Information security protects information from a wide range of threats in order to minimise business damage, ensure business continuity and maximise return on investments and business opportunities. Evercam is committed to safeguarding the confidentiality, integrity and availability of all physical and electronic information assets and ensuring all legal, regulatory and contractual requirements are fulfilled in doing so. Information held by Evercam includes (in paper and electronic form) information on customers, investments, financial transactions and employee information.
Information Security is vital to the long-term survival of Evercam, safeguarding our information assets ensures:
The information security objectives of Evercam are to;
Evercam is committed to managing information security to the highest possible standards in order to safeguard the confidentiality, integrity and availability of information.
The management of Evercam will at all times support the goals and principles of information security while striving to deliver the business objectives.
Every user of Evercam’s information systems shall comply with this information security policy. Violation of this policy and of relevant security requirements will therefore constitute a breach of trust between the user and Evercam, and may have consequences for employment or contractual relationships.
All contracts with service providers will clearly state Evercam’s information security needs and requirements and this schedule of requirements will be maintained. Responsibility for information security will be clear and reflected in all individual job descriptions.
Evercam will ensure that the necessary resources are made available to those accountable and responsible for information security.
Evercam will also ensure that the necessary competence is acquired by training and education or the hiring or contracting of competent persons.
Evercam will conduct internal audits at planned intervals to verify that it is conforming to its own policy and requirements. Evercam is committed to the continual improvement of its information security practices.
This policy will be reviewed and updated as required on an at least annual basis or in the event of a significant change of circumstances.
To ensure that information security is addressed in all key activities of Evercam the following framework will be used in setting control objectives and in assessing compliance with the information security goals of Evercam.
The CEO will act as or appoint the “Information Security Officer” who is accountable for ensuring information security is managed across all activities. The information security officer shall;
In order to reduce the risks of human error, theft, fraud or misuse of facilities information security controls will be put in place that include the following;
Evercam maintains information assets to provide services to customers and to operate its business effectively. These information assets are classified, and access to all assets is managed to support the classification level.
Classifying information assets gives the people who deal with information guidance on how to handle, secure and protect it. Appropriate controls can be applied to information assets, once they have been classified, and access controls can be applied that reflect the classification
Evercam will identify all organisational assets and define appropriate protection responsibilities.
A register of assets associated with information and information processing facilities is maintained. All assets are listed under the following asset types:
Each asset is classified according to the classification criteria. The asset register and classification criteria are reviewed every 6 months and updated appropriately.
A business manager, listed against each asset, has approved management responsibility responsible for the asset, including the accuracy and completeness of the item, as listed in the inventory.
The asset owner should:
Rules for the acceptable use of information and assets associated with information have been defined and documented in the Evercam Acceptable Use Policy (AUP).
All employees and external party users should return all of the organisational assets in their possession upon termination of their employment, contract or agreement.
The owner assigned to each asset is accountable for the information classification of the asset. The classification should reflect the value of the asset, and the sensitivity and importance to Evercam.
Hardware information assets, including desktop systems, laptops, and mobile devices, will also be classified, based on the type of data hosted on the device.
To ensure that these information assets receive an appropriate level of protection the following classification shall apply:
All information, including publicly available information, will be treated as confidential within the Evercam environment.
Where it is reasonable to do so, information assets will be tagged with the classification level they have been assigned. Where it is not feasible to tag information assets, they will remain untagged and assumed to have a classification level of confidential.
Information assets may be paper based or stored electronically. Hardware assets include desktops, laptops and other mobile devices.
Paper based information assets
Paper based assets are stored in locked filing cabinets, in secured locations, with access controlled by management. All paper-based assets are classified as confidential.
Information assets stored electronically
Most information assets are stored electronically on various media. Access to these assets is managed by credential-based access and Public Key Infrastructure (PKI), depending on the asset classification.
Assets classified as Confidential
Access to assets classified as confidential is via authenticated username/password credential pair. Usernames and passwords are managed with appropriate policies.
Confidential assets, accessible by credential pair, may be stored on the following media:
Assets classified as Customer Confidential
Information assets, owned by customers, and hosted by Evercam for provision of service, are managed in a dedicated security domain, and restricted to operations users. Access is via PKI, with each user assigned dedicated key pairs.
Assets classified as Customer Confidential, accessible by PKI, may be stored on the following media:
The operations teams are responsible for maintaining the hardware asset register. When a new hardware item is received by the company, the operations team will update the asset register with details of the item and assign an owner.
The asset owner is responsible for the classification of the device, and will take into account the classification of any data hosted on the device. For clarity all hardware devices will have a default classification of Confidential.
Access to removable media is blocked by policy on all user workstations. Temporary exceptions to the policy can be granted on request to the security manager.
Access to information should be controlled on the basis of security requirements. Accordingly the following requirements apply;
Access to information and information facilities is controlled and limited appropriately.
Asset owners are responsible for approving access to the information asset under their control. Access requests are assessed by the asset owner and if approved, access is scheduled using the Evercam change management process. Once a change request is approved the operations team will configure the asset for the required level of access.
Access to all information assets, including user accounts, assigned privileges and rights are reviewed quarterly and any resulting changes, such as account suspension and withdrawal of privileges, are tracked via the change management process.
Accounts for users accessing data classified as Confidential will not be configured with elevated rights or privileges. Use of elevated rights will be restricted to accounts for operations users.
Accounts for users accessing data classified as Customer Confidential will not be configured with elevated rights by default. Users will be able to assume the role of an admin user, and when doing so the event will be recorded in an audit log.
Where possible access to systems should be role based and controlled by managing assignment of appropriate roles and rights to the Evercam domain account for the user. Legacy applications may not support this and user access to legacy applications and systems may require administration of new system-specific user records.
Access to Evercam’s internal business systems and information assets is provided by the core network. Access to the core services network is restricted to the following:
Guest WiFi, available on a logically separate network with authentication, provides internet connectivity for non-corporate devices, with no access to the core network services.
Access to Evercam’s customer-facing services and assets is provided by cloud-based network and network services in various cloud providers. Access is restricted to the operations and infrastructure teams.
Access to all network services is managed via change control. A change request is raised for any network access requests. The required access can be configured by the operations team on receipts of a change request approved by CAB.
Measures are in place to ensure that authorised users have appropriate access, and to prevent unauthorised access to systems and services.
The primary authentication for users is their Evercam Zoho account.
The internal Change Management process is used to track and manage user account creation, modification, and deletion. Change requests, approved by CAB, are required to add, modify, or remove user records.
All new user accounts are created on Zoho with a generic password and configured to enforce a password change at first logon.
Naming standards are in place to ensure the consistent allocation of unique User ID’s.
The internal Change Management process is used to track and manage access provisioning for all users. Requests for access to a system or service are sent to the asset owner, who will raise a change request. When approved by CAB, the operations team will action the access request and configure the user for access to the system or service.
Elevated rights should not be granted to general users. Role based access control should be used where possible, to grant the minimum required rights for the user to carry out any required tasks.
Elevated rights are generally confined to the operations team to provide access consistent with user creation and management. Where possible operations users should access systems with normal user access and temporarily gain privileged access to complete the required administration task.
Where elevated rights are required by a user the assignment and removal of rights is managed via the change control procedure and implemented following approval of an approved change request.
When elevated rights are invoked by a user the use should be recorded against an identifiable user. The use of generic login ID’s in general, and their use for operations requiring elevated rights, is to be avoided where possible.
Credentials for generic user and administration accounts are managed to maintain the security of such credentials.
Users are required to sign a standard Non-Disclosure Agreement (NDA) which includes clauses requiring users to keep personal secret authentication information confidential and to keep shared secret authentication information within the members of the group.
Access to data classified as customer confidential is managed using Public Key Infrastructure (PKI). Each user is assigned 2 private/public key pairs, with 1 pair used for secure shell access to bastion servers, and the other pair used for secure shell access from the bastion server to internal endpoints. Users are responsible for managing and securing the private keys appropriately. Access is controlled by system administrators through appropriate installation of the public keys for these 2 key pairs.
Users’ access rights, including privileged access, are reviewed by asset owners at least on a quarterly basis and are updated appropriately. All access rights updates are tracked via the standard change control process.
Users’ access rights are reviewed by asset owners following any personnel changes. Access is removed for users leaving the organisation and are updated appropriately as users change job function. All access rights are tracked via the standard change control process.
Users are accountable for safeguarding their authentication information
Users are required to follow Evercam’s practices for the use of secret authentication information.
Users are required to:
Measures are in place to prevent unauthorised access to systems and applications.
Access to information and application system functions are restricted in accordance with the access control policy.
The Confidential classification is the default classification level for internal Evercam information. To access information at this level authentication against the Evercam Zoho account is required.
Access to individual information assets at the same classification is managed independently. Users may therefore need to authenticate again against individual applications and assets at the same classification level.
Strong authentication and identity verification is required for access to Customer Confidential data. Access to information assets classified as Customer Confidential is managed using PKI key pairs. Assets with this classification are maintained in a separate security domain and access is restricted to operations personnel.
Many cloud service providers require the use of an admin level account, which is used to administer the service. It is acceptable to use generic login name (i.e. not a named individual) for this purpose, provided:
Many network devices have root level credentials used for device setup and management. It is acceptable to use generic login name (i.e. not a named individual) for this purpose, provided:
Where required by the access control policy, access to systems and applications should be controlled by a secure log-on procedure.
Multiple user accounts may be required to provide the required access across multiple applications for a user. Where a user is required to interactively authenticate against an application or system the logon process should follow these guidelines as far as possible:
The primary authentication platform, Evercam’s Zoho account, is configured to enforce Evercam’s password complexity requirements.
Secondary authentication platforms should comply as far as possible with these complexity requirements. Secondary authentication platforms include:
Passwords will have a minimum length of 10 characters, and a maximum length of 256 characters.
Each password shall have 3 out of the following character types:
Where possible the same complexity requirements should be applied to user and admin account passwords being managed on other platforms, including:
Password history is maintained, and users are prohibited from re-using previous passwords.
Passwords are not currently set to expire as complexity rules should be sufficient.
New passwords are checked against a global banned password list, and prohibited if matched.
Guidelines for users when selecting a password
Users should not base their password on obvious or easily guessable information, such as the following:
The use of utility programs that may be capable of changing or overriding system and application security control is restricted and subject to change control.
Access to program source code is restricted and managed appropriately. The following measures are in place to manage access to program source code:
In order to ensure adequate protection of data, data in flight and at rest will be appropriately encrypted. Any applied cryptography will be appropriate to the classification of the data, and the source and destination of any data in-flight.
Information security must also be extended to physical protection, to prevent unauthorised access, damage or interference to systems and information. Accordingly the following controls apply;
To ensure the correct and secure operation of information processing facilities certain processes and procedures need to be in place, these include;
Networks must be structured and managed to ensure the security of information assets and applications. Any transfer of data to 3rd parties must be monitored, logged, and take place under a formal agreement. The following controls will be implemented for internal and outsourced networks:
Measures are in place to ensure the protection of information in Evercam’s networks and supporting information processing facilities.
Measures are in place to ensure the protection of information in networks, and its supporting information processing facilities.
Networks are managed and controlled to protect information within systems and applications, and controls are in place to ensure appropriate levels of protection.
The operations team are responsible for the operation of all on-premises network equipment, and networks hosted by 3rd party suppliers.
All changes to on-premises network equipment and 3rd party hosted networks, are subject to change control and can only be implemented following approval from CAB.
All data transferred between Evercam’s internal networks and cloud service providers and other 3rd parties is encrypted during transfer.
Certificate based authentication is used to verify the identity of all service-providing endpoints.
Network devices, servers and user endpoints are configured to log critical network activity for forensic analysis purposes.
Alerting systems, dashboards and event reporting provide information on network performance to the management team, who work to optimise the service to customers and end-users.
The management team, through the change control process, reviews and approves all proposed changes to the physical and logical network systems. This ensures a consistent approach to the implementation of controls across the information processing infrastructure.
Laptop systems, tablets and phones connecting remotely require multi-factor authentication (MFA) to connect to services.
PKI certificates are used on all servers to verify the identity of the server to any connecting endpoint.
Network devices are authenticated using credential-based access.
Physical access to the corporate network is restricted to devices physically located in Evercam’s offices, connecting over an ethernet connection.
Connectivity is also supported over corporate WiFi and restricted to known endpoints, whose MAC addresses are whitelisted.
Access to the corporate network is also provided to users outside the physical premises using a Virtual Private Network (VPC) connection.
Network service agreements have been compiled, detailing management, technical and service requirements for all network services. These agreements are in force for internal teams and external 3rd party suppliers.
The corporate network is segregated into an internal network zone, accessible by physical or WiFI connection, and a visitor zone, accessible via WiFi only. The corporate zone provides access to all corporate services, and the visitor zone provides internet connectivity only.
Networks hosting customer-facing services are segregated into test, operations, and production zones. Whitelisting of traffic on selected ports allows servers in the operations zone to collect log and monitoring information, and to provide other operations services. There is no connectivity between test and production zones.
Measures are in place to maintain the security of information transferred within Evercam, and between Evercam and any external 3rd party.
The Evercam Acceptable Usage Policy (UAP) provides for the transfer of data using cryptographic and authentication controls to ensure the confidentiality and integrity of the transferred data.
Information asset owners will identify any requirements additional to those in the Acceptable Usage Policy. Additional policies will be maintained to support these requirements.
Security measures have been implemented to protect the availability, confidentiality, and integrity of electronic messaging services. These include but are not limited to:
Prior to the transfer of information with external organisations, a formal and appropriate SLA with an adequate level of security controls shall be defined. This agreement shall cover, but not be limited to:
Requirements relating to confidentiality and non-disclosure commitments for Evercam personnel and contractors shall be identified and regularly reviewed. As such Evercam shall:
Confidentiality and non-disclosure commitments shall consider legally enforceable terms to address the requirement to protect Evercam’s assets.
To ensure the required level of information security during the development and procurement cycle the following controls will be put in place:
Controls are implemented to ensure that information security is an integral part of information systems across the entire lifecycle. This includes systems developed internally and systems and services procured from 3rd party suppliers.
Information security requirements will be identified for all information systems early in the procurement or development process as appropriate. Requirements will be identified through a risk analysis on the information involved. Other inputs used to identify requirements include:
The information security requirements will be formally documented and approved by all stakeholders.
Product and service procurement processes will include a formal assessment against the documented information security requirements. Where the product or service does not meet a requirement, the risk will be assessed prior to procurement.
Information in application services traversing public networks should be protected from fraudulent activity, contract dispute and unauthorised disclosure and modification.
To provide this level of security all applications with interfaces for collecting storing and processing information will comply with the following:
Any non-compliance will require a risk analysis of the relevant information system, and identification of mitigating controls and procedures. Applications or services may apply additional security measures, depending on the risk assessment of the information assets.
Information involved in application service transactions should be protected to prevent incomplete transmission, misrouting, unauthorised message alteration, unauthorised disclosure, unauthorised message duplication or replay.
To provide this level of security the following controls are considered for all applications with interfaces for collecting storing and processing information:
Dual diverse firewall layers control network traffic based on predetermined security rules. Access to endpoints or network protocols can be managed based on content of the network packet.
The ability to uniquely identify users and processes that are attempting to access the system or its data. Supported authentication methods include credentials, PKI keys, access tokens and secret keys.
Features to allow only appropriate access to data, based on its sensitivity and who should have access to it.
Auditing and logging
The ability to record attempts to access system information, and other events relevant to securing the asset or service. Logging is provided as an infrastructure service, independent of the application or service. Consolidation of log data to a central repository is available, aligned with data retention standards and processes.
Data communications between different system components, such as web servers, API and databases, is encrypted. This is provided independently of the application or service, using PKI keys and cryptography.
A structured network environment allowing segregation, with API, databases, and other storage components hosted in isolated network layers and not exposed to the public internet.
Integrated PKI management
Repeatable, secured procedures are used to manage all Public Key Infrastructure (PKI) keys, certificates and components independent of the application or service.
Options to deploy applications or components in tier 1, tier 2 or tier 3 data centres with corresponding levels of resilience against outages due to single points of failure.
Information security is designed and implemented within the development lifecycle of information systems.
Rules for the development of software and systems have been established and applied to projects developing applications with interfaces for collecting, storing and processing information. Projects are managed by Evercam and resourced using local development teams or 3rd party companies or contractors.
The development environment is isolated from production and pre-production test environments. Development servers and environments are permitted to run a less restrictive security configuration than production, they should be aligned with production when practical to do so.
When releasing software components from the development environments, only the updated component, along with any libraries and other dependencies, will be transferred to code repository development branches.
Prior to release into the pre-production test environment all code is subject to a code review to ensure the code conforms to standard coding techniques and security standards.
The specification for development of the application component will contain any relevant security requirements derived from the information security specification approved by stakeholders during project initiation.
Security checkpoints are integrated into all project plans as a milestone, to ensure that all requirements are satisfied. Additional project milestones may be required to formally establish test criteria to ensure all security requirements are tested and verified.
All software is stored in a secured code repository, which acts as a single source of truth for all software developed internally. Processes are in place to manage software releases to the repository, and to deploy software to test and production environments.
New and updated modules are uploaded to a separate repository branch on release from development. This branch acts as the repository source for the modules as they are installed in the pre-production test environment
Operational and application changes occurring within the development lifecycle are controlled using Evercam’s formal change control procedures. Key features of the change process include:
When operating platforms are changed, business critical applications are reviewed and tested to ensure there is no adverse impact on organisational operations or security.
Proposed changes are first deployed to a pre-production test environment for integration testing against operational platforms. The environment is subject to a standard battery of test scripts, along with any functional tests required to exercise new functionality.
Following successful testing in the pre-production environment a change request is raised. When approved the deployment to production is scheduled, implemented, and tested.
Modifications to vendor supplied software packages are discouraged, limited to necessary changes and all changes should be strictly controlled.
Principles for engineering secure systems are established, documented, maintained
and applied to any information system implementation efforts.
Establish a sound security policy as a foundation for design
The security policy encapsulates Evercam’s basic commitment to information security formulated as a general policy statement. The policy identifies objectives for confidentiality, integrity, availability of information assets. These objectives guide the procedures, standards and controls used in the design of security architecture for application and infrastructure.
Treat security as an integral part of the overall system design.
It is difficult and costly to implement security measures successfully after a system has been developed and should be integrated fully into the system life-cycle process.
Assume that external systems are insecure.
An external domain is one that is not under Evercam’s direct control. It should be assumed that security measures of an external system are different from those of a trusted internal system and security measures designed accordingly.
Protect information while being processed, in transit, and in storage.
Security measures should be implemented to protect the integrity, confidentiality, and availability of information assets while the information is being processed, in transit, and in storage.
Protect against all likely threat types
Any threat type that results in unacceptable risk needs to be mitigated. Examples of threat types are: Passive monitoring, active network attacks, exploitation by insiders, attacks requiring physical access or proximity, and the insertion of backdoors and malicious code during software development and deployment.
Where possible, base security on open standards
Modern systems are highly distributed. For security measures to be effective in environments where information is distributed across multiple providers, they need to be portable and interoperate with different vendor platforms.
Implement layered security
Security designs should consider a layered approach to protect against a specific threat, to mitigate against single points of vulnerability.
Use unique identities to ensure accountability.
Unique identities should be assigned to all users and processes, to support access control decisions, user accountability, and provide for non-repudiation.
Implement least privilege
Limit system access to provide no more authorisations than necessary to perform required functions.
Evercam has established and appropriately protected secure development environments for system development and integration efforts that cover the entire system development lifecycle.
The development environments are maintained in approved Virtual Private Compute (VPC) cloud services providers.
Only approved development staff have access to the development environments.
Production data is not available in development environments.
Formal code reviews are conducted as part of the release process from development to integration testing environments.
Development code repositories are maintained independently of the current production code base.
Code release consists of developed modules and any dependent system libraries only.
Integration test environments
Pre-production test environments are maintained as a full replica of, and subject to the same security measures as the production environments.
Following the release from development the codebase is updated on the deployment systems from the updated development repository. The release is deployed to the pre-production test environment via a formal deployment process.
Evercam supervise and monitors the activity of outsourced system development.
A small amount of development work is outsourced on an ad-hoc basis to service requirements for skill sets not available in house. External developments are subject to the same release process as internal developments.
Testing of security functionality is carried out during development.
Initial testing of security features takes place in the development environment where custom tests are performed to exercise the required functionality and verify results.
Security features are again tested in the integration test environment following deployment of the release from development. A standard set of tests is performed, along with custom tests to verify the required security functionality.
Acceptance testing programs and related criteria are established for new information systems, upgrades and new versions.
Acceptance testing takes place in the integration test environment following deployment of the release from development. A standard set of tests is performed, along with custom tests to verify the required application functionality.
Test data is selected carefully, protected and controlled.A permanent set of test data is maintained in the pre-production test environment. This data is a full set of pseudo-customer data, available in a replica of the production environment.
Some IT services are provided by third party service providers. Information security employed must be of a standard that equals or is higher than that provided internally. The following controls will be put in place for all IT services that are provided by third parties;
To minimise exposure as a result of a security incident, an Incident Management plan exists to guide the initial response. The plan includes the following;
Business Continuity management plans are to be put in place to counteract disruptions to business activities and to protect critical processes and systems from the effects of major failures and disasters. The plans should address the following items;
A key objective of information security management is to avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligation. Accordingly the following controls will be implemented and monitored;
Mobile devices such as laptops, tablets and smartphones are a potential means of intrusion into the network and also data leakage from Evercam. Accordingly robust controls will be put in place to protect Evercam from both these threats including the following;
Information Security performance will be measured by a combination of;
Managers, at all levels, are required to create an environment where the management of information security is accepted as the personal responsibility of all employees, and contractors. The Managers are accountable for the implementation and maintenance of sound processes within their area of responsibility in conformity with this information security policy.
The Information Security Officer is responsible for the provision of advice and service assistance to all areas on information security matters.
The Information Security Officer is also responsible for reporting to the Board on a quarterly basis regarding information security performance relative to objectives, the status of any planned activities and on any incidents that may have occurred.
The quarterly report will be reviewed by the General Manager in terms of endorsing the actions undertaken or proposed, and by the Board in terms of the appropriateness of actions and compliance with the Information Security Policy.
The training manager is responsible for the development and provision of sufficient information security awareness training as well as specific training and education on information security threats, both existing and emerging. Training and education is to address the needs of all directors and employees including senior management.
This policy will be reviewed by the Board of Directors on an (at least) annual basis taking any information security incidents into account and feedback from personnel. Any revisions to the policy will be communicated to all personnel and third party service providers.