1. Secure Development
1.1. Safe Development Policy
What technologies are used in product development?
ANSWER: ASP.NET WebForms;
ASP.NET WebApi;
.NET Framework 4.7.2 with C#;
React JS;
SQL Server 2014 database.
Does the product use any internal infrastructure?
ANSWER: No. We use the AWS cloud.
Is product development done by an internal or external team?
ANSWER: All product development is done by an internal team from Engage.
Is there segregation of environments? Example: Production, Development, Approval, Test and QA.
ANSWER:
DEV: Used for product development and improvement. It is used only by the IT team.
TEST: Environment where the development team uploads the new features so that the internal CS team and the external client can test and validate the improvements applied in the product releases.
PRODUCTION: Environment used by end users and customers.
Are the physical development, approval and production environments strictly controlled?
ANSWER: Yes.
Is the application hosted, or will it be hosted, on dedicated server(s)?
ANSWER: The applications are hosted on Amazon's AWS servers, on three separate servers:
Application: On an EC2 server, with Auto Scaling configured.
Database: On an RDS server.
Content Server: Stores static files, such as videos and PDF or DOC documents. It is hosted on S3.
How are the development/test systems and data prevented from being inadvertently migrated to production environments and vice versa (for example, through virtual replication, image or snapshot mechanisms)?
ANSWER: The application is developed in an environment segregated from the production environment. The source code is versioned on GitHub, and the database scripts (whether to create/change objects or to insert/update rows in enumeration tables) are created by the developers and also stored on GitHub. When we deploy to production, we do the update at a low-traffic time, after business hours. The database scripts created during the development stage are then run against the production database.
Does the organization have mechanisms/controls to ensure that all pages and resources require authentication, except those specifically intended for the public (principle of complete mediation)? (Application controls)
ANSWER: All API endpoints are access-restricted, with rare exceptions. To consume them, it is necessary to send the access token, which must be valid and not expired. In addition, some endpoints require higher permissions, such as those in the administrative area; if the token does not carry such permissions, access to the service is denied.
Does the organization have mechanisms/controls in place to ensure that session management issues are addressed in the developed software?
ANSWER: The application allows the user's session to stay active for 24 hours. If the browser is closed, the session is ended and the user has to log in again. In the app, the behaviour is similar. When the session expires or the user logs out of the platform, all data related to the session is discarded and a new authentication is necessary to access the platform.
Does the organization have mechanisms/controls to ensure that the developed application does not issue error messages or stack traces containing sensitive data that could assist an attacker, including session IDs or personal information?
ANSWER: All errors in the application are logged to assist in diagnosing problems and a generic message is returned to the user, not providing any data on the architecture and / or stack trace that can be used to exploit any flaws in the application.
Does the organization have mechanisms/controls to ensure that the developed application has no buffer overflow (data overflow) flaws?
ANSWER: The application is strongly typed, so only values that fit the size of the declared data type are accepted, which avoids buffer overflows.
Does the organization have mechanisms/controls to ensure that the developed application is free from XSS (Cross-Site Scripting) flaws?
ANSWER: To protect our application from XSS attacks, we have added the X-XSS-Protection header.
Does the organization have mechanisms/controls to ensure that the developed application accepts only a defined set of HTTP request methods, such as GET and POST, and that unused methods are explicitly blocked?
ANSWER: Yes, only the GET, POST, PUT, PATCH, DELETE and OPTIONS request methods are accepted. Otherwise, they are blocked by our API.
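The two answers above (the X-XSS-Protection header and the fixed set of accepted HTTP methods) can both be enforced at one point in an ASP.NET Web API pipeline. The following is an added example written for this review, not Engage's code: a hypothetical `DelegatingHandler` named `MethodAllowlistHandler` that rejects any method outside the listed six before routing and stamps the header on every response that passes. The `WebApiConfig` wiring is likewise illustrative.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

// Hypothetical ASP.NET Web API message handler (not Engage's code): (1) rejects any
// HTTP method outside the allowlist named in the answer above and (2) adds the
// X-XSS-Protection header to every response that does get through.
public class MethodAllowlistHandler : DelegatingHandler
{
    private static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS" };

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        if (!Allowed.Contains(request.Method.Method))
        {
            // Stop before routing, so no controller code runs for HEAD, TRACE, CONNECT, etc.
            // 405 plus an Allow header is the standard reply and reveals nothing internal.
            var rejected = request.CreateResponse(HttpStatusCode.MethodNotAllowed);
            rejected.Content = new StringContent(string.Empty);
            foreach (string method in Allowed)
                rejected.Content.Headers.Allow.Add(method);
            return rejected;
        }

        HttpResponseMessage response = await base.SendAsync(request, cancellationToken);

        // Legacy header for the XSS filter of older browsers. Current Chrome, Edge and
        // Firefox ignore it, so output encoding and a Content-Security-Policy remain the
        // controls that actually stop injected script from running.
        if (!response.Headers.Contains("X-XSS-Protection"))
            response.Headers.Add("X-XSS-Protection", "1; mode=block");
        return response;
    }

    // Exposed so the allowlist decision can be unit-tested without an HTTP pipeline.
    public static bool IsMethodAllowed(string method)
    {
        return method != null && Allowed.Contains(method);
    }
}

// Wiring: a message handler sees every request before any route is matched.
public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.MessageHandlers.Add(new MethodAllowlistHandler());
        config.MapHttpAttributeRoutes();
    }
}
```

Registering the handler in `WebApiConfig.Register` (called from `Global.asax`) puts it ahead of routing, which is what makes the method check a single point of enforcement instead of something each controller has to repeat.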
Does the organization have mechanisms/controls to ensure that the developed application restricts file uploads of dangerous types?
ANSWER: On screens where users can upload files, only files whose extensions and formats are on the allowed list are accepted. Otherwise, the upload is blocked.
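The answer above says uploads are accepted by extension and format. An added example of what checking both means in practice (written for this review, not Engage's code; the `UploadValidator` class and its allowlist are constructed for illustration): the client-supplied extension must be on the list, and the first bytes of the content must carry the signature that extension implies, so a renamed file of another type is refused.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

// Hypothetical upload check (not Engage's code): a file passes only if its extension is
// on the allowlist AND its leading bytes match the signature expected for that extension.
public static class UploadValidator
{
    // Constructed allowlist for this example; the platform's real list is not on the page.
    private static readonly Dictionary<string, byte[]> Signatures =
        new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase)
        {
            { ".pdf",  new byte[] { 0x25, 0x50, 0x44, 0x46 } },   // "%PDF"
            { ".png",  new byte[] { 0x89, 0x50, 0x4E, 0x47 } },   // "\x89PNG"
            { ".jpg",  new byte[] { 0xFF, 0xD8, 0xFF } },         // JPEG start-of-image marker
            { ".docx", new byte[] { 0x50, 0x4B, 0x03, 0x04 } },   // ZIP container used by OOXML
        };

    public static bool IsAllowed(string clientFileName, Stream content)
    {
        // Only the final extension counts: "manual.pdf.exe" yields ".exe" and is rejected.
        string ext = Path.GetExtension(clientFileName);
        byte[] expected;
        if (string.IsNullOrEmpty(ext) || !Signatures.TryGetValue(ext, out expected))
            return false;

        // The extension is just a label chosen by the client; the content must agree with it.
        byte[] head = new byte[expected.Length];
        int read = content.Read(head, 0, head.Length);
        return read == expected.Length && head.SequenceEqual(expected);
    }

    public static void Main()
    {
        // Constructed sample inputs: a genuine PDF header and a PE executable header ("MZ").
        var realPdf = new MemoryStream(new byte[] { 0x25, 0x50, 0x44, 0x46, 0x2D, 0x31, 0x2E, 0x34 });
        var notAPdf = new MemoryStream(new byte[] { 0x4D, 0x5A, 0x90, 0x00 });

        Console.WriteLine(IsAllowed("manual.pdf", realPdf));      // True
        Console.WriteLine(IsAllowed("manual.pdf", notAPdf));      // False: content does not match extension
        Console.WriteLine(IsAllowed("manual.pdf.exe", realPdf));  // False: extension not on the allowlist
        Console.WriteLine(IsAllowed("clip.mp4", realPdf));        // False: type not on the allowlist
    }
}
```

In a real handler the file should then be stored under a server-generated name, never the client's, and served with `X-Content-Type-Options: nosniff`, so that even an accepted file is never interpreted as something other than its declared type. `Stream.Read` may return fewer bytes than requested on a network stream; reading into the header buffer in a loop covers that case.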
Does the organization perform a source code review before the developed software is delivered to the customer?
ANSWER: The development code is always subjected to a review by Senior Analysts before going into production.
Does the organization conduct comprehensive penetration tests of the developed application?
ANSWER: Vulnerability tests are performed using the Site Blindado tool.
Does the organization have mechanisms/controls in place to ensure that the developed application enforces access control, for example that users can only access protected functions, URLs or services for which they have specific authorization?
ANSWER: In addition to being authenticated on the platform, the user must have authorization to access certain resources, either through the application or through APIs, otherwise access to the resources is denied by the application to the user.
Does the organization have mechanisms/controls to ensure that the developed application has cryptographic controls during presentation and storage?
ANSWER: Although the database contents are not encrypted, only the technician responsible for the product has access to the production environment;
Only the user's password is stored in the form of a SHA2_256 hash;
All data transmission in the application is done over the HTTPS protocol.
1.2. Cybersecurity architecture and design
Applications must be developed in accordance with best security practices such as OWASP, NIST, among others. Adopting these recommendations is likely to reduce the most common application vulnerabilities, such as:
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards
ANSWER:
We follow a practice called Clean Code: the code itself must be self-documenting, that is, the names of variables, methods, classes, etc. must state clearly and objectively what they mean, so that the programmer does not waste time interpreting what the code does.
The application is shielded against SQL Injection, since queries are handled via Entity Framework and Stored Procedures;
The connections to the database are always closed in the finally block of the try / catch blocks, so that even if an error occurs in the application, the connection is closed;
Application cookies are stored with the Secure and HttpOnly attributes, to prevent attacks via malicious JavaScript and/or software that tries to intercept the cookies recorded in the user's browser. This information is documented in the releases published via GitHub;
The user's password is saved in the system database in the form of a hash with the SHA2-256 algorithm;
The platform has log mechanisms such as user access, errors and actions on screens on the platform.
We use GitHub for version control of the applications we develop;
We use the SCRUM methodology to manage the activities developed by each team member, what the deadlines are, what was done in each release, etc. - Trello assists us in the implementation of Scrum in the company.
We use DDD (Domain Driven Design) architecture in our project. All of our subsystems consume the services of a REST API where all the business rules of the application are found.
The platform also has a mobile app for Android and iOS.
2. Access Management
2.1. Password Policy
Is it necessary to change the password at the first login?
ANSWER: Yes. The administrator has, through the administrative area, autonomy to enable or disable the password change at the first access.
Is a password change required every 60 days?
ANSWER: Yes. The period can be increased or decreased, if necessary, by the administrator through the administrative area of the platform.
Is the user blocked after 5 invalid login attempts?
ANSWER: Currently, this limit on the platform is 6 attempts, which can be reduced by the administrator, through the administrative area.
Is the user blocked after 60 days of no use?
ANSWER: This process can be done manually, through the administrative area or by spreadsheet, or automatically, through the API.
How is a user blocked by incorrect login attempts unblocked? (Automatic or manual?)
ANSWER: The lock is applied automatically by the platform for a period of 30 minutes, after which it is automatically lifted.
However, the administrator can also unblock the user manually through the administrative area.
Are profile accesses revoked and disabled after 180 days without use?
ANSWER: This process can be done manually (through the administrative area or by spreadsheet) or automatically (through the API).
Is there a lock so that the same password cannot be reused within the period of 1 year?
ANSWER: During the password change process, the user needs to enter a password different from the 10 previous passwords, otherwise, the platform does not allow the change.
Does the tool require a minimum password length of 8 characters?
ANSWER: During the password change process, in addition to the password having a minimum of 8 characters, the user must provide letters, numbers and special characters.
Does the system require the password to be strong and contain a combination of at least three (3) of the following: uppercase letters, lowercase letters, numbers, special characters?
ANSWER: During the password change process, in addition to the password having a minimum of 8 characters, the user must provide letters, numbers and special characters.
Does the company have documented password management procedures, including:
- Minimum number of characters and password complexity;
- Cryptographic structure that is used to protect passwords (for example, hash functions)
- Session time, use of multi-factor authentication
ANSWER: The procedure is not formally documented, but the business rules of the application, referring to the password management policy are:
They must have at least 8 characters made up of uppercase or lowercase letters, numbers and special characters;
They must be different from the last 10 passwords, otherwise the platform does not allow the change;
The application stores the user's password in the form of an SHA2-256 hash;
The session time is 24 hours. If the user closes the browser, the session is ended and the user will have to log in again.
Multifactor authentication is not currently supported by the platform. Local authentication only, with username and password.
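The password rules listed above (minimum of 8 characters, letters plus numbers plus special characters, no reuse of the last 10 passwords, storage as a SHA2-256 hash) are concrete enough to implement. The block below is an added example written for this review, not Engage's code; the `PasswordPolicy` class, its method names and the sample history are constructed for illustration, and it uses SHA-256 only because that is the storage format the answers describe.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Hypothetical implementation of the stated rules (not Engage's code): minimum 8
// characters, letters + digits + special characters, and no reuse of the last 10
// passwords. Candidates are compared to history as SHA-256 hashes.
public static class PasswordPolicy
{
    public const int MinLength = 8;
    public const int HistoryDepth = 10;

    // Lowercase hex SHA-256 of the UTF-8 encoded password.
    public static string Sha256Hex(string password)
    {
        using (var sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(password));
            return BitConverter.ToString(digest).Replace("-", string.Empty).ToLowerInvariant();
        }
    }

    // Returns null when the candidate is acceptable, otherwise the rejection reason.
    // previousHashes is ordered newest-first; only the first 10 entries are consulted.
    public static string Validate(string candidate, IEnumerable<string> previousHashes)
    {
        if (candidate == null || candidate.Length < MinLength)
            return "password must have at least 8 characters";
        if (!candidate.Any(char.IsLetter))
            return "password must contain letters";
        if (!candidate.Any(char.IsDigit))
            return "password must contain numbers";
        if (!candidate.Any(c => !char.IsLetterOrDigit(c) && !char.IsWhiteSpace(c)))
            return "password must contain special characters";

        string hash = Sha256Hex(candidate);
        bool reused = previousHashes
            .Take(HistoryDepth)
            .Any(h => string.Equals(h, hash, StringComparison.OrdinalIgnoreCase));
        if (reused)
            return "password must differ from the last 10 passwords";

        return null;
    }

    public static void Main()
    {
        // Constructed history: the user's current password is the first (newest) entry.
        var history = new List<string> { Sha256Hex("Winter#2023"), Sha256Hex("Autumn#2023") };

        Console.WriteLine(Validate("short1!", history) ?? "ok");        // too short
        Console.WriteLine(Validate("NoDigitsHere!", history) ?? "ok");  // no numbers
        Console.WriteLine(Validate("Winter#2023", history) ?? "ok");    // reuse of a recent password
        Console.WriteLine(Validate("Spring#2024", history) ?? "ok");    // ok
    }
}
```

One caveat a reviewer would raise on the storage format: a single unsalted SHA-256 is fast to compute, so an attacker who obtains the hash table can test guesses at hardware speed. The .NET Framework ships `Rfc2898DeriveBytes` (PBKDF2), which adds a per-user salt and an iteration count; with it, the history check above compares the candidate against each stored entry using that entry's own salt instead of one shared hash.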
Is it possible to customize the access model on the platform?
ANSWER: Yes. The administrator has the autonomy to create customized profiles with reduced privileges and to assign these profiles to users.
Does the solution support the implementation of Single Sign-On for authentication and authorization?
ANSWER: The platform supports SSO for authentication only. The access to the platform functionalities is released through the access profiles, with their respective roles, created directly on the platform.
If full integration of Single Sign-On is not possible, what other interface to automate access provisioning is supported?
ANSWER: This automation is possible: the profiles, with their respective roles, are created in advance on the platform, and a customized integration is developed for the client that, after SSO, assigns a profile to the user following the client's own rules, according to the level of privileges the user should have.
Does the company provide a pre-production environment for its customers?
ANSWER: Yes. The environment available for testing by the customer is: https://test.engage.bz.
How does the company limit and control the use of privileged access rights (for example, administrators, development, advanced users, etc.) that can have access to customer data? Describe how it is performed.
ANSWER: Yes, the platform has profiles that limit users' access to customer environment information.
Does the company have a documented Bring Your Own Device (BYOD) policy? How is information protected when it is processed on a private device?
ANSWER: We currently have no policy in place in this regard.
Does the company run a Bug Bounty or Responsible Disclosure program that allows it to continuously identify vulnerabilities in its applications? Provide a brief description of the program.
ANSWER: Our customers are advised to report any incidents on the platform, be it bugs, usability problems, navigation or incidents related to information security on our official channel meajuda@engage.bz. By sending the incident to this address, a call is automatically opened to our support team who will take care of responding to the request and activate the IT team whenever necessary to resolve the problem.
Does the platform support authentication integrated with the Microsoft Active Directory service?
ANSWER: Only authentication with AD is supported, while the authorization process is done directly by the platform, through the administrative area, informing the user's access profiles.
Does the platform allow for a single sign-on strategy with the Active Directory structure?
ANSWER: The platform allows the user to authenticate with Active Directory credentials, by entering their username and password.
Does the platform allow you to change the names and passwords of the standard administration accounts for the tool?
ANSWER: Standard platform data cannot be edited, even from the administrative area.
2.2. Function Segregation
Is there function segregation?
ANSWER: There are two standard profiles on the platform, the Player and the Administrator, described below:
Player: the end users who take part in the missions of each track of a competition; they are not allowed to edit other users or manage competitions.
Administrator: responsible for managing all the resources of the platform (users, competitions, tracks and missions). This profile can also create other profiles with more restricted access permissions.
Custom Profiles: the administrator has the autonomy to create customized profiles, with reduced privileges or not, according to their needs.
Is there a unique profile for user management?
ANSWER: To manage users, it is necessary to access the administrative area with a profile that has the "User Management" permission.
Is there an exclusive profile for password reset and user unlock?
ANSWER: To manage users, it is necessary to access the administrative area with a profile that has the "User Management" permission.
In Engage's multitenant environment, how is the separation between the different customers guaranteed?
ANSWER: The platform, both the application and the database, is shared among all customers. Segregation in the application is done through a parameter we call customerId: every entity in the database carries this parameter, and it is used to filter the customer's environment, preventing unauthorized access between Engage's various customers.
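With a shared database, the security of the customerId scheme described above rests on the filter never being omitted from a query. The usual way to make that a property of the code rather than of each screen is to route every query through a repository that applies the tenant predicate first. The following is an added example written for this review, not Engage's code: `ITenantEntity`, `Mission`, `TenantRepository<T>` and the in-memory data are hypothetical, and the in-memory `IQueryable` stands in for an Entity Framework `DbSet`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Expressions;

// Every persisted entity carries the tenant key, as the answer above describes.
public interface ITenantEntity
{
    int CustomerId { get; }
}

public class Mission : ITenantEntity
{
    public int Id { get; set; }
    public int CustomerId { get; set; }
    public string Title { get; set; }
}

// Hypothetical tenant-scoped repository (not Engage's code). The customerId filter is
// applied once, here, so an individual screen or API endpoint cannot forget it.
public class TenantRepository<T> where T : class, ITenantEntity
{
    private readonly IQueryable<T> _source;
    private readonly int _customerId;

    // customerId must come from the authenticated session or token, never from a request
    // parameter; otherwise a caller could simply name another tenant.
    public TenantRepository(IQueryable<T> source, int customerId)
    {
        _source = source;
        _customerId = customerId;
    }

    private IQueryable<T> Scoped()
    {
        return _source.Where(e => e.CustomerId == _customerId);
    }

    public List<T> All()
    {
        return Scoped().ToList();
    }

    // A record belonging to another customer is indistinguishable from a missing one:
    // both return null, so nothing leaks about other tenants' ids.
    public T FirstOrDefault(Expression<Func<T, bool>> predicate)
    {
        return Scoped().FirstOrDefault(predicate);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed in-memory rows standing in for the shared database table.
        var table = new List<Mission>
        {
            new Mission { Id = 1, CustomerId = 1, Title = "Onboarding quiz" },
            new Mission { Id = 2, CustomerId = 2, Title = "Sales kickoff" },
        }.AsQueryable();

        var tenant1 = new TenantRepository<Mission>(table, customerId: 1);

        Console.WriteLine(tenant1.All().Count);                             // 1
        Console.WriteLine(tenant1.FirstOrDefault(m => m.Id == 1)?.Title);   // Onboarding quiz
        Console.WriteLine(tenant1.FirstOrDefault(m => m.Id == 2) == null);  // True: id 2 is customer 2's
    }
}
```

Because the predicate is composed onto an `IQueryable`, the same class works unchanged against Entity Framework, where the tenant condition becomes part of the generated SQL `WHERE` clause. A complementary detection check is a test that enumerates every entity type and fails the build if one lacks the `CustomerId` column.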
2.3. Types of Accesses
Does your solution or service have features for:
1. Access Federation / 2. Multi-Factor Authentication (MFA) / 3. IP restrictions / 4. None?
ANSWER:
SAML (Idp Initiated)
AD (Network)
ADFS 4.0 (OAuth)
Azure AD
Local authentication (User and Password)
3. Database
Which Databases exist in the environment?
ANSWER: SQL Server 2014
Is there an end-of-life (EOL) database (out of contract for maintenance support by the manufacturer) in the environment? What database versions are there in the environment?
ANSWER: SQL Server 2014
Is there physical or logical segregation of environments for database bases?
ANSWER: All environments in the organization (DEV, TEST (QA) and Production) each have a dedicated database.
Do the people who access these environments have segregated profiles?
ANSWER: Access to the production database is restricted to the person responsible for the product core and the technical leader.
Is there a high-availability mechanism in use, and if so, which one?
ANSWER: There are backups of the images of the production application, database and content servers.
Is the data stored in the database encrypted?
ANSWER: The data is not encrypted, but only the person responsible for the product core and the technical leader have access to the production servers and their respective environments, including the database.
For data stored in the database, is there any protection against direct access?
ANSWER: Access to the database data is segmented and requires a login.
Is the data used in production the same as that used in development?
ANSWER: The test dataset used during product development is not the same as the production database.
Is there a data masking mechanism in use?
ANSWER: No
Is the data stored in the database encrypted? Example: encryption on disk, encryption in tables, encryption of the communication between users and the database, etc.
ANSWER: The data stored in the Engage database is not encrypted. However, only members of the Engage Product team have access to the production servers and their respective environments, including the database.
Is the data used in production the same as that used in development? Example: many companies, when developing an application, need real data to simulate the use of the new software being developed; other companies use fictitious information so as not to expose real information such as payroll, personal information of employees and customers, etc.
ANSWER: The test dataset used during product development is not the same as the production database.
4. Infrastructure security
What are the hardware and software requirements to run the platform?
ANSWER: IIS 8.5 or higher
.NET Framework 4.7 or higher
SQL Server 2014 database or higher
Windows Server 2012 or higher
8 GB of Memory or higher
100 GB of Disk Space or higher
Which browser does the tool support?
ANSWER: The platform is cross-browser, with the following browsers supported:
IE 11 or higher;
Edge 46 or higher;
Chrome 68 or higher;
Firefox 61 or higher.
Does the solution include a cloud model and local infrastructure?
ANSWER: The platform only supports the cloud model, with cloud hosting from Engage.
Is there a segregation of environments in the supplier's infrastructure?
ANSWER: The infrastructure of the Engage platform is distributed as follows:
Database Server: Hosted on an AWS RDS server with SQL Server 2014 as the DBMS.
Application Server: Hosted on a Windows Server 2019 server.
Content Server: Hosted on AWS S3; stores static files, such as videos, PDFs and SCORM courses, that are uploaded by administrators and made available to users.
Are protection documents available for all components of the infrastructure (including network devices, servers, databases, web servers, etc.)?
ANSWER: N/A. All infrastructure services are contracted from AWS.
Are all components of the infrastructure (including network devices, servers, databases, web servers, etc.) protected according to the protection guidelines?
ANSWER: Access to Engage's network resources and production servers is protected by a firewall.
Does the organization have provision for implementing Web Application Firewall?
ANSWER: We use the native AWS EC2 firewall as the WAF tool.
Are phishing and malware protection services available for the web application?
ANSWER: Automatic emails sent by the platform do not contain links, with rare exceptions such as password reset, which prevents the spread of viruses or malicious code that could harm our users.
Is DDoS protection available for the web application and the corresponding infrastructure?
ANSWER: AWS Shield is used as a tool against DDoS attacks.
Does the organization have provision for the implementation of HIDS/NIDS (Host Intrusion Detection System / Network Intrusion Detection System)?
ANSWER: We don't have any of these tools in place.
Does the company conduct technical security assessments (for example, vulnerability, penetration testing) in its own IT environment?
ANSWER: Scanning procedures are not performed on workstations; however, the use of devices such as pen drives and external hard drives is blocked on the machines;
Access to the company's networks is authorized only for authorized equipment and devices;
Employees cannot install any software without authorization from the company's infrastructure team, and the applications used on the machines must be related to the activities performed within the organization.
Employees are not authorized to use corporate e-mail to deal with matters that are not of a professional nature and / or in relation to the functions performed in the company.
5. Data Control and Identity and Access Management
Are there guarantees about preserving data integrity?
ANSWER: The integrity of the database is maintained through the following resources:
> Foreign keys
> Check constraints
> In addition, validations in the registration screens (front-end) and APIs (back-end), so that the stored data is always consistent
Is there control and how are cases of violation of data protection laws handled?
ANSWER: Because our production servers on Amazon are hosted on servers in the USA, data breaches are subject to the laws of that country as well as to the controls of Brazilian law, through the LGPD.
Is recovery of critical information subject to delays regardless of the SLA agreed between the parties?
ANSWER: In urgent cases, such as system outages, the entire team is mobilized to restore services as quickly as possible.
Has the organization documented and implemented logical access controls?
ANSWER: At the time of hiring, employees are given access to the company's systems based on their role and the department they belong to;
Only registered and previously authorized persons have access to the company's facilities;
Each user has their own login and password to access the systems used by the company;
When an employee leaves the company, their accesses are immediately revoked.
Is there a process for reviewing user access rights at regular intervals?
ANSWER: Whenever there is a change of function within the organization, the accesses granted to the user are immediately reviewed and updated.
Does the organization have procedures that prohibit the use of group, shared or generic IDs and passwords (on servers, systems or the network)?
ANSWER: Yes. Each employee has a specific username and password to access resources, systems and devices within the organization.
Does the company allow its employees to work remotely? If so, how is the connection to the company’s network established and secured?
ANSWER: Yes, employees can work remotely and access is via a VPN connection.
6. Data vulnerabilities
Is there a formal process for handling Security incidents?
ANSWER: In urgent cases, such as system outages and / or data leakage, the entire team is mobilized to reestablish services as quickly as possible and correct critical failures.
How are IS incidents handled?
ANSWER: The company's service channels (Helpdesk, E-mail, Chat, Telephone, WhatsApp) are always available during business hours on business days, so that the customer can get in touch whenever they need.
Is there a tool for opening calls for handling Information Security incidents?
ANSWER: We use Freshdesk as a helpdesk system to answer calls opened by our customers.
Is there an IS patch management system?
ANSWER: All changes are recorded. We use GitHub to version the releases we have released for the product.
During the development of new features or bugfixes we register all activities in Trello, informing the description of what is being accomplished, who is responsible for executing the tasks and what is the deadline for completion.
When we close a release, we create a document, the Release Notes, detailing the improvements that have been implemented, and make the changes available in an approval environment for testing. If all tests are successful, we update the production environment.
The internal service team is always notified of changes so that they can provide more assertive support to the customer.
Is there a periodic vulnerability check process?
ANSWER: The vulnerability verification process is done by the Site Blindado Tool and occurs weekly.
Does the vulnerability scan have 360-degree scope, that is, is the entire environment analysed without exception?
ANSWER: The process is only performed on the application.
Can the customer conduct a vulnerability scan on Engage's application and / or infrastructure?
ANSWER: Due to confidentiality clauses in contracts with other customers, these tests cannot be performed on the application and/or on Engage's infrastructure.
How does your vulnerability remediation process work?
ANSWER: When identifying security flaws, they are corrected and the tests are redone to ensure that the problem has been definitively remedied.
Is the vulnerability assessment carried out whenever there are any significant changes to the application?
ANSWER: Yes. However, during the development of the application, techniques for developing secure code are used.
Is there a process and procedures for regular updates of antivirus DAT files on all system components? What is the frequency?
ANSWER: Scans run weekly and the antivirus software is updated monthly.
Are policies and procedures in place and business processes and technical support measures in place for regular patch management?
ANSWER: Update patches are made on a monthly basis.
Are all connections between the database and the application secure? If so, how is this done?
ANSWER: Access to the production database is restricted by IP. Only the IP of the application server is released.
How are changes to firewall and network settings tracked and managed?
ANSWER: Access to the production servers' firewall is restricted and only the Infrastructure Analyst has access to it.
Does the solution support secure deletion of customer data? Describe the data deletion process.
ANSWER: Not all data is subject to physical deletion from the database through the application. However, on screens in the administrative area where this action is allowed, the system asks the administrator to confirm the operation, warning that once completed it cannot be undone. If the administrator chooses to proceed, the deletion is carried out.
Describe the vulnerability management processes. In particular:
Is the solution / code tested for vulnerabilities?
Are the tests performed regularly?
What is the deadline for correcting critical vulnerabilities?
ANSWER: During the development of the application, secure code development techniques (OWASP) are used.
Our application is scanned weekly using the Site Blindado tool
Application errors are logged in the system so that we can diagnose problems and correct them with assertiveness;
The deadline for fixing critical vulnerabilities is 48 working hours.
How does the company monitor vulnerabilities in third-party modules/solutions used to process PMI data?
ANSWER: Before implementing any solution, we check whether the component to be used is on the list of components with known vulnerabilities, such as jQuery 3.3.0 or lower;
The tests performed by the Site Blindado tool provide us with information on application components that may contain vulnerabilities.
Does the company have documented procedures for responding to computer security incidents, including alerts and allegations about data breaches? Provide copies of applicable procedures.
ANSWER: In urgent cases, such as system outages and / or data leakage, the entire team is mobilized to reestablish services as quickly as possible and correct critical failures.
The company's service channels (Helpdesk, E-mail, Chat, Telephone, WhatsApp) are always available during business hours on working days, so that the customer can get in touch whenever they need.
The vulnerability verification process is done by the Site Blindado Tool and occurs weekly.
When identifying security flaws, they are corrected and the tests are re-done to ensure that the problem has been definitively remedied.
Does it have a list of the main events and resources that should be monitored?
ANSWER: Application availability - servers and files
User access to the platform
Actions taken on the platform
7. Physical and Network Security
Is there a dedicated room, and where is the network and server equipment located?
ANSWER: We do not have physical access to the Amazon Data Center. All access to the servers is done remotely and only by previously authorized persons.
Is there any access control to the environments that store or process information?
ANSWER: We do not have physical access to the Amazon Data Center. All access to the servers is done remotely and only by previously authorized persons.
Are there logs of the physical accesses performed?
ANSWER: We currently do not have access logs for servers, but access to production and development servers is restricted to the company's Product team.
Is there a fire prevention system?
ANSWER: Responsibility for incident prevention in the data center is guaranteed by the supplier hired by Engage.
Where are the "known" data storage locations? Where is the data center located?
ANSWER: The application is hosted on AWS and the data center is located in Virginia, United States.
Is there restricted and monitored access to critical assets 24x7?
ANSWER: The application servers have alarms that are automatically triggered when the processing of the machines is above 80%, as well as when there is low or insufficient memory. These alarms are triggered to the product IT staff and to the personal email of the person responsible for the product at any time.
Which security mechanisms (such as two-factor authentication) are available for remote administration?
ANSWER: Credentials and access token.
Do you use any insecure protocols, such as Telnet and FTP for device administration?
ANSWER: The protocols used on the network are secure.
Is there a segregation of data and / or infrastructure for a given customer from the others?
ANSWER: No. The entire infrastructure and application are shared among all customers.
What are your data leak prevention features?
ANSWER: Following the main practices of secure code development;
Employee awareness of data leakage;
Backup policies;
Software updates;
Use of security software, such as antivirus.
Does the organization have controls in place to ensure that access to sensitive areas is available only with authorized personnel?
ANSWER: Access to the company's premises is only allowed upon presentation of the electronic time-clock badge.
Is access to the company's sensitive area reconciled periodically?
ANSWER: Nowadays the company does not have sensitive physical areas
Does the organization have visitor authorization and are access controls in place?
ANSWER: The access of visitors to the company's premises is only allowed with the prior identification and authorization of a representative of the company.
Access to the company's internal networks and devices is forbidden to visitors;
Confirm that people working in the data center wear visitor badges or other identification, and that visitors are easily distinguishable from on-site staff.
ANSWER: Visitors wear visitor badges.
Confirm that data is encrypted before backup and remains encrypted on the backup media.
ANSWER: N/A. We do not perform backups on physical media and we do not encrypt them. The backups are stored in the cloud, with access restricted to the product's IT team.
Confirm that all media sent out of the facility is registered and sent via secure mail or another delivery method that can be tracked.
ANSWER: N/A. We do not make backups on physical media.
The organization has procedures to clear confidential data when it is no longer needed. What kind of data cleaning procedures are employed to remove confidential data?
ANSWER: If it is digital data, it is physically erased from the system and / or equipment. If it is paper documents, they are destroyed in paper shredders.
What set of security settings / features is implemented on the standard device issued to employees? (full disk encryption, firewall, etc.)
ANSWER: Blocking removable devices from machines
Firewall configuration
Antivirus Installation
Awareness campaigns with the internal public are also used.
Did the company appoint people in the organization to the role of data privacy director (DPO) (or equivalent)?
ANSWER: Yes, the company's CIO, Mauricio Pradella, took on this role.
Do the responsibilities of the Company's data privacy officer role include providing training and awareness about protecting personal data?
ANSWER: Although we do not have formal information security training, all our employees sign a confidentiality agreement at the time of hiring, committing themselves not to disclose customer and / or company information without prior authorization;
Awareness campaigns about the importance of not leaking information are made to employees;
We prioritize hiring new professionals by referral and who have a good professional history and good conduct in the work environment.
Access to the company's systems, files and infrastructure is granted to employees according to their profile and role in the company.
Employees are instructed not to share their passwords with anyone, inside or outside the organization.
Documentation on server infrastructure (fire protection, alarms, power, air conditioning and temperature)
https://media.amazonwebservices.com/en/wp/AWS%20Security%20Whitepaper%20-%20May%202011.pdf
8. BCP (Business Continuity Plan) and DR (Disaster Recovery) and Incident Management
Are there defined disaster recovery (DRP) and business continuity (BCP) plans?
ANSWER: All products developed at Engage are stored in the cloud.
Our internal process requires that changes be committed daily, to avoid loss of information in the event of equipment failure, disasters, etc.
Database, file and application backups are regularly performed with redundancy;
Images of the servers are kept;
In case of disasters, adopting the practices described above, it is possible to recover our projects through backups made to the cloud.
The process is reviewed quarterly and improved.
Is there control of test periodicity cycles?
ANSWER: We started the implementation of automated tests in the product API - where the business rules of the platform are centralized - in order to guarantee the quality of the product for our final customer.
In addition, before new features and / or bug fixes are uploaded to production, we test the platform's features. If a bug is identified, the responsible team reports what happened to the development team, which corrects it and launches a new correction patch. If everything is ok, the person in charge of the area approves the changes and the release is published in the production environment.
Is there tolerance for loss of information? What would be the window of loss?
ANSWER: We back up everything that is produced in the company and they are stored in the cloud, with redundancy, so that it is possible to reestablish the organization's activities in the event of a disaster.
Is there an agreed time to return to the operation in the event of a disaster? What is the maximum time?
ANSWER: Yes, the maximum established time is 8 hours, counted from the moment the incident is registered.
Does the organization have a written capacity management procedure in place?
ANSWER: The company's IT team monitors the performance of the servers, evaluating their capacity to meet the requirements contracted by our customers and for a good performance of the application, as well as carrying out cost reduction studies, maintaining the quality of the services provided. We often benchmark with other startups and partners to constantly improve our products and services.
Are management responsibilities and procedures in place to ensure a quick and effective response to the information security incident?
ANSWER: In the organization, the roles and functions are duly defined among team members with regard to all aspects of IT, including those of information security. In addition, in case of emergencies, the entire team is mobilized in order to remedy the reported / identified incident as soon as possible.
Are there procedures in place to deal with a data breach?
ANSWER: We believe prevention is the best way to avoid information leakage. For this, we adopt the following practices:
Employee awareness of data leakage;
We are in compliance with current legislation following the guidelines dictated by the LGPD;
Conducting vulnerability tests;
Use of tools to prevent attacks that exploit any vulnerabilities in the platform.
Does the organization have documented contact points, communication channels and availability of the Incident Response Team in the event of an information security incident?
ANSWER: The company's service channels (Helpdesk, e-mail, chat, telephone, WhatsApp) are always available during business hours on business days, so that the customer can get in touch whenever needed. In addition, in the event of an emergency incident, whether related to information security or to a system outage, for example, the entire team is immediately mobilized to solve the problem with the highest priority.
Is the Incident Response plan tested periodically?
ANSWER: The Incident Response plan is reviewed quarterly and improved.
Is appropriate training provided to all employees and contractors to report security incidents in notes and reports and are they observed to be security breaches in systems or services?
ANSWER: Although we do not have formal information security training, if any security-related incident is identified, this fact is immediately shared among all team members, discussed and resolved together, so that everyone on the team is able to deal with these situations.
9. Encryption and Key Management
Are there secure mechanisms for accessing application data? Example: VPN, SSL / TLS, etc.
ANSWER: SSL / TLS
This control can be implemented through the following procedures: Use secure technologies such as SSH, S-FTP, TLS or IPsec VPN OR use encryption in communications (for example, using TLS 1.2 (Transport Layer Security) or equivalent)
ANSWER: The authentication process occurs over the HTTPS protocol. When the user authenticates on the platform, an encrypted access token is generated and stored in a cookie, which is also encrypted.
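The answer above describes the session token being issued after HTTPS login and kept in a cookie. The following is an added example, not Engage's code, showing the two checks a practitioner would want around such a token: the server can verify it was not tampered with or expired, and the cookie carries the Secure, HttpOnly and SameSite attributes so it is never sent in clear, is not readable by page scripts, and is not attached to cross-site requests. It signs the token with HMAC-SHA256 rather than encrypting it (the page says the token and cookie are encrypted; the cookie attributes apply either way). The cookie name, the server key, the 8-hour lifetime and the user id are assumptions for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from http.cookies import SimpleCookie
from typing import Optional

# Assumptions for this example: the key would come from a secret store in production,
# the cookie name and lifetime are invented, nothing here is taken from the platform.
SERVER_KEY = b"constructed-demo-key-do-not-use-in-production"
COOKIE_NAME = "engage_token"
TOKEN_TTL_SECONDS = 8 * 3600


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, now: Optional[float] = None) -> str:
    """Return '<payload>.<signature>' where signature = HMAC-SHA256(SERVER_KEY, payload).
    The payload carries the subject and an absolute expiry timestamp."""
    now = time.time() if now is None else now
    payload = _b64(json.dumps({"sub": user_id, "exp": int(now + TOKEN_TTL_SECONDS)}).encode())
    signature = _b64(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{signature}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the signature matches and the token has not expired, else None.
    The signature is checked before the payload is parsed, and compared in constant time."""
    try:
        payload, signature = token.split(".", 1)
    except ValueError:
        return None
    expected = _b64(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(signature, expected):
        return None
    claims = json.loads(_unb64(payload))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def set_cookie_header(token: str) -> str:
    """Build the Set-Cookie header value with the attributes that protect the token."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = token
    cookie[COOKIE_NAME]["secure"] = True      # only sent over HTTPS
    cookie[COOKIE_NAME]["httponly"] = True    # not exposed to document.cookie / XSS
    cookie[COOKIE_NAME]["samesite"] = "Lax"   # not sent on cross-site POSTs (CSRF)
    cookie[COOKIE_NAME]["max-age"] = TOKEN_TTL_SECONDS
    cookie[COOKIE_NAME]["path"] = "/"
    return cookie[COOKIE_NAME].OutputString()


if __name__ == "__main__":
    token = issue_token("user42")
    print("Set-Cookie:", set_cookie_header(token))
    print("verified subject:", verify_token(token))
    print("tampered token verifies as:", verify_token(token[:-1] + "x"))
```

On ASP.NET the same attributes are the `Secure`, `HttpOnly` and `SameSite` properties of `HttpCookie`; the point of the example is that token integrity and cookie scoping are checked on every request, not only at login.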
Does the company use any type of encryption to protect corporate data?
ANSWER: Our internal process determines that access to development and / or production servers is restricted to the company's IT team and can only be performed from within Engage's internal network;
All platform user passwords are stored as a SHA2-256 hash;
All traffic between Engage applications is done under the HTTPS protocol;
What type of encryption and key strength is used (during transmission)?
ANSWER: RSA (2048 bits)
How is data encrypted during storage?
ANSWER: Although the database data is not encrypted, only the technician responsible for the product has access to the production environment;
Only the user's password is stored, as a SHA2-256 hash;
All data transmission in the application is done under the HTTPS protocol.
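The two answers above state that user passwords are stored as SHA2-256 hashes. As an added example, not Engage's code, the Python below puts an unsalted SHA-256 store next to a salted, iterated PBKDF2-HMAC-SHA256 record and shows the difference that matters offline: one precomputed table of SHA-256 digests matches every user who chose a common password, while the PBKDF2 record forces one full derivation per guess per user and can have its cost raised later because the parameters travel with the record. The sample password, the wordlist and the iteration count are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed sample data for this example; not Engage's users, passwords or wordlist.
SAMPLE_PASSWORD = "Summer2024!"
SAMPLE_WORDLIST = ["123456", "password", "Summer2024!", "engage123", "qwerty"]
# Assumption: an iteration count in the range currently recommended for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def sha256_only(password: str) -> str:
    """Unsalted SHA-256, as described in the answers above.
    Every user with the same password gets the same digest, and one hash costs microseconds."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_unsalted(digest: str, wordlist: List[str]) -> Optional[str]:
    """Dictionary attack on an unsalted digest: the table is built once and then
    matches any user's record with a single lookup."""
    table = {sha256_only(word): word for word in wordlist}
    return table.get(digest)


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. The record carries its own parameters
    ('pbkdf2_sha256$<iterations>$<salt hex>$<key hex>') so the cost can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, key_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(key.hex(), key_hex)


if __name__ == "__main__":
    unsalted = sha256_only(SAMPLE_PASSWORD)
    print("unsalted digest recovered from wordlist:", crack_unsalted(unsalted, SAMPLE_WORDLIST))
    record = pbkdf2_hash(SAMPLE_PASSWORD)
    print("pbkdf2 record:", record)
    print("verify correct password:", pbkdf2_verify(SAMPLE_PASSWORD, record))
    print("verify wrong password:", pbkdf2_verify("wrong", record))
```

In .NET the equivalent primitive is `System.Security.Cryptography.Rfc2898DeriveBytes` (PBKDF2); a per-user random salt and a high iteration count are what stop the single-table attack shown in `crack_unsalted`.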
10. Security Tools
Is there an Antivirus tool installed on the servers hosting the platform and also in the supplier's on premises environment? Example: Symantec, McAfee, Trend, Kaspersky and etc.
ANSWER: Yes, Windows Defender.
Is there an AntiSpam tool (Applied only to e-mail services)? - Vendor and cloud
Example: Symantec, McAfee, Trend, Barracuda, Ironport, etc.
ANSWER: Microsoft's Office 365 email management service itself has a native SPAM tool.
Is there a vulnerability analysis tool? Cloud and vendor
ANSWER: To prevent the injection of malicious code and attacks: Site Blindado
Is there a password vault tool for keeping platform service credentials? Cloud and provider Example: CyberArk, Keeper, Fortsafe
ANSWER: We use the LastPass manager to store passwords for all systems used by Engage.
Is there a system for SIEM - Security Information and Event Management (Analysis tool, Correlation and Log Management)? Example: HP, IBM. LogRhythm, Splunk, Intel Security and etc
ANSWER: The platform has its own log management mechanism.
Is there a Database Firewall tool? In the contracted cloud? Example: Imperva, McAfee, Trustwave DB Protect, IBM Guardium, Fortnet FortDB and ect ...
ANSWER: We use the native AWS EC2 firewall as a WAF tool.
Is there a WAF tool - WEB Application Firewall? In the contracted cloud?
ANSWER: We use the native AWS EC2 firewall as a WAF tool.
Is there an IDS / IPS tool enabled? Both in the cloud and in the vendor's support environment?
ANSWER: No
Is there an Anti-DDoS tool implemented in the cloud service?
ANSWER: We are implementing a Cloudflare anti-DDoS solution.
11. Backup Policies
• It is the responsibility of the company's IT team to monitor Engage's backup processes;
• The application database backup process is generated daily;
• Our clients' content files (courses, videos, PDFs, etc.) are backed up once a week, due to the large volume of data;
• All backups of the organization are stored in the cloud;
• Backups are made of the images of the servers where the applications are hosted;
• No backups are made to media such as HDs and / or tapes;
• Employees are instructed not to keep company files on their workstations, which must be stored in directories that are within the backup routes;
• The source code of the application is versioned, allowing the company to have control of each version of the product.
12. Data Retention Time
What is the data retention period in the company?
ANSWER: The retention time for backups is 30 (thirty) days;
Regarding the data stored in the Platform's database, we guarantee full availability while the contract is in force. After the end of the contract, the data is definitively erased after 30 (thirty) consecutive days.
The same criterion as in the previous item applies to content files.
Does the solution support a custom data retention period for customer data?
ANSWER: No. Currently, the data retention period is previously established in the contract. During the term of the contract, we guarantee the full availability of customer data and files stored on the platform. After the closure, the data are kept for 30 days and, after this period, they are physically removed both from the database and from our content servers.
Does it allow purging of historical data (transferring old data to new tables)? Output format (eg files, external databases, etc.). Specify which forms of output are supported.
ANSWER: The platform has no data purging mechanisms.
13. Audit Trail
Describe how the audit trails on the platform work.
ANSWER: The platform provides Excel reports of users' access (login) on the platform;
Actions such as creating / editing and deleting users, missions, rounds, activities and competitions, can be obtained through reports;
Errors on the platform are also recorded, allowing more assertive diagnostics to correct bugs. As these contain technical product information, they are not available via reports.
14. Asset Control
Classify information in terms of confidentiality, availability and integrity. Use the IC-Tool form.
ANSWER: The control follows the table below:
Assets | Confidentiality | Integrity | Availability |
Customer Content Files (electronic) | Confidential | Critical | Critical |
Contracts | Internal Use | Very High | Restricted |
Employee Health Records | Internal Use | Very High | Restricted |
Application Source Code | Confidential | Very High | Critical |
Application Database | Confidential | Very High | Critical |
Development Environments | | High | Restricted |
Production Servers (Application and Database) | Confidential | Very High | Critical |
Emails | | High | Restricted |
Equipment (computers, cell phones, etc.) | Internal Use | High | Critical |
15. Privacy Policies and Terms of Use
Does the company have a document with privacy policies?
ANSWER: Yes. It is available at the link https://www.engage.bz/privácia/
Does the company have a document with the terms of use?
ANSWER: Yes. It is available at the link https://www.engage.bz/termos-gerais/
Does the company have measures for prevention, detection and treatment against information leakage? Describe them. Is there a formal process for communicating the unauthorized disclosure to a group responsible for dealing with breaches of confidentiality?
ANSWER: Engage professionals are instructed not to disclose data or share confidential materials without authorization;
Vulnerability tests are performed on the platform
The data traffic of the application is done under SSL / TLS protocol
Do you support the use of digital certificates for published services?
ANSWER: Yes, and only the certificate issued by AWS through the application's control panel is supported.
Have the risks associated with the collection, use, disclosure and retention of personal information been identified and documented?
ANSWER: The risk of leakage has negative impacts on the image of the organization as well as the reliability of the platform and the services provided by the company.
Failure to comply with current legislation can put the company's operation at risk, and the authorization for data collection and processing may be suspended.
Fines can be imposed in case of improper handling of user data stored on the platform.
Does the organization describe the options available (opt-in vs. opt-out) for the individual in relation to the collection, use and disclosure of personal information?
ANSWER: The personal information stored on the platform is only the Name, Email (if any) and a single field for authentication, IP address for login to the platform, photo (if the admin configures the platform) and cookies. Information such as department, class, for example, is provided by the company's human resources area.
Has the organization identified and documented the various channels for collecting personal information from users?
ANSWER: On the platform, employees' personal data is provided by the customer's HR area. The data is loaded through spreadsheets and / or integrations via REST APIs. Users may also self-register, but in both cases the information collected and stored on the platform is the full name and a field used for authentication (it can be an e-mail, CPF or a registration number, for example).
Does the organization communicate that personal information is collected only for the purposes identified in the notice, to the respective individuals?
ANSWER: In our privacy policies, available at the link https://www.engage.bz/privacy, we describe what data we collect and how this data is used.
Does the organization have procedures in place to ensure that the personal information held is accurate, complete, relevant and up-to-date?
ANSWER: As user data is passed to Engage by the area within the client's company that contracts our services, it is the client's responsibility to keep the records updated, either manually through the administrative area of the platform, via spreadsheet imports, or via API integrations.
Does the organization have procedures in place to ensure that personal information is retained only as long as necessary to fulfill stated objectives?
ANSWER: Regarding the data stored in the Platform's database, we guarantee full availability while the contract is in force. After the end of the contract, the data is definitively erased after 30 (thirty) consecutive days.
The same criterion as in the previous item applies to content files.
Is personal information being disclosed to third parties for processing, storage or any other purpose?
ANSWER: We do not make any disclosure of customer data and its users to third parties without the customer's prior authorization. About storage we only use the AWS cloud for file and application hosting, as well as data storage in RDS, also, from AWS.
Does the organization communicate its privacy policies, practices and requirements to third parties to whom personal information is being disclosed and ensures that they comply with these standards?
ANSWER: Whenever there is a need for outsourcing, we will communicate our privacy policies with the partner to ensure the confidentiality of the personal data of users and customers.
Does the organization have a written Non-Disclosure Agreement with all third parties in accordance with privacy policies?
ANSWER: Whenever a third party is contracted by Engage, it is submitted to the signature of a data confidentiality term, committing itself not to disclose any information pertinent to the project, client or its users without prior authorization.
Are there any corrective procedures to deal with any misuse, unauthorized disclosure, access, alteration, destruction or loss caused by third parties?
ANSWER: In case of data loss, our backup policy and operational procedures for creating new products (do not store files on local machines, commit all changes to GitHub) mitigate the risk of information loss. It is worth mentioning that third parties do not, under any circumstances, have access to the production environment. Regarding unauthorized disclosure, access or editing, the third party is subject to the sanctions provided for in the contract and, where applicable, to the penalties provided for by law.
Has the organization defined, documented and approved security measures to protect data at rest, in transit and on the move?
ANSWER: Rest: Although the database data is not encrypted, only the technician responsible for the product has access to the production environment.
Transit: All data traffic is carried out using the HTTPS TLS 1.2 protocol
Does the organization have mechanisms to protect personal information from unauthorized use and disclosure?
ANSWER: Access to the application's database is protected by a Firewall with IP restriction;
Access to the production environment is restricted to the technician responsible for the product;
The application only allows the consultation of data through authentication of users with the appropriate access permissions and their respective environment, not allowing the viewing of other customers;
Any data movement is carried out with prior authorization from the client;
16. Log Management
Does the platform have any logging mechanism?
ANSWER:
The platform has a native log management system.
The platform logs are stored in the database
It is not possible to delete and / or edit them.
Access is restricted to the Engage IT team, by default, but can be made available to administrators through reports.
The information stored is: user, IP address, date and time of access, environment (web application or app), and the user's geolocation.
Does the organization have provisions in place to monitor all additions and deletions of changes to any account with root or administrative privileges?
ANSWER: Yes. The platform has logging mechanisms to record the actions performed by users.
17. Security Incident Management
Does the company have a process for applying emergency corrections? Describe the process, the existence of the registration and approval of the owners.
ANSWER: When any incident is reported by the customer, the product development team is immediately triggered and the response time is the one agreed in the SLA contract, following the scale below:
Urgent Priority: Up to 4 working hours
High Priority: Up to 8 working hours
Medium Priority: Up to 12 working hours
Low Priority: Up to 16 business hours
Does the database have any security policy related to data loss prevention? E.g., an alert generated by mass data extraction.
ANSWER: Whenever some routine causes the processing in the database or in the application to exceed more than 60% of CPU for 1 minute, the servers start issuing alerts to the Engage IT team.
18. Security of Human Resources
Does the company have a security process incorporated in the hiring of its employees? Describe it. Comment if the company conducts a curriculum analysis of the candidate and if, upon hiring, the employee signs the code of ethics, confidentiality terms and information integrity. Describe the existence of employee training focused on information security.
ANSWER:
Whenever an employee is hired, he or she signs a confidentiality agreement committing himself or herself not to disclose company and / or customer information without prior authorization.
We prioritize hiring new professionals by referral and who have a good professional history and good conduct in the work environment.
In cases of change of department, the accesses are revised granting permissions to the systems and tools that will be used in their new role and those that will no longer be needed are cut;
Access to the systems is allowed to the professional according to his function, with the creation of a personal and non-transferable password.
Does the company have security processes incorporated in the termination of its employees? Describe them. In cases of termination, is there a checklist for checking and returning assets (notebooks, cell phones, mouse, keyboard, tablet, etc.)?
ANSWER:
Whenever a professional is dismissed, their access to workstations is immediately cut off;
Their accounts on the systems used by the company are immediately blocked;
Equipment held by the employee is immediately collected from the employee and the machine is formatted.
Does the organization have procedures in place to confirm that users are authenticated using unique IDs (server, network, application)?
ANSWER: Each employee has their respective username and password to access the company's environments, allowing their access to be revoked in the event of termination.
Has the organization developed a program to protect against the misuse of personal information?
ANSWER: Company professionals are advised not to share their passwords with anyone inside and, especially, outside the organization, since this is personal and non-transferable information
It is strictly forbidden to disclose company and / or customer information without prior authorization.
Access to the company's environments and systems is segregated according to the role of each employee.
19. Cyber Risk Management and Governance
Does the company have an Information Security program? If so, describe the main objectives related to the program and the framework used (Cobit, COSO, IOSCO, ISO27001, NIST, ITIL, etc.)?
ANSWER: Although we do not hold any certification such as ISO or SOC, our internal processes follow market best practices for information security and are aligned with the LGPD;
All employees, when hired, sign a term in which they commit to the confidentiality of information, both stored in the internal systems and those of customers;
Internal environments can only be accessed from within the organization, and access to development and production servers is restricted to previously authorized persons, also only from within Engage's network;
It is not allowed to use pen drives and / or external hard drives in the company's equipment without authorization;
Access to the company's networks is authorized only for authorized equipment and devices;
We ensure compliance with all contractual clauses signed with the client.
Is top management aligned with and committed to the information security program, allowing the needs to coordinate security activities to be addressed, based on risks and / or supporting legal and compliance requirements?
ANSWER: Engage is in compliance with LGPD legislation
We fully appreciate compliance with the contractual clauses signed with the client.
When engaged, Engage employees sign a confidentiality agreement, committing themselves not to disclose confidential data of customers and / or companies without prior authorization;
The use of removable media is not allowed on Engage workstations
Access to production servers is restricted to the IT staff
Employees are instructed not to leave Engage client or internal files on their machines, that is, every day they need to send their changes to directories that are within the backup routes.
Access to information from Engage and its customers should only be done during working hours, segmented by department
When an employee leaves the company, their access is immediately canceled
The company's policy is that passwords are personal and restricted to work activities;
System passwords used by Engage are stored in LastPass and access is restricted to the IT staff.
Does the organization have a mechanism to provide information security training to all employees and contractors and does it keep records for auditing purposes?
ANSWER: Although we do not have formal information security training, all our employees sign a confidentiality agreement at the time of hiring, committing themselves not to disclose customer and / or company information without prior authorization;
Awareness campaigns about the importance of not leaking information are made to employees;
We prioritize hiring new professionals by referral and who have a good professional history and good conduct in the work environment.
Access to the company's systems, files and infrastructure is granted to employees according to their profile and role in the company.
Employees are instructed not to share their passwords with anyone, inside or outside the organization.
Does the organization have a process for Human Resources Security (onboarding / offboarding and background checks)?
ANSWER: Whenever an employee is hired, he or she signs a confidentiality agreement committing himself or herself not to disclose company and / or customer information without prior authorization.
We prioritize hiring new professionals by referral and who have a good professional history and good conduct in the work environment.
Access to the systems is allowed to the professional according to his function, with the creation of a personal and non-transferable password.
When an employee is dismissed, their access to workstations is immediately cut off;
Their accounts on the systems used by the company are immediately blocked;
Equipment held by the employee is immediately collected from the employee and the machine is formatted.
Does the organization have a logical control policy (documented and applied) for creating, deleting, segregating and managing user access privilege ids?
ANSWER: The organization's infrastructure team has documentation of the procedures for creating / editing a user and assigning their respective access profiles according to the role exercised in the company.
Does the organization have a password management policy?
ANSWER: Yes. Passwords must have at least 8 characters, including upper- and lower-case letters and special characters, and must not be equal to 10
20. Legislation
In what geographic locations will customer data be stored?
ANSWER: Customer data is stored in Virginia, USA, subject to that country's legislation.
How are data backups made? What geographic locations are stored? When was the last restoration done?
ANSWER: The backups are performed through applications developed internally. These are stored on servers located in Virginia. The last restoration was done about 1 month ago.
Describe how the holder can correct his data:
ANSWER: The platform has a "My Account" screen where users can edit some of their data, except their Name and Login. For those fields, the system administrator can change them, either through an import spreadsheet or through the administrative area.
Describe how the holder can access the data stored in this system
ANSWER: Except data that is displayed directly on the platform, such as name, email and training carried out by the student, data such as the user's access IP address and geolocation, for example, can only be accessed by the user through reports issued by the platform and sent to the student by the administrator.
Is there any type of anonymization implemented?
ANSWER: The administrator can configure the platform so that the training data of INACTIVE users is preserved while their confidential data is completely obscured on the platform, not allowing their identification.
21. Outsourcing
Does the Company have a supplier management procedure including selection, evaluation / qualification and monitoring? Are suppliers regularly re-evaluated / re-evaluated? Provide a description of the process.
ANSWER: Before hiring suppliers, we benchmark with other companies on the service we are going to hire;
We always look for at least three proposals from possible suppliers;
We look for references about the track record of all of them;
We check if the supplier is in compliance with the current legislation regarding LGPD and data security;
At the time of signing the contract, we send the supplier a confidentiality agreement where he undertakes not to disclose information and / or data about Engage and / or its customers without prior authorization.
Do any IT third parties have comprehensive access to the system?
ANSWER: Dataside - Database Solutions: a partner that assists us in specific tuning projects on our database server.
Darede: They help us with AWS-related tasks.
Both suppliers, when accessing our environment, do so only under the supervision of Engage's IT department.
22. Sending Emails
Does the tool have integration with SMTP service?
ANSWER: Yes. It is possible to send emails through the tool. For that, we use AWS's Simple Email Service as a mechanism for sending e-mails.