Introduction
The operations of the organization largely depend on the information that is processed, produced, and communicated. This information is extensive and can exist on paper or in digital form. It includes, among other things, personal information of customers and staff, intellectual property produced by developers, as well as strategic and administrative internal documentation.
Like any other organization, Unicorne faces a multitude of threats that can compromise the confidentiality, integrity, and availability of our information. These threats, whose nature is constantly evolving, include, among others, identity theft and the theft of confidential information, fraud, industrial espionage, and the theft of intellectual property, as well as the unauthorized use, disclosure, and destruction of information, technical failures, natural events, and human error.
In this context, Unicorne implements, maintains, and enforces an information security policy that establishes the implementation of formal information security processes, including risk management, information access management, and incident management.
The organization is committed to notifying the Commission d’accès à l’information du Québec (CAI) as well as all affected individuals if it becomes the target of a cyber attack or any other similar incident. Additionally, a security officer is appointed to ensure compliance with this policy and to oversee the necessary actions in case of an issue.
Responsible Person: Patrice Naud, Vice President of Operations
Objective
The main objective of this policy is to affirm the organization’s determination and commitment to effectively and efficiently manage information security risks. The approach advocated aims at identifying stakeholders and defining their roles, raising user awareness of risks, and designing and implementing measures that effectively ensure information security throughout its lifecycle.
Scope
Information security is everyone’s responsibility. This policy applies to any individual (developers, managers, administrative staff, consultants, and visitors), or any legal entity that uses or accesses the organization’s information resources.
This policy applies to all information held by the organization in the course of its functions or under its custody, throughout its lifecycle, regardless of its form, medium, or location.
There are no restrictions on the use of Unicorne’s computers for personal purposes by an employee. However, all activities and software installations must be carried out following the recommendations of this policy.
Control Measures
To ensure compliance with this policy, the responsible person undertakes to conduct an internal audit of employees at least once per calendar year.
Employees will be randomly selected.
They must, during a meeting with the responsible person, demonstrate that they have implemented the security measures of this policy.
Audit results will be kept according to Annex 1.
Any breaches will result in one or more corrective actions in the report. These must be corrected within a maximum period of one week.
Administrative Measures and Sanctions
In the event of a breach of this policy:
The user is personally responsible for any breach of this policy; the same applies to any person who, through negligence or omission, fails to adequately protect the information.
Any member of the organization who violates the legal framework, this policy, and/or the resulting information security measures is subject to sanctions according to the nature, severity, and consequences of the violation, under the law or applicable internal disciplinary rules.
Likewise, any violation by a supplier, partner, guest, consultant, or external organization exposes them to sanctions under the contract binding them to the organization or under the provisions of applicable legislation.
When an audit or investigation gives reason to believe that an offense against a law or regulation has been committed, the security officer may also refer the matter to any other competent authority to verify, in particular, whether there are grounds for prosecution. He/she may then transmit to this authority the information collected during this audit or investigation. Any violation of this policy may result, in addition to the measures provided for in laws, regulations, policies, or agreements, in the following consequences, depending on the nature, severity, and repercussions of the act or omission:
a) Cancellation of access privileges to the organization’s information assets. Cancellation may be made without notice depending on the nature and severity of the breach.
b) The obligation to reimburse the organization for any amount that it would be required to pay as a result of unauthorized, fraudulent, or unlawful use of its services or information assets.
Protection Measures
Confidential information collected must not be disclosed during informal discussions or conversations. The communication of information must be objective, without judgment, and without prejudice. All information about client projects must be considered confidential information to be protected.
Each person must ensure the security of the information they have collected. Confidential information must be stored securely when the person responsible for it is absent. This responsibility also applies to information appearing on a computer screen.
Duty to Protect
Information Protection
All staff members must protect all information (records) they are responsible for. Failure to comply with the provisions of this confidentiality policy may result in disciplinary action, up to and including dismissal.
Reporting
All staff members, consultants, clients, or partners must notify the security officer if they notice a situation that could harm the security or confidentiality of the information.
External Disclosure
Written consent is required before disclosing information to a third party not affiliated with the company.
Protection Methods
Two-Factor Authentication
To limit unauthorized access, we require activating two-factor authentication on all accounts where this feature is available (AWS, GitLab, Google, GitHub, Bitbucket, Jira, Confluence, 1Password). Use an authenticator app such as Google Authenticator or Authy to generate and store your MFA codes.
Software and Operating System Updates
To ensure better equipment and information security, all automatic update options must be enabled on workstations and servers. Activate automatic updates for your operating systems and browsers. For any other software that does not have these options, updates must be done within 48 hours of receiving a notification.
Firewall
To limit unauthorized access, we require activating firewalls on workstation and server operating systems.
Password Manager
To secure login information, we require using only the password manager provided by the organization, 1Password. Avoid using the password managers built into your browser.
Password Sharing
If login information needs to be shared, it must be done securely. Exchanging passwords by email or text, for example, is prohibited. The 1Password password manager has an option for sharing this type of information.
Secure Your Wi-Fi
Use secure Wi-Fi networks. Ensure that WPA2 is enabled, that the router is kept up to date, and that strong passwords are used. A VPN must be used on public networks such as coworking spaces, conferences, client networks, or others. If you do not have a personal VPN, you can use the one provided by Unicorne.
Secure Your Mobile Device
If you use your mobile device for work-related communications (Slack, Email, etc.), activate security codes with a minimum of 6 characters.
Avoid Document Printing
Avoid printing documents. If necessary, ensure they are handled with the appropriate level of security and destroyed properly when necessary.
Encryption
Encrypt your computer’s hard drive to prevent data theft in case of loss or theft of your computer.
Public Locations
When working in a public location, such as a coworking space, always lock your computer when you are not present. Also, the computer should never be left unattended.
Hard Drive Backups
Apple’s “Time Machine” software must be used with an external hard drive to make encrypted backup copies of the hard drive. Backups run automatically while the external drive is connected; otherwise, they must be done at least once a week. All of this is configurable in the computer’s settings.
Hiring Employees/Contractors
Coordinate with the HR responsible person to conduct background checks for each new employee or contractor.
Access Configuration
Access configuration must always be done with the minimum access necessary to accomplish the task.
Example:
- Contracts with subcontractors can be shared with the project manager related to this subcontractor and the administrative team;
- The Google Drive directory “ClientAdministration” containing contracts and financial data of clients should not be shared with all employees. Only the project manager of the client, as well as the administrative team, have access to this directory;
- The “Client” Google Drive spaces containing files necessary for development teams can be shared internally at Unicorne;
- The “Confluence” spaces by client can be shared among team members;
- Employee folders should only be shared with the employee’s immediate supervisors;
- AWS access is given to people when they are active in the client’s project with the Principle of Least Privilege.
Amazon Web Services
At Unicorne, we are committed to ensuring the security of our clients’ data and infrastructure. As an AWS Partner, we adhere to industry security standards and best practices to protect your sensitive information and maintain the integrity of your systems.
Understanding AWS Security Processes and Technologies
As part of our security commitment, we ensure our clients understand the security processes and technologies provided by Amazon Web Services (AWS). AWS offers a comprehensive set of security services and features designed to protect data, systems, and infrastructure hosted on the AWS platform.
AWS Well-Architected Framework Security Pillar
We follow the guidelines outlined in the Security Pillar of the AWS Well-Architected Framework. This framework provides best practices and guidance for designing, building, and maintaining secure AWS environments. By leveraging the Security Pillar, we assist our clients in implementing security measures compliant with industry standards and regulatory requirements.
Key Principles of the AWS Well-Architected Framework Security Pillar
Data Protection
We implement robust data encryption and access control mechanisms to ensure the confidentiality and integrity of your data.
Identity and Access Management (IAM)
Principle of Least Privilege
When granting permissions in AWS Identity and Access Management (IAM), it’s imperative to follow the principle of least privilege. This means that IAM users and roles should only be granted the permissions necessary to perform their specific tasks.
Guidelines
- Avoid using wildcards such as asterisks (*) in action and resource elements as much as possible;
- Limit permissions to the specific actions and resources required by each IAM principal.
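The two guidelines above are easiest to apply when the policy documents are checked mechanically before they are attached to a user or role. The following is an added example, not Unicorne's own tooling: two constructed IAM policy documents (an over-broad one and its least-privilege rewrite for the same task) and a small audit function that reports every Allow statement using a wildcard in its Action or Resource element. The bucket name "example-client-reports" and the statement Sids are placeholders. The checker also flags NotAction and NotResource in Allow statements, since those grant everything except what is listed, and it treats a scoped resource wildcard such as a bucket prefix as a lower-severity finding that still needs justification.

```python
import json

# Constructed example: over-broad policy that violates both guidelines
# (wildcard action and wildcard resource).
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadReports", "Effect": "Allow",
         "Action": "s3:*", "Resource": "*"}
    ],
}

# Constructed example: the same task (read reports from one bucket) scoped
# to the specific actions and resources required. The bucket name is a
# placeholder.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListReportsBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-client-reports"]},
        {"Sid": "ReadReportObjects", "Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::example-client-reports/*"]},
    ],
}


def _as_list(value):
    """IAM accepts a single string/object or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def find_wildcards(policy):
    """Return findings for wildcard grants in the policy's Allow statements.

    Severity "high": any '*' in an Action (e.g. "s3:*" or "s3:Get*"), a bare
    '*' Resource, or use of NotAction/NotResource. Severity "medium": a
    scoped resource wildcard such as "arn:aws:s3:::bucket/*".
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # a wildcard in a Deny only removes permissions
        sid = stmt.get("Sid", "<no Sid>")
        for element in ("NotAction", "NotResource"):
            if element in stmt:
                findings.append({"sid": sid, "element": element,
                                 "value": stmt[element], "severity": "high"})
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append({"sid": sid, "element": "Action",
                                 "value": action, "severity": "high"})
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append({"sid": sid, "element": "Resource",
                                 "value": resource, "severity": "high"})
            elif "*" in resource:
                findings.append({"sid": sid, "element": "Resource",
                                 "value": resource, "severity": "medium"})
    return findings


def is_least_privilege(policy):
    """True when the policy contains no high-severity wildcard grant."""
    return not any(f["severity"] == "high" for f in find_wildcards(policy))


def audit_policy_json(text):
    """Audit a policy document supplied as JSON text (e.g. read from a file)."""
    return find_wildcards(json.loads(text))


if __name__ == "__main__":
    for name, policy in (("over-broad", OVERBROAD_POLICY),
                         ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(f"{name}: least privilege = {is_least_privilege(policy)}")
        for f in find_wildcards(policy):
            print(f"  [{f['severity']}] {f['sid']}: {f['element']} = {f['value']}")
```

Run as a script it prints the verdict for both documents; in a review pipeline, `audit_policy_json` can be fed the policy file before it is applied, and any high-severity finding should block the change. The medium finding on the object prefix is intentional: an object-level wildcard inside one named bucket is often acceptable, but the reviewer should still confirm that the principal needs every object in that bucket.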
Use of Dedicated Credentials
Anyone needing access to an AWS account should use credentials dedicated for that purpose. This practice ensures traceability and security of access.
Guidelines
- Access credentials assigned to partners must be exclusively dedicated to their collaboration with our organization;
- It is strictly forbidden to share credentials between individuals or entities, even within the same organization.
Detection and Response
We use proactive monitoring, logging, and alerting to detect and respond to security incidents.
Infrastructure Protection
We implement network segmentation, firewalls, and other security controls to protect AWS infrastructure against unauthorized access and cyber threats.
Incident Management
We have established incident management procedures to effectively respond to security incidents and minimize their impact on your business operations.
Continuous Improvement
Security is an ongoing process, and we are committed to continuously improving our security practices to address emerging threats and vulnerabilities. We regularly review and update our security policies, procedures, and controls to ensure their effectiveness in risk reduction.
Customer Awareness and Education
We believe that security is a shared responsibility, and we work closely with our clients to raise awareness of security best practices and help them make informed decisions regarding their AWS environments. We provide training, resources, and guidance to help our clients understand and effectively implement security measures.
Conclusion
By choosing Unicorne as your trusted AWS partner, you can rest assured that your data and infrastructure are protected by industry-leading security measures and practices. We are committed to maintaining the highest standards of security and assisting you in safely achieving your business goals on the AWS platform.
For more information about our security practices or to discuss your specific security needs, please contact us at info@unicorne.cloud.