Operations Security Policy
Operations Security Policy
- Last Updated: 9 August 2023
- Effective Date: 9 August 2023
1. Purpose
To ensure the correct and secure operation of information processing systems and facilities.
2. Scope
All MassPay information systems that are business critical and/or process, store, or transmit company data. This Policy applies to all employees of MassPay and other third-party entities with access to MassPay networks and system resources.
3. Operations Security
3.1 Documented Operating Procedures
Both technical and administrative operating procedures shall be documented as needed and made available to all users who need them.
3.2 Change Management
Changes to the organization, business processes, information processing facilities, production software and infrastructure, and systems that affect information security in the production environment and financial systems shall be tested, reviewed, and approved prior to production deployment. All significant changes to in-scope systems and networks must be documented.
Change management processes shall include:
- Processes for planning and testing of changes, including remediation measures
- Documented managerial approval and authorization before proceeding with changes that may have a significant impact on information security, operations, or the production platform
- Advance communication/warning of changes, including schedules and a description of reasonably anticipated effects, provided to all relevant internal and external stakeholders
- Documentation of all emergency changes and subsequent review
- A process for remediating unsuccessful changes
3.3 Capacity Management
The use of processing resources and system storage shall be monitored and adjusted to ensure that system availability and performance meets MassPay requirements.
Human resource skills, availability, and capacity shall be reviewed and considered as a component of capacity planning and as part of the annual risk assessment process.
Scaling resources for additional processing or storage capacity, without changes to the system, can be done outside of the standard change management and code deployment process.
3.4 Separation of Development, Staging and Production Environments
Development and staging environments shall be strictly segregated from production SaaS environments to reduce the risks of unauthorized access or changes to the operational environment. Confidential production customer data must not be used in development or test environments without the express approval of the CTO or Upper Management.
Refer to the Data Management Policy for a description of Confidential data. If production customer data is approved for use in the course of development or testing, it shall be scrubbed of any such sensitive information whenever feasible.
4. Systems and Network Configuration, Hardening, and Review
Systems and networks shall be provisioned and maintained in accordance with the configuration and hardening standards described in Appendix A to this policy.
Firewalls and/or appropriate network access controls and configurations shall be used to control network traffic to and from the production environment in accordance with this policy.
Production network access configuration rules shall be reviewed at least annually. Tickets shall be created to obtain approvals for any needed changes.
5. Protection from Malware
In order to protect the company’s infrastructure against the introduction of malicious software, detection, prevention, and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.
Anti-malware protections shall be utilized on all company-issued endpoints except for those running operating systems not normally prone to malicious software. Additionally, threat detection and response software shall be utilized for company email. The anti-malware protections utilized shall be capable of detecting all common forms of malicious threats and performing the appropriate mitigation activity (such as removing, blocking or quarantining).
MassPay should scan all files upon their introduction to systems, and continually scan files upon access, modification, or download. Anti-malware definition and engine updates should be configured to be downloaded and installed automatically whenever new updates are available. Known or suspected malware incidents must be reported as a security incident.
It is a violation of company policy to disable or alter the configuration of anti-malware protections without authorization.
6. Information Backup
The need for backups of systems, databases, information and data shall be considered and appropriate backup processes shall be designed, planned and implemented. Backup procedures must include procedures for maintaining and recovering customer data in accordance with documented SLAs. Security measures to protect backups shall be designed and applied in accordance with the confidentiality or sensitivity of the data. Backup copies of information, software and system images shall be taken regularly to protect against loss of data. Backups and restore capabilities shall be periodically tested, not less than annually.
Backups must be stored separately (<describe specific requirements for separate region or availability zone>) from the production data location.
MassPay does not regularly backup user devices like laptops. Users are expected to store critical files and information in company-sanctioned file storage repositories.
Backups are configured to run daily on in-scope systems. The backup schedules are maintained within the backup application software.
A backup restore test should be performed at least annually to validate the backup data and backup process.
7. Logging & Monitoring
Production infrastructure shall be configured to produce detailed logs appropriate to the function served by the system or device. Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and reviewed through manual or automated processes as needed. Appropriate alerts shall be configured for events that represent a significant threat to the confidentiality, availability or integrity of production systems or Confidential data.
Logging should meet the following criteria for production applications and supporting infrastructure:
- Log user log-in and log-out
- Log CRUD (create, read, update, delete) operations on application and system users and objects
- Log security settings changes (including disabling or modifying of logging)
- Log application owner or administrator access to customer data (i.e. Access Transparency)
- Logs must include user ID, IP address, valid timestamp, type of action performed, and object of this action.
- Logs must be stored for at least 30 days, and should not contain sensitive data or payloads
7.1 Protection of Log Information
Logging facilities and log information shall be protected against tampering and unauthorized access.
7.2 Administrator & Operator Logs
System administrator and system operator activities shall be logged and reviewed and/or alerted in accordance with the system classification and criticality.
7.3 Data Restore Logs
In the event the company needs to restore production data containing PII from backups, either for the purposes of providing services or for testing purposes, shall be logged or tracked in auditable tickets.
7.4 Clock Synchronization
The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to network time servers using reputable time sources.
7.5 File Integrity Monitoring and Intrusion Detection
MassPay production systems shall be configured to monitor, log, and self-repair and/or alert on suspicious changes to critical system files where feasible.
Alerts shall be configured for suspicious conditions and engineers shall review logs on a regular basis.
Unauthorized intrusions and access attempts or changes to MassPay systems shall be investigated and remediated in accordance with the Incident Response Plan.
8. Control of Operational Software
The installation of software on production systems shall follow the change management requirements defined in this policy.
9. Technical Vulnerability Management
Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities shall be evaluated, and appropriate measures taken to address the associated risk. A variety of methods shall be used to obtain information about technical vulnerabilities, including vulnerability scanning, penetration tests, review of external vendor alerts, and the bug bounty program.
Vulnerability scans shall be performed on public-facing systems in the production environment at least monthly.
Penetration tests of the applications and production network shall be performed at least annually, and additional scanning and testing shall be performed following major changes to production systems and software.
The IT department shall evaluate the severity of vulnerabilities identified from any source, and if it is determined to be a risk-relevant critical or high-risk vulnerability, a service ticket will be created. The MassPay assessed severity level may differ from the level automatically generated by scanning software or determined by external researchers based on MassPay’s internal knowledge and understanding of technical architecture and real-world impact/exploitability. Tickets are assigned to the system, application, or platform owners for further investigation and/or remediation.
Vulnerabilities assessed by MassPay shall be patched or remediated in the following timeframes:
|
Determined Severity |
Remediation Time |
|
Critical |
30 Days |
|
High |
30 Days |
|
Medium |
60 Day |
|
Low |
90 Days |
|
Informational |
As needed |
Service tickets for any vulnerability which cannot be remediated within the standard timeline must show a risk treatment plan and planned remediation timeline.
10. Restrictions on Software Installation
Rules governing the installation of software by users shall be established and implemented in accordance with the MassPay Information Security Policy.
11. Information Systems Audit Considerations
Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes.
12. Systems Security Assessment & Requirements
Risks shall be considered prior to the acquisition of, or significant changes to, systems, technologies, or facilities. Where requirements are formally identified, any relevant security requirements shall be included. The acquisition of new suppliers and services shall be made in accordance with the Third-Party Management Policy.
The company shall perform an annual network security assessment that includes a review of major changes to the environment such as new system components and network topology.
14. Exceptions
Requests for an exception to this policy must be submitted to CTO or Upper Management for approval.
15. Violations & Enforcement
Any known violations of this policy should be reported to CTO or Upper Management. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.