Security and Breach Protocols

Data Management

  • All data collected for Evaluation, Program Setup, Communication, and Online Community is processed using a MySQL database. Data and services are hosted on Amazon Web Services.

  • Data in transit is encrypted via SSL/TLS and data at rest is encrypted at AWS.

  • Management access and data transfers are done via SSH and SFTP.

  • Backups of data are taken on a daily or monthly basis depending on the AWS instances.

  • The development environment is separated from production: access to the development environment does not grant access to the production environment or user data.

Risk Assessments

Soliya’s security team performs quarterly risk assessments including security auditing, penetration testing, vulnerability assessment, and account auditing. Based on the assessment, security recommendations are made to the relevant organizational departments, and security patches and software upgrades are performed. If vulnerabilities are discovered, security updates and/or software updates are performed immediately rather than waiting for the scheduled security assessment period. An investigation into any resulting breaches is immediately performed as per the Breach Policy below.

Restricted Access Control

  • Remote access to Linux servers is done through SSH (protocol version 2) using SSH keys; public keys are provided to team members and contractors on a need-to-know basis and with written approval.

  • Remote access to Windows machines is done through Remote Desktop Protocol.

  • Access to Soliya’s AWS account and services is provided to team members and contractors through IAM policies. The master account access is restricted to Soliya’s IT Director only.

  • Soliya staff have manager access rights to the LMS, but the master account is restricted to the IT Director only. Permissions for access requested by staff or contractors require written approval. 

Firewalls and Security Software

  • Security groups and secure management ports are enabled on all of our instances.

  • All staff and contractor devices have up-to-date anti-virus and anti-malware software.

Accounts

Soliya conducts a quarterly review of all the privileged accounts in the technology stack. In coordination with the HR and Operations Departments, terminated users and/or staff accounts are disabled and privileges are revoked immediately upon departure or end of contract.

Login Security

All account changes are monitored and logged, and alerts are sent to notify users in case of changes in their account access credentials.  Soliya encourages all staff to change all their login credentials bi-annually.

Third Party Access

All contractors who require access to the technology stack must sign Soliya’s Non-Disclosure Agreement. Only contractors directly working on program implementation and support can request such access. No third party access to Soliya’s technology stack or data is otherwise granted, including for commercial purposes.

Security Awareness

  • Soliya provides in-house training to all staff about data security and protection, and all privacy policies and procedures are presented to incoming Soliya staff and contractors.

  • All staff and contractors who have access to user data must sign a Non-Disclosure Agreement.

  • IT staff are additionally trained on complying with the organization’s security standards and making users aware of policies and procedures regarding appropriate use of networks, systems, and applications.

Soliya Data Breach Policy

Risk Assessment and Incident Prevention

Preventing incidents is less costly than reacting to them after they occur. Thus, as part of the organization’s incident prevention policy and in addition to automated detection capabilities, the security team will conduct quarterly risk assessments under the direction of the IT Director and in conjunction with Soliya’s Data Protection Officer.

The assessment will include a review of baseline activity logs and the security of all data repositories, ports, anti-virus products, application activity, usage data, email security, and intrusion detection.

Based on the outcome of the risk assessment, the organization will determine the presence of incident precursors and the need for security enhancements or for reverting affected systems to a clean OS image.

If indicators of a breach are discovered, the risk assessment and the supporting documentation shall be fact specific and address:

  • The accuracy of the indicators discovered and whether a breach has occurred;

  • Who impermissibly used the information, or to whom the information was impermissibly disclosed;

  • The type and amount of data involved;

  • The cause of the breach, and the entity responsible for the breach, whether User, Soliya, or Partner.

Discovery of Breach

A breach shall be treated as “discovered” as of the first day on which such a breach is known to Soliya or, by exercising reasonable diligence, would have been known to the organization (including breaches by the organization’s users, partners, or subcontractors). Soliya shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or partner of the organization.

For an acquisition, access, use or disclosure of data to constitute a breach, it must constitute a violation of the data privacy policy. A use or disclosure of data that is incidental to an otherwise permissible use or disclosure, and that occurs despite reasonable safeguards and proper procedures, would not be a violation of the Privacy Policy and would not qualify as a potential breach. The organization has the burden of proof for demonstrating either that all required notifications were made to the appropriate users or that the use or disclosure did not constitute a breach.

Breach Investigation and Containment

Following the discovery of a potential breach, including unauthorized access to user data or unauthorized access to the technology stack, the organization shall:

  • Apply containment measures immediately;

  • In conjunction, launch an investigation and risk assessment;

  • Begin the process to notify each user affected by the breach;

  • Determine what external notifications are required or should be made.

The Incident Response Team, composed of the IT Director and the Data Protection Officer, shall be responsible for the management of the breach investigation, completion of a risk assessment, and coordinating with others within or outside the organization as appropriate to contain, eradicate, and recover from the breach. They will identify other staff and departments within the organization who may need to participate in the investigation or its resulting response, including relationship managers and communication managers. They will also assess whether outside consultation with specialized expertise is required to complete the investigation, assess the breach, or provide the necessary security measures.

Incident prioritization is done by the IT Director and the Data Protection Officer.  Prioritization is done on the basis of safety and security of users, confidentiality and integrity of user data, and impact on organizational function.

Timeliness of Notification

Upon discovery of a breach, notice shall be made to the affected Soliya users no later than 72 hours after the discovery of the breach.  Incidents will also be reported to relevant stakeholders, including donors and board members, and to the relevant authorities.

Content of the Notice

The notice shall be written in plain language and must contain the following information:

  • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;

  • A description of the types of protected information that were involved in the breach, if known;

  • Any steps the user should take to protect user data from potential harm resulting from the breach;

  • A brief description of what Soliya is doing to investigate the breach, to mitigate harm to individuals and users, and to protect against further breaches;

  • Contact procedures for individuals to ask questions or learn additional information, which may include a toll-free telephone number, an e-mail address, a web site, or a postal address.

Methods of Notification

Soliya users will be notified via email within the timeframe for reporting breaches as outlined above.

Maintenance of Breach Information Log

If any organizational or user data is compromised, the following information will be collected and logged for each breach:

  • The current status of the incident

  • A summary of the incident

  • Indicators related to the incident

  • Other incidents related to this incident

  • Actions taken by all incident handlers on this incident

  • Impact assessments related to the incident

  • Contact information for other involved parties (e.g., system owners, system administrators)

  • A list of evidence gathered during the incident investigation

  • Comments from incident handlers

  • Next steps to be taken

Recovery

The security team will determine the best course of action for recovery. This includes restoring systems to normal operation, confirming that the systems are functioning normally, and remediating vulnerabilities to prevent similar incidents. Recovery may involve restoring systems from clean OS backups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing passwords, or tightening network perimeter security.

Post-Incident Activity

A thorough analysis of each breach incident and handling process will be conducted by the security team in conjunction with Soliya’s leadership. Lessons learned will be shared with relevant staff and organizational departments, and used to build more robust security systems.  

Complaints

Individuals who wish to make complaints concerning the organization’s user privacy policies and procedures or its compliance with such policies and procedures can contact dataprotection@soliya.net.

Retaliation

Soliya may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any privacy right.