Data Governance and Breach Incident Response Plan
Whole9yards maintains a Data Privacy and Handling Policy and an Incident Response Plan that not only provides a well-defined, organized approach for handling any potential threat to the organization’s application, but also details the appropriate action to be taken when the source of an intrusion or incident at a third party is traced back to the organization. The plan identifies and describes the roles and responsibilities of the Incident Response Team, which is responsible for putting the plan into action.
Responsibilities:
- Determine the nature, scope and severity of the incident
- Ensure proper evidence gathering, chain of custody and preservation practices are in place
- Document the types of personal information that may have been breached
- Assess the need to change privacy policies, procedures and practices as a result of a breach
- Analyze network traffic for signs of denial of service or other external attacks
- Run tracing tools such as sniffers, Transmission Control Protocol (TCP) port monitors and event loggers
- Monitor for signs of a firewall breach
- Take the necessary action to block traffic from a suspected intruder
- Ensure backups are in place for all critical systems
- Examine the system logs of critical systems for unusual activity
- Review systems every 6 months, and after major infrastructure changes, to ensure compliance with information security policies and controls
- Inform Amazon of any such data breach within 24 hours of the security breach by reaching out to security@amazon.com
Security Measures:
Access Management: Access to our server is controlled by an Access-Control List (ACL). Every user has a unique ID, and the permissions attached to it are governed by the employee's role in the company. Our system administrator reviews each user and their role on a regular basis to confirm that the permissions are still warranted, and removes accounts that no longer need access. Our system is completely web based, so all data is stored either on an AWS file server or in an RDS database; no data is stored on a user's local device. We also maintain and enforce an "account lockout" policy: we detect anomalous usage patterns and repeated log-in attempts, and disable accounts with access to Personally Identifiable Information (PII) as and when needed.
Encryption of Data: Our system retrieves, processes and stores all PII data using the AES-256-CBC algorithm. We use AWS RDS to store the data; the database can only be accessed by the EC2 instance and is not publicly accessible. The cryptographic materials and cryptographic capabilities can only be accessed by the developer’s processes and services.
Additional Security Requirements Specific to Personally Identifiable Information
Whole9yards adheres to stringent data privacy guidelines that require data collection to be relevant, lawful and not excessive. This data is retained for no longer than is necessary to fulfil its intended purpose and is stored in a secure environment. To maintain both the integrity and privacy of this data, we take the following precautions:
- Access to sensitive data is monitored and restricted to authorized personnel only
- Our application stores PII for no more than 30 days after an order ships, since such data is used only to fulfil the order.
- Our application follows a standard Data protection policy that can be found here. Our developers keep a current inventory of all assets and software that have access to PII.
- Procedures are in place for reporting privacy breaches and data misuse
- Data is stored and deleted in a secure manner
- We use RDS monitoring and throttling alarms that alert us to any irregular activity.
- We use the RDS monitoring tool and our internal logs on a regular basis to check the database for any compromise or unauthorized access. We also rotate the database access credentials frequently and update our programs accordingly. Our software allows only administrators to set the business rules that classify confidential and sensitive information, so that it cannot be disclosed maliciously or accidentally by unauthorized end users.