KX Security Policy
Version Number: 1.1
Date Last Revised: 17 May 2023
1.0 Scope
All KX Systems Inc (“KX”) personnel must comply in all respects with the DevSecOps Standards set forth in this document. This Standard applies to KX personnel, contractors, and third parties engaged to provide services for KX pursuant to relevant services agreements, the data processing related provisions thereof (including any schedules relating to data processing), all processing of, and any Security incidents (defined in Section 4) involving, KX, client and third-party information. This Security Standard does not limit other obligations of personnel under laws that apply to members of KX staff, its contractors, and third parties engaged to provide services.
2.0 General Information Security requirements
2.1 Standards and frameworks
Personnel must adhere to the physical, administrative, and technical security controls implemented to protect and ensure the confidentiality, integrity, and availability (“CIA”) of KX Information as KX progresses to align with industry-recognised best-practice Information Security standards such as ISO 27001, ISO 27002 and the NIST Cyber Security Framework (CSF). KX Information is defined herein as all digital or physical data created, stored, or processed by Group personnel or systems, or on behalf of its clients, within boundaries controlled and managed by KX.
2.2 Specific DevSecOps control requirements
The KX DevSecOps program includes, at a minimum, the following security controls:
2.2.1 Written DevSecOps program
KX has implemented a written DevSecOps framework which includes appropriate policies, procedures, and a defined risk management framework which are reviewed on an annual basis (at minimum). The DevSecOps framework applies to personnel, agents, subcontractors, and suppliers. KX maintains a defined process for monitoring, enforcing, and recording compliance to the framework, and logging any program exceptions or policy violations.
2.2.2 Security awareness & training
KX provides Information Security training to its personnel on a periodic basis covering known security threats such as social-engineering, phishing, and business policies and requirements for handling sensitive data, identifying and reporting Security incidents.
2.2.3 Systems inventory
KX documents and maintains an updated inventory of all systems.
2.2.4 Secure configurations
KX systems and technologies are configured and managed securely and aligned with its internal security policies and procedures to protect KX Information from vulnerabilities and unauthorised access. All systems must be configured consistently and hardened in accordance with good practices.
2.2.5 Management of administrative privileges
KX accounts with administrative privileges (on systems, networks, applications, or devices) are appropriately controlled, limited to only personnel who require it, consistent with its Information Security policies and these permissions are reviewed regularly.
2.2.6 Vulnerability management
KX leverages commercial Static Application Security Testing (SAST), Software Composition Analysis (SCA), IaC scanning, and Container Vulnerability Analysis (CVA) tooling as part of a comprehensive, documented Secure Software Development Life Cycle (SSDLC) policy to identify potential vulnerabilities in KX products. Any potential vulnerabilities identified during the development process will be triaged and remediated by scrum teams as part of their standard sprint planning process.
KX also ensures Threat & Vulnerability Management (TVM), Cloud Security Posture Management (CSPM), and Cloud Workload Protection Platform (CWPP) tools are deployed to identify and remediate vulnerabilities on KX systems and infrastructure on a scheduled basis.
Any vulnerabilities discovered by KX in released Long Term Support (LTS) products will be triaged and prioritised for remediation based on their potential impact. KX will use all commercially reasonable efforts to notify customers then remediate critical & high vulnerabilities within 30 days, and medium vulnerabilities within 90 days.
2.2.7 Logging, monitoring, and review of audit logs
KX system and application logs are collected, stored, and regularly reviewed to investigate suspicious and / or malicious activity relating to KX Information. Logs are stored securely to assist with security investigations. KX logs are either retained for a period of time in accordance with applicable legislation or regulations, or for a minimum period of 24 months.
2.2.8 Malicious code defences
KX systems (servers, workstations, etc.) have appropriate anti-malware software applications installed to detect and prevent the introduction and execution of malicious code in line with good industry practice and updated to the latest versions. Software shall be configured to run scans of systems on a periodic basis.
2.2.9 Network security – Firewalls
KX configure and manage networks securely and utilise network security devices (such as firewalls, Intrusion Detection and Prevention [IDS / IPS] systems) to protect systems and KX Information from unauthorised access. KX review the configuration of network security defences (including firewall rulesets) on a periodic basis.
2.2.10 Network security – insecure services
KX ensures any insecure or unnecessary services, protocols, and ports within its control and under its management are disabled and are not accessible.
2.2.11 Environment management
KX ensures that different technical environments are set up for both testing and development and production as appropriate. KX ensures that production data is not used within test environments, and test data is not used in production environments.
2.2.12 Change management
Changes to production systems and / or environments are risk assessed, tracked, recorded, and reviewed; approval for changes is provided where required.
2.2.13 Encryption
KX ensures that KX Information is encrypted in transit and at rest when being transmitted across open networks (such as the internet) and when being stored on systems. Encryption mechanisms must be in accordance with industry recognised best-practices. Systems used by personnel to access KX Information have full disk encryption.
2.2.14 Access management
KX take all reasonable steps in line with industry recognised best practices to prevent unauthorised physical or electronic access to, or loss of KX Information and the services, systems, devices, or media containing this information. KX implement and maintain the following access control mechanisms to secure KX Information:
(a) Individual access
KX ensures that accounts are unique and assigned to individual users, including those with administrative access. Accounts with direct access to KX Information must not be shared under any circumstances.
(b) Restricted access
Access to KX Information is restricted to individuals who require it for legitimate purposes to perform their duties on a ‘need to know’ basis.
(c) Access reviews
KX conduct user access reviews on a periodic basis (at minimum every 90 days) in line with DevSecOps policies.
(d) Bulk access
KX implement appropriate physical, administrative, and technical controls to detect ‘in bulk’ access. This limits access to specific personnel on a ‘need to know’ basis. ‘in bulk’ access means accessing data by means of database query, report generation, or any other mass transfer of KX managed or client data.
2.2.15 Logins and passwords
KX implement and maintain account management and password policies to protect KX Information, including the following:
(a) Default passwords
KX change any default passwords and / or login credentials on systems (hardware or software) prior to deployment or before use.
(b) Strong passwords
KX ensures strong passwords are used consistently across systems and infrastructure, meeting the following requirements: passwords must be a minimum of 12 characters in length and include at least 3 of the following: uppercase letter, lowercase letter, number, special character. Passwords must not match commonly used passwords or phrases, and must be checked against ‘known bad’ or compromised password lists. Passwords must be changed if there is evidence that a password may have been compromised.
(c) Administrative accounts
KX document and maintain a list of accounts with administrative privileges with access to KX Information. All users with administrative accounts must have a business justification for this elevated access.
(d) Encryption
Administrative passwords are stored encrypted in a secure environment, aligned with best-practice industry standards.
(e) Failed login attempts
KX implement a mechanism that limits the number of authentication (login) attempts that can be made on a user’s account. For example, an account is disabled after 10 failed login attempts, requiring IT Administrators to reset or re-enable the account.
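The following is an added worked example (not KX code) showing how the password rules in section 2.2.15(b) and the failed-login limit of section 2.2.15(e) can be enforced in code. The ‘known bad’ list is a constructed sample; the lockout threshold of 10 is the policy's own illustrative value.

```python
"""Added example (not KX code): checks the password requirements stated in
section 2.2.15(b) and the failed-login limit illustrated in section 2.2.15(e).
The 'known bad' list below is a constructed sample; a real deployment would
query a breach corpus such as Have I Been Pwned's Pwned Passwords instead."""
from dataclasses import dataclass, field
import hashlib
import string

MIN_LENGTH = 12           # policy: minimum 12 characters
MIN_CLASSES = 3           # policy: at least 3 of the 4 character classes
MAX_FAILED_ATTEMPTS = 10  # policy's worked example: disable after 10 failures

# Keep the denylist as SHA-1 digests so no plaintext passwords sit in config.
# SHA-1 is acceptable here because this is a lookup key, not credential
# storage (stored passwords need a slow KDF such as Argon2 or bcrypt).
CONSTRUCTED_KNOWN_BAD = ("Password123!", "Welcome2023!", "Qwerty123456!")
KNOWN_BAD_HASHES = {hashlib.sha1(p.encode()).hexdigest() for p in CONSTRUCTED_KNOWN_BAD}


def character_classes(password: str) -> int:
    """Count how many of the four policy character classes the password covers."""
    checks = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(checks)


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        violations.append(f"fewer than {MIN_CLASSES} character classes")
    if hashlib.sha1(password.encode()).hexdigest() in KNOWN_BAD_HASHES:
        violations.append("matches a known-bad or compromised password")
    return violations


@dataclass
class LockoutTracker:
    """Per-account failed-attempt counter implementing section 2.2.15(e)."""
    failures: dict = field(default_factory=dict)
    disabled: set = field(default_factory=set)

    def record_failure(self, account: str) -> bool:
        """Record one failed login; returns True once the account is disabled."""
        if account in self.disabled:
            return True
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_FAILED_ATTEMPTS:
            self.disabled.add(account)
            return True
        return False

    def record_success(self, account: str) -> bool:
        """A correct password clears the counter but does not re-enable a
        disabled account: that needs an administrator reset, per the policy."""
        if account in self.disabled:
            return False
        self.failures.pop(account, None)
        return True

    def admin_reset(self, account: str) -> None:
        """IT administrator re-enables the account and clears its counter."""
        self.disabled.discard(account)
        self.failures.pop(account, None)


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3xample", "Password123!", "alllowercaseonly"):
        print(pw, "->", check_password(pw) or "compliant")
    tracker = LockoutTracker()
    for _ in range(MAX_FAILED_ATTEMPTS):
        tracker.record_failure("alice")
    print("alice disabled:", "alice" in tracker.disabled)
```

Note that a known-bad password can still satisfy the length and class rules (as "Password123!" does), which is why the policy requires the compromised-list check in addition to complexity rules.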
2.2.16 Remote access management
(a) Multi-factor Authentication
For any individuals with remote access (outside of corporate or on-premises network) to systems, networks, or applications storing KX Information, KX enforce Multi-factor Authentication (MFA), requiring at least 2 forms of authentication to verify personnel login credentials.
(b) Access to KX systems and infrastructure
KX may grant access to KX infrastructure via non-public systems or web-portals. In this case, all users must comply with the following requirements:
- Users must access the system(s) and collect, use, view, retrieve, download or store KX Information for the permitted purpose only.
- KX must ensure that unique accounts are assigned to each user. Users must adhere to password good practice and safeguard credentials.
- KX must ensure access to the KX environment, data and systems is established only through corporate devices, compliant with the Information Security requirements listed in section 2.2.9 (Network security – firewalls), section 2.2.6 (Vulnerability management), section 2.2.8 (Malicious code defences), and section 2.2.13 (Encryption).
- KX has defined a specific technology or process for accessing KX infrastructure / systems. Personnel must use that mechanism only for access and must not circumvent any technical measures implemented by or on behalf of KX in any way.
- KX personnel are prohibited from sharing, distributing, publishing, making available, copying, transferring, downloading, or modifying KX or client Information unless written approval is provided by an authorised person.
- KX conduct user access reviews on a periodic basis (at minimum every 90 days) in line with DevSecOps policies.
- Where personnel are provided with access to KX Infrastructure / systems, personnel must adhere to KX security policies as set out in the Group policy SharePoint site.
2.2.17 Data segregation
KX logically and physically separates KX information from third-party information. KX ensures appropriate physical, administrative, and technical security controls are in place to ensure effective segregation.
2.2.18 Security testing
For systems that store and / or process KX information, KX must conduct periodic internal and external security testing in accordance with industry good practice (on an annual basis at minimum) to identify any vulnerabilities and threats that may be used to exploit those systems and information. KX ensures vulnerabilities are assessed and remediated in line with Information Security policies and risk management frameworks.
2.3 Domain registration
Personnel shall not use or register any domain name utilising any KX related trademarks (or any similar names) without management approval in respect of the use of such domain. For the avoidance of doubt, in all cases KX shall maintain ownership and administration of the domain.
2.4 Website protections
If a public website is used for any KX service, KX shall ensure the following security controls are in place:
2.4.1 Denial of service protections
KX ensures the website(s) have protections to detect Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
2.4.2 Vulnerability assessment
KX ensures the website(s) are subject to periodic web-application vulnerability assessments / penetration testing.
2.4.3 Firewalls
KX ensures the website(s) have Web Application Firewalls (WAFs) implemented and configured to protect against network security attacks.
2.4.4 Anti malware
KX ensures website code and infrastructure (such as systems used for hosting and code management) are protected against malware, in line with the requirements listed in section 2.2.8.
2.4.5 Certificate management
KX ensures websites are correctly configured with SSL / TLS certificates from reputable Certificate Authorities (“CA”), and details of the CA are documented and provided to KX.
2.5 Background checks and due diligence
2.5.1 Background checks
KX conduct and satisfactorily complete background checks on new personnel before the conclusion of the recruitment process.
2.5.2 Due diligence
KX perform due diligence checks with third parties at a corporate level prior to engaging to assess the satisfactory nature of their security posture and its alignment with our security standard. Failure to meet standards may discontinue any further engagement until appropriate remediation is met.
3.0 Data retention, return, and deletion
3.1 Return and secure deletion
All KX information must be deleted securely in line with its data retention policy, using an industry-accepted practice. The process shall ensure that data cannot be recovered (via secure overwriting, destruction of magnetic media, or shredding). Where data is encrypted, KX ensures the encryption keys are securely disposed of.
3.2 Backups and archives
KX may be required by legal or regulatory purposes to retain archived copies of KX Information. In this case, KX remain bound by their obligations in this security standard and its other confidentiality related obligations in relation to such information. This includes obligations to protect the information using appropriate security controls.
3.3 Media destruction
KX ensures KX information is rendered unusable and unrecoverable on all storage media that has contained or had access to KX Information (such as desktop / laptop hard-drives, backup media, etc.). KX information stored in a third-party environment is securely deleted when no longer required, using an industry-accepted practice, in alignment with section 3.2.
4.0 Security incidents
4.1 Security incident definition
A security incident is an incident, event or breach that has an actual or suspected impact on the confidentiality, integrity, and / or availability of KX Information, assets, or services.
4.2 Incident response plan
KX must maintain a documented incident response plan and defined processes for the management of Security incidents. KX must respond to each Security incident in a timely manner following the incident response plan and KX’s notification requirements for the escalation of incidents.
4.3 Incident notification
Personnel must inform the KX DevSecOps team of any security incidents directly impacting KX information, assets, or systems / services via one of the following notification methods.
- Raising a ticket in the internal DevSecOps ticketing portal.
- Sending a message to the internal DevSecOps Slack channel.
- Emailing the DevSecOps team distribution list.
4.3.1 Supporting information
The information that personnel must provide on the security incident (if known) includes:
- When the incident occurred (time and date).
- Description of the incident (e.g. type of data involved in a breach).
- Cause of the incident (if known) and how it was discovered.
- Which system(s) or asset(s) (if any) are affected.
- Whether any remedial action has been considered and / or implemented.
4.4 Cooperation with investigations
KX staff and third-party personnel must reasonably cooperate with KX investigations of a security incident, including (a) coordinating with KX on the incident response plan; (b) assisting with KX’s investigation of the Security incident; (c) facilitating interviews with personnel and others involved in the Security incident; (d) … to the Security incident; and (e) ensuring the availability of logs, records, files, forensic and investigation reports, and other materials required for KX to comply with applicable laws, regulations, or industry standards, or as otherwise required by KX.
4.5 Notifications to third parties
KX designated authorised personnel have the sole right to determine (a) whether notice of the security incident is to be provided to any individuals, regulatory bodies, law enforcement agencies, or others; and (b) the format and contents of such notice, unless otherwise required by legislation. KX maintains a data breach response plan and a security incident plan in accordance with applicable laws.
KX personnel agree that they must use and adhere to the KX Incident Response (IR) Policy as set out in the KX Group policy SharePoint site.
5.0 Notice of legal request for data
Personnel must inform KX as soon as possible (and in any case within 24 hours) when KX’s data is being sought by any regulator, in response to a legal process or pursuant to any applicable legal requirement.
6.0 Security reviews and audits
6.1 Security audits
At KX’s request, personnel must complete KX’s Information Security audits and reviews.
6.2 Remediation
KX must promptly address any vulnerabilities or deficiencies identified during KX’s Information Security review or audit, by developing and implementing a corrective action plan.
7.0 Enhanced Information Security requirements
7.1 Systems and applications
KX formally document and maintain technical security standards (including secure build configuration) for applications and systems used for KX Information. KX ensures that access to and management of program source code is restricted and strictly controlled to authorised personnel only.
KX ensures that all applications (including new application developments), changes to existing systems, upgrades, and new software have considered and implemented security control requirements based upon the identified risks as per 2.2.12 Change Management. All systems must be subject to an appropriate level of security testing and vulnerability scanning prior to being used, deployed in a production environment, or interacting with KX Information.
7.2 Logging and monitoring
KX must implement and maintain continuous (24x7x365) monitoring of systems storing KX information (this could include automated monitoring using Security Information and Event Management (SIEM) tools for example). Monitoring includes analysis of logs from network devices, systems / applications, and corporate user-devices. Monitoring tools must have the capability to alert on any suspicious or malicious activity taken against the systems storing KX Information, aligned to, and integrated with the incident response plans for escalating and managing incidents.
7.3 Personal and financial data
KX require that data is handled in accordance with the 2.2 Specific DevSecOps control requirements.
Reference
- KX Documentation
- Industry Documentation
  - The Open Web Application Security Project (OWASP)
  - OWASP: SAMM
  - OWASP: DSOMM
  - SAFECode: Fundamental Practices for Secure Software Development
  - Microsoft: SDL
- Further reading
  - OWASP: Code Review Guide
  - OWASP: Web Security Testing Guide
  - Google: 2022 State of DevOps Report