Information security policy

Overview of the service

The company provides a hosted Software as a Service product which allows user-contributed content to be solicited, moderated and published to public websites. The service is offered to client organisations (clients).

Members of the public (end users) submit contributions (text, images and videos) via public websites and mobile apps to a specific client's instance of the system. These contributions are reviewed by members of the client's staff (moderators) before being made public.

The vast majority of the system's contents is intended for public display. End users expect that their submissions will eventually be displayed publicly, but that their personal details, contact details and correspondence with the moderators will not be made public.

The end user's contact details may be disclosed to the client's staff to assist with verification.

It is envisioned that end users have a relationship with clients rather than with the company itself.

Protected user data

The following data held in the system is not intended for public disclosure:

Original, unreviewed submissions received from end users

Raw submissions may contain the following potentially sensitive information:

Internal moderation work flow

The system records the internal moderation workflow leading up to a submission being approved or rejected.
This history includes text moderation notes applied by moderators and the internal email addresses of the individual moderators.
Details of correspondence between the end user and moderators may also be held in the system.

Client and social media supplied contact details for end users

The system allows users to identify themselves via a client's identity system or via third-party social media accounts (such as Facebook and Twitter).
In this case the system may display the third-party user id publicly.

Contact details (including real name and email address) may be retrieved from the third-party system.
The third-party credentials required to do this may be persisted within the system.
The retrieved third-party contact details may not be permanently persisted in the system.

Software development methodology

The company's core product is a hosted software system. The core component is an Internet-accessible API.
To function, this API must be accessible over the public Internet.

Approved submissions and public data are accessible over HTTP with no credentials.
Access to private data (such as unapproved submissions and moderation functions) requires API requests to be authenticated.
Authenticated requests must be made over HTTPS. Access to authenticated resources is not permitted over unencrypted HTTP.

Software developers working on the system are aware of the OWASP guidelines.

New releases of the software must pass a series of automated acceptance tests in a development environment before being released to production. These tests include regression tests around access control and the visibility of protected resources.
The development system is regularly subjected to scans from an automated, integrated penetration testing tool.
These scans are periodically performed on the live system.
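As an added illustration (not Contribly's own code) of the access rule stated above and of the access-control regression tests the release pipeline is described as running, the following gatekeeper encodes the three cases the policy distinguishes: public data readable without credentials, private data requiring authentication, and authenticated access refused over unencrypted HTTP. The paths, the token and the resource catalogue are constructed for this example.

```python
# Added example, not Contribly's own code. Encodes the policy: public resources need no
# credentials; private resources need a valid token AND must arrive over HTTPS.
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed resource catalogue; a real deployment would consult its data store.
PUBLIC_PATHS = {"/contributions/approved"}
PRIVATE_PATHS = {"/contributions/pending", "/moderation/notes"}
# Constructed credential; a real system would validate tokens against its identity store.
VALID_TOKENS = {"example-moderator-token"}


@dataclass
class Request:
    path: str
    scheme: str                    # "http" or "https"
    token: Optional[str] = None    # bearer credential, if any


def authorise(req: Request) -> Tuple[int, str]:
    """Return (HTTP status, reason) for a request under the stated policy."""
    if req.path in PUBLIC_PATHS:
        return 200, "public resource, no credentials required"
    if req.path not in PRIVATE_PATHS:
        return 404, "unknown resource"
    # Private resource: reject plain HTTP before looking at credentials, so a token
    # sent in the clear is never honoured and the caller is told to retry over HTTPS.
    if req.scheme != "https":
        return 403, "authenticated access is not permitted over unencrypted HTTP"
    if req.token not in VALID_TOKENS:
        return 401, "authentication required"
    return 200, "authenticated access granted"


def run_regression_checks() -> bool:
    """Access-control regression cases a release must pass before reaching production."""
    cases = [
        (Request("/contributions/approved", "http"), 200),   # public stays open
        (Request("/contributions/pending", "http"), 403),    # private never over HTTP
        (Request("/contributions/pending", "http", "example-moderator-token"), 403),
        (Request("/contributions/pending", "https"), 401),   # credentials required
        (Request("/contributions/pending", "https", "wrong-token"), 401),
        (Request("/contributions/pending", "https", "example-moderator-token"), 200),
        (Request("/moderation/notes", "https", "example-moderator-token"), 200),
    ]
    return all(authorise(req)[0] == expected for req, expected in cases)


if __name__ == "__main__":
    print("access-control regression checks passed:", run_regression_checks())
```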

Production environment

Data location

The application and data are hosted on Amazon EC2.

The live system components and persisted user data reside in the EU-WEST-1 region (Republic of Ireland).
An encrypted, offline backup of the user data is held at an address in England.

All staff and contractors (excluding suppliers) involved in the day to day operation of the system are located in England.

All persisted user data is held within the European Economic Area (EEA).

Network access to data

HTTP, HTTPS and WS (WebSockets) are the only services publicly exposed by the system.

Operations staff have secure shell access to all nodes of the production environment via a trusted jump-off machine.
Operations staff have access to the production environment via the EC2 console.
No unencrypted shell connections to live systems are permitted.

The following restrictions are placed on access to production systems and data:

The decryption keys for these backup files are not stored on a network connected machine.

Incident response

Contact information

Contact information for relevant team members is to be available during non-business hours should an incident occur and escalation be required.
This contact does not need to be a member of development staff but must be provided with an escalation contact within the development team.

Triage

Incident reports should be forwarded to development staff for initial assessment.
Development staff should review monitoring, logs and the relevant application code.
Development staff are authorised to suspend the service immediately if it is suspected that an incident is in progress.

Identified mitigations and testing

The results of the initial triage should be discussed with development. In the event that a confirmed vulnerability is identified this vulnerability must be patched before service may resume. Patches must go through the normal regression testing and deployment pipeline.

Mitigation and remediation timelines

Incident reports must be brought to the attention of development within 24 hours. An acknowledgement must be returned to the reporter within 1 working day of receipt. The results of initial triage and an expected resolution timeframe should follow as soon as possible, and within 24 hours of the initial acknowledgement in all cases.

Notification

Confirmed incidents must be reported to the affected clients. Those clients have the option of notifying their end users in accordance with their own policies. Confirmed incidents of unauthorised disclosure of personal data must be notified to the Information Commissioner's Office (ICO) within 1 week.

Secure disposal policy

Technology equipment often contains parts which cannot simply be thrown away. Proper disposal of equipment is both environmentally responsible and often required by law. In addition, hard drives, USB drives, CD-ROMs and other storage media contain various kinds of client and end user data, some of which is considered sensitive. In order to protect our clients' and end users' data, all storage media must be properly erased before being disposed of.
For the avoidance of doubt, all company-owned technology should be referred to the nominated member of development staff for disposal.

Scope

This policy applies to any computer/technology equipment or peripheral devices that are no longer needed within Contribly, including, but not limited to, the following: personal computers, servers, hard drives, laptops, mainframes, smart phones or handheld computers (i.e., Windows Mobile, iOS or Android based devices), peripherals (i.e., keyboards, mice, speakers), printers, scanners, typewriters, compact and floppy discs, portable storage devices (i.e., USB drives), backup tapes and printed materials.

Policy