Protective measures for physical access control

Physical access control is ensured by our cloud provider Amazon Web Services for all datacenters. It has a solid controlling process which involves several policy securities. Access authorization should be previously requested and approved by AWS employees, who must apply for third-party access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. These requests are approved by authorized personnel, and access is revoked after request time expires. Once granted admittance, individuals are restricted to areas specified in their permissions. Anyone granted visitor badge access must present identification when arriving on site and are signed in and escorted by authorized staff.
Authorized accesses are conducted by the Smadex Technology Team Lead.

Protective measures for system access control and Protective measures for data access control

2.1. Protective measures for system access

A. Data protection and privacy for employees

A.1) Storage options
Most of the data produced by employees is stored in the cloud. Other secured areas for Smadex data are local servers on site. Finally, files can also be stored on employees’ local computer.

A.2) Storage access
The cloud specifications also ensure that the data is transmitted through the HTTPS protocol. The same applies to email access, which can only be retrieved through secured access.
The cloud environment is particularly advantageous, especially with regards to storage redundancy. The automated versioning of files also allows for data security in the event that an unexpected edition is made and a previous version of a document must be restored.
Local server data can only be accessed through wire.
Access rights are implemented to ensure that documents are made available only to the appropriate people / teams for all the above technologies.

A.3) Backup policies
Cloud storage helps ensure that files are replicated and that the Smadex will not suffer any data loss.
Local storage on local computers is currently not subject to any backup policy. Therefore, it is the employee’s responsibility to rely on one of the two above solutions to secure his/her work.

A.4) Local copies of sensitive files
If an employee is in a situation where he or she should copy files to his or her local system, he or she is encouraged to use disk encryption technology like FileVault on Mac OS X or BitLocker on Windows 10. Employee may ask office management for help with configuring this option.
In case of loss of theft of a laptop, the activation of this option will prevent the disclosure of sensitive data that may be stored locally.

B. Workstation access
In the context of a tech-oriented company, users are made local administrators of their workstation so that they can install necessary tooling and software on demand. The anti-virus agent running on each computer and in the email software makes sure that attachments and executables are not Trojans, horses or viruses.
All workstations are operated in Windows, Linux and MacOS and a secure login/password is required to login.

C. Workstation protection
Every workstation comes with a pre-installed anti-virus agent.
To avoid unintended access to your workstation while employees are away, they have to lock their session as soon as they leave their desk (shortcut: Windows +L on Windows, CTRL+SHIFT+Power on MacBook). A pre-configured screensaver protected by password will be configured on their workstation.
It is strongly encouraged to update workstations as the OS editor (Microsoft, Apple) publishes security fixes to known breaches.

D. Smartphones
Professional smartphones should have the auto-lock policy activated with a relatively complex code so as to avoid data leakage / identity spoofing.
In the situation where a professional smartphone is lost or stolen, the concerned employee must contact the COO as soon as possible so that the device can be locked, and e-mail and application passwords reset.

E. Virtual Private Network (VPN)
The development and operations teams have the ability to access data center resources through a secured VPN tunnel. The tunnel is secured with a dedicated login/password.

F. Wireless Internet
Wireless Internet is available in the office. Is is completely separated from the production network. It is generally a good practice to connect to the Internet via one source at a time —either wireless and/or Ethernet. It is preferable to use the Ethernet connection when available.
Smadex has a unique wireless password which is periodically changed. The office also provides a public wireless access reserved for visitors.

2.2. Physical access

A. Access to facilities

A.1) Access to the office
Employees can access the building from 7:00 am until 10:00 pm. Outside of these hours, access is granted only to those with a personal key. After 10:00 pm and before 7:00 am, the doors are manually locked by key.
The attribution of keys to newcomers is a part of the integration process that will be initiated by managers upon the employee arrival.

A.2) IT local access
Equipment and servers that are running on site are stored in a technical room secured by a key that is provided to a specific list of people in the Infra team.

B. Security Control
Visitors can be welcomed by any employee, who should introduce or put in contact with the right person. Currently, visitors don’t get a temporary badge, neither are identified while being at Smadex offices.

2.3. Protective measures for data access
Within our applications, we use a custom authentication management with groups, rights and also different access levels, with at least: normal user and super admin (SA).
Access to data contained within cloud provider is protected using best practices of the cloud provider such as two-key authentication login and personal ssh keys together with low level granularity permissions.

Protective measures for transfer control
Access to the internal systems is secured by a VPN. Each employee has its own account and specific rights.
General access to public services is protected by hardware firewalls on each site. Our offices are also equipped with protections that limit/control transfer to specific protocols.
Production data are stored on servers that benefit from limited physical access. Removable storage is allowed on these servers, but the storage is fully emptied/deleted in the vent of detachment.
Data at-rest in cloud’s hardware is not yet encrypted, however it is made sure that all data in backups is stored in a read-only area once it has been generated. A plan to encrypt all at-rest data is in place, and all changes are expected to applied shortly. Access to this servers can only be done using severe
Data in-transit between cloud’s hardware is encrypted using SSL/HTTPS protocols when available. A plan to assure encryption of all in-transit data between cloud servers is in place, and all changes are expected to be applied shortly.
When data is deleted, it cannot be recovered.

Protective measures for input control
Data input for a large set of the features is ensured by controlled UI interfaces or backend servers receiving such data.
Most sensitive operations implement an historization logging that allows to retrieve change history and also get the identity of the person or entity that did the input.
In the near future we will leverage low-level historization features for most critical data stored on all our storage engines.

Protective measures for job control
For contractors scoped on sensitive areas ( finance audit, legal audit or technical audit ) that would lead that contractor to get a close-to access to these data, a Data Processing Agreement is signed and strict rules are emitted.
Smadex provided information security policy procedure for employees responsible for processing of personal data to ensure that data is processed in accordance with data exporter instructions.

Protective measures for availability control
Smadex maintains documented business continuity, incident response, data backup, and disaster recovery procedures designed to maintain business operations and redundancy of critical systems and data. Smadex performs regular testing to
ensure that availability supporting systems function properly in almost all services.
Smadex contained in its roadmap a plan to implement measures to prevent disasters happening on non already covered SPOFs ( single point of failures ).

Protective measures for purpose control
Development, staging and production/live systems are separated instances.
Employee have clear guidelines and work instructions on when to use the development, staging or the production/live environment.