This policy mentions all the requirements that are needed to be fulfilled in order to ensure the highest level of application and data security with optimum data quality and to minimize the risk in case of any breach on any digital assets of Event Hub.
This policy applies to all applications, databases, systems, and platform components that constitute or support the landscape of Event Hub to ensure the highest level of data security.
Vulnerability
A vulnerability is a weakness that can be exploited by a threat actor, such as an attacker, to cross privilege boundaries (i.e. perform unauthorized actions) within a computer system.
Penetration Test
A penetration test, also known as a pen test, pentest or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system.
Encryption
Encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext.
Ideally, only authorized parties can decipher a ciphertext back to plaintext and access the original information.
Key Management
Key management is the process of administering or managing cryptographic keys for a cryptosystem. It involves the generation, creation, protection, storage, exchange, replacement, and use of said keys and with another type of security system built into large cryptosystems, enables selective restriction for certain keys.
Respective tools should be deployed to perform periodic vulnerability assessments in live or near-live time.
Proper logs should be maintained for identified vulnerabilities. Once they are mentioned, they should be analyzed and mitigated using a change management process.
All identified vulnerabilities should be resolved as per the below duration. It must be ensured that all vulnerabilities are properly followed in alignment with both Change Management and Source Code Management Policies.
Look for best practices and industry recommendations for regular updates to identify and ensure that the assets are safe and prepared to cater to any newly discovered threat or vulnerability in the market.
Look for public reports and assessments for any kind of vulnerability in any third-party application/ library that is being used and leveraged by the organization.
Although it is mandatory to perform internal tests to detect any possible analogy or weak link. It is equally important to get penetration testing, regression testing, and other similarity threat or vulnerability assessments through external entities.
Once a vulnerability is fixed, a proper report should be maintained with relevant references and supporting information to confirm that how the risk was mitigated.
This report should be internally visible to all relevant stakeholders for their reference and to avoid such a scenario. In best cases, this Report should be part of the Knowledge Base that is used by Employees and Contractors.
Once an anomaly is identified and fixed, it should be kept under strict monitoring for at least 14 days to ensure that likelihood of that vulnerability is reduced to a minimum.
Only authorized members that have explicit permission are permitted to conduct any form of penetration testing
Frequent penetration testing should be conducted through both internal and external stakeholders.
Reports from penetration testing and vulnerability should be properly analyzed. A report should be generated automatically or manually with observations and comments at end of each penetration testing session.
In case of any threat or vulnerability, it should be properly studied, categorized, and based on its severity respective. Preventive or corrective actions should be proposed.
All penetration testing attempts should be performed in a duration that has the minimum load on the solution.
All penetration testing should have no or minimal impact on the live and other capabilities of the solution.
Penetration testing should be done on both staging and production environments.
Based on the outcomes and results from penetration testing reports, a proper mitigation plan should be designed.
Critical risks should be catered to as Emergency Changes and should be fixed at the earliest.
In case any Critical change requires some time to fix, that feature should be disabled temporarily and a public notice can be released mentioning the unavailability of that feature.
All systems, components, integration touch-points should be secure and encrypted (where applicable) to ensure that
Path Level Encryption, particular keys, and certificates should be used when data is being transmitted from one system to another.
Email, SMS, and other official communication through Messengers and collaboration tools should be encrypted end-to-end.
Encryption should also be applied on all official Desktops, Laptops, Printers, and other End-Points including Mobiles, Tablet, PCs, etc.
In the case of Bring Your Own Device (BYOD) scenario, where the employer or contractor is bringing his own device, in that case, it should properly monitor using some End-Point Security Monitoring Tool
Password, files, and other similar information should be properly encrypted with the latest encryption technology.
Frequent reports and assessments should be consulted to ensure that any changes in the library, encrypting/decrypting protocols are properly reflected on respective systems.
Keys are leveraged whenever there is some kind of encryption that is performed on either or both sides.
The key should be kept in a secure place, itβs the responsibility of the individual/organization to ensure that the keys are secured and are not available to the public or any unauthorized user.
Key should also be updated at regular intervals (few weeks) and sometimes right away as soon as some possible threat is identified.
In case of any suspicion or unauthorized access or leak of keys, all keys should be changed right away.
Keys can be in form of a password, pass-phrase, or even some file format. In any case, they should be kept with the highest level of protection.
There should be a proper mechanism to destroy the Keys whenever needed.
In some scenarios, the access can also be revoked to isolate the exact issue.
