WaterSmart’s Information Security Policy Overview describes our core approach for keeping customer information safe and secure.
- ACCESS CONTROL WaterSmart will ensure that only approved users are granted appropriate to access to our systems. To this end, all systems that face an external network are secured according to best practices including but not limited to: a minimum of open network ports, ssh-key based server access (no passwords), revocable SSL client-certificates for webservice access, etc. All access to servers is logged and automated agents are enabled to report suspicious logins. Semi-annual 3rd party validation and penetration tests are used to confirm our defenses against external vulnerabilities.
- ENCRYPTION AT REST AND IN TRANSFER WaterSmart does not transfer customer data across our system boundaries in an unencrypted fashion. Data files delivered by utility partners are immediately encrypted and remain encrypted while within system boundaries. Personally Identifiable Information (PII) that is stored within our databases is encrypted at rest. Furthermore, all data transmitted between WaterSmart and a customer or cloud partner is always transferred in an encrypted fashion, using either SSL, SSH, PGP, or TLS as appropriate for the channel.
- PARTNER SELECTION WaterSmart will select only best-in-class cloud vendors for asset management, physical & environmental security, and encryption capability. We use only highly reputable server vendors such as AWS. These vendors have 24/7 physical security, redundant networking and power, and ISO27001-type compliance documentation. We choose only reputable print and mail vendors that can support transfer encryption.
- CHANGE MANAGEMENT AUTOMATION All changes to WaterSmart products, servers, and databases will be done via rigorous change management procedures. This includes but is not limited to: permanent documentation of each application or configuration change, scripting to enact each change, commit of all changes and change scripts to a permanent source control repository, sequentially scripted database migrations, and server configuration automation via Chef.
- APPLICATION SECURITY WaterSmart’s web applications will adhere to industry best practices for application security as documented in the OWASP Top 10 guidelines. We will utilize 3rd party to validate our defenses against vulnerabilities to (A1) injection, (A2) session management, (A3) cross-site scripting, (A4) insure object references, (A5) security misconfigurations, (A6) sensitive data exposure, (A7) access control, (A8) cross-site forgery requests, (A9) safe components, and (A10) unvalidated redirects.
- HUMAN RESOURCES WaterSmart employees will be subject to information security controls. This includes background checks, the signing of non-disclosure agreements, and a signed acknowledgement of our acceptable use and security policy. Employee onboard training will include explanation of our security controls and education about how to report potential problems.
- THIRD PARTY VALIDATION WaterSmart uses a certified third party security firm to test external network vulnerability, conduct penetration tests, and to validate web application security. A letter of attestation will be provided to clients upon request.
Information Security Policy Overview | Revised January 25, 2019