Cybersecurity Policy for RCReports


1. Purpose

The purpose of this Cybersecurity Policy is to establish a framework for securing the digital assets, data, and infrastructure of RCReports, which operates entirely on Amazon Web Services (AWS). This policy aims to protect the confidentiality, integrity, and availability of RCReports’ information systems and data.

2. Scope

This policy applies to all RCReports employees, contractors, partners, and any other third parties who have access to RCReports’ AWS infrastructure, applications, and data.

3. Roles and Responsibilities

  • Chief Information Security Officer (CISO): Responsible for the overall cybersecurity strategy, policy enforcement, and incident response.
  • System Administrators: Responsible for implementing security controls, monitoring systems, and ensuring compliance with this policy.
  • Employees and Contractors: Responsible for adhering to security policies, reporting suspicious activities, and maintaining best security practices.

4. AWS Security Best Practices

RCReports commits to following AWS security best practices, including:

  • IAM (Identity and Access Management):
    • Use of the principle of least privilege for all user accounts.
    • Multi-factor authentication (MFA) is mandatory for all IAM users.
    • Regular reviews and audits of IAM roles and policies.
  • Data Protection:
    • All sensitive data must be encrypted both at rest and in transit.
    • AWS Key Management Service (KMS) will be used for managing encryption keys.
    • Data classification to ensure appropriate security measures are applied.
  • Network Security:
    • Use of Virtual Private Cloud (VPC) with appropriate security groups and Network Access Control Lists (NACLs).
    • Implementation of AWS WAF (Web Application Firewall) to protect against common web exploits.
    • VPN or other secure methods must be used for accessing internal systems.
  • Logging and Monitoring:
    • Enable AWS CloudTrail for auditing all API calls.
    • Use of Amazon CloudWatch for real-time monitoring of logs and metrics, and for setting up alarms.
    • Regular review of logs to identify and respond to security incidents.
  • Backup and Recovery:
    • Regular backups of critical data using AWS Backup or equivalent.
    • Testing of disaster recovery plans at least annually.
    • Ensuring that backups are encrypted and stored in geographically diverse locations.

5. Application Security

  • Secure Development Lifecycle (SDLC):
    • Security requirements must be defined during the planning phase.
    • Code reviews and vulnerability assessments must be conducted regularly.
    • Use of AWS CodePipeline, CodeBuild, and CodeDeploy to automate secure deployment processes.
  • Vulnerability Management:
    • Regular scanning of the infrastructure and applications using Amazon Inspector or equivalent.
    • Prompt patching and updating of software to address known vulnerabilities.
    • Automated patch management tools where possible.

6. Incident Response

  • Incident Detection:
    • Continuous monitoring for potential security incidents using Amazon GuardDuty, CloudWatch, and other tools.
  • Incident Management:
    • Immediate containment, investigation, and mitigation of any detected security incidents.
    • The incident response plan should be reviewed and tested periodically.
  • Communication:
    • Prompt notification to affected parties in case of data breaches or significant incidents.
    • Coordination with AWS Support for incident handling.

7. Compliance and Auditing

  • Regulatory Compliance:
    • Compliance with applicable data protection regulations (e.g., GDPR, HIPAA) and industry standards.
    • Regular audits and reviews to ensure compliance with this policy.
  • Third-Party Access:
    • Third-party vendors and contractors must adhere to the same security standards.
    • Regular assessment of third-party risks and review of contracts to include security requirements.

8. Employee Training and Awareness

  • Security Awareness Training:
    • Mandatory cybersecurity training for all employees and contractors at onboarding and annually.
    • Phishing simulations and awareness programs to maintain vigilance against social engineering attacks.
  • Policy Acknowledgment:
    • All employees must acknowledge understanding and compliance with this cybersecurity policy.

9. Review and Revision

  • Policy Review:
    • This policy will be reviewed annually or following any significant changes to the AWS environment or the threat landscape.
    • Updates to the policy will be communicated to all relevant parties.

10. Enforcement

  • Non-Compliance:
    • Any violation of this policy may result in disciplinary action, up to and including termination of employment or contracts.
    • Legal action may be taken in cases of intentional or gross negligence leading to security breaches.

This policy is effective as of 01.01.2024 and is subject to change as required. All stakeholders are responsible for staying informed of the latest version.
