1 SCOPE
This document defines Berkshire’s Data Protection Standards in relation to hosted applications, hosted client data, outsourced client data and company information.
1.1 AUDIENCE
This document is for clients and prospective users who are interested in using applications developed and hosted by Berkshire, users of outsourcing and consulting services provided by Berkshire, attorneys and procurement officers of companies acquiring applications, internal Berkshire staff and IT personnel of Berkshire’s clients and prospective users.
1.2 PURPOSE
This document sets the minimum level of data security and privacy for all Berkshire-provided applications and services and for client data that is stored on Berkshire’s systems and exposed to Berkshire’s staff. Client data and information may include outsourced services to Berkshire, applications hosted by Berkshire, and custom solutions delivered using a Software as a Service (SaaS), Cloud Computing, or Application Service Provider (ASP) delivery model.
1.3 ASSUMPTIONS
Some hosted applications that are managed but not administered by Berkshire’s clients have the functionality to reduce password restrictions. Berkshire expects all clients to properly manage access to their application according to their company’s policies and practices. Berkshire employs controls wherever possible to allow clients maximum control and security in administering their applications. Clients are aware, unless explicitly noted otherwise, that Berkshire operates all applications in a shared operating environment. Berkshire will ensure all client data is kept isolated and secured in all operating environments.
1.4 CONTACTS
- Karl Hester – Sr. Director of IT and Product Development
1.5 RESPONSIBILITY, ACCOUNTABILITY AND ADMINISTRATION OF POLICIES
The IT Director is responsible for creating, maintaining and executing all security policies for Berkshire. Any issues identified with company security policies and/or the implementation of these policies are the IT Director’s responsibility.
System and network level configuration changes, patches and maintenance are performed by the internal and external IT resources team under the direction of the Director to ensure adherence to the company’s security policies.
2 POLICIES
2.1 EMPLOYEES’ DATA SECURITY AND CONFIDENTIALITY POLICIES
Berkshire has a clearly defined information confidentiality policy and process for any staff that deals with clients or client data. We apply strict standards in providing access to client data. The policy, as outlined in the company’s employee handbook, can be provided upon written request.
Access to client data for outsourcing projects is limited to consultants working on a project and is only given temporarily to other Berkshire staff on an as needed basis for a specific reason. Discretion is used by Project Managers in allocating access to client data.
All requests to allow additional employee access to client data must be submitted through the internal corporate System Support system so that requests can be properly approved and logged. Senior management of Client Services have access to all data and information for the projects in their respective business areas to ensure proper oversight and quality control.
Access to all other data hosted by Berkshire is limited to the Systems Administration team and other senior members of the IT department supporting the specific systems on an as-needed basis. Product Support representatives may only access client data upon request and approval from a client. Clients may also have their application administrators grant access to Berkshire’s Product Support staff on a temporary basis through the application.
Berkshire maintains data retention and data destruction policies which can be provided upon written request. Consultants and other staff members are trained in the data destruction procedures supporting this policy at the time they are hired by Berkshire and are re-trained annually thereafter.
2.2 EMPLOYMENT POLICY
Prior to hiring, Berkshire conducts a background check by a third party to screen every employee. The background screening conducted by Berkshire includes education, criminal, and reference checks.
Confidentiality and privacy clauses are part of Berkshire’s Employment Agreement and Employee Handbook. Employees are required to review both agreements and sign an acceptance form as part of their condition of employment. All employees are asked to review security and privacy policies not only upon starting employment at Berkshire but also as policies are reviewed and updated. Changes are communicated to staff via the employee portal, email and staff meetings. Significant changes to any policies are confirmed by having each employee electronically acknowledge receipt in the employee portal.
Employees are also provided annual security training and must acknowledge receipt of the training. Copies of the Employment Agreement and Employee Handbook are posted in Berkshire's employee portal so that they are available for reference by all staff at any time.
Upon termination, either voluntary or involuntary, the Systems Administration team immediately executes the established procedures in the deprovisioning of accounts and retrieval of all assets assigned to the terminated employee.
2.3 REMEDIAL AND NOTIFICATION PROCESS OF BREACH OF DATA
Berkshire maintains and follows an Incident Response Policy and Process that is managed by the Director. Please refer to the Incident Response Policy for details about the policy and process.
Unlawful processing of client or corporate data by an employee of Berkshire is grounds for immediate dismissal from the company and possible legal action against any person involved.
2.4 SYSTEMS USAGE POLICY
The employee handbook contains a detailed Systems Usage Policy and is available upon written request. In summary, employees are only given the permissions necessary to perform their job, and are not provided administrative rights to a laptop, workstation, server, or other device unless required for their position.
An Acceptable Use Policy is also posted for users of all of Berkshire's hosted systems. In summary, this policy is designed to prevent misuse of hosted systems and outlines the expectations for all users as well as the monitoring and enforcement implemented to ensure compliance.
2.5 REMOTE ACCESS POLICY
A Remote Access policy for Berkshire’s staff is found in the employee handbook. All external access to Berkshire’s network requires a secured, encrypted connection utilizing two-factor authentication, and is permitted only from the employee’s Berkshire-assigned device. Corporate email can be accessed from mobile devices, but the device must have strong authentication, encryption, and remote wipe enabled.
2.6 PHYSICAL SECURITY POLICY
Systems containing data for Berkshire's hosted application environment are hosted in Microsoft Azure and protected by enterprise-grade physical security controls.
2.7 THIRD PARTY DATA ACCESS
Berkshire does not have any third party business agreements with any other company to share or process any of our client’s data. We do not hire outside consultants to perform any type of analysis on our client’s data, and therefore, there is no exposure of client data to anyone outside of the company.
Hosted systems are administered by Berkshire’s staff with assistance from an IT provider as required under the direction of the Director.
Berkshire will, upon client request, provide integration services or provide data to vendors that our client has an independent agreement with and has authorized Berkshire to make this information available. Any data that is transferred to these vendors is always encrypted and transmitted securely.
2.8 DATA DISPOSAL
Berkshire has a formal Data Destruction Policy which is available upon request and employees who deal with sensitive client data are trained to securely dispose of all media as outlined in this policy.
Access to removable drives is restricted. Hard drives in company-owned devices that stop functioning properly or are otherwise decommissioned are destroyed by a third-party vendor, who provides a certificate of destruction listing the destruction date and the corresponding serial number of each drive. In addition, drives that are reallocated to a different employee are erased using industry best practices and tools to ensure the data is properly removed.
2.9 RISK ASSESSMENT
Berkshire has risk assessment teams for both the business and technical operations of the business, including members of the Executive Management, Systems Administration, Product Support and Development teams. These risk assessment teams meet periodically and, as part of the risk assessment process, maintain a risk register.
Additionally, these teams evaluate any new potential risks to the organization. The risk assessment teams discuss risks that could negatively impact various elements of Berkshire’s business and service and product lines, including, but not limited to: information technology, service level agreements, regulatory changes, state and federal laws and regulations and other standing contracts and agreements.
Once the annual meeting has been held and new and current risks have been evaluated, a list of action items is defined, and adjustments to policy, process and procedure will be made to mitigate risks whenever possible.
A technical risk assessment is also performed by a third party security firm to evaluate any potential risks as a result of current security controls and a remediation report is developed to address open concerns.
2.10 ASSET MANAGEMENT
Berkshire’s Systems Administration team works in conjunction with the Director of Finance and Administration to ensure all information technology resources are tracked throughout their lifespan at Berkshire. Resources are tagged and recorded when provisioned. Any assets that are used to store client data are handled according to the Data Destruction Policy when decommissioned.
2.11 WIRELESS ACCESS POLICY
Berkshire has no wireless access points in the hosted application environment. Wireless access points are in use within the office and are separated based on access. Company-owned devices that have wireless access to company network assets authenticate via RADIUS. Non-company-owned devices are restricted to internet access only via a separate guest wireless network. This guest network does not have any direct access to the corporate network that houses client data.
3 TECHNOLOGY
3.1 CORPORATE FIREWALL
Berkshire uses independent firewalls for the hosted application environment and the corporate environment. Firewall configuration for the hosted environment is backed up after every change, and periodic restoration of these settings is performed to ensure the system can be restored in the event of failure. Firmware updates that only provide additional functionality are reviewed by IT staff and deployed as necessary. Firmware updates that resolve security vulnerabilities are always applied, during normal scheduled maintenance windows. A separate firewall policy that further details the management of company firewalls is available upon written request.
3.2 CLIENT DATA AND SYSTEM DATA ACCESS
Berkshire’s IT infrastructure is hosted completely in Microsoft Azure, and no physical servers or other data storage exist at any other location. Separate networks and domains are maintained for the hosted application environment and the corporate environment.
Client data that resides on any of our servers (internal or hosted) has extremely limited exposure and is controlled by the assigned IT team. Client data within the hosted application environment is placed on servers outside the demilitarized zone (DMZ) that have no access to the public Internet. Client data residing on our internal servers for outsourced projects is handled by the internal consultants specifically assigned to the project. Access to this data is limited to the staff directly responsible for client work and the IT staff responsible for managing the servers. All staff responsible for client data are trained in the proper handling of data on the network and on their personal computers.
Hosted web application data is only accessible to the staff responsible for maintaining these applications, which includes the Director, Product Support Manager, Product Development Manager, and the IT team.
Any temporary files used to produce results are removed from the servers when designated as no longer needed to complete a client request.
Direct access to all databases containing client data is restricted to the IT team, Product Support Manager, Product Development Manager, and the Director. Senior Product Support staff responsible for these applications do have User and Password management rights within the applications but do not have direct access to the servers and/or databases. Senior members of the programming staff can request additional temporary access to an application if specifically requested by a client to fulfill a development or support request.
The responsibility for the security of client data lies with the Director.
3.3 CLOUD SYSTEMS
Berkshire uses Microsoft Azure for all hosted infrastructure. The Microsoft 365 platform is also used within the corporate environment, including Exchange, SharePoint, OneDrive, etc., but not for any hosted applications.
3.4 VIRUS SCANNING
Virus scanning software is installed on all servers and desktops in Berkshire’s corporate and hosted computing environments and is configured to update virus definition files automatically as they are posted. For Berkshire’s email gateway, additional virus scanning software scans all incoming email for potential virus threats before it is delivered to a user’s mailbox. All machines are configured to run a real-time scan as well as a scheduled full weekly scan of the entire machine. Users do not have the ability to disable the virus scan on their machine.
3.5 MONITORING
Using a variety of automated system and application reporting tools, the IT team, in conjunction with senior development team members, monitors the hosted and corporate environments on a daily basis and has alerts configured to flag any activity that would compromise either environment.
Issues discovered during monitoring are evaluated for impact and escalated through the proper channels within Berkshire to ensure the issue is handled properly.
Berkshire also has web and network monitoring and scanning enabled within the network and logs all traffic to and from outside networks. An Intrusion Prevention System (IPS) is also employed which identifies any potentially malicious traffic on the network. When malicious activity is identified, the IPS notifies the appropriate personnel at Berkshire and takes action when applicable.
3.6 ARCHITECTURE
Multiple resources, including virtual machines, storage devices, etc. are deployed for each component of every hosted application to minimize any single points of failure. Load balancing is provided by an Application Gateway and Firewall to help distribute load and ensure high availability. An application architecture diagram is maintained and available upon request.
3.7 DATA BACKUP
Berkshire performs daily backups of all production environments that contain client data and mission-critical corporate information. For critical databases, daily backups are stored within the same operating environment for quick restoration. Hourly backups of transactional data for hosted applications are run and kept for 24 hours to allow for restoration within one hour of a disaster. Daily and hourly backups are also kept on geo-redundant storage for disaster recovery purposes and are encrypted at rest.
The schedule and content for each backup is included in the Backup and Recovery Policy and maintained by the IT Department.
3.8 BUSINESS CONTINUITY AND DISASTER RECOVERY
Berkshire maintains Business Continuity and Disaster Recovery plans that will go into effect in case of a disruption of business operations or if the hosted applications or corporate environments become unavailable.
The plan identifies mission critical systems and processes as well as critical cloud resources to allow for recovery as quickly as possible in case of disruption or disaster. The plan details the failover for replicated resources and the restoration of backups that would be required to become operational. The estimated time to return to full operation for both mission critical applications and the hosted application environment is within 24 hours.
3.9 DATA LOSS PREVENTION
The ability to write to removable media is restricted for staff. Monitoring and filtering are in place at the email and Internet gateways as well as on company-owned endpoints to prevent sensitive information from leaving the corporate network. Employee accounts also have a variety of controls in place to prevent exfiltration of data based on document classification (i.e. public, private, sensitive, confidential), file content, or target destination.
4 SECURITY IN APPLICATIONS DEVELOPMENT AND DEPLOYMENT
4.1 SYSTEM AND HOSTED SOFTWARE MANAGEMENT
Access Management
All hosted applications are deployed to Microsoft Azure. All servers and network devices follow designated hardening policy and procedures. During VM configuration, only the necessary services and applications are installed to minimize the points at which vulnerabilities could be present. The firewall and application gateways are configured to only allow the protocols and services necessary over the specific ports the application is expecting.
The network and database accounts used to run the application are given minimal rights and only have access to the files necessary to operate correctly. At the application level, all hosted applications have configurable permission settings and user administrators can set permissions as needed. At the system level, minimal rights are given to the accounts the application operates under.
Patches and Fixes Management
All machines are patched according to the Patch Management Procedure document. Upon verification, security patches, hot-fixes, and service packs are applied to the system within days of the availability of such relevant updates. In situations where the patches are extremely large in scope, or could affect the overall infrastructure, the updates are performed off hours and all clients are notified of any potential outages. The most recent critical and security updates have been applied to the operating system of each server.
For any updates that cannot be performed while keeping the hosted environment completely operational and online, a regularly scheduled service maintenance window occurs Sunday evenings between 9 PM and 11 PM Eastern Time to minimize disruptions.
Deployment Management
Berkshire uses a deployment promotion procedure which maintains separate Development, User Acceptance, Staging and Production environments. These separate environments allow changes to be tested by the Quality Assurance team and have security evaluations conducted in isolated environments without affecting the production systems. Security updates and bug fixes are generally promoted quickly and clients are notified upon release.
The Development environment is internal to Berkshire and used for the Development team to develop changes to the code and allow for preliminary functional testing by the Quality Assurance team.
The User Acceptance and Staging environments are both housed on resources that mirror the production environment, providing a more realistic representation of how the system will operate upon deployment. The User Acceptance testing environment is used for new builds to review features.
The Staging environment is an exact replica of the production environment, but does not contain client data, and is used to troubleshoot issues found in the production environment without disrupting the actual production environment itself. The Staging environment is also used to verify deployment processes and files before being run against the actual production environment.
Audit Logging
Logs are retained both at the system/infrastructure level and at the application level. The application logs include events such as when users are created, when any permissions or permission definitions are modified, key transaction dates and times with the User ID, and execution of any other system level functions.
Various system logs are stored for different lengths of time, but for no less than six months. Application logs are retained for at least two years and for as long as the client has an active hosting agreement with Berkshire. An enterprise-grade SIEM tool is used to aggregate and collate logs in the event forensic analysis is needed.
4.2 SOURCE CODE MANAGEMENT
Berkshire uses an industry standard code management tool for version control and change management. The development team must verify all code can be built before submitting it to the repository. Changes submitted to the repository must be attached to an associated work item that has already been approved and scheduled by management. A full audit log is kept of all changes made to the source code, and a detailed report can be produced to identify any changes made between updates. Only senior level staff have rights to remove or revert changes to the code base, to ensure vulnerabilities are not introduced.
4.3 PROGRAMS QUALITY AND SECURITY MANAGEMENT
All requested changes to existing hosted applications require management approval before development can begin. Berkshire has an internal Quality Assurance team that is responsible for reviewing and accepting all submitted code changes before being promoted to production. Code is promoted only by the QA team or Management once the QA team has accepted and documented the submitted changes.
For security code reviews, Berkshire uses an internal peer review process in which developers review code submitted to the repository to ensure it meets the internal company standards and processes for securing the application. First, a developer reviews their own code for any security issues. Second, another team member with adequate experience reviews the code and reports all findings to the first developer. Next, the initial developer makes changes to mitigate the reported vulnerabilities and resubmits the change to the reviewer to confirm the issues were resolved and no new vulnerabilities were created. In the event additional vulnerabilities were created, the process repeats until the code passes the code review.
A secure code platform is also used for SCA, SAST and reputational analysis that notifies the Development Manager of any potential risks. These issues are resolved before deployment, or in the case of existing production libraries that have newly identified vulnerabilities, scheduled for resolution and deployment in an upcoming hotfix.
4.4 SECURITY AND VULNERABILITY TESTING
Berkshire has integrated security testing, and validation of the authentication and authorization mechanisms, throughout the development and deployment of all applications. Berkshire’s hosted applications use system profiles and roles to manage permissions at the application level, and at each step of development and deployment, these profiles are verified. Several of these applications also allow for the profiles to be modified by the client within their own implementation to provide even tighter control over the security for their organization.
Additionally, Berkshire uses an independent third party provider to perform ongoing network vulnerability scans, including monthly reporting, to ensure external facing systems are kept secure against newly discovered threats. Annual application penetration testing is also performed against all hosted applications to ensure no new vulnerabilities have been introduced into the code.
Berkshire’s development team participates in regular security training that covers a variety of topics, including a focus on the OWASP Top 10 and secure coding practices for the elements of the tech stack used for development.
4.5 CRYPTOGRAPHY
Berkshire maintains a Data Classification and Encryption Policy that is available upon written request. All application passwords are properly hashed with a salt. All information transmitted by the hosted applications, such as query string and cookie values, is encrypted. TLS 1.2 or later is required for the transport of any data for all hosted applications.
Berkshire uses Azure Key Vault for managing encryption keys used in both the hosted and corporate environments. Keys that cannot be integrated with Azure Key Vault are protected using Active Directory, which enforces administrator-only access; they are not directly accessible by users or by any accounts used to run applications.
Database and file level data is encrypted at rest at the file system level. Additionally, individual databases may be encrypted at the database level at an additional cost. All data at rest is stored using AES-256 encryption.
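The two transport and storage controls stated in this section, salted password hashing and a TLS 1.2 floor, are illustrated below with an added Python example. This is not Berkshire’s code and the document does not name the algorithm or cost factor Berkshire uses; the PBKDF2-HMAC-SHA256 scheme, the iteration count, the salt length and the record format are assumptions chosen for the example. It shows why a per-user random salt makes two identical passwords hash differently, how verification recovers the salt from the stored record and compares in constant time, and how a server-side TLS context refuses handshakes below 1.2.

```python
import base64
import hashlib
import hmac
import os
import ssl
from typing import Optional

# Assumed parameters for this example; the document does not state which
# algorithm or cost Berkshire's applications use.
SCHEME = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$digest'.

    A fresh random salt is drawn per password, so two users who choose the same
    password get different records and a precomputed table is useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "$".join([
        SCHEME,
        str(PBKDF2_ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count.

    The iteration count travels with the record so the cost can be raised for
    new passwords without invalidating existing ones. Malformed or unknown
    records are rejected rather than raising.
    """
    try:
        scheme, iterations, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False
    if scheme != SCHEME or rounds <= 0:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # Constant-time comparison so a mismatch does not leak its position via timing.
    return hmac.compare_digest(actual, expected)


def make_server_tls_context() -> ssl.SSLContext:
    """Build a server-side TLS context that refuses TLS 1.0 and 1.1 handshakes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def minimum_tls_version_name() -> str:
    """Name of the lowest protocol version the server context will negotiate."""
    return make_server_tls_context().minimum_version.name


if __name__ == "__main__":
    # Constructed sample credential for demonstration only.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("Tr0ub4dor&3", record))
    print("minimum TLS:   ", minimum_tls_version_name())
```

The record format carries everything needed for verification except the password itself, which is what allows the stored salt to differ per user while the application code stays the same; the TLS context only sets the floor, so certificate loading and cipher selection would still be configured on top of it in a real deployment.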