We are working with external vendors to both assess the current state and put documentation, data transfer contracts, training and procedures in place as required. At Small Improvements, our policy is that our Security Lead leads the effort, but everyone at the company is responsible for Information Security.
We have security policies in place to address:
- Limiting access to data and admin accounts
- Guarding against attacks
- A protocol for responding to incidents (including a “drop everything” priority)
These security policies are reviewed yearly. We are currently working on developing a formal Information Security Program as part of our GDPR preparation.
- Recurring training is being developed as part of our GDPR prep.
- To ensure our information security policies are complied with, the development team has several safeguards in place to ensure high code quality, to minimize the risk of security vulnerabilities, and to spread security awareness among all developers.
- All non-trivial code is reviewed by at least one developer through the use of "pull requests". In addition to this, we have weekly developer exchange meetings, where code is shown to the whole development team and discussed from both a code quality and a security perspective. We also have bi-weekly security meetings, which are entirely focused on resolving any known security issues and discussing any improvements we can implement to keep our application secure.
We also have a HackerOne program that runs continuously, in which external security researchers identify and report issues. Employees that violate these policies and procedures are subject to standard disciplinary action, including the option to terminate the employment contract. In addition, we are developing a Code of Conduct as part of our GDPR preparation.
Access to our physical premises is restricted to employees. All machines and storage devices are encrypted. Our software and customer data are hosted on Google Cloud, so Google's security measures apply. When employees work remotely, VPN connections are used and firewall usage is mandatory.
- To guard against IT vulnerabilities, staff are responsible for keeping their own devices up to date. We communicate this during onboarding. In addition to this, we inform everyone about high-profile vulnerabilities using Slack. Our application and data are hosted on Google App Engine and Google Cloud. Google ensures that the infrastructure is kept secure, and that systems and media used for data storage are destroyed securely. See https://cloud.google.com/security/ for more information.
- Locally, we perform network security testing and require encryption of all storage devices and computers.
- To protect access to data we use 2FA where available. Our policy is to give as few people as possible access to admin accounts that can reach sensitive data, on a need-to-know basis. We revisit access levels regularly and choose the minimum levels possible. Accounts have unique IDs. All storage devices and computers need to be encrypted. No personal data is stored on local computers unless specifically required for troubleshooting a customer issue, and it is removed immediately afterwards.
On our servers we encrypt all sensitive textual content using AES-256 and hash passwords using bcrypt, with plans to upgrade encryption levels in 2018. In terms of external audits and review, we underwent a successful audit by Security Compass in 2017, use Google's security analysis, and are continuously under review in the HackerOne program.
While we do not have a formal Cyber Security Program, we do continuously assess risks across all areas of cyber security, as they are essential to our business success. Both a security breach (hacking our systems and stealing information) and a data protection breach (providing access to personal information that should be confidential) are our key security risks and are addressed with this priority.
- Training our staff happens in our internal developer exchange forum and by attending conferences. We're also developing onboarding material for staff as part of GDPR preparation.
- We have a cyber security incident response plan (IRP) in place that clearly defines the actions to be taken, how the incident is reported internally, and which events trigger its use, including their priority. Any report of a potential breach of security or exposure of private data is treated with a "drop everything" critical priority, and as a small company, everyone including our CEO is involved immediately.
- We aim to inform any company affected or at risk of being affected within 8h. We run postmortems on any incident, whether infrastructure or security related.
We have so far experienced no successful cyber attacks.
Business Continuity and Disaster Recovery
We host in Google's infrastructure, so Google's measures to protect continuity and recovery apply. Our data backups are stored in independent services and data centers, allowing for higher resilience.
Our take is that every single team is responsible for data protection, not just our Data Protection Officer. In the process of preparing for GDPR we’re extending our current policies and training protocols to create a formal Data Protection Program.
To ensure data is only accessible on a need-to-know basis, we have internal role-based permissions that restrict access to only those who need to access a given set of information. We review role and group membership of staff on an ongoing basis, and also each time we hire or off-board a person.
Access to functionality like large-scale exports within our tool is only available to existing users with the role of HR Admin, and must be made available manually by our Customer Success team.
Data Transfer and Hosting
As we are one legal entity, no intra-group transfers of data take place. We typically host data and our application on Google servers in the US, but can also host them in an EU data center if requested by the customer.
We work with Google Cloud for hosting, Intercom and Hubspot for CRM, Sendgrid for emails, and elastic.co for our activity stream. We make sure to share only the least amount of data needed to achieve essential business goals. For example, with Intercom we share only high-level admin and company data so we can communicate news effectively, and we share only names and email addresses with Mailchimp in order to send our newsletter.
We only work with highly respected vendors that have been in the business for years and have a good track record regarding outages, breaches and overall behaviour. Most vendors are working on their GDPR compliance too, but some are already sharing results.