Security Policy

1 INTRODUCTION AND GENERAL OVERVIEW

Channel99 maintains security procedures designed to ensure information we own, license and process is not accessed by any unauthorized person or business. We use a variety of multi-level security systems to control access to our services and information products.  We also regularly conduct internal risk assessments and audits on our internal and external information systems. These security measures help us continually assess our ability to maintain the security of our data. Our network security operations center maintains real-time monitoring for information system vulnerabilities and unauthorized access attempts into Channel99’s systems.  

 

2 PERSONNEL

ORGANIZATION STRUCTURE

The Security team coordinates all security programs across Channel99. The Security team reports to the Head of Engineering who reports directly to the CEO.  

 

SECURITY AND DATA PRIVACY TRAINING

Employees and third-party contractors attend on-boarding orientation and must complete security awareness and data privacy training. System access is revoked for any employees and third-party contractors who do not complete their security awareness and data privacy training in a timely manner.

Employees and third-party contractors must complete annual Security Awareness and Data Privacy training modules.

 

INFORMATION SECURITY POLICIES

Employees and third-party contractors review and acknowledge Channel99’s Information Security Policies and Procedures during on-boarding and annually thereafter.

 

LOGICAL ACCESS

All access by employees and third-party contractors to Channel99 systems requires successful multi-factor authentication (MFA). In addition, a further authentication step is required for access to the virtual private network (VPN) and for virtual private cloud (VPC) access to AWS.

Upon termination of employment or contract, access to Channel99 systems and offices is immediately revoked.

 

3 NETWORK AND APPLICATION SECURITY

ARCHITECTURE

Channel99 uses Amazon Web Services (AWS) as the primary cloud service. Channel99 utilizes the shared security responsibility model, where the cloud provider is responsible for the security of the underlying cloud infrastructure (i.e. physical infrastructure, geographical regions, availability zones, operating, managing and controlling components from the host system, security of cloud native services, virtualization layer and storage) and Channel99 is responsible for securing the application platform and configuration deployed in the cloud provider’s infrastructure.

 

CLOUD SECURITY

Channel99 works within the security models provided by our cloud providers. Security groups filter traffic to and from resources, allowing only the connections their rules permit. Channel99 has adopted a role-based framework: access is provisioned through Identity and Access Management (IAM) roles, and a grant is evaluated against the role and context of the requesting entity (the grantee) rather than its source address alone. Environments are physically and logically separated by function, e.g. development, staging and production. Channel99’s corporate locations are insulated by firewall technologies, utilize active threat monitoring, and provide active traffic and log analysis on central security components and endpoints.

 

SYSTEM EVENT LOGGING, MONITORING AND ALERTING

Monitoring tools and services are used to monitor systems including network devices, security events, operating system events, resource utilization, user access audit records, cloud infrastructure and associated event logs, audit and security logs, application operations events and application account audit logs.

Alerting logic processes these events and actions are taken to initiate any applicable remediation. Logs of all production servers are stored and retrievable from a centralized repository.

 

APPLICATION SECURITY

At Channel99, security is integrated into the software development lifecycle (SDLC) process.

  • Design: Security implications are considered as part of the application design process.
  • Development: Peer review of source code is part of the SDLC process. Security checklists are included in the code review template so that engineers check for security flaws consistently as part of the review process.
  • Testing: Security testing is performed at various stages of the development lifecycle:
      • Automated tests: Security testing for business logic is automated as much as possible to catch regressions in existing features.
      • Manual tests: Manual security testing is conducted as part of release testing to flag any security issues.
      • Security scans: Static and dynamic application security tests are run regularly in production and development environments to detect and flag issues.
  • Vulnerability management: Security issues are triaged regularly, prioritized based on severity, and tracked to remediation in accordance with published SLAs.
 

DATA RETENTION AND DELETION

Confidential and sensitive data is retained only as long as required for legal, regulatory and business requirements. In addition, upon written request Channel99 deletes customer data within sixty days of notification.

 

ENCRYPTION IN TRANSIT

Channel99 encrypts traffic in transit with Transport Layer Security (TLS) using Channel99’s standard cipher suites whenever data crosses an untrusted network. This applies to external and internal communications. The cipher suites provide perfect forward secrecy: session keys are derived from ephemeral key exchanges and are never stored, so compromise of a long-term private key does not expose previously recorded sessions.
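The forward-secrecy property above depends entirely on which cipher suites a TLS endpoint is willing to negotiate. The following is an added example, not Channel99's published configuration or code: it builds a Python `ssl` client context restricted to TLS 1.2+ and ephemeral (ECDHE) key exchange, and audits any context for suites that lack forward secrecy. The cipher string `PFS_CIPHER_STRING` is an assumption for illustration, not Channel99's standard.

```python
import ssl

# Cipher string assumed for this example (not Channel99's published standard):
# only ECDHE key exchange with AEAD ciphers, so every TLS 1.2 suite offered
# provides perfect forward secrecy. TLS 1.3 suites are always ephemeral and
# are negotiated independently of this string.
PFS_CIPHER_STRING = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5"


def build_pfs_context() -> ssl.SSLContext:
    """Client context that refuses TLS < 1.2 and non-ephemeral key exchange."""
    ctx = ssl.create_default_context()  # certificate verification stays on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PFS_CIPHER_STRING)
    return ctx


def provides_pfs(cipher_name: str) -> bool:
    """Classify an OpenSSL cipher suite name by its key exchange.

    TLS 1.3 suites (TLS_...) always use (EC)DHE. TLS 1.2 suites prefixed
    ECDHE- or DHE- use ephemeral keys. Anything else, e.g. AES128-GCM-SHA256,
    uses static RSA key transport: whoever later obtains the server's private
    key can decrypt every recorded session, which is exactly what forward
    secrecy is meant to prevent.
    """
    return (cipher_name.startswith("TLS_")
            or cipher_name.startswith("ECDHE-")
            or cipher_name.startswith("DHE-"))


def non_pfs_suites(cipher_names) -> list:
    """Return the suites in cipher_names that lack forward secrecy."""
    return [name for name in cipher_names if not provides_pfs(name)]


def audit_context(ctx: ssl.SSLContext) -> list:
    """List every suite the context would offer that lacks forward secrecy."""
    return non_pfs_suites(c["name"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    ctx = build_pfs_context()
    print("offered suites:", [c["name"] for c in ctx.get_ciphers()])
    print("non-PFS suites offered:", audit_context(ctx))
    # Constructed weak list for contrast: the static-RSA suite is flagged.
    weak = ["AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
            "TLS_AES_128_GCM_SHA256"]
    print("flagged from weak list:", non_pfs_suites(weak))
```

Run the audit against the server side as well: the same name-based check applied to the cipher list a server actually negotiates (for example from a scanner's output) catches a static-RSA suite that a permissive default configuration would otherwise still accept.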

 

ENCRYPTION FOR DATA AT REST

Encryption of data applies to the following use cases:

  • Personal and Customer Data: Any field whose value identifies an individual Channel99 customer, e.g. a customer email address or phone number.
  • Tag Visit Metadata: Any data shared with Tag events, participating websites, or partners that has been separated from an individual identity but could still serve as an identifying field for analysis, e.g. a cookie value or the first three octets of an IP address.
 

ENCRYPTION FOR STORAGE/BACKUPS

  • Data storage: All Channel99 data stores are encrypted with Amazon S3 server-side encryption using keys held in AWS Key Management Service (KMS), regardless of data classification.
  • Key management: Keys used for data encryption and key encryption are stored in the cloud KMS.
  • Access management: Identity and Access Management (IAM) roles carry the encrypt/decrypt permissions, scoped by least-privilege policies on access to data.
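A default-encryption setting on a bucket does not by itself stop a caller from uploading an object under SSE-S3 or a different key, so the practitioner's check covers both the bucket's default encryption and a bucket policy that denies such uploads. The following is an added example, not Channel99's tooling: pure functions that evaluate the data shapes `boto3` returns from `s3.get_bucket_encryption()` and `s3.get_bucket_policy()`, run here over constructed sample inputs. The key ARN, bucket name and the two-statement Deny pattern are assumptions for illustration; the Deny pattern follows the AWS S3 user guide's pairing of a wrong-header statement with a missing-header (`Null`) statement.

```python
import json

# Hypothetical identifiers for this example; Channel99's real key IDs and
# bucket names are not published in the policy.
EXPECTED_KEY_ARN = ("arn:aws:kms:us-east-1:123456789012:key/"
                    "1234abcd-12ab-34cd-56ef-1234567890ab")
BUCKET_ARN = "arn:aws:s3:::channel99-example-bucket"
SSE_HEADER = "s3:x-amz-server-side-encryption"


def _as_list(value):
    """Policy JSON allows a single string or a list for Statement, Action, etc."""
    return value if isinstance(value, list) else [value]


def check_default_encryption(enc_config: dict, expected_key_arn: str) -> list:
    """Evaluate the dict boto3 returns from s3.get_bucket_encryption().
    An empty result means default encryption is SSE-KMS under the expected key."""
    rules = enc_config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return ["no default encryption rule"]
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {})
    findings = []
    if default.get("SSEAlgorithm") != "aws:kms":
        findings.append("default SSE algorithm is %r, expected 'aws:kms'"
                        % default.get("SSEAlgorithm"))
    if default.get("KMSMasterKeyID") != expected_key_arn:
        findings.append("default KMS key is not the expected customer-managed key")
    return findings


def check_put_policy(policy_json: str) -> list:
    """Default encryption only fills in a missing header; a client can still
    write an object with AES256 (SSE-S3) or under another KMS key. Look for
    two Deny statements on s3:PutObject: one rejecting a header value other
    than aws:kms, one rejecting a request with no encryption header at all."""
    policy = json.loads(policy_json)
    wrong_value_denied = missing_header_denied = False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if "s3:PutObject" not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {})
        if cond.get("StringNotEquals", {}).get(SSE_HEADER) == "aws:kms":
            wrong_value_denied = True
        if str(cond.get("Null", {}).get(SSE_HEADER, "")).lower() == "true":
            missing_header_denied = True
    findings = []
    if not wrong_value_denied:
        findings.append("policy does not deny PutObject with a non-KMS encryption header")
    if not missing_header_denied:
        findings.append("policy does not deny PutObject without an encryption header")
    return findings


def audit_bucket(enc_config: dict, policy_json: str,
                 expected_key_arn: str = EXPECTED_KEY_ARN) -> list:
    """Combined findings; empty means the bucket meets the at-rest standard."""
    return (check_default_encryption(enc_config, expected_key_arn)
            + check_put_policy(policy_json))


# Constructed sample inputs whose shapes mirror the boto3 responses.
COMPLIANT_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                           "KMSMasterKeyID": EXPECTED_KEY_ARN},
    "BucketKeyEnabled": True}]}}
WEAK_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
COMPLIANT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyWrongHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": BUCKET_ARN + "/*",
     "Condition": {"StringNotEquals": {SSE_HEADER: "aws:kms"}}},
    {"Sid": "DenyMissingHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": BUCKET_ARN + "/*",
     "Condition": {"Null": {SSE_HEADER: "true"}}}]})
EMPTY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": []})

if __name__ == "__main__":
    print("compliant bucket:", audit_bucket(COMPLIANT_ENC, COMPLIANT_POLICY))
    print("weak bucket:", audit_bucket(WEAK_ENC, EMPTY_POLICY))
```

Feeding the real responses in place of the constructed dicts turns this into a scheduled control check; a `NoSuchBucketPolicy` error from `get_bucket_policy()` should be treated as an empty policy, which the audit reports as two findings.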

 

4 DISASTER RECOVERY PLAN

Channel99 maintains a Disaster Recovery Plan in connection with our SaaS applications and a Business Continuity Plan. Both plans are reviewed, tested, and updated annually.

 

5 RISK MANAGEMENT

The Channel99 Risk Management process is designed to identify, assess, and prioritize security risks with the aim of minimizing, monitoring, and mitigating risks based on priority.

RISK MANAGEMENT PROCESS AND METHODOLOGY

The Channel99 Security team conducts a risk review of all business assets, processes and services (external and internal) at least annually in a series of meetings with key stakeholders and business owners. We use the Open Threat Taxonomy standard to guide the risk assessment exercise. All risks are reviewed against the four threat categories: physical, resource, personnel, and technical. A risk register is produced as the outcome of the review process, consisting of a prioritized list of identified risks. The risk register is presented to Channel99 Executive Management along with recommendations for minimizing and controlling the risks. Mitigation plans are formulated and executed.

In addition to annual reviews, an exceptional risk review is conducted whenever a major physical, environmental, personnel-related, regulatory, or technological change is undertaken.

THIRD-PARTY RISK MANAGEMENT

Channel99 requires all technology companies with integrations or access to customer or company confidential data to complete a security questionnaire, and execute a Data Processing Agreement as part of the onboarding and contract renewal process.

INCIDENT RESPONSE POLICY

The Channel99 Security team has an established incident management policy that defines the individuals responsible for responding to a security incident and their responsibilities during each phase of the incident response process: detection, analysis, containment, eradication, recovery, and post-incident activities. The policy also defines communication channels, escalation procedures, and procedures to record and track evidence during the incident investigation.

Suspected security incidents must be reported immediately to the Channel99 Security team by email via [email protected]. In addition, Channel99 customers can report security issues directly to the account manager responsible for their account, or by using the email link on our website to contact customer support.