Effective May 1, 2018
This Information Security Addendum (“Addendum”) applies whenever it is incorporated by reference into the Master Services Agreement (“Agreement”). Capitalized terms used but not defined in this Addendum have the meanings ascribed in the Agreement.
1. Purpose
1.1 This Information Security Addendum describes the minimum information security standards that CodeGuard maintains to protect your Customer Data. Requirements in this Addendum are in addition to any requirements in the Agreement.
2. Data storage
Customer Data is backed up to CodeGuard data centers.
3. Encryption and key management
3.1 You have the ability to disable encryption in some CodeGuard products, and if you do then the sections of this Addendum relating to encryption do not apply to your Customer Data.
3.2 CodeGuard uses industry-standard encryption techniques to encrypt Customer Data at rest and in transit. The CodeGuard System is configured by default to encrypt user data files at the source using AES 256-bit encryption. Customer data remains encrypted in transit and at rest. CodeGuard encrypts and secures your encryption keys within the authority server. CodeGuard has a policy and process for managing encryption keys for file data blocks, which includes security requirements for key creation, use, storage, and protection. CodeGuard generates encryption keys using a secure random number generator based on a global industry recognized information security framework.
3.3 CodeGuard uses industry standard encryption technologies for data contained within, accessed by, or transmitted through CodeGuard systems in accordance with data classification standards. Once files are encrypted and secured at the source, the Software sends backup transmissions to the destination server(s) using the 128-bit AES Transport Layer Security (TLS) encryption protocol. Transmitted Customer Data is MD5 check-summed at multiple points during the backup process, including after encryption at the source to provide destinations the ability to detect tampering without having encryption keys for the original data.
4. Support and maintenance
CodeGuard deploys changes to the Cloud Services during scheduled maintenance windows, details of which are posted to the CodeGuard website prior to the scheduled period. In the event of a service interruption, CodeGuard posts a notification to the website describing the affected services. If additional maintenance is needed, CodeGuard notifies impacted customers in advance of scheduled maintenance occurring outside of the scheduled window. CodeGuard communicates upgrades, new releases, and minimum release version requirements to customers via the CodeGuard support website.
5. Incident response and notification
5.1 “Incident” means a security event that compromises the integrity, confidentiality or availability of an information asset. CodeGuard has an incident response plan and team to assess, escalate, and respond to identified physical and cyber security Incidents that impact the organization or customers or result in data loss. CodeGuard reviews and updates this plan annually and as needed throughout the year. The incident response team resolves intrusions and vulnerabilities upon discovery and in accordance with the established procedures.
5.2 “Breach” means an Incident that results in the confirmed disclosure, not just potential exposure, of data to an unauthorized party. If CodeGuard determines that an Incident has led to a Breach, CodeGuard will follow its breach notification process. Incident management and escalation procedures exist to ensure that CodeGuard addresses system issues, problems and security-related events, in a timely manner, and that all Incidents are logged, prioritized, and resolved based on established criteria and severity levels.
5.3 If there is a Breach involving your Customer Data, CodeGuard will (A) notify you within 24 hours of discovery of the breach, (B) reasonably cooperate with you with respect to any such breach, and (C) take appropriate corrective action to mitigate any risks or damages involved with the breach to protect your Customer Data from further compromise. CodeGuard will take any other actions that may be required by applicable law as a result of the Breach.
6. CodeGuard security program
6.1 Scope and Contents. CodeGuard maintains a written security program that (A) complies with applicable global industry recognized information security frameworks, (B) includes administrative, technical and physical safeguards reasonably designed to protect the confidentiality, integrity and availability of data and (C) is appropriate to the nature, size and complexity of CodeGuard’s business operations.
6.2 Security Program Changes. CodeGuard has policies, standards, and operating procedures related to security, availability and confidentiality that are available to personnel via the corporate intranet. CodeGuard reviews, updates and approves security policies and procedures at least annually to maintain their continuing relevancy and accuracy. Personnel acknowledge security policies during onboarding and annually thereafter. The CodeGuard Privacy Policy describes confidentiality and privacy commitments to our customers and is posted on the CodeGuard website.
6.3 Security Training & Awareness. CodeGuard personnel complete security awareness training on an annual basis, and re-acknowledge the Code of Conduct and other CodeGuard policies as appropriate. CodeGuard conducts periodic security awareness campaigns to educate personnel about their responsibilities and give them direction for creating and helping to maintain a secure workplace.
7. Risk management
CodeGuard has a formal security risk assessment and management process to identify potential threats to the organization. CodeGuard management rates and reviews all identified risks.
8. Access control program
8.1 CodeGuard manages access to internal and external applications via Active Directory user security groups. CodeGuard allocates System privileges and permissions to users or groups on a least privilege principle. CodeGuard assigns application and data rights based on user groups and roles, and grants access to information based on job function.
8.2 CodeGuard allocates system privileges and permissions to users or groups on a least privilege principle. CodeGuard classifies informational assets in accordance with the CodeGuard data classification requirements.
9. User access management
CodeGuard requires approved access requests prior to granting new user access and changing existing user access to the corporate and cloud networks and systems. CodeGuard promptly disables application, platform and network access for terminated users upon notification of termination. CodeGuard reviews access privileges to internal systems and the corporate and cloud networks, including administrative access privileges, on a quarterly basis. CodeGuard uses separate administrative accounts to perform privileged functions, and these accounts are restricted to authorized individuals.
10. Password management and authentication controls
Authorized users must identify and authenticate to the network, applications, and platforms using their unique user ID and password. The Active Directory system enforces minimum password parameters for access to the Corporate network.
11. Remote access and cloud access
A Virtual Private Network (VPN) solution with two-factor authentication secures remote access to the corporate network. Access to the Cloud network requires two authentication steps; authorized users must log on to the corporate network and then authenticate using separate credentials through a secure shell (SSH) jump box server.
12. Asset configuration and security
All CodeGuard workstations have active anti-virus (AV) software installed to monitor for virus and malware infections. Endpoint devices are scanned in real time and a full system scan is performed weekly. Monitoring is in place to indicate when an anti-virus agent does not check in for prolonged periods of time. The Security Operations Team investigates and takes action to resolve issues as appropriate. Virus definition updates are pushed out to endpoint devices automatically from the AV software central administration console as they become available. CodeGuard uses full-disk encryption on endpoints. Endpoint configuration is managed using JAMF Software Server (JSS) and System Center Configuration Manager (SCCM) tools, and IT administrators are alerted to discrepancies in security policies and settings identified by these tools. CodeGuard maintains and regularly updates an inventory of corporate and Cloud infrastructure assets, and systematically reconciles the asset list annually.
13. Threat and vulnerability management and security testing
CodeGuard has a Threat and Vulnerability Management (TVM) program to monitor on an ongoing basis for vulnerabilities that are acknowledged by vendors, reported by researchers, or discovered internally through vulnerability scans, Red Team activities, and personnel identification. CodeGuard documents vulnerabilities within a security risk ticket and ranks them based on severity, which is determined by the likelihood and impact ratings assigned. CodeGuard assigns tickets to the appropriate team(s) for remediation, and vulnerabilities are tracked to resolution. Weekly internal and external vulnerability scans are conducted using an industry-recognized vulnerability scanning tool. CodeGuard evaluates and documents identified vulnerabilities within a security risk ticket, and remediates them to address the associated risks.
14. Logging and monitoring
CodeGuard continuously monitors application, infrastructure, network, data storage space and system performance. A monitoring system pulls security log information from servers, firewalls, routers, and Intrusion Detection System devices on a real-time basis. Logs contain details on the date, time, source, and type of events. The Security Operations Team reviews key reports daily and follows up on events, as necessary. System logging is enabled for end user and administrator activity and is reviewed as necessary, including failed and successful login attempts and updates executed by privileged CodeGuard system users.
15. Change management
CodeGuard follows documented change management policies and procedures for requesting, testing, and approving application, infrastructure, and product related changes. Changes undergo various levels of review and testing, including security and code reviews, regression, and user acceptance prior to approval for implementation. Following the successful completion of testing, the appropriate managers must approve changes prior to implementation in a production environment. Dedicated environments separate from production exist for development and testing activities. Logical access controls requiring two-factor authentication secure these separate environments. Only authorized individuals can move code into production.
16. Secure development
CodeGuard’s Software Development Life Cycle (SDLC) methodology governs the acquisition, development, implementation, configuration, maintenance, modification, and management of infrastructure and software components. The SDLC methodology is consistent with the defined CodeGuard security, availability, and confidentiality policies. Developers use secure coding guidelines based on leading industry standards, and receive annual secure coding training. For each product release, CodeGuard performs a security architecture review and conducts a vulnerability scan and static code analysis in the development environment. Identified vulnerabilities and coding defects are resolved prior to implementation. Prior to final release of a new CodeGuard version to the production Cloud environment, an internal rollout is performed within the CodeGuard internal cloud to test and troubleshoot the product. CodeGuard utilizes a code versioning control system to maintain the integrity and security of application source code. Access privileges to the source code repository are reviewed periodically and limited to authorized employees.
17. Network security
Network perimeter defense solutions, including an Intrusion Detection System (IDS) and firewalls, are in place to monitor, detect, and prevent malicious network activity. Security operations personnel monitor items detected and take appropriate action. Firewall configurations and rules are reviewed at least annually. Significant changes to firewall rules follow the Change Management process and require approval by the Change Advisory Board. CodeGuard’s corporate and cloud networks are logically segmented by Virtual Local Area Networks (VLANs) and firewalls monitor traffic to restrict access to authorized users, systems, and services.
18. Third party security
CodeGuard’s vendor management team assesses the risk associated with new vendors prior to onboarding, and has an ongoing risk management process for existing vendors. The vendor management team employs a risk based vendor scoring model that accounts for data access, network connectivity, compliance impacts and sub-vendor usage among other elements. CodeGuard communicates security and confidentiality requirements and operational responsibilities to third parties through contractual agreements.
19. Physical security
CodeGuard grants physical access to CodeGuard facilities based on job responsibilities. CodeGuard removes physical access when access is no longer required and as a component of the employee termination process. Badge readers control access to restricted areas within CodeGuard office facilities. Unauthorized badge access attempts are denied and logged. Tailgating is prohibited by CodeGuard policy.
20. Oversight and audit
CodeGuard conducts internal control assessments to validate that controls are designed and operating effectively. Issues identified from assessments are documented, tracked and remediated as appropriate. For enterprise offerings only, internal controls related to security, availability, and confidentiality are audited by an external independent auditor at least annually and in accordance with applicable regulatory and industry standards.
21. Business continuity plan
CodeGuard has a Business Continuity Plan and a Disaster Recovery Plan in place to manage significant disruptions to CodeGuard operations and infrastructure. CodeGuard’s Chief Security Officer reviews, updates and approves these plans annually. CodeGuard conducts exercises to evaluate the tools, processes and subject matter expertise of CodeGuard in response to a specific incident. CodeGuard documents a summary of the exercise results, and tracks and remediates any issues identified.
22. Human resources security
CodeGuard personnel sign a confidentiality agreement and acknowledge security policies during the new employee on-boarding process. CodeGuard conducts background verification checks for potential CodeGuard personnel in accordance with relevant laws and regulations. The background checks are commensurate with an individual’s job duties and include at a minimum social security verification and a criminal history check. CodeGuard maintains a disciplinary process to take action against personnel who do not comply with company policies, including but not limited to those put in place to meet its security, availability and confidentiality commitments and requirements.