Operations Security Policy
Policy Owner: Chief Operations Officer (COO) | Effective Date: March 1, 2024
Purpose
To ensure the correct and secure operation of information processing systems and facilities.
Scope
All SecureCHEK AI information systems that are business critical and/or process, store, or transmit company data. This Policy applies to all employees of SecureCHEK AI and other third-party entities with access to SecureCHEK AI networks and system resources.
Documented Operating Procedures
Both technical and administrative operating procedures shall be documented as needed and made available to all users who need them.
Change Management
Changes to the organization, business processes, information processing facilities, production software and infrastructure, and systems that affect information security in the production environment and financial systems shall be tested, reviewed, and approved prior to production deployment. All significant changes to in-scope systems and networks must be documented.
1. Change Documentation and Review
All significant changes to systems, networks, and processing facilities must be documented. Changes should be tested and reviewed in environments segregated from both production and development (e.g., staging environments).
2. Approval and Authorization
Changes with substantial impact on information security and operational functionalities must obtain formal authorization before deployment. Emergency changes may be expedited but must undergo a retrospective review and authorization.
3. Change Management Procedures
- Planning and Impact Assessment: Evaluate potential impacts of the changes considering system dependencies
- Authorization: Secure necessary approvals before initiating changes
- Communication: Inform relevant internal and external stakeholders about the planned changes, schedules, and expected impact in advance
- Testing and Quality Control: Ensure changes are tested thoroughly and meet quality standards before implementation
- Implementation and Deployment: Execute changes in alignment with the planned deployment schedule
- Emergency Management and Remediation: If changes fail or present unexpected issues, they shall be reverted
- Documentation Maintenance: Ensure that the ticketing systems or the code repository platform keeps a record of changes, commits, and deployments
4. Continuity and Consistency
Ensure that the ICT continuity plans, response, and recovery procedures are updated to remain appropriate and consistent with the changes made. Ensure operating documentation and user procedures are modified and remain suitable.
5. Security and Integrity
Ensure that changes preserve and do not compromise the confidentiality, integrity, and availability of information in processing facilities and systems.
Capacity Management
The use of processing resources and system storage shall be monitored and adjusted to ensure that system availability and performance meet SecureCHEK AI requirements. Human resource skills, availability, and capacity shall be reviewed and considered as a component of capacity planning and as part of the annual risk assessment process. Scaling resources for additional processing or storage capacity, without changes to the system, can be done outside of the standard change management and code deployment process.
Data Leakage Prevention
In adherence to this Data Leakage Prevention Policy, and in order to minimize the risk of leakage of sensitive information, the organization shall:
- Identify and classify information in accordance with the Data Management Policy
- Provide awareness training to users including the appropriate use and handling of sensitive information
- Consider the use of technical monitoring and Data Loss Prevention (DLP) tools in accordance with the risks to the organization and data subjects
Web Filtering
The organization shall ensure safe, secure, and appropriate internet use by the organization's personnel.
Website Access and Blocking
- Implement mechanisms, such as secure DNS and IP address or domain blocking, to restrict access to websites that pose a substantial risk due to their content or known distribution of malware, viruses, or phishing materials
- Employ browsers and anti-malware technologies that block such websites automatically or can be configured to do so
- Unless justified by legitimate business reasons, consider blocking access to websites with information upload capabilities, known or suspected malicious content, command and control servers, content identified as malicious through threat intelligence, or sharing of illegal content
Separation of Development, Staging and Production Environments
Development and staging environments shall be strictly segregated from production SaaS environments to reduce the risks of unauthorized access or changes to the operational environment. Confidential production customer data must not be used in development or test environments without the express approval of the COO. If production customer data is approved for use in the course of development or testing, it shall be scrubbed of any such sensitive information whenever feasible.
Systems and Network Configuration, Hardening, and Review
Systems and networks shall be provisioned and maintained in accordance with the configuration and hardening standards described in Appendix A to this policy. Firewalls and/or appropriate network access controls and configurations shall be used to control network traffic to and from the production environment in accordance with this policy. Production network access configuration rules shall be reviewed at least annually.
Protection from Malware
To protect the company's infrastructure against the introduction of malicious software, detection, prevention, and recovery controls shall be implemented, combined with appropriate user awareness.
- Anti-malware protections shall be utilized on all company-issued endpoints except for those running operating systems not normally prone to malicious software
- Threat detection and response software shall be utilized for company email
- SecureCHEK AI should scan all files upon their introduction to systems, and continually scan files upon access, modification, or download
- Anti-malware definition and engine updates should be configured to be downloaded and installed automatically
- Known or suspected malware incidents must be reported as a security incident
- It is a violation of company policy to disable or alter the configuration of anti-malware protections without authorization
Information Backup
The need for backups of systems, databases, information and data shall be considered and appropriate backup processes shall be designed, planned and implemented. Backup procedures must include procedures for maintaining and recovering customer data in accordance with documented SLAs. Security measures to protect backups shall be designed and applied in accordance with the confidentiality or sensitivity of the data.
- Backups and restore capabilities shall be periodically tested, not less than annually
- SecureCHEK AI does not regularly back up user devices like laptops. Users are expected to store critical files in company-sanctioned file storage repositories
- Backups are configured to run at least daily on in-scope systems
- A backup restore test should be performed at least annually to validate the backup data and process
Logging & Monitoring
Production infrastructure shall be configured to produce detailed logs appropriate to the function served by the system or device. Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and reviewed through manual or automated processes as needed.
- Log user log-in and log-out
- Tracking of user activity by document version
- Protection of log information against tampering and unauthorized access
- System administrator and operator activities shall be logged and reviewed
- Clock synchronization to network time servers using reputable time sources
File Integrity Monitoring and Intrusion Detection
SecureCHEK AI production systems shall be configured to monitor, log, and self-repair and/or alert on suspicious changes to critical system files where feasible. Alerts shall be configured for suspicious conditions and engineers shall review logs on a regular basis. Unauthorized intrusions and access attempts or changes to SecureCHEK AI systems shall be investigated and remediated in accordance with the Incident Response Plan.
Technical Vulnerability Management
Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities shall be evaluated, and appropriate measures taken to address the associated risk.
- Vulnerability scans shall be performed on public-facing systems in the production environment at least monthly
- Penetration tests of the applications and production network shall be performed at least annually
- Additional scanning and testing shall be performed following major changes to production systems and software
Remediation Timeframes
| Determined Severity | Remediation Time |
|---|---|
| Critical | 14 Days |
| High | 30 Days |
| Medium | 90 Days |
| Low | 180 Days |
| Informational | As needed |
Exceptions
Requests for an exception to this policy must be submitted to the COO for approval.
Violations & Enforcement
Any known violations of this policy should be reported to the COO. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.
Version 1.0 | March 1, 2024 | Author: Michael Levins | Approved by: Michael Levins