Security Controls

5. Information security policy

nodeProtect is built, managed and run by Addlevel in Sweden. Addlevel’s information security policy provides the framework which ensures that the company and its employees abide by clear and strict rules and guidelines related to the security of the data in all of its systems and networks. The policy covers a wide array of organizational and technical controls aimed at preserving the confidentiality, integrity, and accessibility of the systems and information under Addlevel’s responsibility.

6. Organization of information security

6.1. Internal organization

Information security at Addlevel is under the responsibility of the Chief Executive Officer (CEO), but the Board of Directors is ultimately responsible for enacting the information security policy and ensuring its implementation and compliance.

One of the main roles of the CEO is to ensure that all necessary processes and routines are in place in order to fulfill the goals of the information security policy. The CEO is also responsible for resolving any issue related to information security, such as the choice of technologies or frameworks.

The Chief Technical Officer (CTO) is mainly responsible for the development and adaptation of IT solutions to the needs of the firm, as well as for advising on the risks and opportunities afforded by new technologies.

The Data Protection Officer (DPO) is in charge of communicating with external parties on issues related to information security. The DPO is especially responsible for reporting security incidents to affected parties and to the relevant regulatory authority.

6.2 Mobile devices and teleworking

Addlevel employees have to abide by strict rules regarding the use of mobile devices (laptops, mobile phones, etc.) and removable devices (hard drives, USB devices, etc.), whether they work on premises or remotely. In addition, employees are trained in taking extra precautionary measures when working in remote environments, especially in public spaces.

7. Human resource security

7.1. Prior to employment

All new employees are thoroughly screened: their identity and credentials are verified and, in some cases, their financial history and criminal records as well.

All employees are required to sign a non-disclosure agreement without any time limitation.

7.2. During employment

Since we have clients who require high security clearances, all our employees have to go through background checks on a random schedule.

Employees are also required to learn Addlevel’s information security guidelines and to participate regularly in information security awareness workshops, where they put the guidelines into practice and demonstrate their level of proficiency.

7.3. Termination and change of employment

Different processes are in place depending on the type of termination. In case of immediate termination, all of the employee’s authorizations are revoked without delay and s/he is escorted off the premises. An investigation is then launched into the employee’s activities, while his/her devices are scanned to make sure that no security breach has occurred.

8. Asset management

8.1. Responsibility for assets

All of Addlevel’s information assets are inventoried in central registers under the responsibility of the Operations Division. Every information asset is managed by its designated owner, who is responsible for its management and security.

Employees also have strict obligations when it comes to handling and protecting Addlevel’s assets (devices as well as information), ranging from abiding by laws, regulations and company guidelines to refraining from unethical and immoral behavior. Assets under an employee’s responsibility have to be returned immediately when the employee leaves the firm.

8.2. Information classification

Information, systems and other resources such as devices are classified and labelled by their owners according to the security protection needed, and handled appropriately. The classification is based on the information security triad (confidentiality, integrity, and accessibility) and follows clear rules and procedures that are easily applied by any employee.

8.3. Media handling

Information storage media must be managed, controlled, moved and disposed of in accordance with the security requirements applicable to the data in question. Encryption is required for removable media devices that contain sensitive data, while information with high accessibility requirements must be available in multiple copies.

Moreover, the disposal of storage media must follow Addlevel’s procedures in order to make sure that no confidential information is leaked and that all data is irrecoverably destroyed. Moving storage media also requires appropriate physical and logical security measures.

9. Access control

9.1 Business requirements of access control

The company’s requirements for controlling access to information assets are clearly documented in an access control policy and procedures. The basic principle is that access is restricted unless expressly authorized.

System owners at Addlevel are responsible for managing access to their systems, including providing access on a “need-to-know” and “need-to-use” basis as well as reviewing and updating access rights regularly.

9.2 User access management

The allocation of access rights to users is controlled from initial user registration through to the removal of access rights when they are no longer required. Special restrictions apply to privileged access rights and to password management, and access rights are reviewed and updated regularly.

All access rights are personal and therefore fully traceable to an individual user. Each account is only given the privileges needed to perform its associated tasks and the privileges are only granted as long as necessary. Accounts are then deactivated for a period of time before their complete deletion.

9.3 User responsibilities

Addlevel employees and relevant stakeholders are responsible for maintaining effective access controls, i.e. using multifactor authentication, choosing strong passwords, and adequately protecting authentication information.

9.4 System and application access control

Information access is restricted in accordance with the access control policy on a “need-to-know” and “need-to-use” basis as well as according to the principle of “all access is forbidden until expressly granted.” In addition, appropriate processes and measures are in place to ensure secure log-on and password management, control over privileged utilities, and restricted access to program source code.

10. Cryptography

10.1 Cryptographic controls

Information is encrypted on the basis of its value and sensitivity and of the associated risk analysis. Addlevel’s CISO is responsible for setting and updating the requirements in that regard and for evaluating the effectiveness of specific cryptographic solutions.

Cryptographic solutions are revised on a yearly basis to ensure that the right protection levels are in place in different situations (monitoring, authentication, remote desktop, smart cards, data at rest, etc.).

11. Physical and environmental security

11.1 Secure areas

All of Addlevel’s premises that house IT environments (e.g. data centers, network and communication equipment, or any other sensitive asset) are protected against accidents, attacks and unauthorized physical access in accordance with industry standards. Physical access to the company’s premises is strictly limited to authorized personnel, with appropriate security measures. Work that requires an extra level of secrecy and protection is performed in dedicated secure areas with restricted access and additional security.

11.2 Equipment

Equipment, as well as supporting utilities (such as power and air conditioning) and cabling, is secured and maintained according to an established schedule. Equipment and information cannot be taken off-site without express authorization, and must be adequately protected both on and off-site. Information must be destroyed before storage media are disposed of or re-used. Unattended equipment must be secured during working hours and stored in a safe or locked cabinet outside working hours. Addlevel also has a very strict clear desk and clear screen policy.

12. Operations security

12.1 Operational procedures and responsibilities

IT operating responsibilities and procedures for all systems and networks under Addlevel’s control are fully documented in accordance with the ITIL standard. Every change to IT facilities and systems is promptly reflected in the documentation. Capacity and performance are managed according to agreed service levels, all the while ensuring that development, test and operational systems remain separated.

12.2 Protection from malware

All computers, servers and network devices are protected against malware from both technical and organizational standpoints. This includes, for example, malware scanning, incident response, business continuity and user training.

12.3 Backup

Appropriate backups are taken, retained and regularly tested in accordance with Addlevel’s backup policy.

12.4 Logging and monitoring

Relevant user and administrator activities, exceptions, malfunctions, errors and information security events are logged, monitored and protected.

All system clocks are synchronized with two external time servers.

12.5 Control of operational software

All changes to operational systems, including the installation of new software and updates, must follow Addlevel’s change management policy.

12.6 Technical vulnerability management

Technical vulnerabilities are subject to recurrent risk and vulnerability analyses. Vulnerabilities that require action are patched in a timely manner as soon as security updates are made available and have been examined and tested.

Software installation by users is not allowed except for software that has been expressly approved.

12.7 Information systems audit considerations

IT auditing activities are planned and controlled so as to avoid adverse effects on production systems or inappropriate data access.

13. Communications security

13.1 Network security management

Networks and network services are secured and monitored in accordance with the confidentiality, integrity and availability levels identified for each system.

Moreover, Addlevel’s networks are segmented in separate domains (physical or logical) to limit access to information assets, hosts and network components.

13.2 Information transfer

Addlevel has adopted clear policies, procedures and agreements (e.g. non-disclosure agreements) concerning information transfer to/from third parties, including electronic messaging.

14. System acquisition, development and maintenance

14.1 Security requirements of information systems

Upon acquiring, developing or operating new systems, business needs and requirements as well as information sensitivity are always taken into account. The system, the solution, the administration and the proposed supplier have to meet all the requirements in the guidelines that are linked to information sensitivity and/or the responsibility of external parties.

Security control requirements are analyzed and specified, including web applications and transactions.

14.2 Security in development and support processes

Addlevel has adopted a number of rules, processes and principles in order to ensure that information security is designed and integrated into the development cycle of its information systems. Not only are our developers trained in and practise secure coding, but Addlevel also has clear policies and guidelines to support secure development at all stages of the software development life cycle.

In addition, changes to systems (both applications and operating systems) must follow well-established processes, including testing changes to the operational environment. Software packages cannot be modified without substantial grounds.

Secure system engineering principles must be followed so as to ensure that all software development follows well-established industry standards and best practices. The development environment is secured with strict access control and monitoring, and is segmented away from other systems. In the case of outsourced development, agreements with external parties set very high requirements with regard to, among other things, secure design, coding and testing.

To ensure code quality and security, software development and review must be conducted collectively and code has to undergo extensive tests. Finally, before being released into production, systems have to pass acceptance tests that take security aspects into account.

14.3 Test data

Test data is carefully generated and controlled. It may never contain any production or personal data, and it may not leave the test environment.

15. Supplier relationships

15.1 Information security in supplier relationships

In order to protect the organization’s information that is accessible to IT outsourcers and other external suppliers, all of Addlevel’s supplier relationships are fully documented and suppliers who have access to restricted information must sign strict non-disclosure agreements.

15.2 Supplier service delivery management

Service delivery by external suppliers is monitored on an ongoing basis, and agreements are periodically reviewed. Service changes initiated by either Addlevel or a supplier are also controlled so that their impact on information security can be analysed.

16. Information security incident management

16.1 Management of information security incidents and improvements

Addlevel’s incident response plan describes the responsibilities and procedures in place to manage information security events, incidents and weaknesses consistently and effectively.

17. Information security aspects of business continuity management

17.1 Information security continuity

Addlevel’s business continuity plan ensures that the company’s information assets remain protected and that business activities can be carried out even in the event of a disruption. Addlevel as a whole and every division is responsible for laying out appropriate processes, routines and security measures, as well as periodically reviewing them.

17.2 Redundancies

All appropriate measures are taken to ensure that IT facilities and services have sufficient levels of redundancy to satisfy availability requirements.

18. Compliance

Addlevel has identified and documented its legal and contractual obligations to external authorities and other stakeholders in relation to information security, including intellectual property, business records, personally identifiable information and cryptography.

18.2 Information security reviews

Addlevel’s information security arrangements are independently reviewed and reported to management on a regular basis. Managers are also responsible for routinely reviewing employees’ and systems’ compliance with security policies, procedures, etc., and for initiating corrective actions where necessary.