Information security and disaster recovery policy.

1.
fka Project Travel
Information Security Policy
Last Updated February 26, 2016
Includes So ware Disaster Recovery Plan as of December 10th, 2015
PURPOSE
● To define operational parameters for hardware and so ware
utilization with a specific focus on protecting Personal User Data
utilized in the “Via TRM SaaS Application” .
● To provide a set of guidelines for Via TRM employees to use as a
reference when interacting with any Information Technology
platform.
CONTEXT
● It is the sole responsibility of Via TRM and its associated sta
and contractors to adhere to the guidelines specified in this
document.
● In order to maintain relevance, the details about specific
technology platforms in use that are detailed in this document
(both hardware and so ware) should be updated bi-annually.

2.
NETWORKING & HARDWARE
FIREWALL & NETWORK CONNECTIVITY
● All network endpoints are protected by a firewall that meets the
following criteria:
○ Performs Stateful Packet Inspection (“SPI”).
○ Supported VPN Encryption is 256-bit in strength.
○ Physical hardware and operating system maintain
support via the manufacturer or distributors.
● WiFi Access Points meet the following criteria:
○ Capable of segmentation with multiple SSIDs.
○ Publicly (non-employee / contractor) accessible Wifi is
segmented from the development network and is
bandwidth throttled.
○ WPA2 Encryption Standard is supported and appropriate
password is enforced.
○ WiFi Protected Setup (“WPS”) is disabled.
● When connecting to WiFi networks outside of the o ice all
network connections will be treated as “insecure by default”.
Care should be taken to only use encrypted channels to
transmit sensitive information.
○ When using a web browser, this is indicated by the HTTPS
prefix and, typically, a green or gold padlock icon.
○ Certificate warnings should be taken seriously, and when
present the underlying connection should be considered
insecure.
Information Security Policy for Via TRM 2

3.
PHYSICAL SYSTEMS DISPOSAL
● Electronic Data Disposal Policy
○ All computer systems, electronic devices and electronic
media is properly cleaned of sensitive data and so ware
before being transferred outside of Via TRM either as
surplus property or as trash.
○ Computer hard drives are sanitized by using so ware that
is compliant with Department of Defense standards.
○ Non-rewritable media, such as CDs or non-usable hard
drives, is physically destroyed. The primary responsibility
for sanitizing computer systems, electronic devices and
media rests with the units that purchase them.
REMOVABLE MEDIA POLICY
● Removable Media Policy
○ Inappropriate use of removable data storage media
results in malware infections and loss of sensitive
information. The purpose of this policy is to establish
standards of secure use for removable data storage
media, where sensitive data is involved and to protect the
campus network from malicious so ware.
○ This standard applies to all Via TRM system and network
users with regard to removable media including floppy
disks, USB drives, CDs, DVDs, and any other physical
media available, used to transport or store data.
○ Users will ensure that the removable data storage
medium is free from malicious so ware before using
them (Removable storage media needs to be scanned for
any malicious so ware using standard anti virus so ware
having latest updates before using it.)
Information Security Policy for Via TRM 3

4.
○ Users will refrain from storing confidential data in
removable storage medium whenever possible. In case it
is absolutely required for business purpose, information
needs to be stored in encrypted format.
○ Users will ensure that removable storage device is
physically secure
○ When removable media is no longer needed, proper
disposal techniques will be employed (see Electronic Data
Disposal Policy).
ENCRYPTION STANDARDS FOR COMPUTING SYSTEMS
● All devices used to process or store data utilize full-device
encryption.
○ Mac OS X: Filevault 2 must be enabled. The recovery key
must not be stored with Apple or in any electronic format.
It will be recorded on paper and stored in a secure
location (Bank Safety Deposit Box).
○ PC: The device must support FIPS 140-2 (Windows
Bitlocker is approved) and must require a passcode
during the boot process to decrypt the boot drive.
○ External devices: Encryption is used for all data. For this
reason, a secure cloud provider (see “Cloud / SAS
Providers & Data Confidentiality”) will be utilized for data
sharing instead of physical devices such as USB memory
sticks.
Information Security Policy for Via TRM 4

5.
SOFTWARE & SYSTEMS
STANDARDS FOR COMPUTING SYSTEMS
● All devices used to process or store data are secured against
access by third parties. Personal devices used in this context are
not be shared with anyone else.
● This includes separate accounts for members of the same
household. The devices used for this are not be shared in any
way (including tablets and phones).
MOBILE DEVICES
● iOS: If available, Touch ID will be enabled. A device password
must be set, and simple passcode (4-digit PIN) must be
disabled. Find my iPhone should be enabled in order to allow
the device to be wiped in the event that it is lost or stolen.
● Android: If available, a Fingerprint Reader will be enabled. A
device password must be set, and simple passcode (4-digit PIN)
must be disabled. Android Device Manager should be enabled in
order to allow the device to be wiped in the event that it is lost
or stolen.
Information Security Policy for Via TRM 5

6.
PASSWORD MANAGEMENT & COMPLEXITY
● 3rd Party Services that require SSL and use 256 Bit encryption
are used for website and application password management.
● Passwords must be reasonably complex and not shared with
any personal services.
○ Passwords must be at least twelve characters in length,
but do not need to include special characters or digits.
○ Passwords must not be based on publicly-available
information (Birthdays, names, Social Security or bank
numbers, &c.).
Information Security Policy for Via TRM 6

7.
EMAIL
● Email is not an acceptable means of transferring data to another
user or entity.
○ Acceptable alternates would include hightail.com and
fileshare.com.
○ Any third party interaction with the email system (Google
Apps Marketplace, plug-ins to Outlook, etc) must meet the
stated encryption and SSL requirements as specified for
storage and network connectivity.
○ De-identified (obfuscated) client data is not considered
sensitive and may be shared via email in an unencrypted
format.
○ In all cases the transfer connection is required to be
encrypted with modern cryptography (TLS 1.2).
○ Sensitive Personal Information or PHI Data may never be
sent via email.
ANTIVIRUS APPLICATIONS
● Antivirus products are used on all applicable systems.
○ Mac OS X: Webroot SecureAnywhere.
○ Windows: Microso Security Essentials, Webroot
SecureAnywhere.
MULTIFACTOR AUTHENTICATION
● Where possible, two-factor authentication will be used.
● This is not required, but provides an additional layer of
protection against unauthorized access.
Information Security Policy for Via TRM 7

8.
BACKUP & DISASTER RECOVERY
● All data is backed up where practical.
○ This is not required for short-term transient data, but all
data that is intended to be available for long-term
retrieval is stored in at least two places.
○ Most cloud providers provide utilities that retain a “local”
copy of cloud data, such as Google Drive Sync or Box
Sync. These are su icient to safeguard against device
failure, but care must still be taken to protect against
accidental deletion.
○ A separate, dedicated backup service (to provide
incremental checkpoints) is in place.
○ All backups of sensitive data must also be considered
sensitive data.
○ Local backups (from Time Machine or a local version of
Crashplan as examples) must also maintain the same
level of encryption as the host system.
○ See attached Disaster Recovery Plan for additional
information regarding Via TRM so ware.
SOFTWARE PATCHING & OPERATING SYSTEM VERSIONING
● All devices used must use a currently supported Operating
System, and must be patched.
● In general, Apple products are considered obsolete a er five
years, and Microso products are considered obsolete a er
seven years.
● Apple: Please consult the Apple vintage and obsolete product
list at http://support.apple.com/kb/HT1752.
● Microso : Please consult the Microso Products Support
Lifecycle Policy at http://support.microso .com/gp/lifeselect.
Information Security Policy for Via TRM 8

9.
● For all others, please consult your device manufacturer.
CLOUD / SAS PROVIDERS & DATA CONFIDENTIALITY
● Any cloud services used should have terms of service ensuring
data confidentiality and provide a business associate
agreement (“BAA”).
● Any cloud providers that require a license be granted to them
(for any purpose) or that claim ownership of uploaded content
are not acceptable, and must not be used.
● Many video and photo sharing services such as Vimeo, YouTube,
Instagram, &c. include compulsory licensing clauses and are not
acceptable.
DEVELOPMENT PRACTICES (VIA GITHUB)
● A branch is created with a descriptive name to test new code.
● Comments are added to the branch and tracked.
● A pull request is made and code is reviewed and edits are
pushed to the branch.
● Changes are deployed and merged with the master branch.
● Code must pass through Continuous Integration and automated
tests before deploying to staging, quality assurance, or
production.
Information Security Policy for Via TRM 9

10.
Software Disaster Recovery Plan
Updated As of December 10, 2015
This is a high level overview of the scenarios, components, and
process for a disaster recovery plan. This is primarily a recovery plan
and does not cover specific backup methodologies. This also does not
factor in replication having been employed as a high availability
solution to disaster recovery.
Scenarios to be covered:
1. A server is compromised or impaired
2. The customer’s cloud hosting account is compromised
3. The cloud hosting vendor is impaired
A server is compromised or impaired
This scenario could be caused for several reasons.
● An intrusion by hackers
● A performance problem with the shared tenant environment
● Failed storage
● Failed physical host
ETA: under 1 hour
Steps:
1. Shutdown failed server especially if it is suspected to have
been compromised
2. Provision new server via Foreman
3. Deploys code to new server
4. Update DNS to reflect new IP address of new server for the
application
The customer’s cloud hosting account is compromised
This scenario would likely be caused by someone with malicious
intent knowing the customer’s credentials to AWS. This is an o en
overlooked scenario but perhaps one of the most potentially
catastrophic. For this reason it is very important to take account
security very seriously and to maintain backups outside of the
account.
Information Security Policy for Via TRM 10

11.
ETA: under 3 hours
Steps:
1. Shut down the servers inside the compromised account
2. Create a new account at Digital Ocean or Amazon Web
Services.
3. Provide new account credentials to obtain API keys
4. Configure Foreman with the new API keys
5. Provision new servers to new account and restores data
6. Deploy code to new servers
7. Update DNS to reflect new IP address of new server for the
application
The cloud hosting vendor is impaired
This scenario is similar to “The customer’s cloud hosting account is
compromised” in terms of recovery method with a few exceptions.
ETA: under 4 hours
Steps:
1. Create a new account at Amazon Web Services (could have a
dormant account
already setup ahead of time). If AWS is already being used for
backups then that
same account could be used.
2. Failover to new Foreman server at another cloud vendor
3. Provide new account credentials to obtain API keys
4. Configure Foreman with the new API keys
5. Deploy code to new servers
6. Update DNS to reflect new IP address of new server for the
application
Information Security Policy for Via TRM 11