Data and Information Management Policy

April 15, 2021: version 0.1 

PURPOSE 

The purpose of this policy is to set out requirements for the design and operation of robust Information Technology systems to support KI Design services. It is also designed to provide rules, direction, and support for KI Design security personnel, in accordance with business requirements and relevant laws and regulations.  

This policy covers three discrete areas: 

  • Information Technology 
  • Data Retention and Disposal 
  • Security 

INFORMATION TECHNOLOGY 

SCOPE 

This policy applies to all associates who have access to KI Design assets: including, but not limited to, data/information, hardware (e.g., computer equipment, computer networks) and software (e.g., operating systems, application software, telephone systems, videoconferencing systems, wireless mobile assets, and storage media) whether on-site or from remote locations.  

DEFINITIONS 

  • BaaS: Backend as a Service.  
  • Cloud computing: Enables ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. 
  • Cloud Service Provider: Provides cloud services, including but not limited to software, hardware, and licencing, based on any of the models listed here: SaaS, IaaS, DaaS, BaaS,   and ITMaaS.    
  • DaaS: Desktop as a Service.  
  • Hosted software: A third-party manages and operates software on behalf of KI Design off-premises, within privately-owned data centres. 
  • IaaS: Infrastructure as a Service.  
  • ITMaaS: Information Technology Management as a Service. 
  • KI Design assets: All physical assets (such as buildings, computers, mobile devices) or virtual assets (such as software, databases, data, computing logic, and cloud applications). 
  • Managed Software: A third party manages and operates software on behalf of KI Design on-premises, within KI Design-owned data centres. 
  • PaaS: Platform as a Service.  
  • Protected data: Any personal information, as defined by applicable Canadian privacy legislation, is included in this term. 
  • PSR: The KI Design Privacy, Security, & Risk team, consisting of the Privacy and Security Officers. 
  • SaaS: Software as a Service is a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted.  
  • Service Provider: Service providers manage, develop, or maintain systems, data, or bricks-and-mortar services.  
  • Users: Associates who have access to KI Design resources. 

HUMAN RESOURCES 

  • The information security responsibilities of all users with access to KI Design systems must be clearly defined. Associate functions and roles that may not be appropriate candidates for a BYOD program should be clearly specified. 
  • Roles must be documented according to job functions and segregation of duties. 
  • Third parties must only be given access privileges to IT assets upon approval by the director. These access privileges must be enabled only for the time period required to accomplish approved tasks and then promptly disabled upon completion of the approved tasks. 

ROLES AND RESPONSIBILITIES 

  • KI Design must enforce separation of job duties, require commercially reasonable non-disclosure agreements, and limit associate knowledge of KI Design’s data to that which is absolutely needed to perform work duties. 
  • User access privileges must be assigned in accordance with the principle of least privilege (i.e., only the minimum privileges necessary to complete required tasks must be assigned to an individual). 

CHANGE AND CHANGE MANAGEMENT 

  • The IT team must give 5 days’ advance notice to application users prior to any major upgrade or system changes that the IT team will be performing.  
  • Access to KI Design Information technology resources must be controlled to ensure that: 
  • All requests for creation, modification, and/or deletion of user accounts must be authorized by a director as per documented security requirements;  
  • Expired user account/ID must not be assigned to new users (to prevent expired privileges being provided to users who do not require them);  
  • Upon termination of an associate, user access privileges must immediately be revoked (i.e., deactivated or removed) by KI Design system administrators;  
  • User access privileges must be re-evaluated by the IT lead on a regular basis to determine whether currently-enabled system privileges are needed to perform the associate’s job duties; and  
  • A log of all requests for access must be maintained. 
  • To manage user access, an automated access control system must be implemented and maintained.  The system must be configured to “deny all” unless specifically allowed and  restrict access based on a user’s credentials. 
  • Access must be granted only after identification, authentication, and authorization procedures are complete.  

DATA MANAGEMENT 

  • Data which either belongs to or is intended for the use of KI Design associates can under no circumstances be copied, disclosed, or retained for subsequent use in any transaction that does not include KI Design. 
  • Third party service providers must not use any data collected from KI Design in connection with the services performed for any other purpose other than fulfilling the service. 

DATA PROTECTION 

  • Protection of personal privacy and sensitive data must be an integral part of the organizational activities of KI Design to ensure that there is no inappropriate or unauthorized use of Ki Design’s data at any time. To this end, a service provider must safeguard the confidentiality, integrity, and availability of KI Design’s information. 
  • Administrative access to network or Operating System infrastructure is restricted to authorized personnel.  

DEVICES 

  • The IT lead must create a listing of allowable and prohibited devices, operating systems, operating system versions, and cloud services. 
  • The PSR, in collaboration with the IT lead, must specify which classes, categories, or types of information are not appropriate to be handled off-premises. 
  • The IT team must ensure that all IT assets are in good repair. 
  • The IT team must define the process of sanitizing equipment prior to sending to or receiving from an associate. 
  • The IT team must establish guidance to associates using KI Design equipment, or their own equipment for work-related purposes, while off-premises. These guidelines should include returning hardware to IT when not in use; not to leave devices unattended (in car, coffee-shop, or other locations); and prohibiting sharing devices with family members. 

CONTRACT MANAGEMENT 

  • The IT team should create a listing of networking, data, voice, and cloud services.  
  • The IT team should maintain a copy of all identity and access credentials for any procured services. 

GENERAL ACCESS CONTROLS 

  • Access to physical locations, networks, Operating Systems, and databases is restricted to authorized personnel.  
  • All users who require access to KI Design systems must be identified. 
  • Access control systems must be implemented on KI Design systems. The access control system must have authentication and authorization capabilities that: 
  • Identify and authenticate individual persons or information systems; 
  • Limit or restrict access to an information system’s resources, objects, data, and/or files; 
  • Access to and use of KI Design systems with a user ID must be traceable to a single person and that access to and use of KI Design with a Service ID is traceable to an information system.  
  • Access control and identity management systems must be configured to deny access by default to KI Design (i.e., access must be explicitly authorized). 
  • Users may not install any code that circumvents the access control mechanisms found in operating systems or access control packages. 

Authentication 

  • Systems and applications must be configured to authenticate each user, including the privileged users, services, and applications with the correct credentials prior to granting access to KI Design IT resources.  
  • Multi-factor authentication (e.g., token, IP-blocking, etc.) should be used when accessing systems with privileged or administrator privileges.  
  • Authentication credentials should not be coded into programs or queries unless they are encrypted, and only when no other reasonable options exist. 
  • Authentication methods that employ the criteria of “something you have” (e.g., digital certificate, SecureID token) must permit the unique identification of each person and are not used concurrently by multiple users. 
  • Initial passwords or passphrases (“passwords”) must be communicated securely. Where an ID has been communicated through email, the associated password must be communicated through an alternative communication channel (e.g., via phone). 
  • Initial passwords must be set to prompt the user to change their password at initial login or must ensure that the user is manually instructed to change their password at initial login. 
  • All passwords must be masked or concealed on entry; i.e., represented on the screen by a special character such as an asterisk. 
  • All information systems must be technically capable of accepting all passwords that meet the requirements and ensure compliance with the account lockout, lockout duration, history, and minimum age requirements for passwords used to access KI Design.  
  • A password may only be reset after the user’s identity has been successfully verified.  
  • Passwords must be encrypted in transmission.  
  • Passwords must be protected in storage. Where passwords stored in files cannot be encrypted, passwords must not indicate the information system or ID for which they are associated.  
  • Unencrypted passwords must not be cached. 
  • Hard-coded clear text passwords may not be used in applications or configurations, or stored in batch files.   
  • Clear text passwords must not be embedded in any automated login process, or stored in a macro or function key.  
  • All paper-based passwords used for backup or contingency purposes must be stored using the principle of dual control or split knowledge.  
  • All default passwords, including null passwords, must be changed or set prior to deployment in a production environment and as soon as reasonably possible in a non-production environment.   

Remote Access 

Remote access to KI Design’s sensitive resources must abide by the following rules: 

  • All remote access must be authenticated and encrypted through a KI Design-approved encryption mechanism (e.g., SSL, VPN, etc.). 
  • Remote System Administrative access must use multi-factor authentication and bastion or jump servers. 
  • Access to KI Design’s internal network from untrusted networks must use multifactor authentication or additional compensating factors. 
  • A record of all users and parties that have authorized administrative remote access to systems must be maintained. At a minimum, the record should contain: 
    • The user ID; 
    • The full name; 
    • The date of creation; 
    • The level of entitlement granted; and 
    • The full name and position of the person who authorized the request. 
  • Cryptographic solutions must be deployed to maintain session confidentiality and integrity of all remote access connections.  

Session Management 

  • Personal IDs should not be capable of establishing multiple concurrent interactive sessions. Privileged IDs should not be capable of establishing multiple concurrent interactive sessions. 
  • The state of a session should be established and controlled by the information system providing the services. 
  • Session management mechanisms must be employed to protect session integrity and confidentiality.  
  • Session management identifiers must be unique for each individual session, and be valid only for the duration of the current session or for a predetermined finite time period. 
  • All users should have the ability to end or terminate an active session.  
  • An interruption to a communication link to the source information system must require the person or information system to re-authenticate to the source information system. 
  • Workstations and other user devices that have access to KI Design systems must either: 
  • Have password-protected screen-locks, keyboard-locks or equivalent controls that are set to automatically lock after one hour of inactivity; or  
  • Set sessions to automatically terminate (e.g., sign-off active account) after a maximum period of one hour of inactivity. 

Physical Access Control 

  • Associate access to KI Design office and data centers must be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. 
  • Physical access to KI Design data centers must be limited to KI Design associates and/or approved visitors (e.g., third parties) whose job function or responsibilities requires such access. 

Terminating Access 

  • KI Design reserves the right to block, deny, or discontinue any user’s access to its IT assets at any time upon violation of any security policies. 
  • The IT team should maintain a record of privileged user accounts so that access may be expediently revoked on short notice. 
  • User IDs must have their account privileges suspended after three months inactivity for internal users; special consideration may be made for users on sanctioned leave of absence. 
  • Upon termination of employment, contractual, or other relationship, or a change in job duties or responsibilities, KI Design must review and if necessary request a modification, suspension, or revocation of access privileges.  
  • User IDs that have access to KI Design must be suspended after 180 consecutive days (or 6 months) of inactivity either manually or automatically.  

CLOUD 

  • The IT team must have administrative access to all cloud assets.  
  • KI Design owns all right, title, and interest in its data related to the services provided by the cloud provider. As a result, the responsibility of managing the data is upon KI Design.  
  • KI Design should be able to transfer the data to another cloud service provider with 30 days’ notice to the existing service provider.  
  • KI Design must require that the cloud service provider provide a list of all third-party partners; including but not limited to the subcontractors, entities, and individuals who may be a party to the cloud service.  
  • At the conclusion of a cloud service contract, the cloud provider must provide KI Design, within thirty business days, without charge and without any conditions, a final extract of KI Design’s data in the format specified by KI Design. Further, the cloud provider must certify to KI Design that KI Design data within the possession or control of the cloud provider has been destroyed. Such destruction must only occur after the data has been returned to KI Design.  

DISASTER RECOVERY  

For all IT assets, whether in-house or contracted, the IT team must provide a disaster recovery plan to the PSR. The plan must include, but is not limited to: 

  • How long it would take to recover from a disruption; 
  • How long it will take to switch to a backup site; 
  • The level of service and functionality provided by the backup site;  
  • Within what time frame the IT team will recover the primary data and service; and 
  • A report on how and how often the data are backed up. 

The plan must be updated yearly. 

DATA RETENTION AND DISPOSAL 

PURPOSE 

The purpose of this policy is to outline the time limits and practical mechanisms of data retention and disposal. It includes when data is disposed of, and by whom. 

This policy is service-based. Each service may contain single or multiple data repositories. A service may have repositories on KI Design premises, or be managed offsite by a third-party vendor. 

DATA RETENTION PERIODS 

Social media data will be retained for two years, user account data (logs, queries) will be retained for the duration of the contract. Once the contract expires, there will be a grace period of 15 days after which all user data will be deleted. 

DATA DISPOSAL 

All data to be destroyed must be destroyed in all of its forms; for example, electronic, online, disk, CD, DVD, backup tape, and paper. Data must be permanently deleted and must not be recoverable. 

Data shall be disposed of by the IT team, based either on the expiry of the applicable timeline, or upon request by a service user. 

Protocol for Disposal of Data at Service User’s Request  

  1. Upon receiving a request for data disposal from a service user, validate the identity of the requester. 
  2. Ascertain whether KI Design data can be linked to that service user. 
  3. Dispose of data by removing the records from the database, and from any database back-ups. The removal should prohibit even an administrator from recovering the data. 
  4. Document the removal by specifying the ID of the staff member who performed the removal, the service user ID, and the database name. 

If data deletion is not possible for technical reasons, the IT lead must report the situation to the Privacy, Security, & Risk team. 

Protocol for Disposal of Data when a Retention Period Has Passed 

The KI Design Information Technology team must dispose of data within fifteen days of the conclusion of the retention period. The process is as follows: 

  1. Identify data content for which the retention period has passed. 
  2. Proceed to delete the identified data content from storage, and from any back-ups. The removal should prohibit even an administrator from recovering the data. Exclude any content that is currently under a Freedom of Information request or a KI Design investigation. 
  3. Document the removal by specifying the ID of the staff member who performed the removal, row ID (an identifier given to the stored data), and database name. 

If data deletion is not possible for technical reasons, the IT lead must report the situation to the Privacy, Security, & Risk team. 

Methods of disposal will be determined by the Privacy, Security, & Risk team in consultation with the IT lead.  

INVENTORY DISPOSAL 

Technology 

When technology items are retired, because they are no longer needed, their lease expires, or they cease to function, the IT team must follow secure hardware disposal methods, as outlined below.  

If the drive is being recycled, then a software reset and new installation is sufficient.  

If the hard drive is no longer needed, the following disposal methods should be used: 

  • For hard drives: Degaussing or grinding 
  • For solid state drives: Grinding  

Paper 

It is KI Design policy to reduce and eliminate paper documents that contain protected data.  

Paper records must be destroyed securely via a shredding machine on KI Design premises or via a contracted secure data disposal company. 

DATA BACK-UP 

Backup Plan 

Secure server backups will be performed regularly, at least once a week. The last backup of every month will be considered the monthly backup, and will be kept for two months. Backups must be performed and monitored by a fulltime IT staff member. 

Loss of data 

If loss of data is discovered, evaluation and investigation by IT staff is immediately dispatched. 

In most cases, loss of data is related to file corruption, a virus, or security or human error. 

  • If loss of data is related to data corruption, IT Staff must troubleshoot and determine if the problem is hardware- or software-related, to prevent addition file corruption. 
  • If the loss of data is related to a virus, IT Staff must determine the extent of the virus and remove it, to prevent further loss of data. 

Restoration of data 

Once loss of data is discovered, evaluated and minimized, IT Staff will proceed to restoration of data from backup media. 

  • IT Staff will determine the time and date of the lost data. 
  • IT Staff will determine the appropriate backup media to restore the data. 
  • IT Staff will insert the backup media into the appropriate server. 

All restoration activities must be logged.  

Disaster Recovery 

If a disaster is discovered, IT Staff will determine the extent of the problem and proceed accordingly. If the disaster is hardware related, IT Staff will replace the failed hardware and restore according to the steps outlined above. 

SECURITY 

OBJECTIVES 

Security is vital to the protection of critical infrastructures and the protected data contained in such infrastructures, and is a key enabler to the achievement of KI Design objectives and to the avoidance of or reduction of risks. 

Security serves the specific objectives of reducing the uncertainty and controlling the likelihood, nature, and consequences of potential unwanted events, thereby limiting harm and preserving existing value. 

Security tools and practices will be implemented to appropriately protect information collected, used, stored, transmitted, disclosed, or exchanged by the application and to assure the continued delivery of services through the use of information systems. 

SCOPE AND APPLICATION 

This policy applies to all KI Design activities, including activities undertaken by the vendors, partners, and end users that impact the security of KI Design assets, associates, and consultants, and contractors to KI Design vendors and partners. This policy also applies to all information assets and processes materially impacting the security of KI Design assets. 

POLICY STATEMENT 

All operating procedures, Information Systems or IT platform components, and onboarding of new partner applications, must be reviewed for security compliance.  All changes must include explicit authorization from the PSR, and testing to ensure there is no adverse effect on operations or security. 

Information Security 

KI Design associates, partners, and vendors shall: 

  1. Protect the confidentiality, integrity, and availability of information within KI Design in accordance with legal obligations and organizational requirements. 
  2. Establish accountabilities and implement processes and controls that ensure alignment and compliance with legislative, policy, and operational requirements. 
  3. Make all who are to be granted access to information assets aware of the privacy and security policies and procedures implemented, and require them to acknowledge that they have read, understood, and agree to comply with these privacy and security policies and procedures. 
  4. Ensure that all who are granted access to KI Design resources are aware that any person who violates the privacy or security policies, or any applicable End User Agreement, or any applicable Confidentiality Agreement, could be subject to sanctions up to and including termination of their employment or contractual relationship. 

KI Design shall: 

  1. Ensure that all its associates have signed an agreement with KI Design containing privacy and security provisions; and 
  2. Hold vendors or partners accountable for unauthorized or inappropriate access to protected data and for unauthorized or inappropriate collection, use, disclosure, disposal, modification of, or interference with, protected data and other sensitive information or services (e.g., trade secrets or human resources information systems). 

Identity Management 

  1. The identities of all persons requesting access to KI Design systems must be verified.  
  2. All access must be provisioned based on the requestor’s established needs, in accordance with KI Design privacy policies, and in accordance with the principles of need-to-know and least-privilege.  
  3. All users who require access to KI Design systems must be identified. 
  4. Access control systems must be implemented on KI Design systems. The access control system must have authentication and authorization capabilities that: 
    • Identify and authenticate individual persons or information systems, and 
    • Limit or restrict access to an information system’s resources, objects, data, and/or files. 
  5. Access to and use of KI Design systems with a user ID must be traceable to a single person.  
  6. Access control and identity management systems must be configured to deny access by default to KI Design (i.e., access must be explicitly authorized). 

Security Risk Management 

  1. The PSR, acting on behalf of KI Design, will ensure that residual, security-related organizational risks are consistent with risk appetite and risk tolerance.  
  2. The PSR shall define assets classification and risk tolerance. 
  3. The PSR will make decisions on the management of security-related organizational risks (such as decisions involving the acceptance of residual risks, and allocation of resources for risk mitigation, and for recovering from potential adverse events).  
  4. The PSR will provide relevant information, recommendations, and advice to the CEO to assist with these decisions. Risks will be reported and aggregated upward for review and strategic direction by the CEO. 
  5. The PSR will ensure that each vendor or partner is responsible for managing security-related business risks that directly impact the achievement of KI Design’s objectives.  

Information Security Management 

KI Design associates, partners, and vendors shall ensure that each of the practices below are implemented for those assets and related services in its custody or under its control: 

  1. Security of information assets and related business services will be addressed and analyzed in a holistic manner, with attention to people, process, and technology aspects throughout the information, information and communications technology, and associated services lifecycles.  
  2. Resources will be allocated as per KI Design priorities to ensure alignment of security capabilities and services with corporate needs. 
  3. A reasonable standard of security good practice, commensurate with perceived threats and risks, will be applied to achieve compliance with legal and regulatory requirements to protect the security of information. 
  4. Security controls, designed to defend against threats, preserve value, enable reliable delivery of quality services, and prevent harm, will be implemented through the integrated application of people, processes, and technology. 
  5. Security shall be managed in accordance with applicable legislation, regulations, and international standards. 

The PSR shall: 

  1. Progressively develop and leverage security strategies, mechanisms, and competencies to enhance service offerings and capabilities in aid of meeting organizational objectives. 
  2. Develop and apply security performance metrics, and present reports on status and progress to the CEO on a regular basis. 
  3. Ensure that vendor security leads accept and manage security for the services they provide.  
  4. In collaboration with the IT Security team, develop and implement Information Security standards and guidelines that will support this Policy by documenting specific responsibilities of individuals and specifying the uniform practices to be adopted by KI Design to achieve the outcomes specified in the security objectives. 

Web Security Requirements 

KI Design shall use encrypted communications when data is travelling over the public network.  

  1. Transport security: SSL version 2 or 3. 
  2. Hash technology: Use of secure hashing algorithms SHA-0 to SHA-4. 
  3. Key management security: Ensure that web SSL certificates are procured and managed using a key management system. 
  4. Encryption technologies:  
    • MARS,  
    • RC6,  
    • Rijndael,  
    • Serpent, and 
    • Twofish. 

Patch Security Management 

The IT Security team must ensure that, for any of its assets, it must: 

  1. Identify security patches; 
  2. Test the security patches; 
  3. Deploy the security patches; 
  4. Ensure timely implementation of patches. 

The Security Officer must produce and maintain a Patch Management Standard that defines the minimum information security standards necessary to ensure the protection of KI Design and clients’ information and information resources. These must include the following requirements: 

  1. A risk-informed systems patch cycle for all systems must be scheduled, as appropriate. 
  2. Any emergency patching outside of the routine patching schedule must be done according to level of risk, as determined by the IT Manager. 
  3. Servers, services, or applications must be maintained with current OS, application, or security patch levels, as recommended by the software manufacturer and informed by risk, to protect KI Design data from known information security issues. 

Patch Service Level Agreement: As soon as there is a patch available for the identified vulnerability, KI Design must:  

  1. Where possible, create a backup/archive and verify its integrity by deploying it on a standby system.  
  2. Create a checklist/procedure for patch activities and deploy the patch on the standby system. 
  3. Test the patched standby system for operational functionality and compatibility with other resident applications.  
  4. Swap the patched standby system into production and keep the previous unpatched production system as a standby for emergency patch regression.  
  5. Closely monitor the patched production system for any issues not identified during testing.  
  6. Patch the standby system (old production) after confidence is established with the production unit.  
  7. Update software configuration management plan and related records. At a minimum, backups and archives must be verified and tested.  

Vulnerability Management 

The Security Officer must conduct routine environmental scans of devices, systems, and applications connected to KI Design networks to identify operating system and application vulnerabilities. 

The Security Officer and IT Managers are required to ensure routine initiation and review of the results of vulnerability scans of devices, systems, and applications for which they are responsible and to evaluate, test, and mitigate, where appropriate, identified vulnerabilities. This is done through identifying, evaluating, remediating, and reporting, as set out below. 

Identifying vulnerabilitiesThe IT Security team must ensure that before this process starts there is a complete asset inventory. Any legacy applications and data that are no longer necessary must be eliminated. 

Initially, vulnerabilities which might affect KI Design systems must be identified. Once vulnerabilities, or types of vulnerabilities, are defined, the process of identifying any that are present can begin. The IT Security team should: 

  • Use threat intelligence information and vulnerability databases to identify known threats. 
  • Use vulnerability scanners to identify affected components and create an inventory for use in patch management. 

Evaluating vulnerabilities: After listing any vulnerabilities, the IT Security team shall evaluate the severity of threats, and remediate the most severe vulnerabilities first, in order to reduce the chance that an attack will occur while the rest of the system is being secured. The IT Security team should use a Common Vulnerability Scoring System. 
 
Remediating vulnerabilities: During this phase, the IT Security team can increase monitoring or reduce access to areas identified as at risk, to help prevent successful exploitation of vulnerabilities until patches can be applied or protections permanently increased. After vulnerabilities are addressed, the IT Security team must verify successful remediation. 
 
Reporting vulnerabilities: KI Design will create a record logging any vulnerabilities and when those issues were fixed.  
The IT Security team shall regularly perform penetration testing in order to ensure that no new vulnerabilities emerge.

  • Web scans shall take place once a month. 
  • Penetration testing shall be implemented every six months.  
  • Scans should also be performed each time a change is made that may introduce additional vulnerabilities. 

Secure Software Development Lifecycle 

KI Design follows a secure development methodology that (a) encompasses security principles throughout development and testing, and (b) addresses code vulnerability throughout the software lifecycle.  

KI Design must document, maintain, and apply the following software development policies and practices: 

  1. Source code must be handled and protected securely across the organization. 
  2. Development should follow secure coding and secure-by-design principles. 
  3. Testing of security controls during development. 
  4. System Acceptance Testing. 
  5. Development change control. 

Training: KI Design must provide secure coding training for all personnel that are involved in development. 

The training should be provided by, or at minimum aligned with, a recognized industry body such as Open Web Application Security Project (“OWASP”). 

The training must encompass secure coding principles and how to apply them throughout the software development process. 

Controls: In order to ensure security controls are implemented throughout the development processes, KI Design must ensure the following: 

  • Only authorized personnel may access source code and only from vendor-managed devices that meet the security requirements in this Policy and from locations set forth in the vendor agreement. 
  • Authorized personnel must not transfer or share KI Design source code with other vendors employees or individuals who are not authorized to access or handle source code. 
  • KI Design and its agents must only use encrypted transport protocols (e.g., SFTP, SCP) when transferring, downloading, uploading or otherwise accessing KI Design source code. 
  • A vendor must never store or share KI Design source code using non-KI-Design-approved public/cloud storage/collaboration services. 
  • The vendor is responsible for ensuring that all KI Design source code is stored in a source code repository. KI Design source code must only be accessed and stored on computers located on the vendor’s premises (laptops/desktops) while authorized personnel are actively working on the code. KI Design source code must be transferred and stored in a source code repository at all other times. 
  • The vendor may only store KI Design source code for as long as it is required and for the purpose set forth in the agreement. The vendor must securely delete KI Design source code from all computers and devices, when the services are completed or terminated, unless otherwise agreed upon by KI Design.  
  • The vendor shall keep an accurate and up-to-date inventory for all KI Design source code in the vendor’s possession.  
  • KI Design and its Agents must retain source code repository access and activity records/logs for as long as specified in the vendor Statement of Work. 
  • The operating system and applications installed on the source code repository must be installed, configured and maintained by the vendor in a secure manner.  
  • The vendor must implement system and log monitoring to prevent unauthorized modification of repository content and to monitor access. All changes to the operating system and applications must be controlled by the use of formal change control procedures. 
  • The vendor must perform regular incremental backups and full backups of source code repositories. If a remote backup service is used, all database source code must be encrypted during transfer. All backups must be encrypted when stored on backup systems or media. 

KI Design must ensure that vendor contracts include the stipulations listed above. 

User Account Creation Process 

Access to KI Design Information Technology resources must be controlled to ensure that: 

  1. All requests for creation/modification/deletion of user accounts must be authorized by the CEO;  
  2. An expired user account/ID must not be assigned to new users (to prevent expired privileges being provided to users who do not require them);  
  3. Upon termination of an associate, user access privileges must immediately be revoked; (i.e., deactivated or removed) by KI Design system administrators; and 
  4. User access privileges must be re-evaluated by the system owner on a regular basis to determine whether currently-enabled system privileges are needed to perform the associate’s job duties.  

A log of all requests for access must be maintained. 

Access must be granted only after identification, authentication, and authorization procedures are complete.  

IT Managers are responsible for: 

  1. Assigning a credential (i.e., user ID) to uniquely identify the user; 
  2. Creating credentials for third-party vendors who need access to the IT system;  
  3. Changing user access privileges at the CEO’s request; 
  4. Assisting the CEO in the annual review of user access privileges; and 
  5. Terminating user access privileges upon termination of an associate’s employment or contract. 

The IT Manager must maintain a list of all IDs that have access to KI Design information technology systems. The list should include the following:  

  1. The ID;  
  2. The person or information system’s details: Full name, department, location, and contact information (email and telephone where applicable); and 
  3. Privileges associated with that ID. 

MONITORING AND CONTROL 

Each KI Design internal or external service provider or partner will establish and maintain monitoring and control processes in order to ensure this Policy is implemented and followed internally on an ongoing basis. 

Where warranted, the PSR may authorize direct or independent inspection or audit of the compliance of internal or external service providers with this Policy; and may authorize audits of the compliance of individual end users with End User Agreements and/or Confidentiality Agreements. 

The PSR will establish and maintain monitoring and control processes in order to ensure that this Policy is implemented and followed for those activities that require coordinated action among internal parties, vendors, or partners. 

In supporting the function of monitoring and control, capturing and managing audit logs is key. As KI Design uses many disparate applications with varying degrees of audit capabilities, KI Design should create, at a minimum, a process for auditing tools and services, whether it is an internal tool or one provided by a third-party vendor. In the case of tools that have audit logs, these logs must be tamper-resistant, and protected against unauthorized access, or loss of integrity or availability. 

The goals for auditing and monitoring systems and users are to identify, respond, and mitigate:  

  • Insider threat deterrence or fraudulent activity,  
  • External intrusions,  
  • Security risks,  
  • System performance problems and flaws,  

and to capture evidence for taking disciplinary action, forensic analysis, and potential civil and criminal litigation. 

Evaluation and Reporting of Audit Findings  

  • Audit log information must be reviewed daily for suspicious or malicious activity.  
  • Audit findings shall be reported to appropriate operational owners in a timely manner. Significant findings that could indicate a security breach has or is likely to occur shall be immediately reported to the Privacy Officer.  
  • Routine findings shall be documented and reported to operational owners and the Privacy Officer on a monthly basis. False positives must also be addressed; for significant events, potential impact analysis must be conducted for critical information systems.  
  • Reports of audit results shall be limited to internal use on a minimum necessary/need-to-know basis.  
  • Audit results shall not be disclosed externally without the Privacy Officer’s approval.  
  • Security audits could constitute an internal, confidential monitoring practice that will be used to evaluate an associate’s performance.  
  • Care shall be taken to ensure that the results of these types of audits are only provided to the appropriate supervisor.  
  • Audit information that could disclose organizational risks will be shared only with extreme caution.  

EXCEPTIONS 

KI Design Management acknowledges that under rare circumstances, certain associates will need to use assets that are not compliant with these policies. All such instances must be approved in advance by the PSR. The PSR will authorize exceptions only where there is clear justification to do so, and only to the minimum extent necessary to meet the justified need. 

POLICY VIOLATION 

Failure by any associate to comply with this Policy may result in the restriction, suspension, or termination of their relationship with KI Design. 

Depending on the infraction, KI Design may decide to implement a lesser penalty, as per the following: 

  • Corrective actions and training 
  • Official written reprimand 
  • Termination 

Failure by any vendor or partner subject to this Policy to comply with this Policy may result in restriction, suspension, or termination of their participation in or relationship with KI Design. Depending on the circumstances, KI Design may seek legal recourse through civil courts.