Hardening Policy


Introduction


This document outlines the technical standards and procedures applied to the cloud and on-premise environments. The policies aim to uphold information security, adhering to organizational standards and external requirements.

 

Objectives


• To protect the data and information stored within the cloud and on-premise environment.
• To ensure the confidentiality, integrity, and availability of the data.
• To maintain standards and procedures that align with the information security management program requirements.
• To implement network segregation based on trust, sensitivity, and criticality.

 

Scope


This policy applies to all employees and systems within the cloud and on-premise environment. It is the responsibility of all employees to comply with this policy.

 

Standard


 

Cloud Service Provider


• The cloud and on-premise environment is owned and managed by the organization, with no third-party involvement.
• The environment is hosted in the European region only, and all other regions are disabled.
• Access to the cloud and on-premise environment is limited to authorized employees, whose accounts are subject to the cloud service provider's default password policy and MFA.
• Access to the cloud and on-premise environment is defined based on the "Account Management Standards/Procedures."

 

Access to Cloud Services


• Only authorized employees (IT, information security team representatives, and management) are allowed access to the cloud and on-premise environment.
• Their accounts must have the cloud service provider's default password policy and MFA applied.
• Their accounts must clearly relate to their names and surnames.
• Access is defined based on the "Account Management Standards/Procedures."
• When token-based access is required, tokens must be rotated every 180 days.

 

Cloud Infrastructure Standards


• All computing is done on cloud and on-premise instances using Ubuntu.
• Ubuntu servers are reviewed and updated regularly.
• Updates are automatically monitored every week using Apticron notifications.
• All servers have two volumes, one for data (encrypted) and one for the OS.
• Strong password policies are enforced on all servers.
• All changes on the servers are subject to Change Management.
• All servers are limited in terms of what can connect to them using security groups.
• SSH access to these servers is done through a bastion server only.

 

Network Security Standards


• A single dedicated VPC is used for production and development environments.
• All HTTP/HTTPS services must be exposed through a cloud service provider's application load balancer and WAF.
• SSH access to the cloud environment is limited to the bastion server, and only specific IP addresses, defined by administrators on Slack, are allowed to connect to it.
• Identify and implement necessary security measures for network services, including security features and service levels.
• Ensure that internal and external network service providers implement the agreed security measures. Regularly monitor their ability to manage services securely.
• Establish the right to audit network service providers, ensuring adherence to security requirements.
• Consider attestations from service providers demonstrating appropriate security measures.
• Formulate and implement rules on the use of networks and network services, covering:
    • Allowed networks and services.
    • Authentication requirements for network services.
    • Authorization procedures for network and service access.
    • Network management and technological controls for protecting network connections and services.
    • Means of access (e.g., VPN, wireless networks).
    • User attributes like time and location during access.
    • Monitoring usage of network services.
• Evaluate technology for network service security, including authentication, encryption, and network connection controls. Assess technical parameters for secured connections and caching parameters in line with performance and confidentiality requirements.
• Implement procedures to restrict access to network services or applications where necessary.
• Segregate network domains based on levels of trust, sensitivity, and criticality. This includes creating separate network segments for different organizational units or functions.
• Use physical or logical network separation techniques to enhance security within these domains.
• Control inter-domain communication through secure gateways, such as firewalls or filtering routers, based on a detailed assessment of each domain’s security requirements.
• Special measures for wireless networks: Adjust radio coverage for segregation and treat all wireless access as external connections until they pass through a secured gateway.
• Segregate wireless network access for guests from the internal networks, ensuring the guest Wi-Fi complies with organizational security policies and has restrictions at least as stringent as those for personnel Wi-Fi.
• Confirm devices are not susceptible to any known exploits for those protocols, maintaining and verifying documentation (e.g., vendor documentation, system/network configuration details). This extends to ensuring immediate updates in response to new vulnerabilities to maintain POS POI terminal security.
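
The bastion-only SSH rule stated in the Cloud Infrastructure and Network Security standards above can be checked automatically against exported security-group rules. The following is an added example, not part of the original policy; it assumes rules shaped like AWS EC2 `describe-security-groups` output, IPv4 ranges only, and uses constructed group ids and addresses.

```python
import ipaddress

# Constructed sample input, shaped like the "SecurityGroups" list from AWS EC2
# describe-security-groups. All ids and addresses below are invented.
BASTION_SG = "sg-bastion"          # assumed id of the bastion's security group
ADMIN_CIDRS = ["203.0.113.10/32"]  # assumed administrator allow-list

def rule(proto, lo, hi, cidrs=(), groups=()):
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}

SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion", "IpPermissions": [rule("tcp", 22, 22, ["203.0.113.10/32"])]},
    {"GroupId": "sg-app", "IpPermissions": [rule("tcp", 22, 22, groups=["sg-bastion"])]},
    {"GroupId": "sg-legacy", "IpPermissions": [rule("tcp", 0, 1024, ["0.0.0.0/0"])]},
    {"GroupId": "sg-batch", "IpPermissions": [rule("-1", -1, -1, ["10.0.0.0/16"])]},
]

def covers_ssh(perm):
    """True if the rule admits TCP/22: exact port, a wider range, or all protocols."""
    if perm["IpProtocol"] == "-1":
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= 22 <= perm["ToPort"]

def cidr_allowed(cidr, allowed):
    """True if cidr lies entirely inside one of the allow-listed IPv4 networks."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(ipaddress.ip_network(a)) for a in allowed)

def audit_ssh(groups, bastion_sg=BASTION_SG, admin_cidrs=ADMIN_CIDRS):
    """Return (group, source) pairs that let SSH in from outside the policy."""
    findings = []
    for g in groups:
        is_bastion = g["GroupId"] == bastion_sg
        for perm in filter(covers_ssh, g["IpPermissions"]):
            for r in perm["IpRanges"]:
                # Only the bastion may take SSH from address ranges, and only
                # from the administrator allow-list.
                if not (is_bastion and cidr_allowed(r["CidrIp"], admin_cidrs)):
                    findings.append((g["GroupId"], r["CidrIp"]))
            for p in perm["UserIdGroupPairs"]:
                # Every other server may take SSH only from the bastion's group.
                if is_bastion or p["GroupId"] != bastion_sg:
                    findings.append((g["GroupId"], p["GroupId"]))
    return findings

if __name__ == "__main__":
    for group, source in audit_ssh(SAMPLE_GROUPS):
        print(f"VIOLATION {group}: SSH reachable from {source}")
```

The wide port range on `sg-legacy` and the all-protocol rule on `sg-batch` are both reported, which a check that only matches port 22 exactly would miss.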

 

Database Security Standards


• All production databases must run on RDS in the selected region.
• Drives are encrypted using the cloud service provider's native encryption.
• MySQL is used as the database engine.
• Every database has a dedicated username and password.
• The database is backed up every day, and a 15-day retention policy is maintained.

 

Cryptographic Key Management


• The cryptographic keys used for encryption within the cloud environment are managed using the cloud service provider's Key Management Service (KMS).
• The keys are stored securely and are only accessible by authorized personnel.

 

Cryptographic Control and Encryption


• All data stored within the cloud and on-premise environments is encrypted using AES-256 encryption.
• The encryption of data in transit and at rest is managed and controlled through the cloud service provider's security protocols and standards.

 

Patch Management


• All systems and applications within the cloud environment are subject to regular patch management procedures on a monthly cycle.
• Patches are applied to address security vulnerabilities and maintain system stability.
• A schedule for the implementation of patches is established and adhered to.

 

Vulnerabilities Management


• Regular Vulnerability Scanning: All systems, applications, and databases within the cloud environment are subject to regular vulnerability scanning procedures to identify and assess security risks.
• Vulnerability Assessment Tools: Vulnerability scanning will utilize industry-standard tools and methodologies to ensure a comprehensive assessment.
• Response to Identified Vulnerabilities: Once vulnerabilities are identified, a remediation plan will be developed, and relevant patches or configurations will be applied within a set timeframe. High-risk vulnerabilities will receive immediate attention.

 

Penetration Testing


• Regular Penetration Testing: To assess the resilience of the systems and applications, penetration tests will be conducted annually or after significant changes to the environment.
• Penetration Testing Methodology: Tests will follow recognized industry standards and methodologies, performed by certified personnel or third-party vendors.
• Response to Penetration Test Findings: Findings will be documented, and a remediation plan will be established to address identified gaps. Management will be informed of critical findings promptly.

 

Digital Operational Resilience Testing Programme


Our organization has established, maintains, and regularly reviews a comprehensive digital operational resilience testing programme as an integral part of our ICT risk management framework. This programme includes a variety of assessments, tests, methodologies, practices, and tools, ensuring compliance with relevant regulations.

We follow a risk-based approach, taking into account evolving ICT risks, specific threats, the criticality of information assets, and other relevant factors. All tests are conducted by independent parties, whether internal or external, to maintain objectivity and thoroughness.

To prioritize, classify, and address issues identified during tests, we have established detailed procedures and policies. These ensure that all weaknesses, deficiencies, or gaps are promptly and fully addressed. All critical ICT systems and applications undergo annual testing to maintain robust security and operational resilience.
 

Scope of Digital Operational Resilience Testing


Our testing programme encompasses a full range of appropriate tests, including but not limited to:

• Vulnerability assessments and scans
• Open source analyses
• Network security assessments
• Gap analyses
• Physical security reviews
• Questionnaires and scanning software solutions
• Source code reviews
• Scenario-based tests
• Compatibility testing
• Performance testing
• End-to-end testing
• Penetration testing

We conduct vulnerability assessments before deploying or redeploying services that support critical functions, ensuring that all potential weaknesses are addressed proactively.

Advanced Threat-Led Penetration Testing


We conduct advanced testing through threat-led penetration testing at least every three years. These tests cover critical functions and services using live production systems. The scope of each test, based on our critical functions and services, is validated by competent authorities. We identify all relevant underlying ICT processes, systems, and technologies, including those outsourced, to ensure comprehensive testing.

Effective risk management controls are applied to mitigate risks to data, assets, and critical services. After each test, we provide documentation to competent authorities, confirming compliance with requirements for validation and attestation.

Criteria for Testers


We ensure that only highly suitable and reputable testers, certified by an accreditation body in a Member State or adhering to formal ethical frameworks, are used for our testing. External testers provide independent assurance or audit reports and hold relevant professional indemnity insurance. Agreements with external testers include provisions for the sound management of testing results, ensuring no risks to our organization.

 

Data Leakage Prevention


• Implement measures to identify and classify sensitive information (e.g., personal data, proprietary information) across the cloud and on-premise environments to protect against unauthorized leakage.
• Monitor potential channels of data leakage, such as email, file transfers, mobile devices, and portable storage devices, to detect and prevent unauthorized data dissemination.
• Employ data leakage prevention tools to:
    • Identify and monitor sensitive information at risk.
    • Detect the disclosure of sensitive information.
    • Block actions or transmissions that risk exposing sensitive data.
• Evaluate and, where necessary, restrict user abilities to copy, paste, and upload data to external services. This includes considering the configuration of tools to allow remote viewing and manipulation of data while preventing external data transfer.
• If data export is necessary, implement procedures for data owners to approve the export and hold users accountable for their actions.
• Address the risk of data leakage via screenshots or photographs through terms and conditions of use, training, and auditing.
• Ensure sensitive information in backups is protected with encryption, access control, and physical security measures.

 

Threat Intelligence


The organization actively engages in the collection, analysis, and sharing of threat intelligence from various sources such as GitHub feedback, Ubuntu patch updates, and TechTarget to identify and understand potential cyber threats and vulnerabilities that may impact information security and to make informed decisions to protect assets, data, and services.

 

Monitoring and Review


• Regular audits for compliance with the policy.
• Periodic reviews of access controls and permissions.
• Monitoring of system logs and security events for anomalies.
• Regular vulnerability assessments and penetration testing.
• Review of the policy in response to changes in the environment or security threats.
• The information security team oversees the process and ensures relevant personnel are trained. Issues or violations should be reported to the information security team immediately. The process will be reviewed and updated as necessary to protect information security.
