Security Policy

1. Purpose

Information security is the protection of information against accidental or malicious disclosure, modification or destruction. Information is an important, valuable asset which is managed with care.
Access controls are put in place to protect information by controlling who has the rights to use different information resources and by guarding against unauthorised use.
Formal procedures control how access to information is granted and how such access is changed.
This policy also mandates a standard for the creation of strong passwords, their protection and frequency of change.

2. How you can protect yourself

2.1 Choosing Passwords

Passwords are the first line of defence for our ICT systems and together with the user ID help to establish that people are who they claim to be.
A poorly chosen or misused password is a security risk and may impact upon the confidentiality, integrity or availability of our computers and systems.

2.1.1 Weak and strong passwords

A weak password is one which is easily discovered, or detected, by people who are not supposed to know it. Examples of weak passwords include words picked out of a dictionary, names of children and pets, car registration numbers and simple patterns of letters from a computer keyboard.
A strong password is a password that is designed in such a way that it is unlikely to be detected by people who are not supposed to know it, and difficult to work out even with the help of a computer.
Everyone must use strong passwords with a minimum standard of:

• At least seven characters.
• Contain a mix of alpha and numeric, with at least one digit.
• More complex than a single word.

2.2 Protecting Passwords

It is of utmost importance that the password remains protected at all times. The following guidelines should be adhered to at all times:

• Never reveal your passwords to anyone.
• Never use the 'remember password' function.
• Never write your passwords down or store them where they are open to theft.
• Never store your passwords in a computer system without encryption.
• Do not use any part of your username within the password.

2.3 Changing Passwords

All user-level passwords should be changed as often as possible, or whenever a system prompts you to change it. Default passwords should also be changed immediately. If you become aware, or suspect, that your password has become known to someone else, you should change it immediately and report your concern to the Exentriq IT Helpdesk.
Users should not reuse the same password within many password changes.

2.4 User Responsibilities

It is a user's responsibility to prevent their userID and password being used to gain unauthorised access to Exentriq Platform by:

• Following the Password Policy Statements.
• Ensuring that any PC you are using that is left unattended is locked or logged out.
• Leaving nothing on display that may contain access information such as login names and passwords.

3. How we protect you

3.1 User Access Management

Formal user access control procedures are documented, implemented and kept up to date for each application and information system to ensure authorised user access and to prevent unauthorised access. Such access control procedures cover all stages of the lifecycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access.
User access rights are reviewed at regular intervals to ensure that the appropriate rights are still allocated. System administration accounts are provided only to users that are required to perform system administration tasks.
Automation is used at full scale to detect anomalies and enforce compliance.

3.2 System Administration Standards

The password administration process for individual Exentriq systems is well-documented and available to designated individuals.
All Exentriq IT systems are configured to enforce the following:

• Authentication of individual users, not groups of users - i.e. no generic accounts.
• Protection with regards to the retrieval of passwords and security details.
• System access monitoring and logging - at a user level.
• Role management so that functions can be performed without sharing passwords.
• Password admin processes are properly controlled, secure and auditable.

3.3 Supplier's Remote Access to Exentriq Infrastructure

Partners or 3rd party suppliers are not given details of how to access Exentriq Infrastructure without permission from IT Helpdesk. Any changes to supplier’s connections are immediately sent to the IT Helpdesk so that access can be updated or ceased. All permissions and access methods are controlled by IT Helpdesk and a log of activity is maintained.

3.4 Operating System Access Control

Access to operating systems is controlled by a secure process. The access control defined in the User Access Management and the login procedure is also protected by:

• Not displaying any previous login information e.g. username.
• Limiting the number of unsuccessful attempts and locking the account if exceeded.
• The password characters being hidden by symbols.
• Displaying a general warning notice that only authorised users are allowed.

All access to operating systems is via a unique login id that will be audited and can be traced back to each individual user. The login id does not give any indication of the level of access that it provides to the system (e.g. administration rights).
System administrators have individual administrator accounts that will be logged and audited. The administrator account is not used by individuals for normal day to day activities.

3.5 Application and Information Access

Access within Exentriq Infrastructure is restricted using the security features built into the individual product. The IT Helpdesk is responsible for granting access within the Exentriq Infrastructure. The access is:

• compliant with the User Access Management section and the Password section above.
• separated into clearly defined roles.
• give the appropriate level of access required for the role of the user.
• unable to be overridden (with the admin settings removed or hidden from the user).
• free from alteration by rights inherited from the operating system that could allow unauthorised higher levels of access.
• logged and auditable.

3.6 Incident Management

We notify customers of security incidents that impact their data or service and work with the customer in good faith to address any known breach of security obligations. We log all changes in user permissions and revoke access when no longer required.

3.7 CSA STAR Registry

Exentriq is aligned to the security guidelines of the Cloud Security Alliance, more Information about security and privacy related practices can be found in the Cloud Security Alliance registry at the following URL
Exentriq CAIQ CSA STAR Registry:
https://cloudsecurityalliance.org/star/registry/exentriq-ltd/

Exentriq Website, updated 16/09/2020