Yazi Information Security Policy
1. Purpose
This Information Security Policy outlines Yazi's commitment to protect the confidentiality, integrity, and availability of data collected through our market research platform, especially survey data containing personally identifiable information (PII). It aims to establish a framework for securing survey data against unauthorised access or breaches, and for ensuring compliance with data protection laws such as GDPR and other relevant local data protection laws.
2. Scope
The policy applies to all employees, contractors, and third-party partners who interact with Yazi's data and systems. This includes the management of survey data from the point of collection to its processing and storage within our AWS-managed system infrastructure.
3. Data Classification and Handling
Survey Data (Confidential): Survey responses containing PII are treated as confidential information. Access is restricted to authorised personnel and specific roles that require data interaction for analysis and reporting purposes.
Database Encryption: All survey data is encrypted in transit and at rest within our AWS RDS databases using AES-256 encryption standards. We employ AWS Key Management Service (KMS) to manage and rotate encryption keys.
PII Handling: When handling PII, employees are required to follow strict operational procedures including secure data entry, anonymisation techniques, and adherence to data minimisation principles.
Additional Data Types: Any additional data types handled by Yazi (e.g., metadata, operational data) are classified and managed according to their sensitivity and the potential impact of their exposure.
4. Access Control
User Access: Access to the survey platform and databases is controlled via AWS Identity and Access Management (IAM), ensuring that employees have access only to the resources necessary for their job function.
Principle of Least Privilege: We operate on the principle of least privilege, granting permissions to the minimum level of access required to perform job tasks.
Authentication: Multi-factor authentication (MFA) is enforced for all access to cloud services where survey data is stored or processed.
Review of Access Rights: Access rights are reviewed regularly (quarterly) to ensure they remain appropriate. Exceptions are documented and managed on a case-by-case basis.
5. Risk Management
Risk Assessments: Regular risk assessments are conducted to identify potential risks associated with survey data collection and processing. These assessments help inform our security posture and refine our data protection strategies.
Risk Assessment Methodology: Our risk assessments follow a structured methodology, identifying risks, evaluating their potential impact, and prioritising mitigation measures based on severity.
Incident Response: When a potential security incident is detected, our incident response procedure is activated to handle the situation swiftly and effectively, minimising any potential harm.
Identification: Any unusual activity must be reported immediately to our Security Officer. We utilise AWS CloudWatch and AWS GuardDuty to monitor and alert on suspicious activities indicative of a security incident.
Containment: The first step is to contain the incident to prevent further data compromise. This may involve isolating affected systems or temporarily suspending certain services.
Eradication: Once contained, we investigate to identify the root cause. Necessary measures are then taken to remove the cause of the breach, which may involve system patches, resetting passwords, or other remediation actions.
Recovery: After eradicating the threat, we restore services and data from backups if necessary. This stage includes rigorous testing to ensure that systems are clean before being reintroduced to the network.
Communication: We communicate with all relevant stakeholders, including customers, employees, and regulatory bodies, about the nature of the incident, as dictated by the severity and potential data exposure.
Documentation: Every step of the process is documented for future reference, including the nature of the incident, how it was discovered, the response actions taken, and the lessons learned.
Review: Post-incident, we review the effectiveness of the response and update our policies and procedures to mitigate the risk of future incidents.
6. Data Retention
Survey data is retained only as long as necessary for the purpose it was collected or as required by law. Following this period, data is securely deleted in accordance with our data retention guidelines.
7. Security Training and Awareness
Training Sessions: Regular, mandatory training sessions are held, which every Yazi employee must attend. These cover secure handling of survey data, with a focus on identifying and avoiding phishing attacks, correct data disposal methods, and secure use of cloud services.
AWS Partner Training: Our AWS Partner, Silicon Overdrive, also provides annual training and keeps Yazi up to date on the latest security trends and best practices.
Training Metrics: Training effectiveness is measured using assessments and feedback, with results used to improve future training sessions.
8. Vendor and Third-Party Security
Due Diligence: Yazi conducts due diligence to ensure third-party service providers comply with our security expectations, focusing on their data handling and storage practices, especially when survey data is involved.
Access Management: We use AWS's IAM (Identity and Access Management) to ensure that vendor access is limited to what is strictly necessary for their service provision.
Ongoing Monitoring: Vendor compliance is monitored regularly, with annual reviews to ensure continued adherence to our security standards.
9. Physical Security
Device Encryption: Although Yazi operates primarily online, any physical devices used are encrypted and stored securely when not in use. Given the small team size, device management is straightforward and closely monitored.
AWS Security: AWS's physical security mechanisms protect our virtual infrastructure, and Yazi leverages these through compliance with AWS best practices.
10. Compliance and Legal Obligations
GDPR and Local Laws: We ensure GDPR compliance through data minimisation, gaining explicit consent for data collection, and facilitating user rights such as data access and erasure.
Audits: Annual audits are performed, combining AWS security features with our internal checks to guarantee compliance with data protection laws.
Certifications: We aim to achieve and maintain relevant security certifications (e.g., ISO 27001) to demonstrate our commitment to data protection.
11. Policy Maintenance and Review
Bi-Annual Review: Our Information Security Policy is a living document, revisited bi-annually or following any significant operational change. Given the agile nature of Yazi, policies are adapted to the evolving tech landscape, with revisions approved by our CEO.
Employee Briefing: Employees are briefed on any updates to ensure everyone is aligned with the current policy standards, crucial for maintaining a secure and aware working environment.
Version Control: A version control section is included to document changes and updates to the policy.
12. Data Encryption and Handling
Encryption in Transit: All survey data collected via our platform is encrypted both in transit and at rest. For in-transit data, we use TLS encryption to secure the data as it moves from the respondents to our servers. AWS provides this encryption automatically for data moving between AWS services.
Encryption at Rest: The AWS RDS service that hosts our databases uses encryption to safeguard stored data. The encryption keys are managed through AWS Key Management Service (KMS), ensuring they are rotated regularly and never exposed.
Handling of PII: Handling of Personally Identifiable Information (PII) is done with utmost care. Access to PII is strictly controlled and logged, and staff are trained in the secure handling of such sensitive data, ensuring they understand the importance of confidentiality and the potential consequences of a data breach.
13. Account Management
Principle of Least Privilege: The principle of least privilege is rigorously applied at Yazi. Access to systems and data is provided based on role-specific requirements, ensuring that staff have only the access they need to perform their job functions.
AWS IAM: AWS IAM is used to manage user access, creating individual accounts for each staff member with permissions tailored to their responsibilities. Multi-factor authentication (MFA) is enforced on all accounts with access to sensitive data or systems.
Regular Audits: Regular audits are performed to review access rights. These audits are facilitated by AWS's CloudTrail and Config services, which track and record user activities and changes to the environment.
14. Security Incident Management and Reporting
Incident Management Protocol: Yazi has an incident management protocol to address any security events promptly. This protocol includes immediate isolation of affected systems, investigation to determine the cause and scope, and steps to prevent a recurrence.
Stakeholder Communication: In the event of a security incident, stakeholders, including clients and regulatory bodies, are informed as required by law and contractual obligations. We use a standardised incident response template to ensure that all communications are clear, factual, and timely.
Incident Logging: We keep a detailed incident log within AWS CloudWatch Logs. This log records all security events, the responses taken, and their outcomes. It is reviewed regularly to identify trends and areas for security enhancement.
Incident Response Drills: Periodic incident response drills are conducted to ensure readiness and effectiveness of our incident management protocol.
15. Change Management
Change Control Policy: All changes related to production and support processes, as well as information processing facilities, follow a formal Change Control Policy. This policy includes detailed procedures for requesting, evaluating, and implementing changes.
Emergency Changes: Emergency changes follow the same procedures as regular changes, with additional expedited approvals. Documentation is mandatory for all emergency changes.
Communication and Logging: Significant changes are communicated to all relevant parties prior to implementation. Change logs are maintained to ensure transparency and traceability.
Separation of Duties: Duties are separated among personnel who authorise changes and those who implement them, ensuring proper oversight and reducing the risk of errors.
16. Backup and Recovery
Backup Procedures: Yazi implements comprehensive backup procedures to ensure data integrity and availability. Backups are encrypted and stored off-site to protect against data loss.
Backup Frequency and Retention: Differential, incremental, and full backups are conducted regularly. Backup success rates are monitored, and data retention policies ensure that backups are stored for the necessary duration.
Testing and Verification: Regular tests are conducted to verify the integrity and recoverability of backups. Any issues identified are addressed promptly to ensure data can be restored when needed.
17. Vendor Management
Approved Supplier List: Yazi maintains an approved supplier list, ensuring that all third-party service providers meet our security and compliance standards.
Contractual Obligations: Contracts with suppliers, freelancers, and third-party service providers include relevant information security, data protection, and confidentiality requirements.
Risk Management: Risks related to external parties are identified and addressed through due diligence, review meetings, and regular audits to ensure compliance with Yazi's security policies.
18. User Management
User Registration and De-registration: Formal procedures are in place for granting and revoking access to information systems. User privileges are restricted and controlled based on role requirements.
Password Policy: Password policies enforce complexity, length, and expiry periods. High-privilege accounts are subject to stricter policies, and inactive sessions are automatically logged out.
Access Reviews: Regular reviews of access rights ensure that permissions remain appropriate. Any changes are documented and approved through formal procedures.
19. Data Protection and Privacy
Personal Data in Transit: Procedures are in place to protect personal data in transit, including encryption for email, media, and paper-based data transfers.
Clear Desk and Clear Screen Policy: Policies ensure that sensitive information is not left unattended. Employees are required to clear their desks and screens when not in use.
Incident Reporting: Any security incidents or data breaches must be reported within 24 hours. Incident management procedures ensure timely and effective responses.
20. Business Continuity and Disaster Recovery
Business Impact Analysis (BIA): Documented BIAs include Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for critical functions and assets.
Business Continuity Plans: Up-to-date business continuity plans are reviewed regularly. These plans include detailed procedures for maintaining operations during disruptions.
Testing and Review: Business continuity plans are tested periodically, with results documented and used to improve future preparedness.
21. Physical Security
Office Security: Physical security measures, such as access controls, barriers, and surveillance, protect Yazi's office premises. Security staff monitor the premises 24/7.
Equipment Protection: Policies ensure that equipment is protected from loss, damage, theft, or compromise. Secure disposal procedures prevent unauthorised access to retired equipment.
Remote and Mobile Security: Procedures ensure the security of remote and mobile users. Access is controlled and monitored, with measures in place to address any security issues.