Information Security Policy
- Last Updated: 20 May 2024
- Effective Date: 21 December 2020
1. Purpose
The purpose of this Information Security Policy (“Policy”) is to establish a security framework for Vasu International Payment Solutions Inc. (or the “Company”) that will ensure the ongoing protection of VASU information systems, networks, and data from unauthorized access, damage, loss, theft, or disclosure, while still permitting the efficient use of business computing assets globally.
2. Scope
This Policy applies to all VASU officers, employees, contractors, affiliates, subsidiaries, partners, contracted third parties, and users of VASU products, systems, networks, or data.
This Policy is intended to protect all data, networks, and information systems used by VASU anywhere in the world, regardless of how, where, or when the information is used, generated, hosted, transmitted, stored, or printed. Information covered by this policy includes all data that is:
- stored in computers, servers, file shares, or databases;
- stored in application data repositories;
- transmitted across internal or public networks;
- printed or handwritten on any surface, including paper, white boards, and computer screens;
- stored on fixed or removable media, including hard drives, floppy drives, CDs, DVDs, tape, portable hard drives, USB and flash drives, camera drives, and backup systems; or
- stored in the cloud or other third-party environments, including Amazon Web Services (AWS) and Google Workspace.
This Policy supersedes previous VASU security policy documents, and is considered effective on the latest date of approval by the Compliance team, or Board of Directors, as noted within the Change History section of this Policy. Time-sensitive updates to this Policy may also be granted interim approval by the Chief Information Security Officer or Head of Compliance.
This Policy is intended to serve as a broad cybersecurity framework. Other supportive Information Security policies, standards, guidelines, and procedures, which are included here by reference, will be published separately to specify how the requirements in this Policy shall be exercised in greater detail.
3. Policy Statement
VASU must develop, adopt, and enforce strategies to mitigate cybersecurity risks that threaten the confidentiality, integrity, and availability of the Company’s information systems and data. An effective Information Security Program will clearly convey the goals, approach, and controls necessary for securing VASU’s information assets.
This Policy serves as a comprehensive approach to information security. It encompasses the following important protocols:
- Ensure the confidentiality, integrity, and availability of information at all times through the proper application of policies, standards, guidelines, procedures, controls, auditing, and monitoring
- Protect information assets from internal, external, deliberate, and accidental threats, including unauthorized access
- Develop Incident Response plans for when defenses are breached
- Develop Business Continuity Plan (BCP) and Disaster Recovery (DR) plans permitting the Company to continue operations, and maintain the confidence of stakeholders and customers, even during or after a disaster
- Satisfy legislative and regulatory cybersecurity requirements globally
- Prohibit the use of VASU information or systems to violate law, breach privacy, compromise performance, or damage VASU’s operations or reputation
The Company will take appropriate action in response to the misuse of Company information assets. Any violation of this Policy may result in legal action and/or disciplinary action under applicable Human Resources policy, up to and including termination.
The Information Security department will conduct annual reviews of this Policy and make necessary corrections to VASU’s security policies, standards, guidelines, and procedures. More frequent interim reviews and updates may also be required any time that security needs change.
4. Information Security Program Framework
4.1. Alignment with Global Security Frameworks
VASU information security management, strategies, policies, standards, guidelines, procedures, and controls will draw from, and comply with, the cybersecurity frameworks established by the National Institute of Standards and Technology (NIST), the Federal Financial Institutions Examination Council (FFIEC), and the European Union’s General Data Protection Regulation (GDPR). PCI-compliant network zones will also comply with the Payment Card Industry Data Security Standard (PCI DSS) framework.
If information security scenarios arise that are not addressed by existing VASU policies and standards, NIST and FFIEC guidance should be consulted. See the References section for a list of helpful documents.
4.2. Information Security Management Scope and Responsibilities
The Information Security department is the owner of the Company’s security information systems, and responsible for ensuring that network, computer, and software systems are effectively designed, configured, managed, and maintained to provide optimal confidentiality, integrity, and availability. Information Security is also responsible for writing, publishing, and providing training for, all security policies, standards, guidelines, and procedures required as a result of the publication of this Policy.
The Information Security department's responsibilities include, but are not limited to:
- Implementing and maintaining an Information Security Program
- Identifying, assessing, tracking, and mitigating risks to the Company’s information and cyber assets
- Developing, maintaining, and/or revising information security policies, standards, guidelines, procedures, and contract language
- Creating and maintaining security classifications for Company data
- Selecting, deploying, and monitoring security controls that adhere to established best practice frameworks, and support global Compliance and Legal requirements
- Conducting regular external and internal vulnerability assessments and penetration testing to verify that security controls are working properly, and to identify weaknesses
- Assuring the confidentiality, integrity, availability, and accountability of all information while it is being processed, stored, and/or transmitted electronically, and protecting the security of the resources associated with those processing functions
- Developing, deploying, and monitoring systems and processes for detecting intrusions and malicious code
- Identifying business owners for all systems and information
- Establishing a risk management process for the lifecycle of each critical information system
- Developing, implementing, and testing Business Continuity Plans for critical information systems
- Helping enforce records management policies and standards
- Assisting with external audit exams
- Supplying information security training and awareness globally
While Information Security owns VASU’s security governance, the Company’s technical infrastructure is owned by the Information Technology Engineering department. If far-reaching technology changes are required to help Information Security accomplish its mission, Engineering will own the implementation and maintenance.
4.3. VASU Security Policy Framework
This section summarizes the high-level security requirements that shall be applied to VASU systems, processes, data, and behavior. More specific requirements will be conveyed in Information Security standards, guidelines, and procedures that will be published separately, but that are included here by reference.
The requirements below are not exhaustive. More sections will be added when necessary.
4.3.1 Acceptable Use
An Acceptable Use Standard shall establish rules for how VASU computing resources may be used, and how adherence to rules will be monitored and enforced.
VASU employees, contractors, and users must agree to abide by the Acceptable Use Policy and Standard whenever using VASU computing resources, which include VASU-provided or contracted computers, servers, printers, peripherals, appliances, programs, web applications, data, networks, email, and the Internet.
VASU strives to maintain a workplace free of harassment and sensitive to the diversity of its employees. The Company therefore prohibits the use of computers in ways that are disruptive, offensive to others, or harmful to morale.
The Company values information security, which may be compromised by insecure computing practices. Users agree not to use VASU computing systems to download or install unauthorized software, use unapproved third-party services, visit potentially dangerous websites, connect to unapproved hardware devices, or store sensitive information insecurely.
Workplace monitoring may be conducted by VASU to ensure quality control, employee safety, security, and customer satisfaction. While on VASU’s premises or using VASU computing resources, employees have no expectation of privacy in their belongings or in the non-private workplace areas, which include, but are not limited to, offices, cubicles, work locations, VASU-provided or designated parking areas, desks, computers, data storage devices, lockers, rest or eating areas, or vehicles engaged in VASU operations, and any personal belongings on or in any of the above.
In order to secure its computing infrastructure and enforce Acceptable Use, VASU reserves the right to monitor all electronic communications and data stored on, or passing through, its computing resources.
4.3.2 Access Controls
VASU’s access controls shall balance the desire for system access against the Company’s need to defend systems and data from unauthorized access.
All VASU computing resources shall be protected from unauthorized access, use, modification, disclosure, or destruction to satisfy regulatory, legal, corporate, Human Resources, and contractual requirements.
No VASU system or data shall be used to violate local, federal, or international law; run a personal business; engage in gambling; or, access pornography.
Role-based access controls (RBAC) shall be applied to all systems and networks, with roles segregated by Least Privilege and Segregation of Duty principles that inhibit access abuses and collusion, with each role attributed to an individual.
Access to all resources on the network will be controlled by a centralized authenticating mechanism, with exceptions granted to devices that only support local or internal access controls.
Users must agree not to circumvent or disable VASU access controls.
4.3.3 Application & Database Security
Information Security shall publish an Application and Database Security Standard that outlines required best practices and controls for all VASU software and web applications and database systems. Information Security may also recommend additional or custom controls at times, depending on the nature of an application or database, unique threats that may be present, the sensitivity of any data present, and whether systems interface with other networks or third-parties.
Developed, acquired, and purchased applications and database systems, as well as third parties contracted to handle VASU data or interface with VASU systems, must meet the protections required by this Information Security Policy, and by VASU’s Application and Database Security Standard.
At minimum, applications and database systems must be protected by access controls that provide Segregation of Duty and Least Privilege; defenses that prevent Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL Injection (SQLi), buffer overflows, brute forcing, and other common attacks; input filtering of all form, HTTP header, cookie, JSON, XML, Flash, web service, and URL parameter data fields; and, encryption of session tokens, all passwords, and other Confidential data.
Applications shall not contain undocumented features or secret back doors.
Applications and database systems must log all security-related events, and logs must adhere to VASU logging policies and standards.
Prior to production deployment, an application or database must be documented with narratives and diagrams detailing all of its communications, including network perimeters, zones, hosts, ports, protocols, encryption methods, key storage, access control requests, and data requests and responses.
Before production deployment, all applications and database systems must undergo review and testing by Information Security, and all vulnerabilities must be mitigated or managed.
Information Security shall regularly perform scans and penetration tests of all VASU applications, and all critical and major vulnerabilities must be mitigated or managed.
4.3.4 Asset Management
Information Security shall adopt, publish, and promote policies and standards for the continual protection of computing, digital, and paper assets. Users of VASU information systems agree to follow Information Security’s published rules for protecting VASU assets at all times, which include, but are not limited to, computers, servers, files, data, databases, networks, networked devices, printouts, faxes, repositories, financial and other reports, architecture and infrastructure documents, vulnerability lists, Company strategies and plans, privileged legal documents, customer lists, audio recordings, voice and electronic mail, meeting minutes, and video.
VASU information systems shall be managed by the VASU ENGINEERING and Information Security departments.
ENGINEERING and Information Security shall deploy a centralized mechanism for maintaining a current inventory of all VASU systems worldwide.
Each system used for VASU business shall be inventoried by Information Security and ENGINEERING, and have a named System or Data Owner responsible for ensuring that protective controls commensurate with the system’s data classification are applied and enforced, and that the system’s hardware and software are maintained.
Users shall not deploy servers, networks, or network devices for VASU business or personal use without prior permission from Information Security and ENGINEERING.
Information Security and ENGINEERING will perform regular scans of VASU networks to detect assets that have not been inventoried; discovered assets must be either inventoried, or removed from VASU networks.
All users of VASU information systems and data shall undergo security awareness training and agree to follow Information Security policies, prior to being granted access to VASU systems.
4.3.5 Audit & Accountability Controls
4.3.5.1 Security and ENGINEERING Audits
Regular audits are critical for identifying and managing enterprise risks across VASU, and for ensuring accountability.
The ENGINEERING department will conduct an annual internal audit to inventory and assess all known VASU hosts and networked devices, including routers, firewalls, load balancers, switches, wireless devices, IDS systems, servers, and computers, as well as the software stacks installed on each of these. The assessment will identify gaps in inventory lists; pinpoint systems with stability problems; note old or orphaned systems eligible for retirement; detect missing patches that need to be installed; check that local access privileges are appropriate; and, produce a timeline and strategy for fixing findings.
The Information Security department will lead several annual audits, including a VASU-wide review of system access privileges; a penetration test of all perimeters and high-risk systems; and, a cyber risk assessment intended to inform the VASU Board of vital security risks. Any technical findings uncovered will be submitted to ENGINEERING and the CIO for remediation planning.
Audit findings shall be protected as Confidential information.
4.3.5.2 Audit Logs
All VASU computing resources must generate and store audit records concerning all events relevant to security. Authentication attempts, registry or configuration changes, software installation activity, information egress, intrusion and malware detections, and all attempts to access, modify, destroy, or export data are examples of events that should be logged.
Logs shall contain evidence sufficient to establish the facts of an event, including when and where it occurred, the accountable actors involved, and the systems or objects affected.
Logs must be protected against tampering. File permissions shall prohibit unauthorized access, and when possible, logs should be transmitted to a centralized logging system managed by Information Security for protection.
Information Security, together with ENGINEERING, shall deploy a mechanism for correlating, monitoring, and alerting on important log events.
Procedures will be developed to regularly review audit records for indications of suspicious activities, and to report findings to management for resolution.
Audit logs shall be protected as Internal information.
4.3.5.3 Other Accountability Controls
When technically feasible, computing activity should be attributable to a person in order to establish accountability. Shared accounts and passwords must be avoided for this reason. Users and system administrators will perform computing, administration, and reporting activities using their own individual user or administrator accounts, rather than using shared or anonymous accounts.
Any file system or database that houses Confidential information must have audit monitoring and logging enabled in order to identify who operated on sensitive data, when it occurred, and what the operation entailed.
All employee and contractor Internet access shall pass through VASU proxy servers for monitoring and web site blocking. No VASU user shall bypass the Company’s web proxies.
4.3.5.4 Backup and Recovery
Important data must be backed up on a regular basis. Such data includes, but is not limited to, data used by VASU web and wire applications; customer and agent data; financial transaction data; programming source code; software and licenses; decryption keys; assets and instructions needed for Disaster Recovery; Accounting and Human Resources files; business contracts; electronic documents stored locally or in file shares; and, emails.
ENGINEERING will deploy a data backup system capable of backing up all important VASU data globally, and provide users with file server or cloud drives for file storage that are regularly backed up. Information Security will train users how to use drives to store information securely.
Confidential data will be encrypted in backups, in accordance with VASU’s Encryption Standard.
Some backups must be stored offsite; in the event that a VASU data center is destroyed, data should still be recoverable. ENGINEERING will determine the backup frequency required so that restored data is recent enough to permit business operations to continue.
ENGINEERING will conduct recovery tests of backed up data every six months.
4.3.5.5 Business Continuity Plan (BCP) / Disaster Recovery Plan (DR)
BCP and DR plans describe processes and procedures for the protection of VASU’s assets and services from disasters, recovery from service interruptions, and the resumption of key business processes.
ENGINEERING and Information Security shall collaborate to document, publish, and provide training for a global DR plan. The DR plan will describe how to fail over and recover computing operations and services during and after a disaster.
Operations shall document, publish, and provide training for a global BCP. The BCP will document how to sustain business operations during and after disasters, which includes human safety factors, management and business process continuity, and communication and PR plans.
The DR and BCP plans will both be updated and tested each year, and participants will undergo training annually.
4.3.5.6 Change Management
Change management is a formal process for making measured and approved changes to ENGINEERING services across VASU in order to increase change awareness, synchronize efforts between I.T. groups, and ensure changes have no disruptive impact on customers or service.
A Change Management Program will be developed to assess, manage, and control all technology changes made to VASU computing resources. The program will include process gates that prevent changes from being made that have not undergone review by ENGINEERING and Information Security, and technical controls to prevent unauthorized changes from being made to systems, applications, configurations, and programming code.
In order to detect rogue changes made to code, web pages, and file systems, VASU will deploy a file integrity monitoring system capable of detecting unauthorized file changes.
4.3.5.7 Cloud Environments
Cloud, leased, and other contracted third-party environments that contain VASU computing resources or data must adhere to VASU’s Information Security policies, standards, and guidelines.
4.3.5.8 Data Classification
Data classification, in the context of information security, is the categorization of data based on its level of sensitivity and the impact to VASU if the data were disclosed, altered or destroyed without authorization.
Data security and classification measures will be implemented commensurate with sensitivity of data, and the risk to VASU if data were to be compromised.
A Data Classification Standard published by Information Security shall provide the framework for classifying and securing data from risks including, but not limited to, unauthorized destruction, modification, disclosure, access, use, and removal. The Standard shall define four data classification categories that include Public, Internal, Confidential, and Privileged.
Each System or Data Owner shall evaluate and classify data for which he/she is responsible, and enforce protective controls recommended by Information Security to guard the data based on its classification level.
4.3.5.9 Data Loss Prevention (DLP)
Data Loss Prevention (DLP) is a comprehensive approach applied to people, processes, and systems for identifying, monitoring, and protecting data while it is stored, in use, or in motion. DLP is used for identifying sensitive data stores; enforcing enterprise data protection policies; validating that defensive controls are sufficient to protect data of varying classifications; detecting both accidental and intentional data leaks across computers, servers, and networks; and, generating data protection reports for auditing and compliance.
VASU shall create and implement a Data Loss Prevention Program.
4.3.5.10 Encryption
Encryption is required for all Confidential and Privileged information that is stored or in transit. Authentication may also need to accompany encryption, if communicating parties require identity assurance in addition to confidentiality.
Perfunctory encryption that does not enforce Segregation of Duty and Least Privilege is insufficient. For example, while whole disk encryption is advisable to prevent a thief from accessing data on a stolen hard drive, it will not prevent a Database Administrator (DBA) from viewing sensitive data fields in a database that should be off limits; Segregation of Duty and Least Privilege would require that field-level encryption also be used in this scenario.
All encryption systems must support the ability to change keys (“rekey” or “rotate keys”). Databases that house Confidential data must be rekeyed annually, and after the termination of staff with database access.
Decryption keys must be made inaccessible to unauthorized persons, not stored in cleartext on any system, and be stored encrypted offsite for use during DR/BCP events.
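The distinction drawn above between whole-disk encryption and field-level encryption, and the rekeying requirement that follows it, can be shown in code. The example below is added here for illustration; it is not VASU's code and nothing in the policy prescribes it. The names `FieldKeyring`, `CustomerRow`, `encrypt_field`, `decrypt_field` and `rekey` are hypothetical, the cipher is a constructed stand-in (SHA-256 keystream plus an HMAC tag, so the example runs on the standard library alone; a real deployment would use AES-GCM from a vetted library or a KMS/HSM), and the card numbers are constructed test values. What it demonstrates is the Segregation of Duty point: the sensitive column holds only ciphertext, the key material lives outside the database in a keyring the DBA does not hold, each row records which key version encrypted it, and rotation re-encrypts every row under a new version and retires the old one so that a retained copy of the old ciphertext is no longer readable.

```python
"""Field-level encryption with keys held outside the database, plus rekeying.

Added illustration, not VASU's code. The cipher is a constructed stand-in
(SHA-256 keystream + HMAC tag) so this runs with the standard library only.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one key version.
    return hashlib.sha256(key + label).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Constructed stand-in for a real cipher: SHA-256 in counter mode.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("field ciphertext failed integrity check")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class FieldKeyring:
    """Versioned field-encryption keys held by the application (or a KMS),
    outside the database. The DBA administers tables, not this object."""

    def __init__(self) -> None:
        self._keys: dict[int, bytes] = {}
        self.current_id = 0

    def add_version(self) -> int:
        self.current_id += 1
        self._keys[self.current_id] = os.urandom(32)
        return self.current_id

    def key(self, key_id: int) -> bytes:
        if key_id not in self._keys:
            raise KeyError(f"key version {key_id} is retired or unknown")
        return self._keys[key_id]

    def retire(self, key_id: int) -> None:
        self._keys.pop(key_id, None)


@dataclass
class CustomerRow:
    account_id: str   # non-sensitive, stored in the clear
    key_id: int       # which key version encrypted card_number
    card_number: bytes  # ciphertext only; this is all the DBA can see


def encrypt_field(ring: FieldKeyring, plaintext: str) -> tuple[int, bytes]:
    return ring.current_id, _seal(ring.key(ring.current_id), plaintext.encode())


def decrypt_field(ring: FieldKeyring, key_id: int, blob: bytes) -> str:
    return _open(ring.key(key_id), blob).decode()


def rekey(ring: FieldKeyring, rows: list[CustomerRow]) -> int:
    """Rotation (annual, or after staff with DB access leave): re-encrypt every
    row under a new key version, then retire the versions it replaced."""
    old_ids = {r.key_id for r in rows}
    new_id = ring.add_version()
    for r in rows:
        plain = _open(ring.key(r.key_id), r.card_number)
        r.card_number = _seal(ring.key(new_id), plain)
        r.key_id = new_id
    for kid in old_ids:
        ring.retire(kid)
    return new_id


def dba_can_read(rows: list[CustomerRow], pan: str) -> bool:
    """Whether full table access alone (no keyring) exposes the value."""
    return any(pan.encode() in r.card_number for r in rows)


def demo() -> dict:
    ring = FieldKeyring()
    ring.add_version()
    pans = ["4111111111111111", "5500000000000004"]  # constructed test values
    rows = [CustomerRow(f"acct-{i}", *encrypt_field(ring, p)) for i, p in enumerate(pans)]
    before = [decrypt_field(ring, r.key_id, r.card_number) for r in rows]
    old_id, old_blob = rows[0].key_id, rows[0].card_number  # copy kept by an insider
    new_id = rekey(ring, rows)
    after = [decrypt_field(ring, r.key_id, r.card_number) for r in rows]
    try:
        decrypt_field(ring, old_id, old_blob)
        old_copy_readable = True
    except KeyError:
        old_copy_readable = False
    return {"before": before, "after": after, "new_id": new_id,
            "old_copy_readable": old_copy_readable,
            "dba_sees_pan": dba_can_read(rows, pans[0])}


if __name__ == "__main__":
    print(demo())
```

Whole-disk encryption would protect the same table against a stolen drive, but a DBA reads it through the running database, where the disk is already unlocked; only the per-field layer, with its keys outside the DBA's reach, enforces the Least Privilege boundary the policy describes. The `key_id` column is what makes rotation operationally safe: rows can be migrated in batches while both versions exist, and the old version is retired only once no row references it.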
Specific encryption and key protection baseline standards will be published in an Encryption Standard by Information Security.
System and Data Owners are responsible for ensuring that any systems, devices, and data under their purview are encrypted in accordance with this policy, and with the Encryption Standard. VASU personnel, contractors, and vendors using mobile computing devices (e.g. laptops, tablets, PDAs, smart phones, wearables) or mobile data storage devices (e.g. CDs, DVDs, flash memory, portable hard drives) are responsible for the protection of sensitive data on those devices.
Exceptions to the Encryption Policy may be granted by Information Security in cases where encryption is not feasible, and where mitigating controls lower residual risk to acceptable levels.
4.3.5.11 Identification & Authorization Control
Information systems must be configured to uniquely identify users, devices, and processes through the assignment of unique user accounts, and validate users (or processes acting on behalf of users) using standard, Information Security-approved authentication methods such as passwords, tokens, certificates, smart cards, or biometrics (“authenticators”).
VASU shall implement a centrally controlled mechanism for Identity and Access Management (IAM). All applications and systems capable of using the mechanism for IAM will do so, rather than using decentralized or local mechanisms.
Any authenticator used for identification, authentication, or authorization is rated as Confidential, and must be protected by commensurate digital and physical controls. Users of VASU computing resources must protect authenticators and not share them with others.
4.3.5.12 Incident Response
An Incident Response Standard shall be adopted and published that defines cybersecurity incidents, their severities, and how they should be prioritized and managed so operations can be restored as quickly as possible with minimal impact. The Standard should discuss how an incident is reported and assessed; how damage is minimized; how the incident and resolution are documented; how forensic evidence should be preserved; and, whom to contact, and when.
Any user of VASU computing resources who encounters a potential cybersecurity incident that could violate the confidentiality, integrity, or availability of VASU information, or impact VASU’s reputation, must notify his or her manager or Information Security immediately. Examples of cybersecurity incidents include attempts to gain unauthorized access to systems or data; attempts to obtain others’ passwords or elevate privileges; bypassing security controls; denials of service (DoS); the installation of unauthorized software; the unauthorized use of hacking tools; and, the introduction or spread of malware.
4.3.5.13 Malware Protection
All VASU information systems, including computers, servers, networks, networked devices, and Bring Your Own Devices (BYODs) shall be protected against potentially malicious software and hardware. All such systems will be equipped with real-time defenses against viruses, spyware, unauthorized remote access, trojans, back doors, and worms. Information Security will adopt defenses that detect and/or block the installation of unauthorized software. Computers and servers will have USB, Bluetooth, and all other non-essential interfaces disabled, with exceptions evaluated on a case-by-case basis as business needs require.
All systems will be scanned for viruses twice per week, including Friday mornings, and malware definition files shall be updated daily.
Malware-related security incidents must be detected, logged, investigated, verified, and remediated by Information Security.
4.3.5.14 Media Protection
Information Security shall publish standards governing how media will be continually protected, which owners and users of media must enforce. Media includes, but is not limited to, hard and floppy disks; backup tapes; data files; readable discs, such as CDs, DVDs, laser discs, and Zip Disks; USB, Firewire, Thunderbolt, and other internal or external storage devices; smartphone, camera, and copier storage; electronic RAM and ROM circuits; and, printed material, such as documents or reports.
Digital and physical protection of media must be commensurate with the data classification of the information stored on the media. Confidential and Privileged information, for example, must be encrypted at rest whenever stored on media.
Media may contain malware capable of infecting VASU systems. Media whose origin is unknown should not be connected to VASU systems or networks. Owners and users of media shall be trained on the safe use of media, and the threat it poses for transmitting malware.
Information Security shall publish a Data Destruction Standard, which owners and users of media must enforce to ensure that residual data stored on media is safely destroyed to prevent it from being recovered after media is repurposed or discarded.
4.3.5.15 Mobile Devices / Bring Your Own Device (BYOD)
Tablets, smartphones, and other consumer mobile devices are popular for their convenience, but in many instances, such devices are not capable of protecting VASU data reliably.
Confidential and Privileged information must not be stored on devices without approval by Information Security. When approval is granted, Information Security may mandate that a device be equipped with a hardened operating system, encryption, anti-malware, and/or ENGINEERING management software that allow stored data to be protected, and the device wiped remotely if stolen.
4.3.5.16 Network Security
Information Security shall publish a Network Security Standard establishing how networks should be architected and secured, how networks may be accessed and used, and how policies should be enforced.
VASU networks must comply with the published Network Security Standard. Prior to a network’s deployment or use, Information Security will be consulted, both to determine if additional controls are required due to risks present, and to test the networks to identify vulnerabilities.
Information Security will deploy and maintain security controls to protect VASU networks. At minimum, networks shall employ firewalls, Demilitarized Zones (DMZs), the use of discrete zones segregated by data classification, intrusion detection/prevention systems (IDS/IPS), encryption for sensitive data, and access controls that promote Least Privilege and Segregation of Duty.
Information Security shall regularly scan VASU networks to identify vulnerabilities, unauthorized ingress or egress points, unknown or insecure hosts, unauthorized wireless access points, and sensitive data that has not been acceptably secured. System and Data Owners who are notified of vulnerabilities or policy violations shall be responsible for remediating findings.
Information Security shall provide users with training and guidance conveying the importance of protecting networks against intrusion and abuse.
4.3.5.17 Onboarding and Offboarding
Information Security shall publish standards for Onboarding and Offboarding.
All prospective employees and contractors must successfully complete a criminal background check before hire.
Before new employees or contractors are permitted access to VASU systems or data, they must first sign a VASU NDA, and an agreement promising compliance with all VASU information security policies, standards, and guidelines.
Employees and contractors being onboarded must complete VASU’s cybersecurity training program within one week of hire.
When a VASU employee, contractor, agent, partner, or vendor relationship is terminated, access to VASU systems and data must be revoked immediately. The manager responsible for the terminating relationship shall notify the Help Desk within three hours of termination. Once notified of the termination, the Help Desk shall disable access within four hours.
Once access is disabled, the user’s identity record shall remain in the Identity and Access Management (IdM) system for VASU’s published retention period, after which the record should be deleted.
4.3.5.18 Passwords and Other Credentials
Information Security shall publish a Password Standard that establishes the minimum requirements for generating, using, managing, changing, and protecting passwords, passphrases, session tokens, and other credentials used to identify, validate, or authenticate users, systems, networked devices, databases, applications, and sessions.
Users of VASU computing resources, networks, networked devices, and data must follow and enforce the Password Standard. Each user must protect his or her password against disclosure, never store passwords unencrypted, and never share passwords with others.
Information Security will deploy and require the use of security controls that enforce password policies and standards.
Passwords and other credentials shall be protected as Confidential information, which requires that they be encrypted in transit and in storage.
4.3.5.19 Patch Management
Information Security and ENGINEERING shall jointly create a Patch Management Program. The program will monitor the Internet for news of important manufacturer-supplied patches that should be applied; scan VASU networks to detect systems or software that are in need of patches for security and stability; evaluate and test patches; deploy and install patches; confirm that patch installations were successful; and, maintain an inventory of current patch levels of all VASU systems and software worldwide.
System Owners are responsible for ensuring that systems under their control are included in VASU’s patch management program.
Patches will be evaluated and deployed in descending order of their importance to VASU system stability and security. If a patch is deemed critical for stability or security by a manufacturer, ENGINEERING and Information Security shall evaluate its stability and fitness for deployment within thirty calendar days of its release.
Enterprise-wide patch scanning should occur no less frequently than every thirty calendar days.
When a system or software reaches its end of life, and patches for security or stability are no longer provided by the manufacturer, the asset must be updated to a newer and patchable version within six calendar months, unless a formal exception is granted by ENGINEERING and Information Security. Exceptions shall not be granted for operating systems, application server or container software, or database server software, due to their importance to VASU operations.
4.3.5.20 Physical and Environmental Security
VASU shall adopt policies, standards, guidelines, and controls to protect information and technology from physical and environmental threats in order to reduce the risk of loss, theft, damage, unauthorized access, breaches, and service disruption.
Physical security zones will be established to control and monitor access to assets at all VASU facilities and data centers, with controls commensurate with the classification level of the systems, data, or other assets being protected.
Any zone housing computers, servers, networks or network devices, or data must be protected by, at minimum, day and night surveillance cameras; overnight burglar alarms; doors that automatically lock if public-facing; keycards or other identity mechanisms that identify individuals entering; and, logging of all visitors. Visitors must sign in prior to entry, wear an assigned visitor badge, and remain accompanied by a VASU employee at all times. Data centers will also be equipped with advanced physical access controls; reinforced and attacker-resistant walls, ceilings, floors, doors, and windows; fire alarms and fire suppression; HVAC and power redundancy; and, 24/7 security guards who authenticate and log all visitors, and permit entry only to VASU personnel authorized by ENGINEERING or Information Security management.
VASU staff who encounter a person suspected of breaching physical security protocols should immediately contact management, campus security guards, or emergency responders.
All computers and servers not housed in data centers must be equipped with a means for locking them up to prevent equipment theft. Cable locks, locking enclosures, locking docking bays, and locking desk drawers are acceptable. VASU employees and contractors must not leave computers unlocked at VASU facilities overnight or during weekends.
Printed information must be protected at all times, since it may contain information useful to hackers, criminals, competitors, and other actors. Business plans, product strategies and timelines, development plans, HR and legal documents, network architecture diagrams, system and vulnerability lists, login credentials, and similar printed information should not be visible on desks or white boards at night or during weekends. Live computer screens that display the above information should also be turned off during non-business hours. Staff must put away papers, and if needed, close office doors and window blinds to keep information from being viewed, photographed, or stolen by visitors, workers, intruders, or the public.
Commuters and travelers must protect VASU equipment and data while traveling. Computers and sensitive papers must not be left unattended in public spaces or vehicles. While staying in a hotel, unattended computers should be locked up in the hotel safe. Before crossing any international border, VASU users must check that computers do not contain Confidential VASU information that could be confiscated by U.S. or foreign governments. Any employee or contractor who suffers a theft of VASU equipment or data should notify a manager or Information Security immediately.
4.3.5.21 Records Management and Retention
VASU Information Security, ENGINEERING, Legal, HR, and Compliance departments shall together establish an enterprise Records Management and Retention Program. The program will feature an inventory of record types across all VASU departments; retention periods for each type; technical and procedural enforcement methods for ensuring retention; procedures for destroying digital and physical records that exceed their retention periods; strategies for reducing records retention costs; and, training for VASU staff. The program shall maintain VASU records, including documents and data, for the durations required by state, federal, and international law.
All VASU employees, contractors, partners, and third-party vendors must comply with the Records Management and Retention Program.
Data shall not be shared with any third party without a signed contract that enforces a VASU-approved retention period. The contract must also specify how and when data will be destroyed, and require that VASU be provided with an affidavit of destruction.
4.3.5.22 Remote Network Access
VASU will provide remote access to network, computing, and email resources for employees when necessary.
Since there are security risks associated with providing remote access, VASU will adopt strong controls for controlling and monitoring all remote access activities.
Remote access to VASU’s network shall require multifactor authentication (MFA).
Remote connections into VASU’s network or servers must pass through VASU’s perimeter firewalls and Intrusion Detection system earmarked for use with remote access. Users will not install their own remote access software or hardware, or otherwise open up back door remote access ports into VASU environments.
Any client system used for remote access must be hardened against attack, with anti-virus and firewall software running.
Remote access for third-parties and contractors must be approved by the Information Security Officer.
4.3.5.23 Security Controls
Security controls are the management, preventive, detective, corrective, and measurement tools for enforcing Information Security policy. This Information Security Policy describes many VASU security controls, with additional control details and requirements provided in accompanying policies, standards, and guidelines that are included here by reference.
All VASU computing resources, data, and projects should undergo review by Information Security before deployment to determine which security controls should be applied. It then becomes the duty of the System or Data owner to ensure that the selected controls are incorporated and tested.
Information Security shall maintain an inventory of its available security controls, and review it annually to ensure controls remain viable against new attacks. Deficient controls will be identified and corrected.
VASU shall adopt controls required by audit exam bodies to maintain VASU’s financial licenses, plus controls recommended by cybersecurity best practice organizations such as the Open Web Application Security Project (OWASP).
4.3.5.24 Servers and Computers
Information Security shall publish standards for hardening servers and computers, which must be enforced by system and database administrators, and by VASU users.
At minimum, servers and computers shall be equipped with remote and centralized administration capabilities; defenses that prevent unauthorized reconfiguration of any system; access controls that promote Segregation of Duty and Least Privilege; endpoint protection that defends against malware and intrusion; an encryption mechanism for sensitive data that cannot be compromised if a system’s hard drive is removed; and, tools for monitoring all user activity.
Any system that houses or accesses sensitive data should have audit logging enabled for data-related operations, and also be equipped with Data Loss Prevention (DLP) monitoring.
Technical controls shall prevent users from making unauthorized configuration changes to servers and computers. Local admin, root, and other super-user privileges must not be granted by default to any user whose primary job function is not system administration. Temporary exceptions may be made when a user needs local admin access to install authorized software, after which admin rights should be revoked.
Users and administrators of systems must not install unauthorized software onto VASU servers or computers without prior permission from Information Security.
Before any server is opened for user or public access, it must be tested by Information Security, and all vulnerabilities mitigated or managed.
Logs generated by defensive mechanisms on servers and computers must be protected against tampering.
4.3.5.25 System and Information Integrity
Integrity of VASU systems and applications shall be enforced using controls described in this Information Security Policy that prevent unauthorized changes to systems and data, and validate the integrity of changes that might or do occur.
Firewalls, intrusion detection, and audit monitoring shall be used by Information Security to protect all VASU computing assets and data.
All computers and servers shall be protected by hardened operating systems, access controls, regularly updated and real-time anti-virus software, and monitoring. Users shall be prevented from installing unauthorized software, or making Registry or other configuration changes. Access controls shall enforce Segregation of Duty and Least Privilege, and privileges shall be reviewed regularly.
Databases shall be protected against unauthorized modification of data, and critical data shall be backed up regularly.
Confidential data shall be encrypted at rest and in transit. Because encryption by itself protects confidentiality rather than integrity, the encryption used shall be authenticated, or paired with a separate integrity check, so that intentional and accidental modification is detected as well as prevented.
For cases where data integrity is especially critical for operational, financial, accounting, or regulatory tasks, audit monitoring must be enabled to record all data access and modification activity. The use of keyed hashes (e.g. HMAC) or digital signatures is also recommended to verify that data has not been altered while in storage or in transit; an unkeyed hash, salted or not, offers no protection against deliberate tampering, since whoever alters the data can simply recompute it.
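The difference between a salted digest and a keyed tag, as an added example that is not part of VASU's policy or code. It stores a constructed sample record beside its integrity value, lets a simulated attacker with write access to the store rewrite the record, and shows that the attacker can forge a matching salted SHA-256 digest (the salt sits in the clear next to the record) but cannot forge an HMAC-SHA256 tag without the key. The record, salt and key are assumed sample values; in production the key would come from a KMS or HSM and never be stored with the data.

```python
"""Integrity tags: unkeyed salted hash versus HMAC.

Added example, not VASU material. Shows why a salted digest does not
detect deliberate tampering while a keyed tag (HMAC) does.
"""
import hashlib
import hmac
import os

# Constructed sample values (assumptions for this demo).
SAMPLE_RECORD = b"txn_id=1001;account=ACME;amount=125.00;currency=USD"
SAMPLE_SALT = b"salt-stored-in-the-clear-next-to-the-record"
SECRET_KEY = os.urandom(32)  # assumed to be held only by the verifier


def salted_digest(record: bytes, salt: bytes) -> str:
    """Unkeyed salted SHA-256: catches accidental corruption only."""
    return hashlib.sha256(salt + record).hexdigest()


def verify_salted(record: bytes, salt: bytes, stored_digest: str) -> bool:
    """Recompute the salted digest and compare in constant time."""
    return hmac.compare_digest(salted_digest(record, salt), stored_digest)


def hmac_tag(record: bytes, key: bytes) -> str:
    """Keyed tag: only a holder of `key` can produce a valid value."""
    return hmac.new(key, record, hashlib.sha256).hexdigest()


def verify_hmac(record: bytes, key: bytes, tag: str) -> bool:
    """Constant-time comparison avoids leaking tag bytes via timing."""
    return hmac.compare_digest(hmac_tag(record, key), tag)


def tamper(record: bytes) -> bytes:
    """Simulated attacker edit: inflate the transaction amount."""
    return record.replace(b"amount=125.00", b"amount=9125.00")


def attack_salted_store(record: bytes, salt: bytes):
    """Attacker with write access rewrites the record AND recomputes the
    digest, because the salt is stored alongside the record."""
    forged = tamper(record)
    return forged, salted_digest(forged, salt)


def attack_hmac_store(record: bytes, tag: str):
    """Same attacker, but without the key: the best they can do is
    rewrite the record and leave the old tag in place."""
    return tamper(record), tag


if __name__ == "__main__":
    forged, forged_digest = attack_salted_store(SAMPLE_RECORD, SAMPLE_SALT)
    print("salted digest accepts tampered record:",
          verify_salted(forged, SAMPLE_SALT, forged_digest))
    tag = hmac_tag(SAMPLE_RECORD, SECRET_KEY)
    forged2, old_tag = attack_hmac_store(SAMPLE_RECORD, tag)
    print("HMAC accepts tampered record:",
          verify_hmac(forged2, SECRET_KEY, old_tag))
```

The salted-digest check passes on the forged record, which is exactly the failure the policy text is trying to rule out; the HMAC check fails, and a digital signature would behave the same way while also allowing verification by parties who do not hold the signing key.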
Software and web applications must defend against common integrity attacks, including Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL Injection (SQLi), buffer overflows, and tampering with web or program parameters. Programs shall validate all input against expected content, type, length, and encoding, and shall use parameterized queries and context-appropriate output encoding rather than rely on input filtering alone. All applications shall be penetration tested prior to production, and vulnerabilities mitigated.
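The SQL Injection case from the paragraph above, as an added example that is not VASU application code. It places a deliberately vulnerable string-built query beside its parameterized form, and layers the input validation the policy calls for (content, type, length, encoding) on top of parameterization as defense in depth. The in-memory SQLite table, its two rows and the account-ID allow-list pattern are constructed assumptions for the demo.

```python
"""SQL injection: vulnerable lookup beside its hardened form.

Added example, not VASU's code. Sample rows and the allow-list regex
are assumptions for this demo.
"""
import re
import sqlite3

# Assumed allow-list for account identifiers: 1-12 upper-case alphanumerics.
ACCOUNT_ID_RE = re.compile(r"^[A-Z0-9]{1,12}$")


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table with two sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT, owner TEXT, balance REAL)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("ACME1", "acme", 100.0), ("BETA2", "beta", 250.0)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, account_id: str) -> list:
    """Deliberately vulnerable: untrusted input is concatenated into SQL,
    so the input "' OR '1'='1" turns the WHERE clause into a tautology."""
    sql = f"SELECT id, owner, balance FROM accounts WHERE id = '{account_id}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, account_id: str) -> list:
    """Primary defense: a bound parameter is never parsed as SQL, so an
    injection payload is simply an account ID that does not exist."""
    return conn.execute(
        "SELECT id, owner, balance FROM accounts WHERE id = ?", (account_id,)
    ).fetchall()


def validate_account_id(account_id) -> str:
    """Allow-list check on type, encoding, length and content, applied
    before the query as defense in depth (not as a substitute for it)."""
    if not isinstance(account_id, str):
        raise TypeError("account id must be a string")
    account_id.encode("ascii")  # raises UnicodeEncodeError on non-ASCII input
    if not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValueError("account id fails the allow-list")
    return account_id


def lookup_hardened(conn: sqlite3.Connection, account_id):
    """Validate, then query with a bound parameter. Returns the rows, or
    None when the input is rejected before it reaches the database."""
    try:
        clean = validate_account_id(account_id)
    except (TypeError, ValueError, UnicodeEncodeError):
        return None
    return lookup_parameterized(conn, clean)


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))     # dumps every row
    print("parameterized:", lookup_parameterized(db, payload))  # []
    print("hardened:", lookup_hardened(db, payload))          # None (rejected)
```

Note that the parameterized query is safe on its own; the allow-list is there to stop malformed input early and to bound length and character set, which is what the policy's "content, type, length, or encoding" language asks for.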
4.3.5.26 System Maintenance
Only personnel explicitly authorized by ENGINEERING or Information Security shall perform maintenance on VASU information systems, which includes monitoring system health, running diagnostic tools, adjusting configurations, and removing, installing, and upgrading software and hardware.
VASU shall ensure that system maintenance is scheduled and documented; announced in advance to stakeholders if possible; aligned with manufacturer recommendations; and also, that results are validated, with a roll-back plan available if maintenance fails.
4.3.5.27 System and Data Ownership
Each VASU system and set of data shall have a functional owner who is responsible for its management, protection, retention, and destruction. Each System and Data Owner will be a Manager, Director, or higher level employee who is required to understand and enforce all published VASU security policies, standards, and guidelines.
The Data Owner will set and enforce the classification level of data under his or her control in accordance with VASU’s Data Classification Policy and Standard. VASU shall not share data with any third party without the written permission of the data’s Data Owner.
The System and Data Owners shall be responsible for establishing access privileges for systems and data under their control.
4.3.5.28 Third-Party Products, Systems, and Data
Third-party providers who design, implement, furnish, or maintain technologies for VASU must protect VASU systems and data using Information Security policies, standards, and controls that are equivalent to VASU’s own.
Third-party contracts must include cybersecurity provisions governing access controls, shared architecture, data classifications and handling, network and host monitoring and protection, data protection and encryption, data sharing with fourth parties, code security standards, password standards, incident response, breach notification, operational support, service levels, vulnerabilities and defects, security assessments and testing, right to report, data retention and destruction, and lists of formal documentation required. Information Security will collaborate with VASU's Legal Department to develop the above provisions into a standard boilerplate Information Security Contract Schedule. If a vendor's standard contract does not include the above provisions, a mutual contract that includes VASU's Information Security Contract Schedule shall be required.
No third party services shall be contracted until the contract has been reviewed by VASU’s Information Security Officer.
No VASU employee, contractor, partner, or vendor shall share VASU Confidential or Privileged information with any third party unless the share has been approved by the information’s VASU Data Owner; a mutual Non-Disclosure-Agreement (“NDA”) has been signed by both VASU and the third-party’s officers; and, an information sharing contract approved by Information Security has been signed by both parties.
4.3.5.29 Threat & Vulnerability Management
Information Security shall establish a Threat and Vulnerability Management Program for detecting, evaluating, prioritizing, tracking, and mitigating potential cybersecurity threats against VASU operations, systems, data, employees, and partners worldwide. Threat intelligence and recommended defenses will be regularly socialized across the enterprise for awareness.
Information Security shall also adopt a vulnerability management system to identify, assess, inventory, prioritize, track, and remediate cybersecurity vulnerabilities.
Threat and vulnerability information shall be protected as Confidential data.
- Training and Awareness
Training employees is a crucial element in building a strong and lasting culture of compliance.
Regular Company-wide security awareness and training are vital for ensuring compliance with Information Security policies, standards, and guidelines, and for maintaining a security culture shared by employees, contractors, partners, and service providers.
Information Security shall establish and maintain a cybersecurity Training and Awareness Program to provide ongoing education about VASU’s security policies, standards, and guidelines; the use of Information Security’s Intranet site; general best practices for computer, Internet, and operational cyber safety; how information should be classified, handled, and protected; the breach methods used by insiders and outside attackers, and how to defend against them; and, proper incident response and reporting procedures for when security incidents do occur. Training shall be global, and available in local languages.
All employees and contractors must undergo cybersecurity training during initial onboarding, and then annually thereafter.
VASU requires that employees, affiliates, and service providers whose jobs are impacted by specific policies receive additional, detailed training appropriate for their roles and responsibilities at least annually. Examples include Records Retention, secure programming practices, and employee screening.
The Training and Awareness Programs shall be reviewed and updated annually by Human Resources and Information Security.
- Records Retention
VASU records, including data, files, and email, will be retained in accordance with a Records Management Retention Schedule that VASU shall establish.
- Policy Exceptions
Exceptions to this policy may be allowed by Senior Management. All exceptions must be documented in writing before the exception takes effect.
Exceptions to this Information Security Policy, or to other policies, standards, or guidelines, may be granted only if they pertain to a single record; bulk or categorical exceptions to the standards outlined in this Policy are not permitted. Requests for exceptions must be specific to the record and must be submitted in writing to the Chief Information Security Officer or Chief Information Officer. Exceptions that affect third-party service providers must be communicated to the service provider.
Exceptions and their dispositions shall be tracked by Information Security, and all exceptions must be reviewed annually.
- Policy Compliance
All VASU officers, employees, contractors, affiliates, subsidiaries, partners, agents, contracted third parties, and users of VASU products, systems, networks, or data are required to comply with and enforce this Information Security Policy. Failure to do so may result in corrective employment action or other disciplinary measures, up to and including termination of employment or contracts.
- Other Reviews & Approvals
This Policy will be reviewed and approved annually by the VASU Board of Directors, or by the Audit and Finance Committee acting as a delegate to the VASU Board of Directors. Time-sensitive updates to this Policy may also be granted interim approval by the Chief Information Officer.