Effective from: February 13, 2019
Litmus Software, Inc. (“Litmus”) has established this Litmus Information Security Policy (the “Policy”) to provide management direction in accordance with business requirements and relevant laws and regulations. This Policy sets forth governance to protect the confidentiality, integrity and availability of information and information processing facilities of Litmus, and its customers and partners.
This Policy applies to all Litmus employees, contractors, consultants, agents, and affiliates (collectively referred to as “Litmus Personnel”).
The purpose of this Policy is to protect information and information processing facilities of Litmus from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction.
3. Organization of the Policy Document
This Policy comprises the following components:
- Information Steering Committee and other key stakeholders with defined roles and responsibilities.
- A set of sub-policies specified in this document.
A description of the sub-policies follows.
4. Acceptable Use Policy
The purpose of this sub-policy is to provide Litmus Personnel with guidelines regarding what is considered acceptable and unacceptable use of the assets and processes of Litmus.
4.1. Ownership and General Use
All proprietary information of Litmus (including without limitation information of its customers, vendors and licensors) stored in any form or format—including on electronic and computing devices, whether owned or leased by Litmus—that is accessed and/or used by Litmus Personnel is (as between Litmus and Litmus Personnel) the sole property of Litmus.
All internet/intranet/extranet-related systems—including but not limited to computer equipment, software, operating systems, storage media, and network accounts that provide electronic mail, internet browsing, and FTP—are the property of Litmus. These systems are to be used for business purposes in serving the interests of Litmus and our customers.
Litmus may monitor equipment, systems and network traffic for performance, security and network maintenance purposes.
Litmus Personnel must:
- Comply with this Policy, including without limitation Asset Management Policy and Access Management Standard for Mobile and Remote Computing, whenever connecting mobile and/or computing devices to any Litmus system.
- Secure all mobile devices with a password-protected (or similar functionality) screen-lock.
- Ensure that all system-level and user-level passwords comply with the Password Protection Policy.
- Secure all computing devices with a password-protected screensaver with the automatic activation feature set to 5 minutes or less.
- Lock the screen or log off when the device is unattended.
- Use extreme caution when opening email attachments received from unknown senders, which may contain malware.
- Follow all laws pertaining to the handling and disclosure of copyrighted or export controlled materials.
- Exercise good judgment while using any equipment, systems or networks of Litmus for occasional personal use (e.g., to check personal email); Litmus Personnel are advised to consult with their supervisor if there is any uncertainty.
- Promptly report the theft or loss of, or unauthorized access to, any equipment, system or network of Litmus.
- NOT provide information about, or lists of, Litmus personnel to parties outside Litmus.
- NOT provide information about, or lists of, Litmus customers to parties outside of Litmus unless expressly authorized by senior management of Litmus.
- NOT make fraudulent offers of products, items, or services originating from any Litmus account.
- NOT make statements about warranty, express or implied, unless doing so is part of their normal job responsibilities. The individual’s manager should be consulted prior to making any statement that is in question.
- NOT engage in any activity that is illegal under applicable law while utilizing Litmus-owned resources.
- NOT violate the rights of any person or entity protected by copyright, trade secret, patent, or other intellectual property right, or similar laws or regulations, including but not limited to installing or distributing "pirated" or other software products that are not appropriately licensed for use by Litmus.
- NOT violate the privacy rights of any person protected by applicable laws or regulations.
- NOT copy any copyrighted material, such as digitizing and distributing photographs from magazines, books, or other copyrighted sources, copyrighted music, or installing any copyrighted software for which Litmus or the end user does not have an active license.
- NOT export software, technical information, encryption software or technology in violation of applicable export control laws. Senior management or the individual’s manager should be consulted prior to exporting any material that is in question.
4.2. Security of Proprietary Information
Litmus Personnel must:
- Access, use or share Litmus proprietary information only to the extent authorized and necessary to fulfill their assigned job responsibilities.
- Ensure that proprietary information is protected in accordance with all relevant laws and regulations.
- Promptly report the theft, loss or unauthorized disclosure of Litmus proprietary information.
4.3. Unacceptable Use of Litmus Assets
Unless the following activities are a part of the normal job responsibilities of the Litmus Personnel or a prior approval is obtained from a member of the Information Security Steering Committee, Litmus Personnel must:
System and Network Activities
- NOT disable network access or disrupt production services.
- NOT access Litmus data, servers or accounts for any purpose other than conducting Litmus business.
- NOT inject malicious programs into a network or server, such as viruses, worms, Trojan horses or email bombs.
- NOT reveal personal account passwords to others or allow use of an individual account by others.
- NOT use a Litmus computing asset to actively procure or transmit material that is in violation of applicable law, including without limitation sexual harassment or hostile workplace laws in the local jurisdiction of the user.
- NOT cause or contribute to any security incident or disrupt network communication.
- NOT perform port scans or network scans of Litmus networks.
- NOT circumvent user authentication or security of any host, network or account.
- NOT introduce honeypots, honeynets or similar technology on any Litmus network or host.
Email and Communication Activities
Please refer to Electronic Mail (Email) Policy for details.
Blogging and Social Media
Blogging and social media (e.g., Facebook, Twitter, Instagram, etc.) by Litmus personnel, whether using the property and systems of Litmus or personal property and systems, is also subject to the terms and restrictions set forth in this Policy. Limited and occasional use of the property and systems of Litmus to engage in social media is permissible, if it is done in a professional and responsible manner, does not otherwise violate the policies of Litmus, is not detrimental to the best interests, image, goodwill or reputation of Litmus, and does not interfere with the individual’s regular work duties. Social media postings made using the property or systems of Litmus are subject to monitoring.
Litmus personnel must:
- NOT reveal any confidential or proprietary information of Litmus when blogging or posting on social media.
- NOT engage in any social media activities that may harm or tarnish the image, reputation and/or goodwill of Litmus and/or any Litmus Personnel.
- NOT make any discriminatory, disparaging, defamatory or harassing comments when posting on social media or otherwise engaging in any conduct prohibited by Litmus policies, including the Non-Discrimination and Anti-Harassment policy.
- NOT attribute personal statements, opinions or beliefs to Litmus when engaged in social media. If any Litmus Personnel desires to express his or her beliefs and/or opinions, that individual may not, expressly or implicitly, represent that s/he is an employee or representative of Litmus. Litmus Personnel are solely responsible for any and all risk associated with their social media activities.
- NOT use the name, trademarks, logos or any other intellectual property of Litmus in the social media posts.
4.4. Off-site Removal of Information Systems, Computers and Network Devices
Information systems, computers and network devices must not be removed from Litmus offices unless prior written approval is obtained from the IT department.
In the case where Litmus Personnel are permitted to work remotely, the following controls apply:
- Equipment and media taken off-site must not be left unattended in public places or left in sight in a vehicle.
- Information should be protected against loss or compromise when working remotely.
- Care should be taken with the use of mobile devices such as laptops, mobile phones, smartphones and tablets.
- All devices must be password protected and disk encryption must be in effect.
- Approved VPN software must be used while on any public network.
- Anti-virus/malware software must be installed, running and up to date.
5. Clean Desk and Clear Screen Policy
This sub-policy is a part of standard basic privacy controls. The purpose of this sub-policy is to ensure that all sensitive/proprietary materials are safeguarded by establishing the minimum requirements for maintaining a “clean desk and clear screen.”
5.1. Policy Components
When Litmus Personnel use shared space, they must:
- Ensure that all sensitive/proprietary information in hardcopy or electronic form is secure in their work area when they are expected to be away from their work area for an extended period of time and at the end of the work day.
- Lock their workstations or laptops when their workspace is unoccupied.
- Remove from their work area or securely store any restricted or sensitive information when their work area is unoccupied and at the end of the work day.
- Close and/or lock the file cabinets containing confidential or secret information.
- NOT leave the keys used to access confidential or secret information at an unattended desk.
- Promptly remove printouts containing confidential or secret information from shared printers and use secure print functionality where available.
- Shred confidential or secret documents using official shredder bins or deposit documents in official locked confidential disposal bins.
- Erase whiteboards containing confidential or secret information.
- Lock away portable computing devices, such as laptops and tablets.
- Treat mass storage devices, such as CD-ROM, DVD or USB drives, as sensitive and secure them in a locked drawer.
6. Application Security Policy
Web application vulnerabilities account for the largest portion of attack vectors outside of malware. It is crucial that the Litmus web-based application be assessed for vulnerabilities, and that these vulnerabilities be remediated prior to deploying the application in a production environment.
A brief description of the procedure Litmus uses to secure its applications follows.
6.1. Application-layer Testing
Applications are tested via the following methodologies based on the ISO 9001 standards:
- Code Reviews - Source code is reviewed for good coding principles and best practices before every release.
- Static and Dynamic Analysis - WhiteHat Security conducts static and dynamic analysis of the application's source code and binary code on a continuous basis. Findings are prioritized and remediated.
- Open-source Code Analysis - All open-source code used is analyzed for emerging CVEs (Common Vulnerabilities and Exposures) and CWEs (Common Weakness Enumeration). Tools such as Black Duck are used for this process.
6.2. Application-layer Assessment Process
The following guidance shall be adhered to when assessing the security of the Litmus web-based applications:
- New or Major Application Releases are subjected to a full assessment prior to approval of the change control documentation and/or release into the live environment.
- Point Releases are subjected to an appropriate assessment level based on the risk of the changes in the application functionality and/or architecture.
- Patch Releases are subjected to an appropriate assessment level based on the risk of the changes to the application functionality and/or architecture.
- Emergency Releases are allowed to forgo security assessments and carry the assumed risk until such time that a proper assessment can be carried out. Emergency releases are designated by the appropriate manager who has been delegated this authority.
- Third Party or Acquired Web Applications are subjected to a full assessment, after which they are bound to the policy requirements.
6.3. Risk Assessment Categories
All security issues that are discovered during assessments must be mitigated based upon the following risk levels. The risk levels are based on the OWASP Risk Rating Methodology. Remediation validation testing is required to validate the fix and/or mitigation strategy for any discovered issue of medium risk level or greater.
- High – Any high-risk issues are fixed immediately, or other mitigation strategies are put in place to limit exposure before deployment. Applications with high-risk issues are subject to being taken off-line or denied release into a live environment.
- Medium – Medium-risk issues are reviewed to determine what is required to mitigate and scheduled accordingly. Applications with medium-risk issues may be taken off-line or denied release into a live environment based on the number of issues and if multiple issues increase the risk to an unacceptable level. Issues are fixed in a patch/point release unless other mitigation strategies limit exposure.
- Low – Low-risk issues are reviewed to determine what is required to correct the issue and scheduled accordingly.
6.4. Risk Assessment Levels
The following security assessment levels are established by the Information Security organization (or such other designated organization that performs the assessment):
- Full – A full assessment is comprised of tests for all known web-application vulnerabilities using both automated and manual tools based on the OWASP Testing Guide. A full assessment will use manual penetration testing techniques to validate and determine the overall risk of any and all discovered vulnerabilities.
- Quick – A quick assessment consists of a (typically) automated scan of an application for the OWASP Top Ten web-application security risks at a minimum.
- Targeted – A targeted assessment is performed to verify vulnerability remediation changes or new application functionality.
6.5. Risk Assessment Tools
The currently approved web-application security assessment tools used for testing are:
- AWS Trusted Advisor
- Brakeman (Rails)
- Cloud Custodian
Other tools and/or techniques may be used depending upon what is found during the default assessment. The validity and risk are subject to the discretion of the Security and Engineering teams.
7. Asset Management Policy
The purpose of this sub-policy is to maintain accurate records of the physical computer assets of Litmus. This sub-policy establishes procedures to ensure compliance with industry standards and to ensure accurate reporting of physical assets.
7.1. Asset Management
All IT assets purchased are recorded and maintained on a fixed asset register by the Litmus IT Department. To manage the register accurately and efficiently, all Litmus Personnel shall adhere to the following requirements. Litmus Personnel must:
- NOT remove IT assets—including without limitation laptop or tablet computers, personal digital assistants (PDAs) or smartphones—supplied by Litmus from company premises, except when the Litmus Personnel are teleworking or working outside the office on a Litmus assignment.
- Safeguard any IT assets they remove from the premises of Litmus, including keeping all assets under their direct physical control whenever possible, and physically securing the assets when they are not under the individual’s direct physical control.
- Immediately report the loss or theft of any assigned IT assets to the IT Department.
- NOT bring their own IT assets into work locations to connect to Litmus network or access Litmus data.
7.2. Media Handling
7.2.1. Management of Removable Media
Litmus Personnel do not, in general, have a need to use removable media. They are permitted to take their laptops to remote locations for teleworking purposes. These laptops must be managed by the Litmus IT Department; that is, they must have end-point controls in effect. See the Endpoint Protection Policy for additional details.
7.2.2. Disposal of Media
Disposal of IT assets, including the sale, transfer, donation, write off or sustainable disposal (recycling), must be done in adherence with all applicable laws and contractual obligations of Litmus. Computer hardware must have all software and information securely removed prior to disposal. Sensitive data must be deleted using secure methods as soon as such data is no longer required. Secure methods of removal mean the use of software that can be configured to overwrite the data at least three times and/or physical destruction of the hard drives to the extent it precludes any possible restoration of the data. The Litmus IT Department owns this responsibility.
7.2.3. Physical Media Transfer
Litmus Personnel do not use physical media. All transfers take place via cloud services or in an automated manner.
8. Change Management Policy
The primary goal of this sub-policy is to establish a process to deliver changes in an efficient and timely manner while minimizing risk. To enable our business to function smoothly, every change falls into one of the three change processes described below.
Some changes fall under a category of well-known, repeated changes that have prior approval. These changes are implemented as needed and are tracked through standard issue tracking tools, but are not in scope for the change management process.
The remaining bulk of our changes are managed through continuous integration or continuous delivery tools. These are tracked through an automated process that generally follows this pattern:
- Change Implementation – These changes are in code, either through an automation tool like Chef or Terraform or to actual software application code (such as services, APIs and front-end interfaces). These changes are always made to a branch and pushing to master directly is prohibited.
- Pull-Request – A pull-request (“PR”) is then opened, requesting permission to merge to the master branch and deploy the change.
- Unit Testing – When a PR is opened, the software is run through an initial set of automated tests, as applicable.
- Code Review – All PRs must be reviewed and approved by at least one other member of the team familiar with the code in question.
- Integration Tests – When the PR is approved, a full build is run and remaining tests are run, as applicable.
- Deployment – If the build and tests pass, the build is either queued for manual deployment or automatically deployed to production, depending on the service and the team.
A deployment typically incorporates a staging environment at some point in the process, but the implementation may vary.
Lastly, there are high-risk or heavily manual changes. These changes go through the following approval process:
- Change Request – Changes are filed through a specific template that requires (as a minimum) documentation of:
  - When the change will happen
  - What the justification for the change is
  - What risks are present in the proposed change and what mitigating steps have been taken to address those risks
  - A detailed description of the change itself and how it will be tested for success or failure afterward
  - A detailed description of what steps to take to roll back the change (if possible) should anything go wrong
- Technical Review – All changes are then reviewed by another team member familiar with the affected systems.
- Stakeholder Review – Changes that affect customers are socialized with key stakeholders, along with the change window, to balance risk and customer impact with the justification for the change itself.
- Change Announcement – For changes that impact customers, the finalized window is announced to our partners and posted on our statuspage.io site in advance of the change in accordance with our established partner agreement requirements.
- Change Implementation – The change is implemented according to the documented plan. Any unforeseen deviations from that plan are documented, and rollback steps are updated as needed. Any planned tests are run to verify the change is successful with no unanticipated side effects.
- Post-Change Review – After the change is complete, the change request is left open for a minimum of 24 hours.
Any outages caused by a change are noted, as well as whether the change failed, was rolled back or was successful. This data is leveraged to establish metrics for operational safety and performance.
9. Compliance and Security Audit Policy
The purpose of this sub-policy is to advise users of security scanning procedures and precautions used by Litmus to audit its network and systems. Other persons or entities, unless authorized, are prohibited from performing any such audits.
Audits may be conducted to:
- Ensure integrity, confidentiality and availability of information and resources.
- Investigate possible security incidents to ensure conformance to Litmus Information Security policies.
- Monitor user or system activity where appropriate.
Litmus will utilize auditing software to perform electronic scans of its networks, servers, switches/routers, firewalls, and/or any other systems used at Litmus. This audit also includes scans of any electronic communication and emails, regardless of the sender or recipient of the communications.
These audits may include:
- User and/or system-level access to any computing or communications device.
- Access to information that may be produced, transmitted or stored on Litmus equipment or premises.
- Access to work areas (such as offices, workstations, and storage areas).
- Access to interactively monitor and log traffic on Litmus networks.
- Penetration testing.
- Password Auditing.
- Scanning for personally identifiable information, including personal data.
Scheduled third-party audits of Litmus infrastructure, code and processes are conducted to maintain the highest level of confidentiality, integrity and availability of systems and data of Litmus and its customers and partners.
10. Disaster Recovery Policy
The purpose of this sub-policy is to establish the processes and procedures that will be followed to ensure the overall continuation of Litmus business operations during an outage event. See the Litmus Disaster Recovery Plan for details.
11. Electronic Mail (Email) Policy
Email is pervasively used in almost all industry verticals and is often the primary communication and awareness method within an organization. At the same time, misuse of email can pose many legal, privacy and security risks.
The purpose of this sub-policy is to provide governance on what Litmus considers acceptable or unacceptable use, best practices and compliance or non-compliance with this policy.
Therefore, it is important for Litmus personnel to understand the appropriate use of electronic communications and be aware of the following guidelines:
- All use of email must be consistent with Litmus policies and procedures, including those related to ethical conduct, safety and compliance with applicable laws and proper business practices.
- Litmus email accounts should be used primarily for Litmus business-related purposes; personal communication is permitted on a limited basis, but non-Litmus related commercial use is prohibited.
- All Litmus data contained within an email message or an attachment must be secured according to applicable laws.
- Email that is identified as a Litmus business record shall be retained according to Litmus Record Retention Schedule.
- The Litmus email system shall not be used for the creation or distribution of any disruptive or offensive messages, including without limitation: offensive comments about race, gender, physical appearance, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Litmus Personnel who receive any emails from other Litmus Personnel that contain any content that may be in violation of this policy should report the matter to their supervisor immediately.
- Users are prohibited from automatically forwarding Litmus email to a third-party email system. Individual messages that are forwarded by a user must not contain proprietary information of Litmus, including any sensitive information.
- Users are prohibited from using non-standard third-party email systems and storage servers to conduct Litmus business, to create or memorialize any binding transactions, or to store or retain email on behalf of Litmus. Such communications and transactions should be conducted through proper channels using Litmus-approved systems.
- Using a reasonable amount of Litmus resources for personal emails is acceptable, but non-work-related email shall be saved in a separate folder from work-related email. Sending chain letters, joke emails, Ponzi or other pyramid schemes from a Litmus email account is prohibited.
- Personal emails must not be used for forwarding Litmus’ customer related information.
- Litmus Personnel shall have no expectation of privacy in anything they store, send or receive via the Litmus email system.
Litmus may monitor messages without prior notice.
12. Endpoint Protection Policy
This section refers to the hardening, patching and protection of endpoints used by Litmus Personnel. Litmus utilizes several layers of protection for endpoints. Litmus enforces:
- AES 128-bit disk-level encryption on laptops/workstations.
- Anti-malware/virus scanning.
- Two-factor authentication for access to any Litmus applications when not on the Litmus network.
See the Litmus Asset Management Policy and Operations Controls – Malware Protection Policy for additional details.
13. Network Security Policy
Remote access to the Litmus network is essential to maintain business productivity. It is, however, likely that the remote access originates from networks that may already be compromised or are at a significantly lower security posture than the corporate network of Litmus.
Therefore, this sub-policy is established for the purpose of instituting the requirements that Litmus Personnel must follow when connecting with the Litmus network, in addition to abiding by the best practices specified in the Acceptable Use Policy. Litmus Personnel must:
- Use Virtual Private Networks (VPNs) and strong passphrases to connect with the Litmus (corporate) network.
- Secure their personal network (e.g., Wi-Fi) with strong encryption and passphrase protection.
- NOT bridge the Litmus network with any personal networks (such as Hotspots).
- Get prior written approval for use of any external resources to conduct Litmus business from the Information Security Lead and appropriate business unit manager.
- Ensure that all hosts that are connected to Litmus internal networks via remote access technologies have the most up-to-date anti-virus software.
14. Password Protection Policy
This sub-policy provides technical guidelines to promote the secure implementation of the password management lifecycle, and to enable multi-factor authentication for Litmus IT services.
The guidelines follow. Litmus Personnel, including and especially system administrators, must:
14.1. Password Creation
- NOT use the same password for Litmus accounts for access to other non-Litmus accounts (example: personal ISP account, option trading, benefits, etc.). Use tools such as 1Password to facilitate maintenance of different passwords.
- Use a password that is a combination of upper and lower case letters, numeric characters and punctuation characters, and that has a minimum length of 8 characters.
14.2. Password Change
- Change all passwords on a quarterly basis, and follow the reminders sent by the Information Security Department.
- NOT re-use the previously used four passwords.
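The composition rules in 14.1 and the four-password history rule in 14.2 are straightforward to enforce in code. The following is an added example, not Litmus's own tooling, of a validator that checks a candidate password against both rules while keeping the password history as salted PBKDF2 hashes rather than plaintext (the hash parameters, the `history` structure and the function names are assumptions of this example, not anything the Policy specifies):

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

MIN_LENGTH = 8      # minimum length required by section 14.1
HISTORY_DEPTH = 4   # previously used passwords that may not be reused (section 14.2)

# Assumed history format: newest entry last, each entry a (salt, digest) pair.
History = List[Tuple[bytes, bytes]]


def composition_errors(password: str) -> List[str]:
    """Return the 14.1 composition rules the candidate fails (empty list means it passes)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        errors.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        errors.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    if not any(c in string.punctuation for c in password):
        errors.append("no punctuation character")
    return errors


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 so the stored history never contains plaintext.
    Iteration count is an assumed value for this example."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def reused_from_history(password: str, history: History) -> bool:
    """True if the candidate matches any of the last HISTORY_DEPTH stored hashes."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        # Constant-time comparison so timing does not leak partial matches.
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def validate_new_password(password: str, history: History) -> List[str]:
    """Combine the 14.1 composition check and the 14.2 history check."""
    errors = composition_errors(password)
    if reused_from_history(password, history):
        errors.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return errors


if __name__ == "__main__":
    # Constructed sample history: one previous password, stored hashed.
    history: History = [hash_password("OldPass#1")]
    for candidate in ("Ab1!", "Password!", "OldPass#1", "NewPass#2"):
        problems = validate_new_password(candidate, history)
        print(f"{candidate!r}: {'accepted' if not problems else '; '.join(problems)}")
```

When a new password is accepted, the caller appends its `hash_password` result to the history list; keeping only the last `HISTORY_DEPTH` entries is what makes the 14.2 rule enforceable without ever storing the old passwords themselves.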
14.3. Password Protection
- Treat passwords as sensitive Litmus information. Therefore, Litmus Personnel must not share their passwords with anyone, including but not limited to administrative assistants, managers, co-workers or family members.
15. Physical Security Policy
This sub-policy is established to limit access to physical environments with a purpose to protect information and information processing facilities from unauthorized physical access, electronic penetration through electronic emissions and environmental hazards. In case of any conflict between this policy and applicable law, applicable law shall prevail.
15.1. Secure Areas
A brief description of how Litmus ensures that physical security is in effect follows.
15.1.1. Physical Security Perimeter
The building owners that host Litmus offices share the responsibility of providing physical security. They protect the reception, delivery and loading areas, and physically secure the perimeters. For the Cambridge, MA office of Litmus, there is also a guard posted at the entrance 24 hours a day, 7 days a week, and all visitor entries are logged by building reception. Litmus further adds another layer of physical protection by using electronic card access and video-monitoring at the entrances of the office.
For the San Mateo, CA office of Litmus, access is restricted by electronic card access or unique keycode, and all visitor entries are logged by Litmus personnel.
Remote workers share responsibility in protecting information and information processing facilities in their respective remote locations.
The data center owners provide and own the responsibility of securing the centers.
15.1.2. Physical Entry Controls
The electronic cards are assigned to only Litmus Personnel. A Litmus employee must always accompany all visitors, including the contractors and construction workers, while they are in the offices of Litmus.
15.1.3. Securing Offices, Rooms and Facilities
Physical security for offices, rooms and facilities is in effect. Video-monitoring and electronic card-readers are used at the entrances of the offices. All rooms, including the conference rooms, offices and breakout rooms, have doors with locks in case sensitive work needs to be carried out in these locations.
15.1.4. Working in Secure Areas
Litmus offices, rooms and facilities are secured by additional measures. There must be an access control to these areas and video monitoring is in place. The access controls will be reviewed once a year or when a change in employment occurs.
15.1.5. Delivery and Loading Areas
The building owners from whom Litmus leases office space share the risk and responsibility of protecting delivery and loading areas. They are responsible to help ensure that these locations do not become an entry point for unauthorized entry.
15.1.6. Removal of Assets
Litmus Personnel are permitted to work remotely and, therefore, are permitted to take their laptops or other assets along with them as needed to perform their work. Litmus also holds Litmus Personnel responsible for ensuring that the assets and the information in the assets remain protected at all times and in all locations. The controls provided for end-point management, asset management and access controls detailed in this sub-policy under their respective sections add additional layers of protection.
15.1.7. Security of Equipment and Assets Off-Premises
Litmus Personnel are made aware of, and own, the responsibility of securing their equipment and assets off-premises. The controls provided for end-point management, asset management and access controls detailed in this sub-policy under the respective sections apply. In addition, other network controls specified in the Network Security Policy must be followed.
15.1.8. Secure Disposal or Re-Use of Equipment
Litmus Personnel and asset owners (such as the IT Department or authorized administrators) are made aware of their responsibility for protecting their equipment. Litmus provides additional protection by ensuring that the equipment is password-protected and that disk encryption is in effect.
16. Security Awareness Policy
This sub-policy is established for the purpose of ensuring that all activities undertaken by Litmus Personnel reflect effective, risk-based decisions made in the best interest of the organization, while protecting critical and sensitive information from being compromised.
All Litmus Personnel are required to take Security Awareness Training annually and/or within 30 days of onboarding. The training will be provided through a set of online video tutorials and/or electronic material. In-person training may also be provided when and where possible.
17. Security Event Logging and Monitoring Policy
This sub-policy is established to address the institution of event logging and monitoring infrastructure by Litmus to support monitoring of performance, security-related events and forensic investigations.
17.1. Types of Logs
The following are examples of the logs aggregated and stored:
- Application-layer Logs – Rails application-layer logs and Jira logs.
- System-layer and Network-layer Logs – DNS, VPN, NuGet, RDS, NGINX and system security logs.
- Cloud-service Logs – CloudTrail logs, SSH access logs, and AWS identity and access management logs.
17.2. Log Retention
Our current log aggregation keeps application logs for 30 days; however, logs may be persisted for a longer period on the application servers. Litmus is currently deploying an enhanced solution that will retain our critical application, system and security logs for a minimum of 90 days.
17.3. Privacy Compliance
Detailed documentation is maintained that describes who accesses logs and the use cases for which the logs are accessed. In addition, (a) prior approval from the Information Security Lead is required before any logs are accessed, and (b) privacy management software, such as OneTrust, is utilized for integrating workflows pertaining to log usage.
18. Vulnerability and Patch Management Policy
This sub-policy specifies the standards and procedures for the identification and remediation of Litmus system and software security vulnerabilities. It includes the following measures:
18.1. Vulnerability Assessment Framework
Litmus will maintain standard security configurations in line with this sub-policy and vendor recommendations for all systems.
Vulnerabilities at all of the following layers are assessed and remediated:
- Application-layer Assessment – Please refer to the Application Security Policy.
- Operating-system (OS) layer Assessment – Litmus uses Mac and Windows OS and ensures that all its assets in data centers, as well as those used by Litmus Personnel, are running the latest version of the OS and are patched for all security updates.
- Network-layer Assessment – Scans of Litmus assets, as well as data center scans, will be conducted periodically. The data center scans will comply with the supplier (AWS) requirements.
- Default Configurations and Configuration Drift – All open-source components will be assessed for security. The configuration drift of the S3 buckets is periodically tested.
18.2. Vulnerability Validation, Triaging and Remediation
All vulnerabilities shall be triaged as “CRITICAL,” “HIGH,” “MEDIUM,” or “LOW.” Critical and High vulnerabilities will be validated as true positives and remediated. A report detailing the vulnerabilities and remediation approaches will also be generated.
Remediation efforts may be subject to delay when patches to be applied need to be developed in-house or tested to ensure that the production environment continues to operate correctly.
18.4. Going Forward
Litmus shall monitor US-CERT alerts, incorporate threat-intelligence reports from Open Source Intelligence, and analyze open-source vulnerabilities.
19. Access Control Policy
This sub-policy ensures that only those individuals who are authorized and authenticated shall have access to the sensitive/confidential materials of Litmus. This sub-policy specifies operational controls, business requirements, user access management, user responsibilities and system and application access control requirements. Since Litmus uses cloud-based services, access controls provided by these cloud services are also leveraged.
19.1. Business Requirements
Access to the information, information processing facilities, networks and network services identified as business-critical is limited. Access control rules, access rights and restrictions are in place for these critical assets. The access controls are formalized with suppliers, and role-based access has been instituted.
19.2. User Access Management
Litmus ensures that only authorized users have access to systems and services. These controls include the following:
- User Registration and Deregistration – To enable assignment of access rights, all users of systems or applications are supplied with a unique user ID related to the user’s identity, or another individually identifiable authentication method, to gain access to those systems. Unique user IDs enable users to be linked to, and held responsible for, their actions. To detect unauthorized access, logging and monitoring infrastructure is being set up. A formal user registration and deregistration process has been established and implemented.
- Records of Authorized Users – A record of authorized users who have access to information and information facilities is maintained in our IDP/Okta.
- User Access Provisioning – A formal user access provisioning process must be implemented to assign or revoke access rights for all users. People Operations, along with personnel managers, shall authorize users for membership to relevant groups. The membership to the group shall be granted by a member of the IT/Operations Department.
- Unique Use of User IDs – Each user having access to sensitive information is assigned a unique identification for authentication and authorization purposes.
- User ID Management – Only a limited number of users are provided privileged access rights, thereby limiting the use and access of these rights. These rights are reviewed by the senior management periodically.
- Management of Privileged Access Rights – All open-source components will be assessed for security. The configuration drift of the S3 buckets is periodically tested.
- Management of Secret Authentication Information – Allocation of secret authentication information (such as passwords to critical information) is managed by the IT Department.
- Review of User Access Rights – User access rights are reviewed by the asset owners every year or when a change of employment or contract takes place.
- Removal or Adjustment of Access Rights – The access rights of all Litmus Personnel and external party users to information and information facilities are removed upon termination of employment, contract or engagement, or otherwise adjusted upon change in status.
19.3. User Responsibilities
Users will be made accountable for safeguarding their authentication information so that the information of Litmus, and its customers and suppliers, is protected and not divulged to any unauthorized person.
19.4. System and Application Access Control Requirements
This control limits unauthorized access to systems and applications and comprises the following aspects:
- Information Access Restriction – Access to systems is restricted in accordance with the access control policy. Access shall be reviewed when a person joins or leaves Litmus, or changes departments. For further elaboration, refer to the Access Control Policy.
- Secure Log-on Procedures – All systems are access-controlled via log-on procedures. Refer to the Access Control Policy and Password Protection Policy for further elaboration of the specific procedures.
- Password Management System – The Litmus password sub-policy is implemented to manage the passwords used for accessing sensitive/confidential information and information-processing facilities. Refer to the Password Protection Policy for further details.
- Use of Privileged Utility Programs – Access to privileged utility programs, such as operating system utilities, is restricted. In addition, logging and monitoring infrastructure is instituted to monitor the usage of these utility programs on critical information facilities.
- Access Control to Program Source Code – Access to program source code and associated items (such as design specifications, validation and verification plans) is restricted. This control will prevent the introduction of unauthorized functionality into these critical resources.
20. Information Security in Development and Support Processes
20.1. Security Requirements of Information Systems
Information security requirements are recognized and integrated in the software development cycle. Information involved in application services passing over public networks must be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
20.2. Security in Development and Support Processes
Litmus will separate the testing environment from the production environment. Segregation of duties is applied between testing functions (such as user acceptance, quality assurance, functionality, and information security) and production functions.
20.3. Protection of Test Data
Test data is protected and separated from production data. Production data will not be used for testing without prior authorization.
21. Access Management Standard for Mobile and Remote Computing
Litmus relies on, and permits, Litmus Personnel to work remotely. Therefore, Litmus uses and enforces security controls for mobile and remote computing.
21.1. Mobile Device Security
Litmus-issued computing devices have (a) an anti-malware solution, (b) disk encryption, and (c) mobile device management (MDM) on Mac laptops. Media card usage is not permitted.
These devices can be remotely erased/wiped and managed by the Litmus IT administrators in the event they get stolen or misplaced.
21.1.1. Use of Cell Phones and Personal Digital Assistants (PDAs)
Litmus Personnel typically bring their own mobile devices. These devices can be used for checking official business emails. Litmus relies on the mobile operating systems and applications to ensure that the container-level partition exists. Mobile device management solutions are being considered.
21.1.2. Use of USB Memory
Litmus Personnel must not use USB memory for storing customer data, or system production or test data.
21.1.3. Use of Storage and Tape
Litmus Personnel must not use any storage devices or tape for storing customer data, or system production or test data.
21.2. Secure Computer Image
Disk encryption via FileVault and anti-malware protection via Bitdefender are provided for the Mac OS used by Litmus Personnel. Litmus Personnel are advised to use Time Machine to take periodic secure images of their operating systems.
22. Supplier Management Policy
22.1. Information Security Policy for Suppliers
This sub-policy specifies information security requirements that suppliers must comply with when they access the assets, information, and information processing infrastructure of Litmus so that risks suppliers could introduce may be mitigated.
The following are the key aspects of managing information security for suppliers:
- Addressing Security in Supplier Agreements – Litmus shall establish information security requirements and make each supplier agree to be legally bound by these requirements if the supplier’s employees, products or services access, store or process the data, or access the information systems, of Litmus or its customers. As part of the supplier agreements, Litmus requires each supplier to complete a questionnaire that must be approved by the Information Security Lead. In addition, all suppliers are continuously tracked through privacy management software (OneTrust).
- Contract Measures – Litmus has entered into a contract with its cloud service provider that specifies how personally identifiable information, including personal data and other sensitive information, if applicable, shall be protected in accordance with applicable laws.
- Information and Communication Technology Supply Chain – Litmus shall specify information security requirements in supplier agreements to ensure information security risks associated with information and communication technology supply chains are mitigated.
- Supplier Relationships – Third parties, including contractors and suppliers who access Litmus information or information processors, must comply with Litmus security requirements and controls.
22.2. Supplier Service Delivery Management
Supplier service delivery will be managed via the following two activities:
- Monitoring and Review of Supplier Services – Litmus shall regularly monitor, review and audit supplier service delivery in accordance with the level of risk to Litmus.
- Managing Changes to Supplier Services – Re-assessment of supplier risk shall be carried out whenever supplier services and/or products change.
23. Information Security Incident Management Policy
Litmus has established policies and procedures to manage information security incidents. Refer to the Information Security Incident Management Policy for a description of the policy.
24. Information Classification Policy
Information is a critical resource at Litmus. To ensure that Litmus meets customer, industry, regulatory, and privacy standards, and to reduce the risk that restricted or sensitive information is accidentally released to unauthorized parties, Litmus adheres to the following structured four-tier data classification system:
- Public – This information is approved for public release by our Marketing team. Disclosing this information would not be a problem for Litmus, its customers or business partners.
- Internal – This information is intended for use within Litmus, and in some cases with other affiliated organizations, such as business partners or vendors. Unauthorized disclosure of this information may be a violation of applicable law or contractual obligations, or may otherwise cause problems for Litmus, its customers or business partners.
- Confidential – This information is private or otherwise sensitive in nature and is restricted to those with a legitimate business need for access. Unauthorized disclosure of this information may be against applicable law or contractual obligations, or may cause significant problems for Litmus, its customers, or business partners.
- Secret – This information is the most private or otherwise sensitive and is always monitored and controlled. Unauthorized disclosure of this information to people without a legitimate business need for access may be against applicable law or contractual obligations, and will cause severe problems for Litmus, its customers or business partners.
25. Operational Security Policy
The purpose of this sub-policy is to specify the information security requirements that ensure secure operation of Litmus information systems and proper management of the IT security program and technologies.
This sub-policy comprises the following components:
- Operational and Deployment Procedures and Responsibilities – Operating procedures and deployment procedures used by Litmus Personnel will be documented to ensure that systematic processes and information security procedures are followed during deployment.
- Change Management – All changes to operational software adhere to an agile methodology comprising sprints. Jira is used to plan and manage changes. Refer to the Change Management Policy for further elaboration of the process.
- Separation of Development, Testing and Operational Environments – Litmus uses separate environments for development, testing and production, thereby reducing the risk of unauthorized changes to the production/operational environment.
25.1. Protection Against Malware
Litmus uses anti-malware software to protect the software on Litmus-managed information processing assets. Bitdefender is used as the anti-malware tool. The tool is updated hourly, and full scans are conducted bi-weekly. The scans include analyzing all files as well as CD/DVD storage and USB storage.
25.2. Logging and Monitoring
A logging and monitoring infrastructure is being designed and prototyped for the Litmus infrastructure. It is described in the Security Event Logging and Monitoring Policy.
25.3.1. Information Backup
The databases supporting the Litmus software and storage of information (for the testing, development and production environments) are backed up daily, with transaction logs backed up every 5 minutes, allowing for minimal data loss should restoration from a backup be required. GitHub backup is leveraged to ensure that the source code that Litmus uses is backed up.
The software or automation tool used for backup shall be tested every quarter to ensure that it is working properly.
25.3.2. Control and Logging of Data Restoration
When and if data is restored, the following must be logged: (a) the type of data restored, (b) who restores it, and (c) when the restoration took place.
25.3.3. Retention Period for Administrative Security Policy and Guidelines
Copies of the security policies, guidelines and procedures will be retained for 5 years, or such other period if required by applicable law or contractual obligations.
25.4. Control of Operational/Production Software
Installation of any software in an operational environment is conducted in accordance with the Change Management Policy.
25.5. Technical Vulnerability Management
WhiteHat Security runs static and dynamic analysis on Litmus software. The scan results from the analysis are provided to engineers so that critical risks are appropriately mitigated. Refer to the Vulnerability and Patch Management Policy for a further description of the topic.
25.5.1. Infrastructure and Network Assessment Procedure
Litmus conducts network and infrastructure assessments (scans, penetration testing or red-teaming) once per year. These scans are conducted using enterprise-class scanning tools, such as Qualys or Nessus. Prior permission to scan the data centers shall be obtained from the owners.
Data from scans shall be treated as sensitive information.
At the conclusion of an assessment, Critical, High and Medium (Levels 4 and 5) vulnerabilities will be fully addressed within 60 calendar days of discovery. Low (Levels 3 and 2) vulnerabilities will be addressed within 180 calendar days of discovery.
25.5.2. Application Security Assessment Procedure
Refer to the Application Security Policy of this document for a detailed discussion on the topic.
25.5.3. External Security Assessments
External security assessments of the software, the architecture and systems that deploy the software, will be conducted once per year. The security assessment report will be reviewed and prioritized, and the vulnerabilities observed will be addressed.
26. Account Management Policy
26.1. Account Management Procedure
Litmus personnel are given access to computer/laptop accounts, and AWS and GitHub accounts.
26.1.1. Litmus Computer/Laptop Accounts
The Litmus IT Department is responsible for managing IT accounts on the laptops or other computing devices used by Litmus Personnel. All new personnel are assigned accounts at the time they join Litmus, and the accounts are removed upon their termination, or amended if they change departments or job duties.
26.1.2. AWS/GitHub Accounts
AWS and GitHub accounts are provided to employees on a need-to-have basis. The accounts are approved by the personnel’s manager. The Director of Technology Operations owns the responsibility of creating AWS accounts. Managers with a title of “Director” or above in the Engineering Department are authorized to create the GitHub accounts.
26.1.3. Amendment/Deletion of Accounts
When a member of Litmus Personnel leaves Litmus, changes roles or groups within Litmus, or is terminated, their accounts are deleted. The manager of the Litmus Personnel member, in collaboration with the IT Department, ensures that accounts are amended or deleted.
At no point shall redundant or duplicate accounts exist for any individual within Litmus.
26.1.4. Account Characteristics
All accounts are:
- Attributable to an individual.
- Characterized by a unique identifier (e.g., employee ID and email) and password.
27. Policy Compliance
27.1. Compliance Measurement
The Information Security team will verify compliance with this Policy and the associated sub-policies through various methods, including, but not limited to, business tool reports and internal and external audits.
Any exception to this Policy must be approved by the Information Security team.
27.3. Non-Compliance/Corrective Disciplinary Action
Any violation of the Acceptable Use Policy or the associated policies set forth in this Policy document may be subject to corrective disciplinary action, up to and including termination of employment. People Operations and the individual’s manager will determine the level and severity of any disciplinary action.
28. Policy Reviews
This Policy and the associated sub-policies shall be reviewed once per year, or more frequently if a significant change takes place within or to Litmus.