Operations Security Policy

PURPOSE

To ensure the correct and secure operation of information processing systems and facilities.

SCOPE

All Kredit Financial Inc. information systems that are business critical and/or process, store, or transmit company data. This Policy applies to all employees of Kredit Financial Inc. and other third-party entities with access to Kredit Financial Inc. networks and system resources.

DOCUMENTED OPERATING PROCEDURES

Both technical and administrative operating procedures shall be documented as needed and made available to all users who need them.

CHANGE MANAGEMENT

Changes to the organization, business processes, information processing facilities, production software and infrastructure, and systems that affect information security in the production environment and financial systems shall be tested, reviewed, and approved prior to production deployment. All significant changes to in-scope systems and networks must be documented.

1. CHANGE DOCUMENTATION AND REVIEW

  • All significant changes to systems, networks, and processing facilities must be documented.

  • The documentation must encompass the change's purpose, specification, potential impact considering dependencies, and deployment plan if not already automated.

  • Changes should be tested and reviewed in environments segregated from both production and development (e.g., staging environments).

2. APPROVAL AND AUTHORIZATION

  • Changes with substantial impact on information security and operational functionality must obtain authorization before deployment.

  • Emergency changes may be expedited but must undergo a retrospective review and authorization.

3. CHANGE MANAGEMENT PROCEDURES

  • Planning and Impact Assessment: Evaluate potential impacts of the changes considering system dependencies.

  • Authorization: Secure necessary approvals before initiating changes.

  • Communication: When necessary, inform relevant internal and external stakeholders about the planned changes, schedules, and expected impact in advance.

  • Testing and Quality Control: Ensure changes are tested thoroughly and meet quality standards before deployment.

  • Implementation and Deployment: Execute changes in alignment with the planned deployment schedule.

  • Emergency Management Remediation: If changes fail or present unexpected issues, they shall be reverted.

  • Documentation Maintenance: Ensure that the ticketing systems or the code repository platform keeps record of changes, commits, and deployments.

4. CONTINUITY AND CONSISTENCY

  • Ensure that continuity plans, response, and recovery procedures are updated to remain appropriate and consistent with the changes made.

  • Ensure operating documentation and user procedures are modified and remain suitable.

5. SECURITY AND INTEGRITY

  • Ensure that changes preserve and do not compromise the confidentiality, integrity, and availability of information in processing facilities and systems.

CAPACITY MANAGEMENT

The use of processing resources and system storage shall be monitored and adjusted to ensure that system availability and performance meet Kredit Financial Inc. requirements.

Human resource skills, availability, and capacity shall be reviewed and considered as a component of capacity planning and as part of the annual risk assessment process.

Scaling resources for additional processing or storage capacity, without changes to the system, can be done outside of the standard change management and code deployment process.

DATA LEAKAGE PREVENTION

In adherence to this Data Leakage Prevention Policy, and in order to minimize the risk of leakage of sensitive information, the organization shall:

  • Identify and classify information in accordance with the Data Management Policy.

  • Provide awareness training to users including the appropriate use and handling of sensitive information.

  • Encrypt or hash sensitive information in databases and storage locations.

WEB FILTERING

The organization shall ensure safe, secure, and appropriate internet use by the organization's personnel.

USAGE RULES AND GUIDELINES:

  • Users shall conform to all company rules in accordance with the Code of Conduct and the Acceptable Use Policy found in the Information Security Policy.

SEPARATION OF DEVELOPMENT, STAGING, AND PRODUCTION ENVIRONMENTS

Development and staging environments shall be strictly segregated from production SaaS environments to reduce the risks of unauthorized access or changes to the operational environment. Confidential production customer data must not be used in development or test environments without the express approval of the CTO.

Refer to the Data Management Policy for a description of Confidential data. If production customer data is approved for use in the course of development or testing, it shall be scrubbed of any such sensitive information whenever feasible.

SYSTEMS AND NETWORK CONFIGURATION, HARDENING, AND REVIEW

Systems and networks shall be provisioned and maintained in accordance with the configuration and hardening standards described in Appendix A to this policy.

Firewalls and/or appropriate network access controls and configurations shall be used to control network traffic to and from all environments in accordance with this policy.

Production network access configuration rules shall be reviewed at least annually. Tickets shall be created to obtain approvals for any needed changes.

PROTECTION FROM MALWARE

In order to protect the company's infrastructure against the introduction of malicious software, detection, prevention, and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.

Anti-malware protections shall be utilized on all company-issued endpoints except for those running operating systems not normally prone to malicious software. Additionally, threat detection and response software shall be utilized for company email. The anti-malware protections utilized shall be capable of detecting common forms of malicious threats and performing the appropriate mitigation activity (such as removing, blocking or quarantining).

Kredit Financial Inc. should scan all files upon their introduction to systems, and continually scan files upon access, modification, or download. Anti-malware definition and engine updates should be configured to be downloaded and installed automatically whenever new updates are available. Known or suspected malware incidents must be reported as a security incident.

It is a violation of company policy to disable or alter the configuration of anti-malware protections without authorization.

INFORMATION BACKUP

The need for backups of systems, databases, information and data shall be considered and appropriate backup processes shall be designed, planned and implemented. Backup procedures must include procedures for maintaining and recovering customer data in accordance with documented SLAs. Security measures to protect backups shall be designed and applied in accordance with the confidentiality or sensitivity of the data. Backup copies of information, software and system images shall be taken regularly to protect against loss of data. Backups and restore capabilities shall be periodically tested, not less than annually.

Backups must be stored separately from the production data location with a 12 month retention period.

Kredit Financial Inc. does not regularly back up user devices like laptops. Users are expected to store critical files and information in company-sanctioned file storage repositories.

Backups are configured to run daily on in-scope systems. The backup schedules are maintained within the backup application software.

A backup restore test should be performed at least annually to validate the backup data and backup process.

LOGGING AND MONITORING

Production infrastructure shall be configured to produce detailed logs appropriate to the function served by the system or device. Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and reviewed through manual or automated processes as needed. Appropriate alerts shall be configured for events that represent a significant threat to the confidentiality, availability or integrity of production systems or Confidential data.

Logging should meet the following criteria for production applications and supporting infrastructure:

  • Log user log-in and log-out.

  • Log CRUD (create, read, update, delete) operations on application and system users and objects.

  • Log security settings changes (including disabling or modifying of logging).

  • Log application owner or administrator access to customer data (i.e. Access Transparency).

  • Logs must include user ID, IP address, valid timestamp, type of action performed, and object of this action.

  • Logs must be stored for at least 30 days, and should not contain sensitive data or payloads.

PROTECTION OF LOG INFORMATION

Logging facilities and log information shall be protected against tampering and unauthorized access.

ADMINISTRATOR AND OPERATOR LOGS

System administrator and system operator activities shall be logged and reviewed and/or alerted in accordance with the system classification and criticality.

DATA RESTORE LOGS

Any restore of production data containing PII from backups, whether for the purpose of providing services or for testing purposes, shall be logged or tracked in auditable tickets.

CLOCK SYNCHRONIZATION

The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to network time servers using reputable time sources.

FILE INTEGRITY MONITORING AND INTRUSION DETECTION

Kredit Financial Inc. production systems shall be configured to monitor, log, and self-repair and/or alert on suspicious changes to critical system files where feasible.

Alerts shall be configured for suspicious conditions and engineers shall review logs on a regular basis.

Unauthorized intrusions and access attempts or changes to Kredit Financial Inc. systems shall be investigated and remediated in accordance with the Incident Response Plan.

CONTROL OF OPERATION SOFTWARE

The installation of software on production systems shall follow the change management requirements defined in this policy.

THREAT INTELLIGENCE

Information relating to information security threats should be collected and analyzed to produce threat intelligence.

COLLECTION

Draw from diverse sources, such as blogs, news articles, vendor updates, public databases, and industry communities.

ANALYSIS

Examine the data to derive actionable insights and enable proactive response initiatives.

Report any actionable insights or specific threats to the Security Team.

DISSEMINATION

Ensure effective communication of threat intelligence to pertinent teams for effective action.

The Security Team shall disseminate actionable information via communication channels, such as Slack, email and emergency alerts.

FEEDBACK

Cultivate continuous improvement by leveraging feedback for policy enhancements.

Integrate feedback into policy amendments and conduct regular policy reviews.

TECHNICAL VULNERABILITY MANAGEMENT

Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities shall be evaluated, and appropriate measures taken to address the associated risk. A variety of methods shall be used to obtain information about technical vulnerabilities, including vulnerability scanning, penetration tests, review of external vendor alerts, and the bug bounty program.

Vulnerability scans shall be performed on public-facing systems in the production environment continuously.

Penetration tests of the applications and production network shall be performed at least annually, and additional scanning and testing shall be performed following major changes to production systems and software.

The engineering team shall evaluate the severity of vulnerabilities identified from any source, and if it is determined to be a risk-relevant critical or high-risk vulnerability, a service ticket will be created. The Kredit Financial Inc. assessed severity level may differ from the level automatically generated by scanning software or determined by external researchers based on Kredit Financial Inc.'s internal knowledge and understanding of technical architecture and real-world impact/exploitability. Tickets are assigned to the system, application, or platform owners for further investigation and/or remediation.

Vulnerabilities assessed by Kredit Financial Inc. shall be patched or remediated in the following timeframes:

Service tickets for any vulnerability which cannot be remediated within the standard timeline must show a risk treatment plan and planned remediation timeline.

RESTRICTIONS ON SOFTWARE INSTALLATION

Rules governing the installation of software by users shall be established and implemented in accordance with the Kredit Financial Inc. Information Security Policy.

INFORMATION SYSTEMS AUDIT CONSIDERATIONS

Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes.

SYSTEMS SECURITY ASSESSMENT AND REQUIREMENTS

Risks shall be considered prior to the acquisition of, or significant changes to, systems, technologies, or facilities. Where requirements are formally identified, any relevant security requirements shall be included. The acquisition of new suppliers and services shall be made in accordance with the Third-Party Management Policy.

The company shall perform an annual network security assessment that includes a review of major changes to the environment such as new system components and network topology.

DATA MASKING

Kredit Financial Inc. will implement data masking based on risk or a specific requirement to do so.

TECHNIQUE GUIDANCE

  • Adopt appropriate techniques such as masking, encryption, hashing, or anonymization to protect PII and other sensitive data effectively.

  • Guarantee that anonymization methods effectively break the link between PII and individuals or sensitive data elements.

  • Confirm all elements of the information are considered for adequate data anonymization.

DATA MASKING CONSIDERATIONS

  • Design data queries and masks to disclose only the minimally required data to users, safeguarding privacy and security.

  • Develop mechanisms for data obfuscation, considering specific circumstances under which certain data should be concealed from users.

USING DATA MASKING, PSEUDONYMIZATION, OR ANONYMIZATION

  • Determine the suitable strength level, access controls, user agreements, and usage restrictions for processed data.

  • Prevent the combination of processed data with other information to identify PII principals and ensure traceability of provided and received processed data.

EXCEPTIONS

Requests for an exception to this policy must be submitted to the CTO for approval.

VIOLATIONS AND ENFORCEMENT

Any known violations of this policy should be reported to the CTO. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.

CHANGE SUMMARY

Purpose: Internal Policy

Category: Operations

Policy Name: Operations Security Policy

APPENDIX A - CONFIGURATION AND HARDENING STANDARDS

NETWORK STANDARDS

  • Management of network rules and settings may only be performed by authorized members of the engineering team, and all changes must comply with the Change Management procedures defined in the Operations Security Policy.

  • Supported network controls for production networks are AWS NACLs, GCP firewall rules, and Cilium network policies.

  • In the production environment, defined rules and configurations must be enforced to control traffic from untrusted networks (e.g. publicly available services) to internal production networks.

  • Network control systems must be configured to use default Network Address Translation to prevent the disclosure of internal IP addresses to the Internet.

  • Mobile devices connecting to production networks must meet the requirements of the Mobile Device Policy found in the Information Security Policy.

  • All network control systems must be configured with default anti-spoofing rules to block or deny inbound internal addresses originating from the Internet.

  • External configurations must limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

  • Use of insecure services and protocols without justification and documentation of additional security features implemented to mitigate risk is prohibited.

  • Remote access sessions must be configured to enforce timeout after a specified period of 8 hours.

  • Remote-access technologies for vendors and business partners used to access production systems must be enabled only when needed for business purposes and immediately deactivated after use.

CLOUD HARDENING

  1. Identity and Access Management (IAM)

  • Least Privilege Principle: Ensure each entity (user, service, system) possesses minimal necessary access.

  • Enforce Multi-Factor Authentication (MFA) for production access

  2. Data Storage and Management

  • Data Encryption: Ensure encryption for data at rest and in transit in accordance with the Cryptography Policy.

  • Data Lifecycle Management: Configure backups for customer data repositories.

  • Ensure all AWS S3 buckets are configured according to Security best practices for Amazon S3.

  3. Network Security

  • Isolation: Utilize VPC, subnets, and network policies to isolate environments and segment networks.

  • Firewalls: Implement cloud-native or third-party firewall solutions.

  4. Monitoring and Logging

  • Logging: Configure logging focusing on write-once-read-many storage to prevent tampering.

  • Alerting: Implement cloud-based alerting (Amazon CloudWatch, Azure Alerts) for real-time incident response.

CONTAINER HARDENING

  1. Image Security

  • Create images only from Kredit Financial Inc. authorized base images or repositories.

  • Use minimal base images to reduce attack vectors. Images may not be deployed directly from public repositories.

  • Third party images must be reviewed and pushed to a private repository before deployment.

  2. Runtime Security

  • Runtime Analysis: Implement runtime security tools for live vulnerability and threat detection.

  3. Network Security

  • Policy-Based Controls: Implement network policies using third party or cloud native tools.

  4. Orchestration Security

CI/CD SECURITY

  • As a baseline, all repositories must adhere to the CIS Benchmark for Software Supply Chain Security and are scanned regularly for compliance.

  • Pipelines are defined in code and stored in source control repositories and are subject to the same change control and review process as their associated applications.

  • All changes are built, and all automated tests must pass before merging.

  • Vulnerability scans are performed during the build process. Vulnerabilities must be resolved before merging.

  • Static code analysis, including security analysis, is performed during the build process.

  • Changes are scanned for exposed secrets during the build process. Exposed secrets must be removed and changed before merging.

SERVERS AND VIRTUAL MACHINES

Baseline Configuration

  • Ensure systems are aligned with applicable CIS Benchmarks.

Technical Adherence

  • All default configurations, especially passwords, must be altered prior to network integration.

  • Only necessary services, protocols, daemons, etc., may be enabled, and only as required for the function of the system.

  • All unnecessary functionality (such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers) must be disabled.

  • All security patches identified as <critical, high, or medium> must be applied to systems within SLAs established in this policy.

NETWORK STANDARDS

Network Management and Documentation

  • Change Management: Any alterations to network settings must adhere to the change management processes.

Traffic Management in Production Environments

  • Rule Enforcement: Strictly enforce predefined rules, which should be revisited and validated at least annually.

  • Remote Access Control: Ensure strict control and auditing of remote access, restricting and logging all connections.
