Purpose

This Information Security Policy outlines the methods and responsibilities to safeguard data within our application ecosystem. Ensuring the confidentiality, integrity, and availability of data is fundamental to maintaining trust and compliance with industry standards.

Scope

This policy applies to all data stored in Google Cloud Platform (GCP) buckets and MongoDB Cloud instances that are part of the application ecosystem. This includes all personnel who create, manage, or interact with this data.

Data Encryption & Cryptography

1. At Rest:

   - Google Cloud Platform (GCP) Buckets: All data stored in GCP buckets is encrypted at rest using industry-standard encryption methods to protect data from unauthorized access.
   - MongoDB Cloud: Data stored in MongoDB Cloud is encrypted at rest using AES-256-CBC encryption, ensuring robust security against unauthorized data breaches.

2. In Transit:

   - All data transmitted across networks is encrypted using HTTPS protocols and AES-256 encryption standards to prevent interception by unauthorized entities.

Data Replication, Business Continuity and Disaster Recovery

Data is replicated across multiple geographic regions in both GCP buckets and MongoDB Cloud. This replication strategy supports our Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP), ensuring data availability and durability in the event of regional failures or catastrophic events.

Access Control

1. Access to data within GCP buckets and MongoDB Cloud is strictly governed by role-based access control (RBAC) systems. Access permissions are granted based on the principle of least privilege, ensuring individuals have access only to data necessary for their role and responsibilities.
2. Continuous monitoring of access patterns is conducted to ensure compliance with this policy and to identify and respond to unauthorized access attempts.

Monitoring and Compliance

1. Quarterly audits are conducted to ensure that encryption protocols and access controls are effectively protecting data within our ecosystem.
2. Any deviations from expected encryption and access control practices are logged and investigated as potential security incidents.

Incident Response

1. A predefined incident response protocol is in place to address potential security breaches or data exposure incidents. This protocol includes steps for containment, eradication, recovery, and post-incident analysis to prevent future occurrences.
2. All incidents must be reported to our security team immediately upon discovery.
3. The incident policy can be accessed via the following: https://connect.zoho.com/portal/intranet/manual/platform-technical-organizational-data-security/article/cryptography-encryption

Policy Enforcement

1. The Security Team is responsible for enforcing this policy. Non-compliance with this policy can result in disciplinary action, up to and including termination of employment.
2. Employees are required to participate in security awareness and training programs to understand their responsibilities under this policy.

Review and Revision

1. This policy will be reviewed annually or in response to significant changes to the technology landscape, organizational structure, or compliance requirements.
2. Any amendments to this policy will be documented and communicated to all affected parties.

Approval and Implementation

This policy is approved by the leadership and is effective immediately. All existing and new data storage and processing practices must conform to this policy without exception. Any changes to this policy shall me communicated in due time.