Information Security Policy

The CTO has the overall responsibility for information security, including information security regarding personnel and IT security. The CTO is the owner of the security policy (this document).

The CTO is responsible for purchasing requirements, development and maintenance of information and related information systems. The CTO must define which users or user groups are allowed access to the information and what authorised use of this information consists of.

Employees, contractors and consultants are responsible for getting acquainted with and complying with Cognise’s information security policy. Questions regarding the administration of various types of information should be posed to the CTO.

Employees, contractors and consultants are allowed to use mobile devices to perform their work. The company can set specific rules regarding the use of mobile devices.

Remote working is allowed in agreement with management. Cognise does not operate internal IT systems hosted in a private office network; therefore working remotely is effectively equivalent to working from the Cognise offices.

A confidentiality agreement should be signed by employees, contractors or others who may gain access to sensitive and/or internal information. For employees this is included in their employment agreement.

This information security policy should be provided and accepted as part of all employment contracts, and to contractors, consultants and other third parties if they need system access.

All users must comply with the information security requirements described in this document.

The information security policy and relevant supporting documentation should be reviewed annually by all employees.

All employees and third-party users should receive adequate training regarding the information security policy and procedures at least annually, and when major changes are made to the policies and procedures.

Breaches of the information security policies and procedures by employees can lead to HR sanctions.

Cognise's information, information systems and other assets must only be used for their intended business purposes. Necessary private use of personal computing devices issued by the company is permitted, except for commercial use outside of the scope of the company.

Cognise will change or terminate access rights accordingly at termination or change of employment.

Management maintains an inventory of information and IT assets operated by the company.

Company assets (e.g. laptop, mobile phone, etc) should be returned to the company at the conclusion of the need for the use of these assets.

All employees must agree to the Code of Conduct for Security and Privacy, which lays out the acceptable use of IT assets.

Written guidelines for access control and passwords based on business and security requirements should be in place. Guidelines should be re-evaluated on a regular basis.

Users accessing systems must be authenticated according to guidelines.

The principle of least privilege is applied for access to Cognise’s information. New employees, or employees changing roles will be assessed for the access they need in order to perform their job.

Access to information systems should be authorised and/or implemented by the Operations team, on a "need to know" basis, regulated by the user’s role in the company.

Periodic review should be performed for high-risk accounts to detect and prevent that unauthorised employees still have access.

Users are assigned a unique username when starting to work for Cognise and an initial password.

Users are responsible for any usage of their company accounts and passwords.

Users should keep their passwords confidential and not disclose them.

Employees must change their password to one of their own choice immediately.

Employees should use a company-approved password manager with automatically generated, unique passwords for all work-related accounts that are not the Computer Password or the Password Manager credentials.

User-chosen passwords must comply with the following complexity requirements:
- 8 characters minimum

- At least one capital letter

- At least one special character (e.g. !@#$%^&*(){}[] )

- No dictionary words
​

All employees must use 2-Step Verification using Google Authenticator or Microsoft Authenticator to access Google G Suite (e.g. Cognise Email). This must be enforced on the company level.

For any other service the company uses that offers two factor authentication, it is required to enable it (e.g. Bitbucket, JIRA, AWS).

Applications and systems should automatically enforce access controls based on the user’s privilege level.

Access to privileged accounts and sensitive areas should be restricted.

Only authorised employees can have access to Cognise’s source code repositories.

Source code must not be publicly shared unless authorised by management, or when the source code has been released under Cognise’s open-source program.

Only authorised employees are allowed access to staging and production systems.

Cognise does not have systems with (customer) data at office locations. All infrastructure is outsourced to Amazon Web Services (AWS), a professional organisation with multiple security certifications and third-party reports such as ISO 27001, ISO 27017, ISO 27018, SOC1, SOC2, SOC3, PCI-DSS, etc. More info about AWS compliance is available at
http:// aws.amazon.com/compliance/

Offices are located in shared office space or, operated by a commercial landlord. The shared office space provider is responsible for enforcing access controls (based on instructions by Cognise). Cognise does not operate internal IT systems hosted in any private office network in its offices.

Information classified as "sensitive" (e.g. customer data) should not be stored on portable data carriers (e.g. cell phones, memory sticks, USB hard drives etc.). If it is necessary to store this information on portable equipment, the information must be password protected and encrypted.

During travel, portable computer equipment should be treated as carry-on luggage.

Password protected screen savers should be enabled and should protect the computer within 10 minutes of user inactivity. Computers should not be unattended with the user logged on and no password protected screen saver active. Users should not leave their computers unlocked.

Employees must report all lost or stolen devices to management immediately.

All important actions in the production systems must be logged centrally, and the logs protected from deletion and modification.

Relevant logs should be review regularly to ensure proper working of the systems.

Computer clocks on all production systems should be synchronised.

All systems that are typically susceptible to malware should have adequate malware protection installed.

All servers should be kept up-to-date with the latest security updates within two weeks of patches being released, except for emergency patches, which should be deployed within 48 hours.

Employees should install security updates on their company laptop as soon as they become available.

Backups should be taken according to a predefined schedule in accordance with the company’s recovery point objective and recovery time objective.

Audits should be appropriately planned to minimise disruption to the production systems.

For all systems in the AWS environment, appropriate firewall rules (security groups) need to be configured.

Electronic messaging is outsourced to Google G Suite, or Intercom, which provides adequate safeguards for the security of emails.

When building new systems or making changes to existing systems, security requirements and considerations must be an integral part of the process.

All software developed by Cognise must comply with the Privacy by Design and Privacy by Default philosophies.

All application code must be stored in source control (Git).

All software changes must go through the regular change process: via development, then staging, then to production.

Code reviews should be performed to keep the source code quality high and minimise the risk of security issues.

Developers should be trained on the principles of secure coding and apply those principles to the Cognise software.

In case of emergency changes, some steps of the change process can be bypassed temporarily. Testing procedure and formal acceptance should then be performed retrospectively.

Applications and infrastructure configurations must be appropriately hardened according to industry best practices.

Without approval from the CTO, it is not permitted for Cognise staff to use privacy sensitive customer data in a development or staging environment.

Before engaging a new service provider that will process information for which high or medium security requirements are necessary, due diligence should be performed in order to assess whether the service provider is able to adequately protect the data. Due diligence can be performed by researching public information, verifying security certifications or codes of conduct, performing an audit, or by engaging in a conversation with the service provider.

For service providers that process information for which high security requirements are necessary, their security certifications should be reviewed annually.

All breaches of security, including the use of information systems contrary to operating procedure, should be treated as incidents.

All employees are responsible for reporting (possible) breaches of security. Incidents should be directly reported to management.

A procedure should be available detailing how to handle breaches of personal data, including the legal and contractual notification requirements.

A disaster recovery plan must be developed and documented which contains a process enabling Cognise to restore any loss of data in the event of a system failure.

In the situation of a disaster, Cognise’s CTO will be in charge of the recovery operation.

The disaster and recovery plan should be evaluated and tested annually.

Applications servers should not contain any user data. User data should always be stored within the storage system.

Every day a backup should be made of the customer data. The backups should (also) be stored in a different AWS Region than the original data.

All legal and contractual requirements should be identified and complied with.