Scale Data Security Policy
You can view the most up-to-date version of this policy at this secure share link.
Last Updated: March 20, 2020
Created By: Brian Fritton
What is This Policy?
This Data Security Policy outlines behaviors expected of employees when dealing with data and provides a classification of the types of data with which you should be concerned.
- System Owners, Data Owners, and their designated custodians are responsible for properly classifying and protecting data (Public/Internal/Restricted).
- Data in use at Scale is to be used only for its intended purpose.
- Physical security measures including access control for employees and visitors must be implemented and enforced.
- Encrypt data as outlined in this policy to provide security and integrity.
- Mobile devices present additional risk to Scale; as such they require additional protections.
Overview, Purpose, and Scope
Effective security is a team effort, which means everybody at Scale has a crucial role to play. This policy outlines behaviors expected of employees when dealing with data and provides a classification of the types of data with which you should be concerned.
This Data Security Policy applies to everyone who works for Scale, including our employees, contractors, and third parties who have access to any Scale data.
Roles & Responsibilities
It is the responsibility of every employee to know these guidelines, and to conduct their activities accordingly. Scale management reviews and approves this policy, but if you identify an issue you should bring it to the attention of your manager.
Data Classification
At Scale we have access to different types of information. Some of it is more sensitive and needs special protection, whether because of a law or industry regulation or because the information has business value.
We use the levels of data classification in the table below to determine how sensitive information is and what protection mechanisms are required. It is the responsibility of the system owner, data owner, and any custodians to ensure that data and systems are properly classified.
|Level|Definition & Examples|Dos & Don'ts|
|---|---|---|
|Public|Information may be shared with anyone. e.g. information on the company website such as HQ address, published financial statements, marketing materials.|Do: share it! Don't: assume information is public unless you can verify it.|
|Internal|Information may be shared only internally or with external parties under an NDA; may require a valid need to know. e.g. company directory, company policies, unpublished financial statements, business plans.|Do: verify a user's need to know (e.g. job function) before sharing; check with your manager if you're unsure; use secure sharing methods, e.g. encrypted cloud storage. Don't: share outside the company without verifying an NDA is signed; send without encrypting.|
|Restricted|Access is tightly restricted; only users with a verified need to know are allowed access. e.g. HR data, customer-provided data, Personally Identifiable Information (PII), PCI data.|Do: implement tight access controls and encryption; use extra diligence, such as formal access requests and approvals. Don't: share this information.|
Scale data requires protection in accordance with its classification label. Once data has been classified, the owner and/or custodian must ensure that appropriate safeguards are in place.
Minimum Standards for Protection
The table below details appropriate protection required for data, based on classification:
|Classification|Minimum Protection Required|Primary Focus|
|---|---|---|
|Public|Adequate backup and restoration capability; measures to prevent unauthorized changes to data after it is published by Scale.|Data Availability, Integrity|
|Internal|Manual encryption; manual measures to prevent unauthorized changes (e.g. manual public key cryptography, auditing).|Data Confidentiality, Integrity|
|Restricted|Systematic enforcement of encryption; systematic enforcement of measures to prevent unauthorized changes.|Data Confidentiality, Integrity|
Appropriate Use for Intended Purpose
Data in use at Scale may be highly sensitive, and is only to be used for its intended, management-approved purpose. All data collected must have a defined purpose (e.g. to support the service we provide to our customers, for regulatory compliance, etc.). Any use of this data must be in support of that defined purpose. Use for any other purpose, including personal snooping, unauthorized sharing with business partners, or other uses is prohibited.
Asset End of Life and Disposal
Data present on any assets must be handled appropriately when the asset reaches the end of its useful life. Data destruction must follow an approved method (see Backup & Retention Policy, Destruction Procedures), based on the classification of the data and the type of asset being disposed of.
Assets which require special handling include but are not limited to: removable optical media (CD/DVDs), USB thumb drives, smartphones, tablets, and cloud storage services. Devices containing hard disk drives (HDDs) and solid state drives (SSDs) must also be handled appropriately, including servers, workstations, laptops, printers, network devices, and cloud applications.
Physical Security
All Scale-owned resources must have identified Resource Custodians, who are responsible for securing their resources from unauthorized physical access. Resources include facilities, computing systems, and devices such as laptops or tablets. The following physical security requirements must be met for all resources:
- Need to know: Access must be allowed only for personnel who need to maintain devices and/or media, including restrictions on physical access to restricted areas and facilities containing Scale-owned resources.
- Physical access control devices: Physical access control devices such as key card readers, doors, and cabinet locks must produce audit trails. Such devices should be tested prior to use and on a periodic basis (e.g. annually). The audit logs must contain sufficient details to support security incident investigation. An inventory/review of physical access control devices and permissions should be conducted regularly, and any inappropriate access promptly removed.
- Marking restricted areas: Restricted areas should display signs to designate that access is for authorized personnel only. Facilities containing Scale-owned resources should give minimum indication of their purpose, with no obvious signs identifying the presence of covered data or related functions.
- Unauthorized removal: Resources such as server hardware, desktop computers, and storage media should be locked down to physical restraints that prevent unauthorized removal from restricted areas.
- Visitors: Visitors to Scale must be escorted by an authorized employee at all times. The escorting employee is responsible for restricting the visitor's access to appropriate areas only. If you identify an unknown, unescorted, or otherwise unauthorized individual in a Scale facility, immediately notify the appropriate personnel.
- Clean desk/Clear screen: Ensure that hardcopy media, including printed materials and data storage devices, are not left unattended at your workstation. When leaving your workstation, lock the screen or put the device to sleep – even inside Scale facilities.
- Device Loss or Theft: You must immediately notify Scale if a device containing in-scope data (e.g. smartphone, laptop, tablet) is lost or stolen, so that remote lock, wipe, and credential revocation can be initiated.
- Surveillance: Physical facilities in use by Scale must undergo surveillance appropriate to the type of data they process or store. This might include a routine guard presence, surveillance sweeps by guards or law enforcement, Closed Circuit Television (CCTV) monitoring, etc.
Encryption
Scale information requires protection to ensure both confidentiality and integrity when data is stored or transmitted. Appropriate encryption must be used to protect all data classified Internal or Restricted; additional protection methods (access control, auditing, integrity checks) should also be used to provide layered security, since encryption alone does not control who holds the keys.
Encryption at Rest
Data should be encrypted at all times, where feasible, when stored on any medium. This includes removable storage such as USB drives, portable devices including laptops and tablets, and production environments such as servers or cloud hosting.
Encryption in Transit
All data in transit across untrusted networks (e.g. the internet) must be encrypted. Data in transit across trusted networks should be encrypted as well. Data in transit may be protected by one or both of the following methods:
- Encryption of the data itself prior to transmission
- Encryption of the communication channel.
Acceptable Algorithms and Key Management
When encryption is used, it must follow industry best practices, as well as any applicable laws and regulations. Guidance for acceptable encryption algorithms can be found in FIPS 140-2 and ISO/IEC 19790:2012; if there is a doubt regarding requirements, seek guidance from Scale management.
Acceptable Encryption Technologies
- BitLocker or FileVault full disk encryption for endpoint devices.
- A password manager whose vault encryption is keyed from the user's master password, so that the password manager vendor is unable to decrypt the vault independently.
- Any acceptable encryption algorithm found in the FIPS 140-2 or ISO/IEC 19790:2012 frameworks.
Cryptographic keys are considered Restricted data under Scale’s data classification scheme, and therefore require additional protection. These should ideally be generated, stored, managed, and destroyed using a key management system; if manual procedures are used they should be documented and audited regularly.
Mobile Devices
Scale's mobile devices are at increased risk due to their portability – it is much easier for them to be lost or stolen. Such devices must therefore be given specific consideration when implementing protections.
A mobile device is any inherently portable computing device capable of storing Scale data. Examples include laptops, smartphones, tablets, USB drives, portable hard drives, smartwatches, etc.
Minimum Security Capabilities
Portable devices must meet the following security capabilities in order to be used for storing, processing, or transmitting Scale data:
- Inventoried: all devices storing or accessing Scale data must be tracked. This inventory should ideally be automatic, e.g. the device is registered when a user authenticates from it. If no automated method is available, a routine process for reconciling the inventory must be implemented.
- Encrypted: any mobile device storing Scale data must support encryption methods that meet or exceed the encryption requirements in this policy. If encryption is not available, compensating controls must be present, such as the use of additional physical security measures.
- Mobile Device Management (MDM): any device capable of storing and processing data must support some form of MDM. This may include device authentication requirements (password/biometrics), the ability to revoke access to Scale data or services, remote wipe/deletion abilities, and remote lock capabilities.
- Additional physical security: Due to their inherent portability, mobile devices should support additional physical security. This could include the use of a locking cable, inconspicuously marked bag/carrier, or additional procedure requirements such as use of a hotel safe when traveling.
Use of Untrusted Networks
Mobile devices which support network connectivity must support encryption in line with the Encryption in Transit requirements of this policy, especially when connecting to untrusted or public networks. Acceptable security on untrusted networks includes secure protocols such as HTTPS and TLS, a Scale-managed VPN, or the like.
Exceptions
Any exception to this policy must be approved in writing by senior management. Exceptions will only be granted when there is a legitimate business need and adequate compensating controls exist to reduce the risk introduced by the exception.
Enforcement
Any user found to have violated this policy will be subject to disciplinary action, up to and including termination of employment.