1. Security Policy
Last updated on 05/08/2022
1. Purpose
Protection of Mango 3 proprietary software and other managed systems shall be addressed to ensure the continued availability of data and programs to all authorized parties, and to ensure the integrity and confidentiality of impacted data and configuration controls. Failure to follow the policy requirements may result in disciplinary action, up to and including termination.
2. Scope
This policy sets out Mango 3's requirements for key security aspects of Mango 3 systems. It reasonably adheres to industry standards and best practice and reasonably provides safeguards against accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, covered data.
3. Definitions
- Data Breach: means a Security Incident that directly impacts Personal Data.
- Data Controller: means the person or organization that determines the purpose and means of the Processing of Personal Data.
- Firewall: means a device and/or software that prevents unauthorized and improper transit of access and information from one network to another.
- Incident Management: means the process for detecting, reporting, assessing, responding to, dealing with, and learning from Security Incidents.
- Password: A protected, private character string used to authenticate an identity.
- Personal Data: means any information relating to an identified or identifiable natural person.
- Personnel: means Mango 3 employees (part-time and full-time).
- Security Event: means an identified occurrence of a system, service or network state indicating a possible breach of information security policy, a possible exploitation of a Security Vulnerability or Security Weakness or a previously unknown situation that can be security relevant.
- Security Incident: means a single or series of unwanted or unexpected Security Events that compromise business operations with an impact on Information Security.
- Security Vulnerability: means a weakness of an existing asset or control that can be exploited by one or more threats.
- Security Weakness: means a weakness that results from the lack of an existing, necessary control.
- Restricted Information: Refer to Data Classification Policy
- Confidential Information: Refer to Data Classification Policy
- Username: A unique symbol or character string that is used by a system to identify a specific user.
- Virus: Computer software that replicates itself and often corrupts computer programs and data.
4. Data Encryption
- To provide data confidentiality in the event of accidental or malicious data loss, all Restricted, Confidential or Internal Information & data should be encrypted at rest.
- Encryption of data at rest should use at least AES 256-bit encryption.
- Strong cryptography and security protocols, such as TLS 1.2 or IPSEC, are required to safeguard Restricted, Confidential or Internal Information & data during transmission.
- Key exchange must use RSA or DSA cryptographic algorithms with a minimum key length of 2048 bits and minimum digest length of 256.
- Digital signatures must use RSA or DSS with a minimum key length of 2048 bits and minimum digest length of 256.
- Hashed data must be salted and must use bcrypt with SHA-256 or higher.
- Restricted, Confidential or Internal Information & data may not be stored on equipment not owned or managed by Mango 3.
- Documented policies and processes should be implemented to ensure appropriate key management.
5. Password Policy
Unless otherwise specified within this Security Policy, the following security requirements should be adhered to when creating passwords:
- Minimum of eight (8) characters in length, containing characters from the following four categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Base 10 digits (0 through 9)
  - Non-alphabetic characters (e.g., !, $, #, %)
Password history should be kept for the previous six (6) passwords, and each new password should be unique across that history.
Maximum password age is ninety (90) days. Passwords must not be the same as or include the user id, must not be visible when entered, and must not be easily guessable.
User accounts should be locked after five (5) incorrect attempts.
Lockout duration should be set to a minimum of twenty-four (24) hours or until an administrator resets the user’s ID. If a session has been idle for more than twenty (20) minutes, the user should be required to re-enter the password to re-activate access.
The following should be adhered to when managing user passwords:
- Verify user identity before performing password resets.
- Resetting a password should require re-entering the old password.
- Role based access to all systems should be implemented, including individually assigned username and passwords.
- Usernames and passwords should not be shared, written down or stored in easily accessible areas.
- Assigning multiple usernames to users should be limited. However, when multiple usernames are assigned to Personnel, a different password should be used with each username.
- Group, shared, or generic accounts and passwords should not be used unless approved by Security Management (e.g., service accounts) and should follow associated information security standards.
- Special administrative accounts, such as root, should implement additional controls, such as alerting, to detect and/or prevent unauthorized usage.
- Change any default passwords on systems after installation.
- Render all passwords unreadable during transmission and storage using strong cryptography as defined in Data Encryption policy.
- Passwords should be protected in storage by hashing following data encryption policy.
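As an added example (not part of the original policy), the following Python validator applies the password creation rules above: the minimum length and four character categories, the "must not be the same as or include the user id" rule, and uniqueness against the previous six stored hashes. The policy mandates bcrypt; since that library is outside the standard library, the example substitutes salted PBKDF2-HMAC-SHA256 from hashlib, an assumption also noted in the code.

```python
import hashlib
import os
import secrets
import string

# Policy parameters taken from the Password Policy section.
MIN_LENGTH = 8
HISTORY_DEPTH = 6
# "Non-alphabetic characters (e.g., !, $, #, %)" is read as ASCII punctuation here.
SPECIALS = set(string.punctuation)


def complexity_errors(password, username):
    """Return the creation rules a candidate password violates (empty list = compliant)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.ascii_uppercase for c in password):
        errors.append("no English uppercase character")
    if not any(c in string.ascii_lowercase for c in password):
        errors.append("no English lowercase character")
    if not any(c in string.digits for c in password):
        errors.append("no base-10 digit")
    if not any(c in SPECIALS for c in password):
        errors.append("no non-alphabetic character")
    # "Must not be the same as or include the user id": compared case-insensitively.
    if username and username.lower() in password.lower():
        errors.append("contains the user id")
    return errors


def hash_password(password, salt=None):
    """Salted hash for storage. Assumption: the policy requires bcrypt; PBKDF2-HMAC-SHA256
    from the standard library stands in for it so the example runs offline."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def matches_stored(password, stored):
    """Constant-time comparison of a candidate against one stored (salt, digest) pair."""
    salt, digest = stored
    _, candidate = hash_password(password, salt)
    return secrets.compare_digest(candidate, digest)


def in_history(password, history):
    """True if the candidate equals any of the last HISTORY_DEPTH stored hashes."""
    return any(matches_stored(password, entry) for entry in history[-HISTORY_DEPTH:])


def validate_new_password(password, username, history):
    """All violations for a proposed password, including reuse across the history window."""
    errors = complexity_errors(password, username)
    if in_history(password, history):
        errors.append(f"reuses one of the previous {HISTORY_DEPTH} passwords")
    return errors


def rotate_password(password, username, history):
    """Validate, then record the new hash and trim the history to HISTORY_DEPTH entries."""
    errors = validate_new_password(password, username, history)
    if errors:
        raise ValueError("; ".join(errors))
    history.append(hash_password(password))
    del history[:-HISTORY_DEPTH]
    return history


if __name__ == "__main__":
    print(complexity_errors("Alice2024!", "alice"))   # flags the embedded user id
    print(complexity_errors("Str0ng!Pass", "alice"))  # compliant
```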
6. Backups
Regular backups of data, applications, and the configuration of servers and supporting devices should occur to enable data recovery in the event of a disaster or business continuity event.
There should be a backup system in place for the Mango 3 core database that, in the event of a disaster, can recover data to any point in time within the preceding day, at one-minute granularity.
Backup snapshots should be encrypted following data encryption policy and there should be a minimum of 7 daily backups, 4 weekly backups and 3 monthly backups.
Backups should be stored in a physically and logically secure location.
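One way to turn the retention floors above (a minimum of 7 daily, 4 weekly and 3 monthly backups) into a pruning plan for a snapshot inventory, as an added example rather than Mango 3's own tooling. It assumes snapshots are identified by date, takes the weekly and monthly copies to be the latest snapshot of each ISO week and calendar month, and uses a constructed inventory of daily snapshots.

```python
from datetime import date, timedelta

# Retention floors from the Backups section of the policy.
DAILY_KEEP, WEEKLY_KEEP, MONTHLY_KEEP = 7, 4, 3


def _iso_week(d):
    return (d.isocalendar()[0], d.isocalendar()[1])


def select_retained(snapshot_dates, today):
    """Return the set of snapshot dates to keep under the 7/4/3 scheme.

    Daily slots take the 7 most recent snapshots; weekly slots take the latest
    snapshot of each of the 4 most recent ISO weeks that have one; monthly slots
    take the latest snapshot of each of the 3 most recent calendar months that
    have one. Snapshots dated after `today` are ignored (clock-skew guard)."""
    dates = sorted({d for d in snapshot_dates if d <= today}, reverse=True)
    keep = set(dates[:DAILY_KEEP])
    latest_per_week = {}
    latest_per_month = {}
    for d in dates:  # descending, so the first snapshot seen per bucket is its latest
        latest_per_week.setdefault(_iso_week(d), d)
        latest_per_month.setdefault((d.year, d.month), d)
    keep.update(list(latest_per_week.values())[:WEEKLY_KEEP])
    keep.update(list(latest_per_month.values())[:MONTHLY_KEEP])
    return keep


def prune_plan(snapshot_dates, today):
    """Split the inventory into (kept, deletable), both sorted ascending."""
    keep = select_retained(snapshot_dates, today)
    present = {d for d in snapshot_dates if d <= today}
    return sorted(keep), sorted(present - keep)


def coverage(kept, today):
    """Distinct days (within the last 7), ISO weeks and months the kept set spans,
    so an operator can confirm the floors are still met after pruning."""
    window_start = today - timedelta(days=DAILY_KEEP - 1)
    return {
        "daily": sum(1 for d in kept if window_start <= d <= today),
        "weekly": len({_iso_week(d) for d in kept}),
        "monthly": len({(d.year, d.month) for d in kept}),
    }


if __name__ == "__main__":
    # Constructed inventory: one snapshot per day for the last 100 days.
    today = date(2022, 8, 5)
    inventory = [today - timedelta(days=i) for i in range(100)]
    kept, deletable = prune_plan(inventory, today)
    print(f"keep {len(kept)}, delete {len(deletable)}, coverage={coverage(kept, today)}")
```

Because the daily, weekly and monthly copies overlap (the newest snapshot serves all three roles), the plan keeps fewer than 7 + 4 + 3 snapshots while still satisfying each floor.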
7. Virus and Malware Protection
Up-to-date anti-virus software for detecting, removing and protecting against suspected viruses should be installed on all servers and laptops.
Anti-virus software should be updated regularly for all laptops with the latest anti-virus patches and/or signatures.
All systems should be built from original, clean master copies to ensure that viruses are not propagated.
Personnel should inform the IT Department immediately in the event of a possible virus infection.
Upon notification of a virus infection systems should be isolated from the network, scanned, and cleaned appropriately. Any removable media or other systems to which the virus may have spread should be treated accordingly.
If a system has been identified as potentially infected and removal/quarantine of the virus/malware cannot be definitively proven, the system should be completely wiped and re-imaged.
Users impacted by virus related security incidents should be notified as soon as reasonably possible in alignment with incident response procedures.
Potential virus and malware infections should be immediately reported to Security Management.
8. Incident Management Policy
Management responsibilities and procedures should be established to ensure a quick, effective, and orderly response to Security Incidents.
The objectives for Security Incident management should be agreed upon with management, and it should be ensured that those responsible for Security Incident management understand the organization’s priorities for handling Security Incidents.
Security Events should be reported through appropriate management channels as quickly as possible.
Personnel and contractors using the organization’s information systems and services are required to note and report any observed or suspected Security Weakness in systems or services.
Security Events should be assessed, and it should be decided whether they are to be classified as Security Incidents. Security Incidents should be responded to in accordance with documented procedures.
Knowledge gained from analyzing and resolving Security Incidents should be used to reduce the likelihood or impact of future incidents.
Procedures should be defined and applied for the identification, collection, acquisition, and preservation of information, which can serve as evidence.
Awareness should be provided on topics such as:
- The benefits of a formal, consistent approach to Incident Management (personal and organizational);
- How the program works, expectations;
- How to report Security Incidents, who to contact;
- Constraints imposed by non-disclosure agreements.
Communication channels should be established well in advance of a Security Incident.
In the event of a Security Incident, Data Controllers, government bodies and other necessary parties should be notified in a reasonable timeframe, and in compliance with regulatory and other applicable requirements and guidance.
9. Security Weakness, Events, and Incidents
Identified Security Weaknesses should be immediately reported to Security Management. At no time should an attempt be made to take advantage of an identified Security Weakness.
Security Weaknesses that have been compromised could trigger a Security Event. Security Events shall be analyzed by Security Management to determine whether they are considered Security Incidents, which are required to be addressed in accordance with the documented procedures.
Security awareness training should be conducted at least once per calendar year. Training should cover information security policies, as well as best practices. In addition, the following should occur:
- Security awareness training should be given at the first onboarding session attended by new employees (usually within two weeks of employment)
- Training should be given to key stakeholders (i.e., incident management, security policy and process, assessment response best practice, etc.)
10. Auditing and Assessments
Data center providers should have ISO 27001 or SOC-2 audits performed at least once per calendar year.
Customers can perform reasonable security assessments once per calendar year, following industry best practices.
11. Patch Management
Mango 3-owned and maintained servers, computers, computer systems & computer networks and electronic communications devices must be updated with the latest but stable patches released by the respective vendors.
Those responsible for each system, device and application must monitor relevant sources of information which may alert them to a need to act in relation to new security vulnerabilities. Patches must be obtained from a known, trusted source.
The integrity of patches must be verified through such means as comparisons of cryptographic hashes to ensure the patch obtained is the correct, unaltered patch.
Patches must be tested and assessed before implementation, in a preproduction environment mirroring the production environment, to ensure that there is no negative impact as a result.
A backup of the production systems must be taken before applying any patch.
An audit trail of all changes must be created and documented.
Vulnerabilities are classified by CVSS score and must be remediated within the following timeframes:

| Severity | Description | Remediation timeframe |
| --- | --- | --- |
| Critical (CVSS: 10) | A vulnerability whose exploitation could allow code execution or complete system compromise without user interaction. These scenarios include self-propagating malware or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could include browsing to a web page or opening an email, or no action at all. | 24 hours |
| High (CVSS: 7.0 – 9.9) | A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources. This includes common use scenarios where a system is compromised with warnings or prompts, regardless of their provenance, quality, or usability. Sequences of user actions that do not generate prompts or warnings are also covered. | 7 days |
| Medium (CVSS: 4.0 – 6.9) | Impact of the vulnerability is mitigated to a significant degree by factors such as authentication requirements or applicability only to non-default configurations. The vulnerability is normally difficult to exploit. | 30 days |
| Low (CVSS: < 4.0) | This classification applies to all other issues that have a security impact. These are the types of vulnerabilities that are believed to require unlikely circumstances to be exploited, or where a successful exploit would have minimal consequences. | 90 days, or dismiss as not a risk |
12. Endpoint Security
Users should shut down, log out or lock laptops when leaving for any length of time.
Laptops should be restarted periodically.
Laptops should adhere to virus and malware protection policy.
Define and implement endpoint build standards that include, at a minimum, the following:
- Defined configurations based on industry best practice;
- Authorized software;
- Anti-virus/anti-malware;
- Laptop access to the Internet should be controlled
13. Mobile Computing
Ensure appropriate controls are in place to mitigate risks to protected information from mobile computing and remote working environments.
Data loss prevention processes and tools should be implemented to identify and/or prevent data loss.
Use of personally owned devices should comply with the information security policy if they are used to access Restricted, Confidential or Internal Information & data.
Personally owned devices should never be used to access customer data, unless appropriate controls approved and monitored by Security Management have been implemented.
Personally owned devices of Personnel or authorized parties are not allowed to connect to the corporate or production networks.
14. Network Security
Access to internal and external network services that contain Users’ data should be controlled through:
- Network access control lists (NACLs), or equivalent.
- Firewall policies, or equivalent.
- Security groups, or equivalent.
- IP whitelists, or equivalent
- A multi-tier architecture that prevents direct access to data stores from the internet.
- Usage of role-based access controls (RBAC) should be implemented to ensure appropriate access to networks
- Two-factor authentication for remote access should be implemented as defined in the access control policy.
Firewalls, routers, and access control lists, or equivalent access controls, should be used to regulate network traffic for connections to/from the Internet or other external networks, as follows:
- Configuration standards should be established and implemented.
- Access control policy should limit inbound and outbound traffic to only necessary protocols, ports, and/or destinations.
- Internal IP address ranges should be restricted from passing from the Internet into the DMZ or internal networks.
- All inbound internet traffic should terminate in the DMZ.
- Only properly established connections should be allowed into Mango 3 networks.
- The use of all services, protocols, and ports allowed to access Mango 3 networks should be reviewed on a periodic basis, at a minimum every six (6) months, for appropriate usage and control implementation.
- All rule set modifications should be reviewed and approved by Security Management prior to implementation.
Network equipment should be configured to close inactive sessions.
Remote access servers should be placed in the firewall DMZs.
Network intrusion detection systems (IDS) should be implemented and monitored by Security Management.
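As an added example (not the page's own code), a small linter for a firewall rule set that checks three of the requirements above: inbound Internet traffic must terminate in the DMZ, internal address ranges must not be admitted from the Internet, and allow rules must not open all ports; it also expects an explicit final deny-all so that only explicitly permitted traffic passes. The rule format, zone names and addresses (a DMZ at 10.20.0.0/24, an internal network at 10.10.0.0/16) are assumptions constructed for the example.

```python
import ipaddress

# Network layout assumed for this example (constructed, not Mango 3's addressing).
INTERNET_INGRESS = "internet"                 # zone name for Internet-facing ingress
DMZ = ipaddress.ip_network("10.20.0.0/24")
# Internal (RFC 1918) ranges that must never be accepted as a source from the Internet.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY_NET = "0.0.0.0/0"


def audit_rule(rule):
    """Return policy findings for a single rule (empty list = compliant).

    Assumed rule format: name, ingress ('internet' | 'dmz' | 'internal'),
    src and dst as CIDR strings, ports as a list of ints or 'any', action 'allow' | 'deny'."""
    findings = []
    if rule["action"] != "allow":
        return findings                          # deny rules never widen exposure
    src = ipaddress.ip_network(rule["src"])
    dst = ipaddress.ip_network(rule["dst"])
    if rule["ingress"] == INTERNET_INGRESS:
        # Anti-spoofing: internal address ranges must not pass from the Internet inward.
        if any(src.subnet_of(r) for r in INTERNAL_RANGES):
            findings.append("internal address range admitted from the Internet")
        # All inbound Internet traffic must terminate in the DMZ.
        if not dst.subnet_of(DMZ):
            findings.append("inbound Internet traffic does not terminate in the DMZ")
    if rule["ports"] == "any":
        findings.append("allows all ports; restrict to necessary protocols and ports")
    return findings


def audit_ruleset(rules):
    """Audit each rule plus the rule set as a whole (first-match semantics assumed)."""
    findings = [(r["name"], f) for r in rules for f in audit_rule(r)]
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny" and last["src"] == ANY_NET
            and last["dst"] == ANY_NET and last["ports"] == "any"):
        findings.append(("<ruleset>", "missing explicit final deny-all rule"))
    return findings


# Constructed sample rule set: R1 is compliant, R2-R4 each violate one requirement.
SAMPLE_RULES = [
    {"name": "R1", "ingress": "internet", "src": ANY_NET, "dst": "10.20.0.0/24",
     "ports": [443], "action": "allow"},
    {"name": "R2", "ingress": "internet", "src": ANY_NET, "dst": "10.10.5.0/24",
     "ports": [5432], "action": "allow"},
    {"name": "R3", "ingress": "internet", "src": "192.168.0.0/16", "dst": "10.20.0.0/24",
     "ports": [22], "action": "allow"},
    {"name": "R4", "ingress": "dmz", "src": "10.20.0.0/24", "dst": "10.10.0.0/16",
     "ports": "any", "action": "allow"},
    {"name": "R5", "ingress": "internet", "src": ANY_NET, "dst": ANY_NET,
     "ports": "any", "action": "deny"},
]

if __name__ == "__main__":
    for name, finding in audit_ruleset(SAMPLE_RULES):
        print(f"{name}: {finding}")
```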
Routers, Hubs and Switches
- LAN equipment, hubs, bridges, repeaters, routers and switches should be kept in physically secured facilities.
- Network equipment access should be restricted to appropriate Personnel only. Other staff and contractors requiring access are required to be supervised.
- Network equipment access should occur over encrypted channels as defined in the data encryption policy. Access via unencrypted protocols (http, ftp, tftp) should not occur. Unused channels should be disabled.
- Wireless access points and controllers should not be allowed to connect to the production network.
Unnecessary protocols should be removed from routers and switches.
Secure, encrypted VPN connections to other networks controlled by iCIMS or outside entities, when required, must be approved by Information Security.
Configuration of routers and switches should be documented and align with industry best practice. This should include changing any vendor-supplied defaults (passwords, configurations, etc.) before installing in production.
15. Wireless Network Security
Wireless networks should be encrypted as defined by Mango 3 encryption policy.
Personnel and authorized third parties are not allowed to install unauthorized wireless equipment.
All Wi-Fi bridges, routers and gateways should be physically secured.
SSIDs and default usernames and passwords must be modified prior to implementation in a production environment.
16. Test, Development and Production Environments
Test software upgrades, security patches and system and software configuration changes before deployment, including but not limited to the following:
- Validate proper error handling.
- Validate secure communications.
- Validate proper role-based access control (RBAC).
- Validate performance impact.
Development, test, and production environments must be segregated.
Separation of duties must exist between development, test, and production environments.
Use only scrubbed/anonymized data for testing and/or development.
Remove test data and accounts before production systems become active.
Follow change control procedures for all changes to system components. The procedures should include testing of operational functionality.
17. Development
Manage all code through a Version Control System to allow viewing of change history and content.
Ensure that a Quality Assurance (QA) methodology is followed using a multi-phase quality assurance release cycle that includes security testing.
Deliver security fixes and improvements aligning to a pre-determined schedule based on identified severity levels. Ensure that software is released only via production managed change control processes, with no access or involvement by the development and test teams.
Develop all web applications (internal and external, including web administrative access to application(s)) based on secure coding best practice. Cover, at a minimum, prevention of common OWASP Top 10 coding vulnerabilities in software development processes, including the following:
- Cross-site scripting (XSS).
- Injection flaws, including SQL, LDAP and Xpath.
- Malicious file execution.
- Insecure direct-object references.
- Cross-site request forgery (CSRF).
- Information leakage and improper error handling.
- Broken authentication and session management.
- Insecure communications.
- Failure to restrict URL access.
Awareness training regarding secure coding must be conducted at least once per calendar year. The curriculum must be approved by Security Management.
18. Transfer of Information
To protect the confidentiality of Information in transit:
- Ensure that all data in transit is either encrypted and/or the transmission channel itself is encrypted following data encryption policy.
- Monitor all data exchange channels to detect unauthorized information releases.
19. Messaging Security
All incoming email should be scanned for viruses, phishing attempts, and spam.
Outgoing email should have data loss prevention (DLP) monitoring in place.
20. Removable Media
Use of removable media should be excluded when possible.
All removable media brought in from outside Mango 3 should be scanned for viruses/malware prior to use. Any identified malware/viruses should be removed prior to use.
Restricted Information & data is prohibited on any kind of removable device, unless the device is encrypted following data encryption policy. Notwithstanding the foregoing, if stored or cached information resides on a removable device, Personnel will follow company policies and procedures to mitigate the risk of a Data Breach.
Individuals in sensitive positions, with access to Restricted or Confidential Information & data, should not store such data on removable media, unless required by their role and approved by Security Management.
21. Vendor/Partner Risk Management
Vendor and partner risk management policies and processes should be defined to verify that vendors comply with security policies.
Vendor and partner contracts should include language requiring adherence to security policy requirements or their equivalent.
Critical vendors should be reviewed at least once per calendar year, to ensure continued alignment with security policies.
1. Purpose
Protection of Mango 3 proprietary software and other managed systems shall be addressed to ensure the continued availability of data and programs to all authorized parties, and to ensure the integrity and confidentiality of impacted data and configuration controls.Failure to follow the policy requirement may result in disciplinary action, up to and including termination.
2. Scope
This policy provides some of Mango 3 policies for some key security aspects of Mango 3 systems. This policy reasonably adheres to industry standards and best practice and reasonably provides safeguards against accidental or unlawful destruction, loss, alteration or unauthorized disclosure or access to covered data.
3. Definitions
- Data Breach: means a Security Incident that directly impacts Personal Data.
- Data Controller: means the person or organization that determines the purpose and means of the Processing of Personal Data.
- Firewall: means a device and/or software that prevents unauthorized and improper transit of access and information from one network to another.
- Incident Management: means the process for detecting, reporting, assessing, responding to, dealing with, and learning from Security Incidents.
- Password: A protected, private character string used to authenticate an identity.
- Personal Data: means any information relating to an identified or identifiable natural person
- Personnel: means Mango 3 employees (part-time and full-time)
- Security Event: means an identified occurrence of a system, service or network state indicating a possible breach of information security policy, a possible exploitation of a Security Vulnerability or Security Weakness or a previously unknown situation that can be security relevant.
- Security Incident: means a single or series of unwanted or unexpected Security Events that compromise business operations with an impact on Information Security.
- Security Vulnerability: means a weakness of an existing asset or control that can be exploited by one or more threats.
- Security Weakness: means a weakness that results from the lack of an existing, necessary control.
- Restricted Information: Refer to Data Classification Policy
- Confidential Information: Refer to Data Classification Policy
- Username: A unique symbol or character string that is used by a system to identify a specific user.
- Virus: Computer software that replicates itself and often corrupts computer programs and data.
4. Data Encryption
- To provide data confidentiality in the event of accidental or malicious data loss, all Restricted, Confidential or Internal Information & data should be encrypted at rest.
- Encryption of data at rest should use at least AES 256-bit encryption.
- Strong cryptography and security protocols, such as TLS 1.2 or IPSEC, are required to safeguard Restricted, Confidential or Internal Information & data during transmission.
- Key exchange must use RSA or DSA cryptographic algorithms with a minimum key length of 2048 bits and minimum digest length of 256.
- Digital signatures must use RSA, DSS with a minimum key length of 2048 bits and minimum digest length of 256.Hashed data must be salted and must use bcrypt with SHA-256 or higher.
- Restricted, Confidential or Internal Information & data may not be stored on equipment not owned or managed by Mango - Documented policies and process should be implemented to ensure appropriate key management.
5. Password Policy
Unless otherwise specified within this Security Policy, the following security requirements should be adhered to when creating passwords:
- Minimum of eight (8) characters in length, containing characters from the following four categories:
- English uppercase characters (A through Z)English lowercase characters (a through z)
- Base 10 digits (0 through 9)
- Non-alphabetic characters (e.g., !, $, #, %)
Passwords history should be kept for the previous six (6) passwords and passwords should be unique across the password history.
Maximum password age is ninety (90) days.Must not be the same as or include the user id or be visible when entered.Must not be easily guessable.
User accounts should be locked after five (5) incorrect attempts.
Lockout duration should be set to a minimum of twenty-four (24) hours or until an administrator resets the user’s ID.If a session has been idle for more than twenty (20) minutes, the user should be required to re-enter the password to re-activate access.
The following should be adhered to when managing user passwords:
- Verify user identity before performing password resets.
- Resetting passwords should involve re-entering old password.
- Role based access to all systems should be implemented, including individually assigned username and passwords.
- Usernames and passwords should not be shared, written down or stored in easily accessible areas.
- Assigning multiple user names to users should be limited. However, when multiple usernames are assigned to Personnel, different passwords should be used with each username.
- Group, shared, or generic accounts and passwords should not be used unless approved by Security Management (e.g., service accounts) and should follow associated information security standards.
- Special administrative accounts, such as root, should implement additional controls, such as alerting, to detect and/or prevent unauthorized usage.
- Change any default passwords on systems after installation.
- Render all passwords unreadable during transmission and storage using strong cryptography as defined in Data Encryption policy.
- Passwords should be protected in storage by hashing following data encryption policy.
6. Backups
Regular backups of data, applications, and the configuration of servers and supporting devices should occur to enable data recovery in the event of a disaster or business continuity event.
There should be a backup system in place for Mango 3 core database able to recover data in the event of a disaster to the minute within a day.
Backup snapshots should be encrypted following data encryption policy and there should be a minimum of 7 daily backups, 4 weekly backups and 3 monthly backups.
Backups should be stored in a physically and logically secure location.
7. Virus and Malware Protection
Up to date anti-virus software for the detecting, removing and protecting of suspected viruses should be installed on all servers and laptops.
Anti-virus software should be updated regularly for all laptops with the latest anti-virus patches and/or signatures.
All systems should be built from original, clean master copies to ensure that viruses are not propagated.
Personnel should inform the IT Department immediately in the event of a possible virus infection.
Upon notification of a virus infection systems should be isolated from the network, scanned, and cleaned appropriately. Any removable media or other systems to which the virus may have spread should be treated accordingly.
If a system has been identified as potentially infected and removal/quarantine of the virus/malware cannot be definitively proven, the system should be completely wiped and re-imaged.
Users impacted by virus related security incidents should be notified as soon as reasonably possible in alignment with incident response procedures.
Potential virus and malware infections should be immediately reported to Security Management.
8. Incident Management Policy
Management responsibilities and procedures should be established to ensure a quick, effective, and orderly response to Security Incidents.
The objectives for Security Incident management should be agreed upon with management, and it should be ensured that those responsible for Security Incident management understand the organization’s priorities for handling Security Incidents.
Security Events should be reported through appropriate management channels as quickly as possible
Personnel and contractors using the organization’s information systems and services are required to note and report any observed or suspected Security Weakness in systems or services
Security Events should be assessed and it should be decided if they are to be classified as Security Incidents.Security Incidents should be responded to in accordance with documented procedures.
Knowledge gained from analyzing and resolving Security Incidents should be used to reduce the likelihood or impact of future incidents.
Procedures should be defined and applied for the identification, collection, acquisition, and preservation of information, which can serve as evidence.
Awareness should be provided on topics such as:
- The benefits of a formal, consistent approach to Incident Management (personal and organizational);
- How the program works, expectations;
- How to report Security Incidents, who to contact;
- Constraints imposed by non-disclosure agreements.
- Communication channels should be established well in advance of a Security Incident.
In the event of a Security Incident, Data Controllers, government bodies and other necessary parties should be notified in a reasonable timeframe, and in compliance with regulatory and other applicable requirements and guidance.
9. Security Weakness, Events, and Incidents
Identified Security weaknesses should be immediately reported to the Security Management. At no time should an attempt be made to take advantage of an identified Security weakness.
Security Weaknesses that have been compromised could trigger a Security Event. Security Events shall be analyzed by Security Management to determine whether they are considered Security Incidents, which are required to be addressed in accordance with the documented procedures.
Security awareness training should be conducted at least once per calendar year. Training should cover information security policies, as well as best practices. In addition, the following should occur:
- Security awareness training should be given at the first onboarding session attended by new employees (usually within two weeks of employment)
- Training should be given to key stakeholders (i.e., incident management, security policy and process, assessment response best practice, etc.)
10. Auditing and Assessments
Data center providers should have ISO 27001 or SOC-2 audits performed at least once per calendar year.
Customers can perform reasonable security assessments once per calendar year, following industry best practices.
11. Patch Management
Mango 3-owned and maintained servers, computers, computer systems & computer networks and electronic communications devices must be updated with the latest but stable patches released by the respective vendors.
Those responsible for each system, device and application must monitor relevant sources of information which may alert them to a need to act in relation to new security vulnerabilities.Patches must be obtained from a known, trusted source.
The integrity of patches must be verified through such means as comparisons of cryptographic hashes to ensure the patch obtained is the correct, unaltered patch.
Patches must be tested and assessed before implementation, in a preproduction environment mirroring the production environment, to ensure that there is no negative impact as a result.
A backup of the production systems must be taken before applying any patch.
An audit trail of all changes must be created and documented.
Remediation timeframes by vulnerability severity:
- Critical (CVSS 10), remediate within 24 hours: A vulnerability whose exploitation could allow code execution or complete system compromise without user interaction. These scenarios include self-propagating malware or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could include browsing to a web page, opening an email, or no action at all.
- High (CVSS 7.0 – 9.9), remediate within 7 days: A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources. This includes common use scenarios where a system is compromised with warnings or prompts, regardless of their provenance, quality, or usability. Sequences of user actions that do not generate prompts or warnings are also covered.
- Medium (CVSS 4.0 – 6.9), remediate within 30 days: The impact of the vulnerability is mitigated to a significant degree by factors such as authentication requirements or applicability only to non-default configurations. The vulnerability is normally difficult to exploit.
- Low (CVSS < 4.0), remediate within 90 days or dismiss as not a risk: This classification applies to all other issues that have a security impact. These are the types of vulnerabilities that are believed to require unlikely circumstances to be exploited, or where a successful exploit would have minimal consequences.
12. Endpoint Security
Users should shut down, log out or lock laptops when leaving for any length of time.
Laptops should be restarted periodically.
Laptops should adhere to the virus and malware protection policy.
Define and implement endpoint build standards that include, at a minimum, the following:
- Defined configurations based on industry best practice;
- Authorized software;
- Anti-virus/anti-malware;
- Laptop access to the Internet should be controlled.
13. Mobile Computing
Ensure appropriate controls are in place to mitigate risks to protected information from mobile computing and remote working environments.
Data loss prevention processes and tools should be implemented to identify and/or prevent data loss.
Use of personally owned devices must comply with the information security policy if they are used to access Restricted, Confidential or Internal Information & data.
Personally owned devices should never be used to access customer data, unless appropriate controls approved and monitored by Security Management have been implemented.
Personally owned devices of Personnel or authorized parties are not allowed to connect to the corporate or production networks.
14. Network Security
Access to internal and external network services that contain Users’ data should be controlled through:
- Network access control lists (NACLs), or equivalent.
- Firewall policies, or equivalent.
- Security groups, or equivalent.
- IP whitelists, or equivalent.
- A multi-tier architecture that prevents direct access to data stores from the internet.
- Role-based access controls (RBAC) should be implemented to ensure appropriate access to networks.
- Two-factor authentication for remote access should be implemented as defined in the access control policy.
Firewalls, routers, and access control lists, or equivalent access controls, should be used to regulate network traffic for connections to/from the Internet or other external networks, as follows:
- Configuration standards should be established and implemented.
- Access control policy should limit inbound and outbound traffic to only necessary protocols, ports, and/or destinations.
- Internal IP address ranges should be restricted from passing from the Internet into the DMZ or internal networks.
- All inbound internet traffic should terminate in the DMZ.
- Only properly established connections should be allowed into Mango 3 networks.
- The use of all services, protocols, and ports allowed to access Mango 3 networks should be reviewed on a periodic basis, at a minimum every six (6) months, for appropriate usage and control implementation.
- All rule set modifications should be reviewed and approved by Security Management prior to implementation.
Network equipment should be configured to close inactive sessions.
Remote access servers should be placed in the firewall DMZs.
Network intrusion detection systems (IDS) should be implemented and monitored by Security Management.
Routers, Hubs and Switches
- LAN equipment, hubs, bridges, repeaters, routers and switches should be kept in physically secured facilities.
- Network equipment access should be restricted to appropriate Personnel only. Other staff and contractors requiring access are required to be supervised.
- Network equipment access should occur over encrypted channels as defined in the data encryption policy. Access via unencrypted protocols (http, ftp, tftp) should not occur. Unused channels should be disabled.
- Wireless access points and controllers should not be allowed to connect to the production network.
Unnecessary protocols should be removed from routers and switches.
Secure, encrypted VPN connections to other networks controlled by iCIMS or outside entities, when required, must be approved by Information Security.
Configuration of routers and switches should be documented and align with industry best practice. This should include changing any vendor-supplied defaults (passwords, configurations, etc.) before installing in production.
15. Wireless Network Security
Wireless networks should be encrypted as defined by Mango 3 encryption policy.
Personnel and authorized third parties are not allowed to install unauthorized wireless equipment.
All Wi-Fi bridges, routers and gateways should be physically secured.
SSIDs and default usernames and passwords must be modified prior to implementation in a production environment.
16. Test, Development and Production Environments
Test software upgrades, security patches and system and software configuration changes before deployment, including but not limited to the following:
- Validate proper error handling.
- Validate secure communications.
- Validate proper role-based access control (RBAC).
- Assess performance impact.
Development, test, and production environments must be segregated.
Separation of duties must exist between development, test, and production environments.
Use only scrubbed/anonymized data for testing and/or development.
Remove test data and accounts before production systems become active.
Follow change control procedures for all changes to system components. The procedures should include testing of operational functionality.
17. Development
Manage all code through a Version Control System to allow viewing of change history and content.
Ensure that a Quality Assurance (QA) methodology is followed using a multi-phase quality assurance release cycle that includes security testing.
Deliver security fixes and improvements aligning to a pre-determined schedule based on identified severity levels.
Ensure that software is released only via production managed change control processes, with no access or involvement by the development and test teams.
Develop all web applications (internal and external, including web administrative access to application(s)) based on secure coding best practice. Cover, at a minimum, prevention of common OWASP Top 10 coding vulnerabilities in software development processes, including the following:
- Cross-site scripting (XSS).
- Injection flaws, including SQL, LDAP and Xpath.
- Malicious file execution.
- Insecure direct-object references.
- Cross-site request forgery (CSRF).
- Information leakage and improper error handling.
- Broken authentication and session management.
- Insecure communications.
- Failure to restrict URL access.
Awareness training regarding secure coding must be conducted at least once per calendar year. The curriculum must be approved by Security Management.
18. Transfer of Information
To protect the confidentiality of Information in transit:
- Ensure that all data in transit is encrypted, or that the transmission channel itself is encrypted, following the data encryption policy.
- Monitor all data exchange channels to detect unauthorized information releases.
19. Messaging Security
All incoming email should be scanned for viruses, phishing attempts, and spam.
Outgoing email should have data loss prevention (DLP) monitoring in place.
20. Removable Media
Use of removable media should be avoided when possible.
All removable media brought in from outside Mango 3 should be scanned for viruses/malware prior to use. Any identified malware/viruses should be removed prior to use.
Restricted Information & data is prohibited on any kind of removable device, unless the device is encrypted following data encryption policy. Notwithstanding the foregoing, if stored or cached information resides on a removable device, Personnel will follow company policies and procedures to mitigate the risk of a Data Breach.
Individuals in sensitive positions, with access to Restricted or Confidential Information & data, should not store such data on removable media, unless required by their role and approved by Security Management.
21. Vendor/Partner Risk Management
Vendor and partner risk management policies and processes should be defined to verify that vendors comply with security policies.
Vendor and partner contracts should include language requiring adherence to security policy requirements or their equivalent.
Critical vendors should be reviewed at least once per calendar year, to ensure continued alignment with security policies.
2. Privacy Policy
Last updated on 05/08/2022
Mango 3 is an online solution created by Mango 3 that facilitates connections between coworkers within an organisation (the “Service“).
This Privacy Policy describes how your data is processed, used and shared when you use the Service.
The Service is intended for use by organisations and in accordance with their instructions and is provided to you by your employer or other organisation that has authorised your access to, and use of, the Service (your “Organisation”).
The Service is provided by your Organisation and is governed by this Privacy Policy and the Terms of Service. Your Organisation may provide additional Terms of Service or policies.
Your Organisation is responsible for and administers your Mango 3 account (“Your Account“). Your Organisation is also responsible for the collection and use of any data that you submit or provide through the Service and such use is governed by the terms your Organisation has in place with Mango 3.
In addition to this Privacy Policy, your Organisation may have additional policies or codes of conduct which will apply in relation to your use of the Service.
If you have any questions about your use of the Service, please contact your Organisation.
1. What data is processed?
The following data is processed when you, your colleagues or other users access the Service:
- your contact information, such as full name and email address;
- your work title, department information and other information related to your work or Organisation;
- information that you provide when you or your Organisation contact or engage platform support regarding the Service.
We also automatically collect certain information provided by your browser or operating system through the Service, such as your Internet protocol (IP) address and other browser or device identifiers, browser type, operating system, crash data, Internet service provider, pages that you visit before and after using the Services, the date and time of your visit, information about your activities and actions (such as the links that you click and pages that you view) within the Services and other standard server log information.
2. How is this data used?
Your Organisation will share the information that it collects with Mango 3, as the provider of the platform, in order to allow Mango 3 to provide the Service to you following instructions from your Organisation.
The data is also used to support the Service for your Organisation and other users and in accordance with any other instructions from your Organisation. Examples of such use include:
- enhancing the security and safety of the Service for your Organisation and other users, such as by investigating suspicious activity or violations of applicable terms or policies;
- developing new tools, products or services within the Service for your Organisation;
- identifying and fixing bugs that may be present;
- conducting data and system analytics, including research to improve the Service.
3. Disclosure of data
Data is shared with our partner companies that are essential to provide the Service:
- Google Cloud Platform, which is used to host the data.
Our partners securely store and process your data in the EU (for European customers) and in North America (for American customers).
Our partners are GDPR Compliant.
4. What are your data protection rights?
You are entitled to the following data protection rights:
- The right to be informed – Anyone processing your data must make clear what they are processing, why, and who else the data may be passed to.
- The right to access – You have the right to request copies of the data about you processed for the use and the support of the Service.
- The right to rectification – You have the right to have your data corrected if what is held is incorrect in some way.
- The right to erasure – You have the right to request the erasure of the data processed for the use and the support of the Service, under certain conditions.
- The right to restrict processing – You have the right to request the restriction of the processing of your data for the use and the support of the Service, under certain conditions.
- The right to data portability – You have the right to request copies of the data processed for the use and the support of the Service in a structured, commonly used and machine-readable format.
- The right to object to processing – You have the right to object to the processing of your data, under certain conditions.
- Rights in relation to automated decision making and profiling – You have the right not to be subject to a decision based solely on automated processing. The use of the Service includes automated matching between colleagues based on rules that are defined by your Organisation. This processing is considered to be automated decision making, and the Service asks for your acceptance each time before your data is processed for this automated decision making.
If you make a request, your Organisation has one month to respond to you. Mango 3 will cooperate closely with your Organisation to answer these requests in a timely manner. If you would like to exercise any of these rights, please contact your Organisation, or contact us at privacy@mango3.io.
5. Accessing and modifying your information
You and your Organisation may access, correct or delete information that you have submitted to the Service using the tools within the Service (for example, editing your profile information). If you are not able to do so using the tools provided in the Service, you should contact your Organisation directly to access or modify your information, or send an email to contact@rmango3.io.
6. Account Closure
If you would like to stop using the Service, you should click on the unsubscribe link provided in every email sent by the platform, or you can contact your Organisation. Similarly, if you stop working for or with the Organisation, the Organisation may suspend your Account and/or delete any information associated with your Account.
7. Changes to the Privacy Policy
This Privacy Policy may be updated from time to time. When updated the effective date will be amended and the new Privacy Policy will be posted online.
8. Contact
If you have any questions about this Privacy Policy, please send us an email at privacy@mango3.io or contact your Organisation.
3. Security Incident Management Policy
Last updated on 05/08/2022
1. Purpose
The purpose of the incident management policy is to provide organization-wide guidance to employees on proper response to, and efficient and timely reporting of, computer security related incidents, such as computer viruses, unauthorized user activity, and suspected compromise of data. It also addresses non-IT incidents such as power failure. Further, this policy provides guidance regarding the need for developing and maintaining an incident management process within Mango 3.
2. Scope
This policy applies to all Employees, Contractors, and Third Party Employees who use, process, and manage information from individual systems or servers.
3. Definition & Examples
An incident is an event that violates Mango 3 Security Policy or that threatens the confidentiality, integrity or security of Mango 3’s information systems or their data. Examples of incidents include:
- Data breaches
- Unauthorized use of a system
- Unauthorized use of the system as a gateway to other systems
- Unauthorized use of another user’s account
- Execution of malicious code that destroys data
4. Stages & process
Stage 1: Preparation
1. Develop and review Mango 3’s policies and procedures
2. Train employees on Mango 3’s policies and procedures
Stage 2: Detection & escalation
Detection may be the result of:
- External detection (e.g., by customers)
- Internal detection, using monitoring tools and other detection strategies, or identified by Mango 3’s employees.
In any case, procedures should include emailing support@mango3.io, messaging #general on Slack to notify the security team, and if applicable creating a Jira ticket following the procedure. Behave as if you were reporting a crime and include lots of specific details about what you have discovered.
The Security Team should take ownership as soon as the incident is reported on the company-wide channel.
Customer Success Managers are responsible for keeping involved customers informed, relaying only Security Team approved information.
Stage 3: Containment
1. Identify, isolate and/or mitigate risks associated with the incident
2. Notify affected parties and create a safety plan (if applicable)
3. Decide whether or not to investigate incident
4. Preserve physical and/or digital evidence
Stage 4: Investigation
1. Determine the incident’s priority, scope and root cause
2. Collect physical and/or digital evidence
3. Conduct interviews with complainants and/or persons involved
Stage 5: Remediation
1. Repair affected systems
2. Communicate to and instruct affected parties about next steps
3. Confirm that the threat has been contained
4. File formal reports as per regulatory requirements (notably in the context of GDPR)
5. Create post-incident report
Stage 6: Recovery
1. Analyze the incident for its procedural and policy implications
2. Gather metrics
3. Review and edit established policies and procedures with lessons learned from the incident
5. Testing
This policy is periodically tested. After each test, what needs to be improved, and how the improvements can be implemented, is identified. Testing ensures that key teams are familiar with their assignments. The executive team is in charge of making sure the plan is up to date and regularly tested.