Last revised: April 2023
The Security Policy Framework serves as the foundation for all the Company’s Global Information Security and Privacy activities, and as a guide for implementing practices to minimize risk to the Company’s operations.
This Policy has been created to define the methods with which Bagel protects and secures data, specifically personal data that the Company receives.
Purpose and Scope
This document outlines Bagel’s Security Policy. It describes Bagel management’s view of information security and its implementation both in the corporate vision and in the day-to-day activities of the company. The security policy provides high-level guidelines for practicing information security at Bagel. Further details on implementing specific aspects of information security can be found in Bagel’s subject-specific policies.
This security policy relates to Bagel’s activities worldwide. The policy refers to all systems, networks, and data resources operated and managed by Bagel.
Information Security is essential to Bagel’s business because:
- It helps maintain a reliable service.
- It achieves and maintains compliance with the laws and regulations of the countries in which Bagel operates.
- It helps protect Bagel’s clients and their information.
- It complies with customers’ and regulators’ security requirements.
- It reduces the threat to Bagel’s activities.
Bagel’s management is committed to maintaining a high level of information security and intends to invest the required resources to enforce its security policy in all aspects of the company’s activities.
All Bagel employees, consultants, contractors, and affiliates are subject to the policies noted herein. Continued lack of adherence to the policies may result in appropriate disciplinary action, up to and including termination of employment or affiliation.
Laws and Regulations
Bagel strives to comply with the laws and regulations governing the processing of personal data where Bagel operates, including GDPR, CCPA and any other national applicable laws or regulations governing the processing of personal data.
These laws and regulations shape the Data Management Policy, for example the backup requirements for accounting systems and the retention periods for employee data. The legal department is responsible for identifying new relevant laws and changes to existing laws.
Users must not make unauthorized copies of software owned by the organization, except where permitted by law, by the manufacturer, or by the legal department.
Users must not copy software or other original materials from other sources and are liable for all consequences arising under applicable intellectual property law or other company policies.
Information Security Policy
A Security Steering Committee acts as an advisory board and as a channel for communicating security issues. Its responsibilities include:
- Defining the information security strategy and requirements.
- Setting, prioritizing, and managing security initiatives.
- Updating and reviewing Bagel’s Information Security Policy.
- Setting the information security standards and recommending security enhancements.
- Defining and managing the ongoing security auditing and testing processes.
- Managing information security incident response.
- Managing security-related discussions with clients and other third parties.
Responsibility and Ownership for Information Assets
Bagel maintains a current list of all its information assets. Each information asset belonging to Bagel is owned by an information asset owner. An information asset owner must be an internal Bagel employee.
An information asset owner assumes the following responsibilities:
- Determining the sensitivity level of the information asset.
- Determining the criticality level of the information asset.
- Determining the risk level of the information asset.
- Determining the type of data stored on the information asset.
- Promoting awareness of the security characteristics of the information asset.
Disaster Recovery
Bagel’s Disaster Recovery Policy provides the framework for Bagel to implement the Disaster Recovery Plan, mobilizing its response and undertaking work to prevent or mitigate the severity of potential disruptions.
The Plan identifies the recovery objectives, the structure for implementation, the mitigation measures, and the communication process for keeping staff, partners, and the public informed of necessary changes to service delivery.
Risk Management
As a software vendor, service provider, and corporation, Bagel faces various risks. To prepare for these risks and plan their mitigation, Bagel implements a Risk Management process that includes Risk Assessment and Risk Mitigation activities.
Malware Detection and Response
Bagel has implemented a procedure for detecting and responding to viruses, trojans, malware, and ransomware on Bagel’s workstations and production systems.
Service Disruption Communication
Bagel implements a communication procedure for service disruption incidents. The process is designed to achieve the following goals in case of critical Service Disruption incidents:
- Provide near-instant initial notification to impacted customers and internal stakeholders.
- Ensure an ongoing communication channel for as long as corrective measures are in progress.
- Deliver a precise postmortem analysis to customers and internal stakeholders following the incident’s resolution.
Penetration and Vulnerability Tests
Bagel performs penetration tests and vulnerability scans regularly on the production, staging, and development networks.
Access Control
Access to Bagel’s information assets is restricted and is granted to Bagel employees and contractors only as needed to fulfill their duties. Bagel employees and contractors will not be granted access to any information asset that is not necessary for their work at Bagel, with consideration for segregation of duties (SoD).
Bagel has defined various user roles according to the positions and activities in the company. Each Bagel employee and contractor is assigned one of these roles and receives the access privileges appropriate to that role.
Access requests must be reviewed and approved by the business owner and the asset custodian before access is provisioned. All access requests are documented in the internal systems.
User Account Management
Each user at Bagel shall receive a personal user account. This user account shall only be used by the user to whom it was assigned. Users shall not allow others to use their user account, nor use the user accounts of other Bagel employees.
Bagel will not use generic accounts (accounts that do not belong to a specific user but rather serve a group of users), as they prevent accountability for actions performed under that account.
Users must log in with their personal user accounts to access Bagel’s production servers. Logging into Bagel’s production environment requires users to authenticate themselves. The authentication method used depends on the sensitivity of the information asset, the authorization level requested by the user (e.g. regular user, administrator), and the access method used (e.g. internal network, remote access).
Authentication data and devices (e.g. passwords, authentication tokens) provided by Bagel are strictly for the individual receiving them. Authentication data should not be given to any other party or used in any way other than for fulfilling the user’s duties.
Logging and Auditing
The use of and activity on Bagel’s information assets are logged to provide an audit trail.
The logged data is audited for security events and for non-compliance with Bagel’s Information Security Policy and related procedures.
Security Incident Reporting
Each security-related event detected by any Bagel employee or system is reported to the relevant information asset owner.
Security incidents detected by Bagel employees, clients, or business partners shall be reported to firstname.lastname@example.org.
Bagel will notify all relevant parties of related security incidents in accordance with its internal incident response policy.
Physical Access Controls
Bagel hosts its data in AWS. Bagel manages its data center activities in a highly secured environment with strict logical and physical access controls. Servers at the data center are kept in a secure location, and AWS implements security measures to protect against environmental risks and disasters. Bagel reviews security examination reports (such as SOC 2 Type II) annually.
Awareness and Training
Security awareness is a key factor in maintaining a high level of information security in Bagel.
Each employee receives an information security briefing upon commencing work at Bagel and receives training at least annually.
Bagel’s management strives for continuous improvement in its information security status. Each Security Steering Committee meeting includes a review of enhancements performed in the previous year and a discussion of further potential improvement.
Mindspace, Greenwork Business Park