Information security policy

1. Introduction & Purpose

This document summarises the Veremark Information Security Policy, which establishes the framework for protecting Veremark’s information assets, ensuring the confidentiality, integrity, and availability of data, and preventing unintended disclosure. All staff are required to adhere to these standards. Veremark may update or enhance this Information Security Policy; the most recent copy may be obtained on request.

2. Access Control & User Management

  • Access Provisioning: Access is granted based on the "principle of least privilege" and role-based needs.
  • Authentication:
    • Passwords: Minimum 15 characters, including mixed case, numbers, and special characters. Changed every 90 days.
    • Multi-Factor Authentication (MFA): Mandatory for all compatible systems, including email.
  • Revocation: Immediate revocation of access for leavers via a formal staff exit procedure.

3. Physical & Device Security

  • Physical Security: Strict access controls to physical locations; segregation of duties implemented to prevent unauthorized access.
  • Device Encryption: Full disk encryption is mandatory for all portable devices and computers.
  • Remote Work: Access to internal systems is secured via cryptographically secure VPNs with individual keys.

4. Network & System Security

  • Network Segregation: Internal and Guest Wi-Fi networks are strictly isolated.
  • Firewalls & Protection: All networked systems utilize approved firewalls. Mandatory anti-virus software is deployed with up-to-date definitions.
  • Vulnerability Management:
    • Monthly automated security scans.
    • Annual third-party penetration testing and software security audits.
  • Patching: Automated patch management via Qualys cloud agent; users are responsible for applying updates promptly.

5. Data Protection & Encryption

  • Data Classification: Data is categorised as Confidential (sensitive third-party/client data), Internal (staff only), or Public.
  • Encryption in Transit: All traffic encrypted using PKI certificates/keys (HTTPS, SSH).
  • Encryption at Rest: Confidential information is stored using cryptographically sound mechanisms aligning with ISO 27000 and SOC 2 standards.
  • Data Destruction: Secure eradication methods (e.g., Disk Crusher, Gdisk) used for end-of-life media.

6. Software Development & Change Management

  • Secure Development: All systems undergo a Security Architecture Review by the CTO prior to deployment.
  • OWASP Compliance: Systems are tested against the OWASP Top 10 prior to release.
  • Change Control: Strict change management procedures for application, infrastructure, and emergency fixes, requiring approval from the CTO and relevant leads (DevOps/Product).
  • Code Review: Rigorous internal review for all code, including third-party developments.

7. Compliance & Third-Party Management

  • PCI DSS: Veremark minimizes scope by not storing PCI data directly; however, any systems touching such data must be PCI compliant.
  • Supply Chain Security: No unapproved third-party libraries or services permitted.

8. Incident Response & Logging

  • Logging: Comprehensive audit logs retained for a minimum of 90 days, covering access, modifications, and suspicious activity.
  • Incident Response: A formal Incident Response Plan is in place covering identification, classification, escalation, and resolution of security events.

Older Versions

  • Version 2.0
  • Version 1.0
ISO27001 certified
Copyright © 2024 Veremark. All rights reserved