InEntertainment Security Policy Overview
This document outlines the minimum practices necessary to secure our database assets and our proprietary software assets. To protect the security of our clients, we have implemented these policies to address the concerns highlighted by high-profile security breaches at other firms in the entertainment industry.
Persons of Responsibility
Bobby Greenberg – email@example.com – First contact for any incident. All escalations from support and automated notifications are sent directly to Bobby for handling.
William Mabery – William.firstname.lastname@example.org – Handles the remediation of security vulnerabilities as they are discovered. Recommends additional guidelines and proposes solutions to Bobby. Works with clients to ensure minimum recommendations are met.
Support Team – email@example.com – First responders to client issues and points of contact for escalation from clients.
Clients – Responsible for onsite security of offices in accordance with our guidelines and protection of our software. Users are responsible for maintaining password integrity policies on site in accordance with best practices.
Client – An entity to which InEntertainment is the vendor
Customer – An entity to which a client is the vendor.
User – Any end user through the IE client or mobile device.
Security Incident Protocol
In the event of a security breach detected by the support team, the event will be logged in the ticket system and escalated to Bobby for immediate response. If contact cannot be made in person, a call must be made within 5 minutes of the breach, and a call made every 15 minutes thereafter until a connection is established with the escalation team.
While data in the AWS Cloud is secured by Amazon's IT policies, and Amazon maintains PCI compliance for its datacenters, we need to make sure that clients are securing data on their premises. Servers should be kept in a secure location behind a locked door and, where possible, access should be restricted to essential personnel only. If clients are unable to comply, moving to the hosted solution should be recommended as an option.
All databases should be stored on encrypted hard drives to prevent access in case the systems are physically stolen. Since operating systems are varied, we will address the implementation details in the support setup document for new clients. Hosted clients already have their data stored on encrypted systems when at rest.
User Security Policy
User accounts are to be restricted to only the privileges needed to complete their assignments. Any additional rights should be granted, documented and then expired after the task has been completed. Permanent rights are given based on assignment of duties and are at the discretion of the user's direct supervisor.
- Passwords should be 9 characters, including at least one lowercase letter, one uppercase letter and one special character.
- Users must choose new passwords every 90 days.
- Passwords will not be stored in readable form without access control, or in other locations where unauthorized persons might discover them. All such passwords are to be strictly controlled using either physical security or computer security controls.
- All traffic must be encrypted: SSL for database connections, and SSL or comparable AES-256 encryption for text strings, to preserve integrity.
- AWS MySQL traffic must use SSL connections to and from the server. A VPN tunnel from the VPC to the client networks is preferable when available.
- All data traffic transferred between machines on a network must be on the same domain and subnet, must not be on a broadcast domain, and must be encrypted even when it is only being routed internally.
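The password rules above, as an added Python check that is not part of the InEntertainment policy or its software. It reads the 9-character figure as a minimum length and counts the 90-day rotation from the date of the last change (both are assumptions; the policy does not say), and returns the decision an application login path would make.

```python
"""Password-policy check for the User Security Policy rules.

Added illustration, not InEntertainment code. Assumptions: "9 characters"
is a minimum length; a password is due for rotation once it is 90 or more
days old, counted from the date it was last changed.
"""
from datetime import date, timedelta
import string

MIN_LENGTH = 9                  # policy: 9 characters (read as a minimum)
MAX_AGE = timedelta(days=90)    # policy: new password every 90 days
SPECIAL = set(string.punctuation)  # what counts as a "special character" here


def password_violations(password: str) -> list:
    """Return the complexity rules a candidate password fails (empty = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c in SPECIAL for c in password):
        problems.append("no special character")
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """True once the password has reached the 90-day rotation window."""
    return today - last_changed >= MAX_AGE


def account_status(password: str, last_changed: date, today: date) -> str:
    """Combine both rules into one decision: 'reject', 'must-change' or 'ok'.

    Complexity is checked first so that an expired but weak password is
    reported as a rejection rather than silently accepted for rotation.
    """
    if password_violations(password):
        return "reject"
    if password_expired(last_changed, today):
        return "must-change"
    return "ok"


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for pw in ("Correct!Horse", "short1!", "alllowercase!", "NoSpecialChar"):
        print(pw, "->", password_violations(pw) or "compliant")
    print(account_status("Correct!Horse", date(2024, 1, 1), date(2024, 3, 31)))
```

The check is deliberately separate from storage: it runs on the candidate string at the moment the user sets or presents it, and nothing here keeps the plaintext, in keeping with the rule that passwords are never stored in readable form.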
Queries to unencrypted data must be performed by a specific user through a multi-layered authentication process. Users must be authenticated at the application level inside InEntertainment and also at the session level inside the database. Session-level access options may be LDAP, Active Directory or native MySQL.
Customer access must be authorized against a predefined list of users sent during the initial setup of the systems, which may only be appended by a designated contact from the client company. A change of client contacts must be authorized by a current client contact. Clients must maintain at least 2 contacts authorized for user management.
Third Party Threats
Third-party applications and libraries in use on the servers need to be maintained first by automatic updates and secondly by manual maintenance every month. This applies to OS security updates as well. All clients should have a maintenance schedule for updating their operating systems with the latest patches and service packs.
Where applicable, anti-virus and anti-malware software should be installed on all client machines and servers to prevent indirect attacks originating from workstations.
Personal Identity Information
To comply with the California Online Privacy Protection Act of 2003 (OPPA), information that could potentially be used to identify an individual is not to be distributed out of the system by any employee, contractor or associate to any third party unless expressly authorized by the user in accordance with OPPA. Such information may include personal identification numbers, mother's maiden name, phone numbers and addresses; it must remain encrypted at rest in the database and be transmitted only through secure channels to the application. InEntertainment client data is to be stored on IE's private servers and not distributed in written or electronic form to any third party without direct customer consent. Customer data is never used by InEntertainment and is subject to the same policy as client data.
Delete
Sensitive data is to be removed immediately by the application and will not be archived or have its values logged in the database; this allows the data to eventually be pruned from the backups. Backups are retained for 30 days as part of general system maintenance and are kept locally unless special arrangements have been made at a client's request.
Migrations of client data will occur from backups to ensure that no additional copies will exist.
Access logs at the application and session level are to be monitored, with an automated notification sent to the appropriate response team when an error or anomalous activity is detected. A bi-weekly review of security logs is recommended to determine whether additional monitoring agents need to be added to catch new threats.
Logging is implemented at the application, data and operating-system levels and is reviewed in the case of a reported incident.
In-depth audits are performed on a per-incident basis, while routine audits are performed by monitoring software and the support teams during periodic checks of client systems. Cloud-based services are monitored continually and notifications are provided by email to the security team.
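The access-log monitoring and automated-notification rule above, as an added Python example that is not part of the InEntertainment policy or its tooling. The log line format, the five-failure threshold and the ten-minute window are all assumptions chosen for the illustration; the policy specifies none of them. It scans constructed application and database session log lines, raises an alert on any ERROR outcome, on a burst of login failures for one account, and on lines it cannot parse (a silent parse failure would hide exactly the events the policy wants caught), and hands each alert to a notification callback.

```python
"""Access-log monitor for the "automated notification" rule.

Added illustration, not InEntertainment code. The line format below is
constructed for this example:  <ts> <layer> <event> <outcome> key=value ...
The threshold and window are assumptions, not values from the policy.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE = re.compile(r"^(?P<ts>\S+) (?P<layer>\w+) (?P<event>\w+) (?P<outcome>\w+)(?P<rest>.*)$")
KV = re.compile(r"(\w+)=(\S+)")
FAIL_THRESHOLD = 5            # assumption: 5 failures for one account ...
WINDOW = timedelta(minutes=10)  # ... within 10 minutes triggers a notification

# Constructed sample log, not real data: one success, a burst of failures
# for agent2, a database session error, two widely spaced failures for
# agent3 (below threshold), and one unparseable line.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z app login SUCCESS user=agent1 src=10.1.2.3",
    "2024-05-01T10:00:05Z app login FAILURE user=agent2 src=10.1.2.9",
    "2024-05-01T10:00:07Z app login FAILURE user=agent2 src=10.1.2.9",
    "2024-05-01T10:00:09Z app login FAILURE user=agent2 src=10.1.2.9",
    "2024-05-01T10:00:11Z app login FAILURE user=agent2 src=10.1.2.9",
    "2024-05-01T10:00:13Z app login FAILURE user=agent2 src=10.1.2.9",
    "2024-05-01T10:02:00Z db session ERROR user=agent1 src=10.1.2.3 detail=ssl_required",
    "2024-05-01T10:30:00Z app login FAILURE user=agent3 src=10.1.2.20",
    "2024-05-01T11:30:00Z app login FAILURE user=agent3 src=10.1.2.20",
    "garbage line",
]


def parse(line: str):
    """Parse one line into a dict, or return None when it does not match the format."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec.update(KV.findall(rec.pop("rest")))
    return rec


def scan(lines, notify=None):
    """Return a list of (kind, detail) alerts; call notify(alert) for each if given.

    Kinds: 'error' (any ERROR outcome), 'repeated-login-failure' (threshold
    reached inside the window, reported once per account), 'unparseable'.
    """
    alerts = []
    recent = defaultdict(deque)   # account -> timestamps of failures inside WINDOW
    flagged = set()               # accounts already reported, to avoid repeat alerts
    for raw in lines:
        rec = parse(raw)
        if rec is None:
            alerts.append(("unparseable", raw))
            continue
        if rec["outcome"] == "ERROR":
            alerts.append(("error", f"{rec['layer']} {rec['event']}: {rec.get('detail', '')}"))
        if rec["event"] == "login" and rec["outcome"] == "FAILURE":
            user = rec.get("user", "?")
            q = recent[user]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > WINDOW:   # drop failures older than the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and user not in flagged:
                flagged.add(user)
                alerts.append(("repeated-login-failure",
                               f"{user} from {rec.get('src', '?')}: {len(q)} failures within {WINDOW}"))
    if notify is not None:
        for alert in alerts:
            notify(alert)
    return alerts


if __name__ == "__main__":
    # In production the callback would open a ticket or page the escalation contact.
    scan(SAMPLE_LOG, notify=lambda a: print("NOTIFY", *a))
```

Each alert is produced once per condition so the escalation contact receives one page for a burst of failures rather than one per failed attempt; the "unparseable" kind doubles as a health check that the log format has not drifted away from what the monitor expects.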