Systems Security Policy

Systems Security Policy

SOC2 CertificationNetspective Unified Process
 

The Systems Security Policy outlines the guidelines and procedures for the management of Systems Security within the Netspective Communications LLC.

  • Servers, platforms, networks, communications, databases, and software applications are among the systems included.

    • A designated individual or group must be responsible for maintaining and administering any system used on behalf of the organization. A centralized list of assigned individuals or groups must be maintained.

    • Security must be taken into consideration during system inception and recorded as part of the decision to create or modify a system.

    • All systems must adhere to a secure system development lifecycle (SSDLC) during development, maintenance, and decommissioning. [FII-SCF-019-PRM-05]

Server details

  • Each system must have a set of controls that correspond to the classification of any data stored on or transmitted through the system.

  • All system clocks must synchronize with a centralized reference time source that is set to Coordinated Universal Time (UTC) and is itself synchronized to at least three time sources.

  • Environments and test plans must be established to verify that the system works correctly before deployment in production. [FII-SCF-004-CHG-02.2]

  • Separation of environments (such as development, test, quality assurance, and production) is necessary, either logically or physically, including distinct environmental identifications (such as desktop backgrounds and labels).

  • Formal change control procedures must be established, implemented, and enforced for all systems. Any change that could affect the production environment or production data must be included at a minimum. [FII-SCF-004-CHG-02]

  • Databases and software (including commercial off-the-shelf (COTS) and in-house or third-party developed):

  • All software written for or deployed on systems must use secure coding practices to prevent common coding vulnerabilities and to be resilient to high-risk threats before being deployed in production.

  • Test data must be protected and controlled for the duration of the testing according to its classification. [FII-SCF-018-PRI-05.1]

  • Production data may only be used for testing purposes if a business case is documented and approved in writing by the information owner and the following controls are implemented:

    • All security measures, including access controls, system configurations, and logging requirements for the production data, must be applied to the test environment, and the data must be deleted as soon as testing is completed; or

    • Sensitive data must be masked or overwritten with fictitious information. [FII-SCF-018-PRI-05.2]

  • Development software and tools must not be kept on production systems.

  • Source code used to generate an application or software must not be saved on the production system running that application or software.

  • Scripts, except those necessary for operating and maintaining the system, must be deleted from production systems.

  • Access to production systems by development staff must be restricted to privileged access. [FII-SCF-012-IAC-16]

Admin users list

Non Admin users list

  • Migration processes for transferring software from the development environment to the production environment must be documented and implemented.

Approved by
Ajay Kumaran Nair on August 9, 2023 |
Last Updated by
Sreejith K on August 9, 2023