purposes but must be encrypted before leaving the production environment.
The decryption keys for these backup files are not stored on a network connected machine.
Incident response
Contact information for relevant team members is to be available during non-business hours should an incident occur and escalation be required. This contact does not need to be a member of development staff but must be provided with an escalation contact within the development team.
Incident reports should be forwarded to development staff for initial assessment. Development staff should review monitoring, logs and the relevant application code. Development staff are authorised to suspend the service immediately if it is suspected that a possible incident is in progress.
Identified mitigations and testing
The results of the initial triage should be discussed with development. In the event that a confirmed vulnerability is identified this vulnerability must be patched before service may resume. Patches must go through the normal regression testing and deployment pipeline.
Mitigation and remediation timelines
Incident reports must be brought to the attention of development within 24 hours. An acknowledgement must be returned to the reporter within 1 working day of receipt. The results of initial triage and an expected resolution timeframe should follow as soon as possible, but within 24 hours of the initial acknowledgement in all cases.
Confirmed incidents must be reported to the affected clients. Those clients have the option of notifying their end users in accordance with their own policies. Confirmed incidents of unauthorised disclosure of personal data must be notified to the Information Commissioner's Office (ICO) within 1 week.
Secure disposal policy
Technology equipment often contains parts which cannot simply be thrown away. Proper disposal of equipment is both environmentally responsible and often required by law. In addition, hard drives, USB drives, CDROMs and other storage media contain various kinds of client and end user data, some of which is considered sensitive. In order to protect our clients' and end users' data, all storage media must be properly erased before being disposed of. For the avoidance of doubt, all company owned technology should be referred to the nominated member of development staff for disposal.
This policy applies to any computer/technology equipment or peripheral devices that are no longer needed within Contribly including, but not limited to, the following: personal computers, servers, hard drives, laptops, mainframes, smart phones, or handheld computers (i.e., Windows Mobile, iOS or Android based devices), peripherals (i.e., keyboards, mice, speakers), printers, scanners, typewriters, compact and floppy discs, portable storage devices (i.e. USB drives), backup tapes, printed materials.
- When technology assets have reached the end of their useful life they should be sent to the development team for assessment and proper disposal.
- The development team will securely erase all storage media in accordance with current industry best practices.
- All data, including all files and licensed software, shall be removed from equipment using disk sanitizing software that cleans the media by overwriting each and every disk sector of the machine with zero filled blocks, meeting Department of Defense standards.
- No computer equipment should be disposed of via skips, dumps, landfill etc.
- All electronic drives must be degaussed or overwritten with a commercially available disk cleaning program. Hard drives may also be removed and rendered unreadable (drilling, crushing or other demolition methods).
- The development team will place a sticker on the equipment case indicating the disk wipe has been performed. The sticker will include the date and the initials of the technician who performed the disk wipe.