Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »

Scope

This policy applies for our employees and vendors. Having this cybersecurity policy we are trying to protect Purde Software’s data and technology infrastructure.

This policy applies in addition to the Privacy policy.

Until end of 2020 we will implement https://owaspsamm.org/model/verification/security-testing/ maturity level 1.

Protection of our own infrastructure (PCs, laptops etc.)

Email

We do not open attachments of senders we do not trust.

USB drives / SD cards etc.

We do not insert USB devices or SD cards we do not trust.

Virus scanner

We use a state-of-the-art virus scanner.

Passwords

On our development PCs we have a password policy in place which requires passwords of a certain strength and expiration date. On mobile devices we use passwords or bio-metric access protection.

Transferring data

When transferring data from and to our clients we try to use our Jira ServiceDesk whenever possible. A transfer of confidential data via email should be avoided.

Protection of our cloud servers

Our cloud servers are protected as follows:

  • We only access the servers via a two-factor-authentication.

  • We only used well established providers.

  • The servers are located in the EU.

  • We only offer an https interface to the clients.

  • We perform a regular vulnerability scan of the cloud service.

Protection of our apps

Cybersecurity design guidelines

As we are a small company a full-blown quality management system has not been established. However we adhere to the following principles during development and any change:

  • All user input (e.g. via dialogs) has to be escaped before inserted into templates.

  • All data transferred from the client to the server (e.g. cache data) has to be escaped before inserted into templates.

  • All REST interfaces or servlets contain a check whether the current user has the appropriate permission before executing any actions.

  • All permission checks are done on the server not the client.

  • When a request collects data from multiple content entity objects we check that the current user has a view permission on them before including them in the result.

  • We only include the necessary information the responses.

  • We minimize the number of 3rd party libraries in our apps.

  • In case we use 3rd libraries we check the published anomalies list before using them and regularly after release.

  • Cloud only: we do not store customer data within our cloud apps.

Cybersecurity audits

We perform cybersecurity audits depending on the criticality:

  • Protection of our infrastructure: 2 times / year

  • Protection of cloud servers: 2 times / year

  • Protection of apps: at every change or at least once per year for every app

The results are kept here: /wiki/spaces/PLUG/pages/1765998612.

Cybersecurity issue fixing

The timelines to fix security related issues is outline in theService level agreement. It is our target to fix found issues as fast and efficient as possible.

In case we identify an issue we inform Atlassian via: https://ecosystem.atlassian.net/servicedesk/customer/portal/14/create/129

  • No labels