Security Policy for NikaTime
Overview
NikaTime is dedicated to protecting the security of its systems and the confidentiality, integrity, and availability of client information. This Security Policy defines stringent measures to safeguard information assets from identified threats and risks, ensure compliance with contractual obligations owed to customers, and adhere to applicable laws and regulations. This policy is reviewed and updated annually.
Access Control Policy
User Account Management
Account Creation: User accounts for accessing client information systems must be created only after formal approval from designated authorized personnel. Each request must be documented.
Account Amendment: Any changes to user accounts must follow a documented request and approval process, ensuring modifications are tracked and authorized.
Account Deletion: User accounts must be deactivated within 24 hours upon termination of employment or change of employment responsibilities for critical systems and applications, and within 7 days for less critical ones.
Access Reviews
Regular Audits: Conduct quarterly audits of user access permissions to verify alignment with current job responsibilities.
Adjustments: Adjust access permissions promptly in response to role changes or department transfers, based on audit findings.
Formal Access Control Policies
Documentation: Maintain formal, documented access control policies to support the creation, amendment, and deletion of user accounts for systems or applications holding or allowing access to client information.
User Authentication Controls
Password Policy
Individual Accounts: Each user account must have a password.
Initial Passwords: If set by the system administrator, the initial password issued must be random and must be changed by the user upon first use.
Confidentiality and Encryption: Passwords must be treated as confidential data and encrypted in transit.
Password Restrictions:
Restrict reuse of nine (9) previous password iterations.
Enforce password changes every 60 days if not two-factor enabled.
Enforce password changes every 365 days if two-factor enabled.
Enforce account lock-out after five (5) failed login attempts.
Require password complexity.
Enforce a minimum length of ten (10) characters and require at least three of the following elements:
Upper case letter (A-Z)
Lower case letter (a-z)
Number (0-9)
Special characters
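The password restrictions above are concrete enough to be enforced in code. The following is an added, hypothetical example (not NikaTime's own implementation) of an account model that applies them: minimum length and three-of-four character classes, the nine-password reuse history (compared against salted PBKDF2-SHA256 hashes rather than stored passwords), the 60-day rotation for accounts without two-factor versus 365 days with it, and lock-out after five failed logins. The PBKDF2 iteration count and the sample passwords in run_scenario() are constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy parameters, taken from the password restrictions above.
MIN_LENGTH = 10
MIN_CLASSES = 3
HISTORY_DEPTH = 9
MAX_FAILED_LOGINS = 5
ROTATION_DAYS = {True: 365, False: 60}   # keyed by "two-factor enabled"
PBKDF2_ROUNDS = 50_000                   # demonstration value; tune for production


def complexity_issues(password: str) -> list[str]:
    """Return the list of policy violations for a candidate password (empty = acceptable)."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.isupper() for c in password),            # A-Z
        any(c.islower() for c in password),            # a-z
        any(c.isdigit() for c in password),            # 0-9
        any(c in string.punctuation for c in password),  # special characters
    ]
    if sum(classes) < MIN_CLASSES:
        issues.append(f"uses {sum(classes)} of 4 character classes, need {MIN_CLASSES}")
    return issues


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the history never stores a recoverable password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    mfa_enabled: bool
    history: list = field(default_factory=list)   # (salt, hash) pairs, newest last
    last_changed: datetime | None = None
    failed_logins: int = 0
    locked: bool = False

    def reused(self, password: str) -> bool:
        """True if the password matches any of the last HISTORY_DEPTH passwords."""
        return any(secrets.compare_digest(_hash(password, salt), h)
                   for salt, h in self.history[-HISTORY_DEPTH:])

    def set_password(self, password: str, now: datetime) -> list[str]:
        issues = complexity_issues(password)
        if self.reused(password):
            issues.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        if issues:
            return issues
        salt = secrets.token_bytes(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]   # keep only what the policy needs
        self.last_changed = now
        return []

    def password_expired(self, now: datetime) -> bool:
        limit = timedelta(days=ROTATION_DAYS[self.mfa_enabled])
        return self.last_changed is None or now - self.last_changed > limit

    def attempt_login(self, password: str, now: datetime) -> str:
        """Return 'ok', 'expired', 'denied' or 'locked'."""
        if self.locked or not self.history:
            return "locked" if self.locked else "denied"
        salt, h = self.history[-1]
        if secrets.compare_digest(_hash(password, salt), h):
            self.failed_logins = 0
            return "expired" if self.password_expired(now) else "ok"
        self.failed_logins += 1
        if self.failed_logins >= MAX_FAILED_LOGINS:
            self.locked = True
            return "locked"
        return "denied"


def run_scenario() -> dict:
    """Exercise each rule with constructed sample passwords; returns the outcomes."""
    t0 = datetime(2024, 1, 1)
    acct = Account(mfa_enabled=False)
    out = {}
    out["weak"] = acct.set_password("password1", t0)          # too short, 2 classes
    out["strong"] = acct.set_password("Tr0ub4dor&Three", t0)  # accepted
    out["reuse"] = acct.set_password("Tr0ub4dor&Three", t0 + timedelta(days=1))
    out["login_day30"] = acct.attempt_login("Tr0ub4dor&Three", t0 + timedelta(days=30))
    out["login_day61"] = acct.attempt_login("Tr0ub4dor&Three", t0 + timedelta(days=61))
    for _ in range(MAX_FAILED_LOGINS):
        last = acct.attempt_login("wrong-guess!", t0)
    out["after_five_failures"] = last
    mfa = Account(mfa_enabled=True)
    mfa.set_password("Tr0ub4dor&Three", t0)
    out["mfa_day61"] = mfa.attempt_login("Tr0ub4dor&Three", t0 + timedelta(days=61))
    return out
```

Because the reuse check hashes the candidate against each stored entry, a lower iteration count keeps password changes responsive; the lock-out counter is reset only by a successful login, so the fifth consecutive failure locks the account regardless of timing.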
Multi-Factor Authentication (MFA)
Enforcement: Enforce multi-factor authentication (MFA) for remote access and access to the cloud environment.
User and Device Authentication: Both user and device (e.g., laptop) must be suitably authenticated in the MFA arrangement.
Software Installation Controls
Privilege Restriction: Prohibit employees from installing software unless they have been explicitly assigned privileged status.
Encryption and Key Management Policy
Cryptographic Protection
Processing and Transmission: Implement cryptographic solutions to secure the processing and transmission of confidential information over all networks.
Storage: Encrypt all confidential information stored on any media, including databases, files, and backups.
User End-Point Devices: Require encryption on all user end-point devices (e.g., issued workstations, laptops, mobile devices), either for the entire device using full-disk encryption solutions such as BitLocker or for data identified as sensitive, enforced through technology controls.
Acceptable Encryption Algorithms and Tools
Approved Algorithms:
AES (Advanced Encryption Standard) with a key size of 256 bits.
RSA (Rivest-Shamir-Adleman) with a key size of 2048 bits or higher.
SHA-256 (Secure Hash Algorithm) for hashing.
TLS (Transport Layer Security) version 1.2 or higher for secure communications.
Approved Tools: Use industry-standard cryptographic tools that comply with these algorithms.
Central Inventory
Inventory Maintenance: Maintain a centralized inventory of all cryptographic applications and solutions, detailing encryption types, purposes, and systems utilizing encryption.
Encryption Key Lifecycle Management
Secure Key Generation: Generate cryptographic keys using secure, approved methods.
Key Distribution: Distribute keys securely to authorized personnel or systems, ensuring confidentiality and integrity during transmission.
Key Usage: Utilize keys solely for their intended purposes, protected against unauthorized use.
Secure Key Storage: Store keys securely using hardware security modules (HSMs) or equivalent high-security solutions.
Backup and Recovery: Securely back up keys and ensure their recoverability in case of corruption or loss.
Key Replacement: Regularly replace keys and immediately replace them if compromise is suspected.
Key Destruction: Securely destroy keys that are no longer needed, preventing unauthorized access or retrieval.
Responsibilities of Cryptographic Key Owners
Separation of Duties: Ensure that key management and key usage are performed by different individuals to prevent conflicts of interest.
Key Owner Duties: Key owners are responsible for the secure management and usage of their assigned keys, ensuring compliance with this policy.
Protection of Cryptographic Keys
Physical and Logical Controls: Protect cryptographic keys using robust physical and logical controls to prevent unauthorized access, modification, or destruction.
Secure Backup and Destruction of Cryptographic Solutions
Secure Backups: Store backups of cryptographic solutions securely, restricting access to authorized personnel only.
Secure Destruction: Destroy cryptographic solutions securely when they are no longer needed to prevent misuse or unauthorized access.
Key Compromise Plans
Identification and Notification: Immediately identify and notify stakeholders if a key compromise occurs.
Key Replacement: Generate and distribute new keys promptly following a compromise.
Revocation and Recovery: Revoke compromised keys and implement recovery procedures.
Investigation and Reporting: Investigate the cause of the compromise and report findings to relevant parties.
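The lifecycle, separation-of-duties and key-compromise requirements above (Encryption Key Lifecycle Management through Key Compromise Plans) can be enforced by a central key inventory. The following is an added, hypothetical example, not NikaTime's own tooling, of such an inventory written with the Python standard library: keys are generated from a CSPRNG at the approved AES-256 size, bound to one purpose, owned by a named person who may not also use them, flagged for rotation by age, and on a reported compromise are revoked, replaced, zeroized and logged. The purposes, owner names and 90-day rotation interval in run_scenario() are constructed for the demonstration; the inventory records a SHA-256 fingerprint rather than the key itself.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class KeyState(Enum):
    ACTIVE = "active"            # usable for its stated purpose
    RETIRED = "retired"          # replaced by routine rotation
    COMPROMISED = "compromised"  # revoked; never usable again
    DESTROYED = "destroyed"      # material zeroized; record kept for the inventory


@dataclass
class ManagedKey:
    key_id: str
    purpose: str          # a key is used solely for its intended purpose
    owner: str            # key owner accountable under the policy
    created: datetime
    material: bytearray   # 32 bytes = AES-256, the approved symmetric key size
    state: KeyState = KeyState.ACTIVE

    def fingerprint(self) -> str:
        return hashlib.sha256(bytes(self.material)).hexdigest()[:16]

    def zeroized(self) -> bool:
        return all(b == 0 for b in self.material)


class KeyInventory:
    """Central inventory with lifecycle enforcement (hypothetical example)."""

    def __init__(self, rotation_days: int):
        self.rotation_days = rotation_days
        self.keys: dict[str, ManagedKey] = {}
        self.events: list[str] = []   # audit trail and stakeholder notifications

    def generate(self, purpose: str, owner: str, now: datetime) -> ManagedKey:
        # secrets.token_bytes draws from the OS CSPRNG: approved secure generation.
        key = ManagedKey(f"{purpose}-{secrets.token_hex(4)}", purpose, owner, now,
                         bytearray(secrets.token_bytes(32)))
        self.keys[key.key_id] = key
        self.events.append(f"generated {key.key_id} fp={key.fingerprint()} owner={owner}")
        return key

    def active_key(self, purpose: str) -> ManagedKey | None:
        return next((k for k in self.keys.values()
                     if k.purpose == purpose and k.state is KeyState.ACTIVE), None)

    def use(self, key_id: str, purpose: str, user: str) -> bytes:
        """Release key material only to an authorized, non-owner user for the bound purpose."""
        key = self.keys[key_id]
        if key.state is not KeyState.ACTIVE:
            raise PermissionError(f"{key_id} is {key.state.value}")
        if key.purpose != purpose:
            raise PermissionError(f"{key_id} is bound to '{key.purpose}', not '{purpose}'")
        if user == key.owner:   # separation of duties: manager of a key is not its user
            raise PermissionError(f"key owner {user} may not use {key_id}")
        return bytes(key.material)

    def due_for_rotation(self, now: datetime) -> list[str]:
        limit = timedelta(days=self.rotation_days)
        return [k.key_id for k in self.keys.values()
                if k.state is KeyState.ACTIVE and now - k.created >= limit]

    def rotate(self, key_id: str, now: datetime,
               old_state: KeyState = KeyState.RETIRED) -> ManagedKey:
        old = self.keys[key_id]
        old.state = old_state
        new = self.generate(old.purpose, old.owner, now)
        self.events.append(f"rotated {key_id} -> {new.key_id} ({old_state.value})")
        return new

    def _zeroize(self, key: ManagedKey) -> None:
        for i in range(len(key.material)):   # overwrite in place before discarding
            key.material[i] = 0

    def report_compromise(self, key_id: str, now: datetime, reporter: str) -> ManagedKey:
        """Identify and notify, revoke, replace, then scrub the compromised material."""
        owner = self.keys[key_id].owner
        self.events.append(f"ALERT {key_id} compromise reported by {reporter}; notified {owner}")
        new = self.rotate(key_id, now, KeyState.COMPROMISED)
        self._zeroize(self.keys[key_id])
        return new

    def destroy(self, key_id: str) -> None:
        key = self.keys[key_id]
        self._zeroize(key)
        key.state = KeyState.DESTROYED
        self.events.append(f"destroyed {key_id}")


def run_scenario() -> dict:
    """Walk one key through use, rotation check and compromise; returns outcomes."""
    t0 = datetime(2024, 1, 1)
    inv = KeyInventory(rotation_days=90)
    k1 = inv.generate("backup-encryption", "alice", t0)
    out = {"bob_can_use": len(inv.use(k1.key_id, "backup-encryption", "bob")) == 32}
    for label, purpose, user in [("owner_use", "backup-encryption", "alice"),
                                 ("wrong_purpose", "tls-signing", "bob")]:
        try:
            inv.use(k1.key_id, purpose, user)
            out[label] = "allowed"
        except PermissionError:
            out[label] = "refused"
    out["due_day30"] = inv.due_for_rotation(t0 + timedelta(days=30))
    out["due_day90"] = inv.due_for_rotation(t0 + timedelta(days=90))
    k2 = inv.report_compromise(k1.key_id, t0 + timedelta(days=10), "soc")
    out["old_state"] = k1.state.value
    out["old_zeroized"] = k1.zeroized()
    out["new_active"] = inv.active_key("backup-encryption") is k2
    out["alerts"] = sum(e.startswith("ALERT") for e in inv.events)
    return out
```

The events list is the investigation-and-reporting record: every generation, rotation, compromise notification and destruction is appended with the key identifier and fingerprint, so the trail can be reviewed without ever exposing key material.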
Contractual Requirements
Confidentiality Agreements: All employees, contractors, and third-party service providers must sign confidentiality agreements before accessing any client information.
Service Level Agreements (SLAs): Establish clearly defined SLAs with customers, outlining security measures and responsibilities.
Third-party Audits: Conduct regular third-party security audits to ensure compliance with contractual and regulatory requirements.
Identified Threats and Risks
Risk Assessment: Perform regular risk assessments to identify potential threats to information assets.
Mitigation Strategies: Implement appropriate mitigation strategies to address identified risks, utilizing advanced security technologies and best practices.
Compliance with Laws and Regulations
Monitoring and Updates: Stay informed about changes in applicable laws and regulations, updating this policy as necessary to ensure ongoing compliance.
Employee Training: Conduct regular training sessions to educate employees about legal and regulatory requirements related to information security.
By strictly adhering to this Security Policy, NikaTime aims to provide a secure environment for its customers, ensuring the highest levels of confidentiality, integrity, and availability of their information. This policy is reviewed annually and updated as needed to reflect advancements in technology, emerging threats, and changes in regulatory requirements.