Network & Information Security Policy

Last modified: Version 2.16 July 2024

Summary

oboloo is committed to maintaining the highest standards of information security to protect the confidentiality, integrity, and availability of data for our customers, partners, and employees. As a SaaS provider, we understand that trust is paramount, and we have implemented comprehensive security measures to safeguard our systems and data.

Scope

This Information Security Policy applies to all employees, contractors, consultants, temporary workers, and third parties who have access to oboloo’s systems, networks, and data. It covers all information assets owned, leased, or otherwise managed by oboloo.

Data Classification and Handling

  • Data Classification: All data processed by oboloo is classified into three categories: Public, Internal Use Only, and Confidential. Each classification has specific handling requirements.
    • Public: Data that can be freely shared without restriction.
    • Internal Use Only: Data that should not be disclosed outside of oboloo.
    • Confidential: Sensitive data requiring the highest level of protection, including customer data and proprietary information.
  • Data Handling: Handling of data must adhere to the classification level, with Confidential data requiring encryption both at rest and in transit, as well as strict access controls.

Access Control & Identity Management

  • Role-Based Access Control (RBAC): Access to systems and data is granted based on role requirements. Each role is assigned a specific set of permissions, and users are granted access according to their job functions.
  • Identity Management: oboloo utilises a centralised identity management system integrated with Single Sign-On (SSO) and Multi-Factor Authentication (MFA) to enforce secure authentication across all services.

Network Security

  • Firewall Management: Firewalls are configured to allow only necessary traffic and are regularly reviewed and updated based on evolving security needs. Rulesets are minimised to reduce attack surfaces.
  • VPN and Remote Access: All remote access to the oboloo network is secured through VPN with MFA, ensuring that only authorised users can access internal resources.

Other

  • Access to the network will be via a secure log-on procedure, designed to minimise the opportunity for unauthorised access. This includes two-factor authentication and SSH keys.
  • There is a formal, documented user registration and de-registration procedure for access to the network.
  • Access rights to the network will be allocated on the requirements of the user’s job, rather than on a status basis.
  • Security privileges (i.e. ‘super user’) to the network will be allocated on the requirements of the user’s job, rather than on a status basis.
  • Access will not be granted until prior approval has been granted by the appropriate staff member(s).
  • All users to the network will have their own individual user identification and password.
  • Users are responsible for ensuring their password is kept secret.
  • User access rights will be immediately removed or reviewed for those users who have left the organisation or changed jobs.
  • You may not use, or encourage, promote, facilitate or instruct others to use, the Services or Oboloo Site or platform for any illegal, harmful or offensive use, or to transmit, store, display, distribute or otherwise make available content that is illegal, harmful, or offensive.

Third-party Access To The Network

  • Apart from hired contractors, no third-party access is allowed on any oboloo network
  • Third-party contractors will need to hold public liability insurance, professional indemnity insurance and cyber insurance. These need to be approved by the supplier onboarding team prior to access.

Cloud Security

  • Cloud Provider Security: oboloo uses cloud service providers (CSPs) that comply with industry-recognised security standards, such as ISO/IEC 27001 and SOC 2 Type II.
  • Data Encryption: All data stored in the cloud is encrypted at rest using strong encryption algorithms, and data in transit is encrypted using TLS 1.2 or higher.
  • Cloud Configuration Management: oboloo uses automated tools to monitor and enforce secure configurations of cloud resources, including identity and access management, network configurations, and logging.

Incident Response and Management

  • Incident Detection and Response: oboloo maintains a Security Operations Centre (SOC) that monitors systems 24/7 for security incidents. The SOC uses Security Information and Event Management (SIEM) tools to detect and correlate potential threats.
  • Breach Notification: oboloo commits to notifying affected parties and regulatory authorities within legally required timeframes in the event of a data breach.

Logging and Monitoring

  • Centralised Logging: All critical systems, applications, and network devices send logs to a centralised logging platform where they are monitored for unusual activity.
  • Log Retention: Logs are retained for a minimum of 12 months and are stored securely to prevent tampering or unauthorised access.
  • Continuous Monitoring: oboloo employs continuous monitoring tools to detect security events and trigger alerts for further investigation by the SOC.

Third-Party Risk Management

  • Vendor Risk Assessment: oboloo conducts thorough security assessments of all third-party vendors and partners before engaging them. This includes reviewing their security policies, conducting audits, and ensuring they meet our security standards.
  • Third-Party Access Controls: Third-party access to oboloo’s systems is limited to the minimum necessary and is subject to the same security controls as internal users. Third parties must use secure authentication methods and are monitored while accessing the network.

Physical Security

  • Data Centre Security: oboloo’s data centres are protected by physical security measures, including access controls, surveillance cameras, and environmental controls. Only authorised personnel are allowed access to sensitive areas.
  • Office Security: Access to oboloo’s office locations is controlled by keycard entry systems, and visitors are required to sign in and be escorted by an employee.

Business Continuity and Disaster Recovery

  • Business Continuity Plan (BCP): oboloo maintains a Business Continuity Plan that ensures critical services can continue during and after a disaster. The BCP is regularly tested and updated.
  • Disaster Recovery (DR) Plan: oboloo has a Disaster Recovery Plan that includes data backups, redundancy, and failover mechanisms to ensure rapid recovery of services in the event of a major incident. Our disaster recovery plan is designed to minimize downtime and data loss in the event of a system failure or disaster. The key components of our strategy include:

    1. Regular Data Backups:

      • We perform automated, incremental backups daily and full backups weekly.
      • All backups are securely stored off-site in geographically redundant locations to ensure data availability in case of regional failures.

    2. Redundant Infrastructure:

      • Our systems are hosted in a high-availability environment, with load balancing and failover mechanisms across multiple data centers.
      • This ensures that, in case of hardware failure or system malfunction, services can be quickly switched over to backup servers.

    3. Disaster Recovery Testing:

      • We conduct disaster recovery drills and testing twice per year to ensure that all systems can be recovered as per our defined objectives.
      • This includes simulating various failure scenarios and validating that data integrity is maintained during the recovery process.

    4. Monitoring and Alerts:

      • We use 24/7 monitoring tools to track system health and receive real-time alerts in the event of an issue.
      • In the case of a critical event, our team is notified immediately to initiate our recovery plan.

  • Recovery Point Objective (RPO): Our RPO is 6 hours. This means that in the event of a disaster, we could restore up to the last 6 hours of data, ensuring minimal data loss.

  • Recovery Time Objective (RTO): Our RTO is 2.5 hours. This means that we aim to restore critical services and bring the system back online within 2 hours of a disaster or failure.

Compliance

Regulatory Compliance: oboloo is committed to complying with all relevant legal and regulatory requirements, including GDPR, CCPA, and industry-specific regulations.

User Training and Awareness

  • Security Awareness Program: All employees and contractors are required to participate in regular security awareness training. Training covers topics such as phishing prevention, secure password management, and data protection.
  • Phishing Simulations: oboloo regularly conducts phishing simulations to test employee awareness and response to phishing attempts.

Review and Update of the Policy

  • Bi-Annual Review: This Information Security Policy is reviewed bi-annually to ensure it remains aligned with industry best practices, emerging threats, and regulatory requirements.
  • Policy Updates: Any updates to the policy are communicated to all employees, and training is provided as necessary to ensure compliance.