Purpose, Scope and Organization
This policy defines behavioural, process, technical and governance controls pertaining to privacy and security at Sherpa that all personnel are required to implement in order to ensure the confidentiality, integrity, and availability of the Sherpa services and data (the “Policy”). All personnel must review and be familiar with the rules and actions set forth below.
This policy defines security requirements for:
- All Sherpa employees, contractors, consultants and other third parties providing services to Sherpa (the “Personnel”);
- Management of systems, both hardware and software and regardless of location, used to create, maintain, store, access, process or transmit information on behalf of Sherpa, including all systems owned by Sherpa, connected to any network controlled by Sherpa, or used in the service of Sherpa’s business, including systems owned by third party service providers; and
- Circumstances in which Sherpa has legal, contractual, or fiduciary duty to protect data or resources in its custody.
In the event of a conflict, the more restrictive measures apply.
1.1 Governance and Evolution
This Policy was derived from the effective policies of other businesses with similar operational circumstances, and from established templates, in close collaboration with and approved by Sherpa executives. It is reviewed at least annually, and modified as needed, to ensure clarity, sufficiency of scope, concern for customer and personnel interests, and general responsiveness to the evolving security landscape and industry best practices. This policy is stored in G Suite and updated as a living document, where anyone has the ability to suggest and be notified of changes.
Max Tremaine, CEO: firstname.lastname@example.org
Data Protection Officer:
Ivan Sharko, Chief Product Officer: email@example.com
1.2 Capacity Planning
Providing an infrastructure that is high performing, scalable, and can stay online through network outages and disasters is a critical element of the success of Sherpa’s services. The Sherpa Development Team leverages auto-scaling application services which provide high availability “out of the box”, so the pool of application instances is managed and scaled automatically as demand changes. The same services are scaled down again when demand falls, ensuring that resources are not spent unduly.
In the future, Sherpa plans to leverage more regions, and multiple zones within a region, where zones are separate data centres located within the same region. Spanning multiple regions brings Sherpa’s services closer to a global audience. Spanning multiple zones within a region increases resilience to outages: if an issue occurs in one data centre, Sherpa’s traffic can be automatically re-routed to the remaining zones to maintain high service uptime.
1.3 Compliance and Third Parties
As an Ontario, Canada corporation that collects personal information in the regular course of its business, Sherpa is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), oversight of which rests with the Office of the Privacy Commissioner of Canada.
Sherpa vets third parties’ information security policies and keeps the number of third parties with access to Sherpa’s data to a minimum. The following third parties have access to Sherpa’s data in the regular course of business:
- As a Google Cloud Platform and G Suite customer, Sherpa’s back-end and productivity data are hosted by Google, whose infrastructure supports GDPR compliance, and Sherpa maintains minimal physical storage of its own;
- As a Stripe customer, Sherpa delegates card handling to Stripe rather than processing card data itself, which keeps Sherpa’s PCI DSS scope to a minimum; and
- As a Freshworks customer, Sherpa’s customer support data and communications are handled within Freshworks’ platform.
Email for formal notices regarding compliance: firstname.lastname@example.org
1.4 Information Security Team
The Sherpa Information Security Team oversees the implementation of this Policy, including:
- Procurement, provisioning, maintenance, retirement, and reclamation of corporate computing resources;
- All aspects of service development and operation related to security, privacy, access, reliability, and survivability;
- Ongoing risk assessment, vulnerability management, incident response; and
- Security-related human resources controls and personnel training.
Information Security Team email: email@example.com
The Sherpa Information Security Team maintains safeguards in line with PIPEDA Schedule 1 (Section 5) Principle 7 - “Safeguards”. As the Policy changes, regular checks are made to ensure that alignment is maintained.
Our Safeguards include the following:
- Personal information is protected against loss, theft, unauthorized access, disclosure, copying, use or modification regardless of format;
- The relative sensitivity of information is taken into account when designing systems and classifying data;
- Protection methods take into account physical measures, technological measures, and systems design;
- The whole Sherpa team is made aware of the Policy on an ongoing basis; and
- Information that is no longer useful should be destroyed in a careful manner.
Personnel and Office Environment
2.1 Work Behaviours
The first line of defence in data security is the informed behaviour of personnel, who play a significant role in ensuring the security of all data, regardless of format.
Senior leaders and executives within Sherpa must set a prime example. In any business practice, honesty and integrity must be top priority.
Executives must have an open door policy and welcome suggestions and concerns from employees. This will allow employees to feel comfortable discussing any issues and will alert executives to concerns within the workforce.
The following questions will be used when any behaviour is questionable:
- Is the behaviour legal?
- Does the behaviour comply with Sherpa’s policies?
- Does the behaviour reflect Sherpa’s values and culture?
- Could the behaviour adversely affect Sherpa’s stakeholders?
- Would you feel personally concerned if the behaviour appeared in a news headline?
- Could the behaviour adversely affect Sherpa if all employees did it?
All employees and contractors must undergo the Sherpa Information Security Policy Training program, offered at least twice annually, to inform all personnel of the requirements of this Policy.
Date of Training: November 12, 2019
Number of Attendees: 10
Number of Employees and Contractors: 13
Unrecognized Persons and Visitors
It is the responsibility of all personnel to take positive action to maintain physical security. If personnel notice an unrecognized person in an office area where outside parties should not be, they should challenge that person (the “Challenged Person”). Any Challenged Person who does not respond appropriately must be reported immediately to the Information Security Team. All visitors to Sherpa’s offices must be registered as such or accompanied by Sherpa Personnel.
Personnel should maintain workspaces clear of sensitive or confidential material and take care to clear workspaces of such material at the end of each workday.
Unattended devices must be locked. All devices will have an automatic screen lock function set to automatically activate upon no more than fifteen minutes of inactivity.
Use of Work Devices
Systems used in the regular course of business (“Work Devices”) are to be used for business purposes in serving the interests of the company, and for our clients and partners in the course of normal business operations. Personnel are responsible for exercising good judgement regarding the reasonableness of personal use of systems. Only Work Devices with Sherpa-managed software are permitted to be connected to or installed on corporate equipment or networks and used to access information pertinent to the regular course of business at Sherpa, or any sensitive Sherpa-related data (“Sherpa Data”). Sherpa-managed hardware and software includes those either owned by Sherpa or owned by Sherpa personnel but used during the regular course of business at Sherpa. All personnel must read and understand the list of prohibited activities outlined in this Policy. Modifications or configuration changes are not permitted without explicit written consent by the Sherpa Information Security Team.
Backups and Use of Cloud Storage
Personnel may not configure Work Devices to make local backups of Sherpa Data. Instead, personnel are expected to operate primarily “in the cloud” and treat local storage on computing devices as ephemeral. Making a practice of keeping important work artifacts replicated into company-approved secure cloud storage (e.g. Google Docs) ensures that even if a Work Device is lost, stolen, or damaged, such work artifacts are immediately recoverable on a replacement device.
The following activities are prohibited. Under certain conditions, and with the explicit written consent of the Information Security Team, personnel may be exempted from some of these restrictions in the course of their legitimate job responsibilities (e.g. planned penetration testing, or systems administration staff disabling the network access of a host that is disrupting production services).
The list below is not exhaustive, but attempts to provide a framework for activities which fall into the category of unacceptable use.
- Under no circumstances are personnel of Sherpa authorized to engage in any activity that is illegal under local, provincial, federal, or international law while using Sherpa-owned resources.
- Violations of the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations including but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by Sherpa.
- Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books, or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Sherpa or the end user does not have an active license.
- Exporting software, technical information, encryption software, or any other technology may result in the violation of international or regional export control laws. The appropriate management should be consulted prior to export of any material that is in question.
- Revealing an account password for a personal account to another person or allowing use of an account by other people. This includes colleagues, as well as family and other household members when work is being done at home.
- Making fraudulent offers of products, items, or services originating from any Sherpa account.
- Making statements about warranty, expressly or implied, unless it is a part of normal job duties and then only to the extent the warranties are consistent with Sherpa’s authorized warranties.
- Introduction of malicious programs into the network, development environment, or product environment (eg. viruses, worms, Trojan horses, email bombs, etc.)
- Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a network or account that the employee is not expressly authorized to access. For purposes of this section, “disruption” includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious or unlawful purposes.
- Using port scanning or security scanning software, or other such software designed to exploit or find computer, software, or network vulnerabilities on Sherpa products or networks, except by or under the direct supervision of the Information Security Team.
- Executing any form of network monitoring which will intercept data not intended for the employee’s host, unless this activity is a part of the employee’s normal duties.
- Circumventing user authentication or security of any host, network, or account, or attempting to break into any information resource or to bypass a security feature. This includes running password-cracking programs or sniffer programs, and attempting to circumvent file or other resource permissions.
- Attempting to interfere with or deny service to any user.
- Providing information about, or lists of, Sherpa personnel to parties outside Sherpa.
- Installing software which includes any form of malware, spyware, or adware as determined by the Information Security Team.
- Crashing an information system. Deliberately crashing an information system is strictly prohibited. Users may not realize that they caused a system crash, but if it is shown that the crash occurred as a result of user action, a repetition of that action by that user may be viewed as a deliberate act.
- Attempting to subvert the technologies used to enforce system configuration on Sherpa-managed devices or on personal devices voluntarily used for company purposes (e.g. by creating separate user profiles to evade management).
- Social media posts and blogging by personnel must not include Sherpa Data or other proprietary information, and should reflect a high ethical standard whenever personnel present themselves as representatives of, or affiliated with, Sherpa.
2.2 Personnel Systems Configuration, Ownership, and Privacy
Centralized System Configuration
Personnel devices and their software configuration may be managed remotely by members of the Information Security Team via configuration-enforcement technology. Such technology may be used for purposes including auditing/installing/removing software applications or system services, managing network configuration, enforcing password policy, encrypting disks, copying data files to/from employee devices, and any other allowed interaction to ensure that employee devices comply with this policy.
Retention of Ownership
All software programs, data, and documentation generated or provided by personnel while providing services to Sherpa or for the benefit of Sherpa are the property of Sherpa unless otherwise covered by a contractual agreement.
Privacy of Personnel
While Sherpa’s network administration desires to provide a reasonable level of privacy, users should be aware that the data they create on the corporate systems remains the property of Sherpa. Due to the need to protect Sherpa’s network, management does not intend to guarantee the privacy of personnel’s personal information stored on any network device belonging to Sherpa. Personnel are responsible for exercising good judgement regarding the reasonableness of personal use such as general web browsing or personal email. If there is any uncertainty, personnel should consult the Information Security Team.
Personnel should structure all electronic communication with recognition of the fact that the content could be monitored and that any electronic communication could be forwarded, intercepted, printed, or stored by others.
Sherpa reserves the right, at its discretion, to review personnel’s files or electronic communications to the extent necessary to ensure all electronic media and services are used in compliance with all applicable laws and regulations as well as Sherpa’s policies.
Sherpa reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. For security and network maintenance purposes, authorized individuals within Sherpa may monitor equipment, systems, and network traffic at any time.
2.3 Human Resources Practices
Background checks are conducted on all employees prior to their start date. The consequences of problematic background check results may range from a limitation of security privileges, to revocation of an employment offer, to termination.
The Sherpa Information Security Policy training covers security awareness, policies, processes, and training to ensure that personnel are sufficiently informed to meet their obligations. Those most responsible for maintaining security at Sherpa, including the Information Security Team itself as well as key engineering/operations staff, should undergo more technical training.
In the case of personnel termination or resignation, the Information Security Team will coordinate with human resources to implement a standardized separation process to ensure that all accounts, credentials, and access of outgoing employees are reliably disabled.
2.4 Physical Office Environment
Access to Sherpa offices is mediated by an electronic control system that provides for identity-aware entrance, programmable control over access time of day, and audits of use. All doors shall remain locked at all times under normal business conditions. The Information Security Team may provide approval to unlock doors for short periods of time in order to accommodate extenuating physical access needs.
Network-connected security cameras are positioned to record time-stamped video of ingress and egress, which is stored off-site.
2.5 Office Network
Internet access shall be provided to devices via wired Ethernet and WPA2 Wi-Fi. Networking switches and routers shall be placed in a locked networking closet to which only the Information Security Team and site providers have access. Site providers, Sherpa executives and the Information Security Team may grant access to the networking closet to individuals on a case-by-case and as-needed basis. A network firewall that blocks all unsolicited inbound (WAN-sourced) connections shall be put in place. WAN-accessible network services shall not be hosted within the office environment.
Personnel Identity and Office Management
3.1 User Accounts and Authentication
Each individual having access to any Sherpa-controlled system does so via a G Suite user account denoting their system identity. Such user accounts are required to have a unique username, a strong password, and two-factor authentication (“2FA”).
Logging Into Sherpa Systems
Logins by personnel may originate only from Sherpa-managed devices. Authentication is performed by Google’s account management system, details of which can be found at https://gsuite.google.com/security. Sherpa leverages G Suite’s facilities of detecting malicious authentication attempts. Repeated failed attempts to authenticate may result in the offending user account being locked or revoked.
Logging Into Third Party Systems
Whenever available, third-party systems must be configured to delegate authentication to Sherpa’s G Suite account authentication system (described above), thereby consolidating authentication controls into a single user account system (“Single Sign-On” or “SSO”) that is centrally managed by the Information Security Team. When Single Sign-On is not available a password manager should be used, and in cases where a password manager is not used the following policies apply:
- Passwords must never be written down or stored in a way that makes them easily accessible, including while they are being created;
- Users must not use the same password for Sherpa accounts as for non-Sherpa accounts; and
- Users must not reuse the same password across multiple third-party services.
Revocation and Auditing of User Accounts
User accounts are revoked (that is, disabled but not deleted) immediately upon personnel separation. As a further precaution, all user accounts are audited at least quarterly, and any inactive user accounts are revoked.
3.2 Access Management
Sherpa adheres to the principle of “least privilege,” where personnel only have access to systems and information relevant to their job and no more, and every action attempted by a user account is subject to access control checks.
Role-Based Access Control
Sherpa employs a role-based access control (RBAC) model utilizing Google-supplied facilities such as organizational units, user accounts, user groups, and sharing controls.
Web Browsers and Extensions
Sherpa may require use of specified web browsers for normal business use and for access to corporate data such as email. For certain specified roles such as software development and web design, job activities beyond those mentioned above necessitate the use of a variety of browsers, and these roles may do so as needed for those activities.
Any browser that is allowed to access corporate data such as email is subject to a whitelist maintained by the Information Security Team that restricts which browser extensions can be installed.
Access to administrative operations is strictly limited to Information Security Team members and further restricted as a function of tenure and the principles of least privilege.
Access control policies are reviewed regularly with the goal of reducing or refining access whenever possible. Changes in job function by personnel trigger an access review.
Upon termination of personnel, whether voluntary or involuntary, the Information Security Team will follow Sherpa’s personnel exit procedure, which includes revocation of the associated user account and reclamation of company-owned devices, office keys or access cards, and all other corporate equipment and property prior to the final day of employment.
Provenance of Technology
4.1 Software Development
Sherpa stores source code and configuration files in private GitHub repositories. The security and development teams conduct code reviews and execute static code analysis tools on every code commit. Reviewers shall check for compliance with Sherpa’s conventions and style, potential bugs, potential performance issues, and that the commit is bounded only to its intended purpose.
Security reviews shall be conducted on every code commit to security-sensitive modules. Such modules include those that pertain directly to authentication, authorization, access control, auditing, and encryption.
All major pieces of incorporated open source software libraries and tools shall be reviewed for robustness, stability, performance, security, and maintainability.
The Information Security and Development Teams shall establish and adhere to a formal software release process.
4.2 Configuration and Change Management
The Sherpa Information Security and Product Development teams shall document the configuration of all systems and services under development, whether hosted by Sherpa or by a third party. Industry best practices and vendor-specific guidance shall be identified and incorporated into system configurations. All configurations shall be reviewed on at least an annual basis. Any changes to configurations must be approved by appointed individuals and documented in a timely fashion.
System configurations must address the following controls in a risk-prioritized fashion in accordance with the rest of this policy:
- Encryption-at-Rest for stored data;
- Encryption-in-Transit protection of confidentiality, authenticity, and integrity for incoming and outgoing data;
- Minimization of data in transit;
- Data and file integrity;
- Malware detection and resolution;
- Capturing redacted event logs;
- Authentication of administrative users;
- Access control enforcement;
- Removal or disabling of unnecessary software; and
- Allocation of sufficient infrastructure and resources to support loads that are expected at least twelve months into the future.
4.3 Patch Management
All of Sherpa’s services deployed on Google Cloud Platform go through vulnerability scans during deployment, using Google’s Cloud Security Scanner for App Engine, which checks deployed applications for common web vulnerabilities and outdated library versions. As the scope of Sherpa’s product development grows this practice should be reviewed to ensure that it is sufficient.
4.4 Third Party Services
For every third-party service that Sherpa adopts, the Information Security Team will review the service and/or vendor, on an annual basis, to gain assurance that their security posture is consistent with Sherpa’s for the type and sensitivity of data that the service will store.
When users interact with Sherpa’s tools (for example our white-label products, websites, apps, or subscribe to marketing/reporting emails) Sherpa and third parties may collect information by using “cookies” and other technologies such as pixel tags (for simplicity this policy will refer to all such technologies as “cookies”). By continuing to use Sherpa’s tools, users agree to Sherpa and third parties using cookies in line with the cookie settings in their browser.
Cookies are small pieces of text that are transferred to a user’s computer or other device when they visit a website. The user’s browser sends these cookies back to the company whose website is being visited on every subsequent visit, so the company can recognize the user and tailor what they see based on their past behaviour (i.e. remembering that a person identified themselves as a Canadian citizen, so they don’t need to enter that information again).
- “Experience Cookies” - Enable information to be carried from one part of a service to another. Without cookies the site may forget a person’s basic information, like the passports they hold or the details of their trip, requiring a user to provide that information more than once, especially if there is a significant time delay between entering different information.
- “Analytics Cookies” - Enable analysis of Sherpa’s products, showing us things like which pages and links are most popular, including information from our emails, and which ones don’t get used as often to help us make sure that our websites and emails are relevant and effective. We also use these cookies to customize a user’s visits to the site, and measure the effectiveness of different designs.
Data Classification and Processing
5.1 Data Classification
Sherpa maintains the following classes and processing rules for Sherpa Data. For each data class, the Sherpa Information Security and Product Development teams must provision and dedicate specific information systems in Google Cloud Platform to store and process data of that class, and only data of that class, unless otherwise explicitly stated throughout Section 5. For all classes of user data, the corresponding systems may store and process data items needed to keep each customer’s data properly segmented.
Data is prioritized by risk into the following four categories:
- “Restricted” (Highest) - Data whose unauthorized access or loss could seriously or adversely affect Sherpa, a partner, or the public. This includes Passport Details, Personal Identification Numbers, Authentication Credentials, Service Account Information, Government Visa Verdict Communications, and other such data.
- “Protected” - Data with a less high level of importance, but that should be protected from general access. This includes General Government Communications, User Travel Information, Sherpa’s Service Communications, Visa Application Systems Information, and other such data.
- “Confidential” - All other non-public data not included in the Restricted or Protected classes. This includes User Event Metadata, General Partner Information, and other such data.
- “Public” (Lowest) - All public data. This includes Marketing Information, Published Information, and other such data.
Data is categorized in the following groups:
“Partner Account Data” - This is data pertaining to the accounts of Sherpa’s partners. This data will be encrypted-at-rest so as to protect the data in the event of unauthorized access attempts. Partner credentials shall be hashed in such a manner that plaintext keys cannot be recovered from the stored values.
“User Identification Data” - This is data pertaining to the documentation of users. This is the most highly protected class of data, where all useful safeguards are used to protect against leak or breach.
“User Personal Data” - This is data pertaining to the physical characteristics and preferences of users.
“User Travel Data” - This is data pertaining to the travel behaviour of users.
“User Contact Data” - This is contact data about Sherpa users.
“User Event Metadata” - This is metadata about behaviour conducted on all classes of user data. This includes standard syslog data pertaining to users, and events involving instances of User Identification Data, User Travel Data, and User Contact Data.
“User Transaction Metadata” - This is metadata about purchases of services. This data does not include Credit Card Data.
“Credit Card Data” - This includes credit card numbers, expiry dates, and other unique identifiers. Sherpa should avoid collecting this information, delegating card handling to third parties (such as Stripe) that comply with PCI DSS and other similar standards.
User Identification Data, User Personal Data, User Travel Data, and User Contact Data may be stored and processed in systems hosted in environments other than Google Cloud Platform, including relevant government websites for eVisa and eTA applications, as approved by the Information Security Team.
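The Partner Account Data rule above requires that partner credentials be hashed so that plaintext keys cannot be recovered. The following is an added example, not Sherpa’s own code, of what that looks like in practice: each partner secret is stored only as a salted PBKDF2-HMAC-SHA256 record, and verification recomputes the digest and compares it in constant time. The record format, iteration count, and the `PartnerCredentialStore` class are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# Added example: salted, iterated hashing of partner credentials so a leaked
# database yields no reusable plaintext keys. Parameters are assumptions.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16
DIGEST_BYTES = 32


def issue_partner_key() -> str:
    """Generate a fresh high-entropy partner key; it is shown to the partner once and never stored."""
    return secrets.token_urlsafe(32)


def hash_credential(secret: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # unique per credential, so equal secrets hash differently
    digest = hashlib.pbkdf2_hmac(
        "sha256", secret.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_BYTES
    )
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_credential(secret: str, record: str) -> bool:
    """Recompute the digest with the parameters stored in the record and compare in constant time."""
    try:
        algorithm, iterations_text, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    candidate = hashlib.pbkdf2_hmac(
        "sha256", secret.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


# A record computed once for unknown partners so that a lookup miss costs the
# same as a real verification (reduces partner-id enumeration via timing).
_DUMMY_RECORD = hash_credential(secrets.token_urlsafe(32))


class PartnerCredentialStore:
    """Maps partner ids to hashed credential records; plaintext keys are never retained."""

    def __init__(self) -> None:
        self._records: Dict[str, str] = {}

    def enroll(self, partner_id: str) -> str:
        """Issue a key for the partner, store only its hash, and return the plaintext once."""
        key = issue_partner_key()
        self._records[partner_id] = hash_credential(key)
        return key

    def stored_record(self, partner_id: str) -> Optional[str]:
        """What an attacker with database access would see for this partner."""
        return self._records.get(partner_id)

    def authenticate(self, partner_id: str, presented_key: str) -> bool:
        """True only if the presented key matches the stored hash for that partner."""
        record = self._records.get(partner_id)
        if record is None:
            verify_credential(presented_key, _DUMMY_RECORD)  # equalise timing, then reject
            return False
        return verify_credential(presented_key, record)


if __name__ == "__main__":
    store = PartnerCredentialStore()
    key = store.enroll("partner-demo")
    print("stored:", store.stored_record("partner-demo"))
    print("correct key accepted:", store.authenticate("partner-demo", key))
    print("wrong key rejected:", not store.authenticate("partner-demo", key + "x"))
```

Because partner keys are issued by Sherpa with high entropy, a single salted SHA-256 would already resist brute force; the iterated KDF is kept so the same store can also hold lower-entropy, partner-chosen passwords without weakening the scheme.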
5.2 Employee Access to User Data
Sherpa employees may access User Data only under the following Conditions:
- From managed devices;
- For the purpose of incident response, customer support, or feature testing;
- For no longer than is needed to fulfill the purpose of access; and
- In an auditable manner.
5.3 Partner Access
Sherpa may provide web user interfaces (UIs), application programming interfaces (APIs), reports, and specialized data export facilities to provide partners and users with access to their data.
5.4 Exceptional Cases
The Information Security Team in conjunction with the Executive Team may approve emergency exceptions to any of the above rules, in response to security incidents, service outages, or significant changes to the Sherpa operating environment, when it is deemed that such exceptions will benefit and protect the security and mission of Sherpa, Sherpa’s users, and visitors of Sherpa partners’ apps and websites.
Data Retention and Deletion
6.1 Data Retention
In situations where data may be necessary to carry out Services, however defined in the relevant end user terms and conditions or partnership agreement, data should be retained in accordance with Sherpa’s data protection standards therein.
6.2 Data Deletion
In situations where data ceases to be useful for any foreseeable purpose it should be deleted.
Vulnerability and Incident Management
7.1 Vulnerability Detection and Response
The Sherpa Information Security and Product Development teams shall use all the following methods to detect vulnerabilities that may arise from Sherpa’s information systems:
- Cross-checking vulnerabilities databases with all systems and software packages that support critical Sherpa services;
- Automated source code scanners;
- Code reviews on every security-sensitive code commit;
- Vulnerability scanning on Sherpa services;
- Maintaining a bug bounty program; and
- Annual penetration testing with an independent provider.
7.2 Incident Detection and Response
The Information Security Team will use all the following measures to detect security incidents:
- Monitor logs to detect potentially malicious or unauthorized activity;
- Conduct reviews on the causes of any service outages; and
- Respond to notices of potential incidents from employees, contractors, or external parties.
The Information Security Team will make a determination of whether every indicator is representative of an actual security incident. The severity, scope, and root cause of every incident shall be evaluated, and every incident shall be resolved in a manner and timeframe commensurate with the severity and scope. In the event that a data breach affecting a partner has been detected, Sherpa will initiate and maintain communication with the partner about the severity, scope, root cause, and resolution of the breach without undue delay.
Business Continuity and Disaster Recovery
Sherpa services hosted in Google Cloud Platform (GCP) will be configured in such a manner as to withstand long-term outages of a GCP zone. Controls such as automated replication or automated data recovery processes may be used to achieve this desired level of availability.