Governance
Governance makes data protection measures and controlling tasks explicit in execution and accountability. It describes what should be done to verify that the Information Security Management policy is working properly and who is responsible to do so.
Data Protection Officer
The Data Protection Officer (DPO) is accountable for implementing procedures that guarantee the protection of data. The Data Protection Officer reports to the board of directors.
There is a dedicated Data Protection Officer assigned who can be reached via dpo@shipitsmarter.com
Governance structure
The DPO is accountable to guarantee the protection of data. As such the DPO defines schedules to review the state of the data protection measures.
The DPO reports to the board of directors. At least once a year a report on the state of affairs is expected, including suggested and executed changes to improve data protection.
In order to enable the DPO to execute the task given, the DPO has the right to view every technical solution, where temporarily access should be provided by DevOps.
The DPO works in close collaboration with the product owner and the operational team (DevOps) to ensure that the protection of data is upheld.
Vulnerability protection
All systems that are part of the SaaS platform will be scanned for vulnerabilities at least every six months. This scan preferably is executed in an automated way but can be executed manually.
Systems that are hosted by other parties (like Azure) where keeping the software up to date is guaranteed by those providers can be handled as up to date as long as there is certified proof provided by these parties.
Operating systems and other software systems should not be more than three months behind the release schedule for security updates as provided by the manufacturer.
The result of the scheduled scan and the execution of the security updates will be collected in a journal.
More information can be found in the Vulnerability Management Policy.
Access reviews
Every six months all Identity Access and Authorisation providers will be reviewed with the goal to minimise the risk related to Identity Access and Authorisation. Access is always given base on the least privilege principle, whereas little access is given to just enable persons and systems to execute the necessary operations.
An important part of the review is if the Identity Access provider supports the current Password Policy.
The DPO will organise and lead the Identity Access reviews. The result of the review will be a journal describing which Identity Providers have been reviewed, what needs to be changed, who will execute the changes and when the changes should be in place, where the DPO is responsible for the final approval.
External penetration test
Every six months a penetration test will be executed by an independent party, testing the vulnerability of automated systems to external attacks. The results will be reported to the DPO. The DPO will advise the product owner on changes when improvements are expected.
Security awareness training
At least once a year an internal Security Awareness Training will be followed by every employee. This training educates employees on how to handle data, what to do with potential issues, like breaches, and to give a clear overview on best practices. This training is also used to collect feedback in order to improve Information Security.
Registering infrastructural changes
All changes to the infrastructure, both in hard- and software, will be registered using the Operation Journal. Journal entries will contain a data, a description of the context and a relation to the associated work items, providing complete context, pull requests, code and builds.