Security Practices
Please read these Security Practices and Policies.
Purpose
The purpose of this security policy is to ensure the protection of information and data security for SoaringEd, Inc. Products. This policy establishes high-level controls, assessments, and risk management practices to safeguard sensitive data and mitigate security risks. The policy also outlines the use of security controls, tools, and best practices to maintain a secure environment.
Policy
Data Classification
- All data must be assessed and classified based on the Data Classification section below.
- Apply relevant controls based on the data classification level.
Compliance and Assessments:
All systems should undergo assessments against relevant policies and standards, such as ISO 27001 and GDPR, based on targeted regions and sectors.
Risk Assessments:
- Risk levels and associated assessments will follow the OWASP Risk Assessment Methodology.
- Use the OWASP Risk Rating Methodology for risk evaluation.
Security Controls and Tools:
- Use the following tools:
- SonarQube for static code analysis executed in pipelines.
- Yarn audit for checking package vulnerabilities.
- OWASP ZAP for penetration testing of web applications.
- AWS Services: CloudTrail, GuardDuty, Trusted Advisor, Inspector.
Cross-Functional Requirements:
All applications must define cross-functional requirements, including security and privacy categories.
Approval of Major Changes:
The Chief Engineer must approve all major changes, with a specific focus on security controls and data privacy.
Controls
Penetration Testing
- Conduct external third-party penetration testing at least annually on SoaringEd Products.
- Perform internal security testing or audits quarterly on SoaringEd Products. Examples include:
- Penetration testing of Loree Design.
- Review audit logs of Crane Migration and its access controls.
Internal Cloud Patterns
All systems must align with Internal Cloud Patterns, which highlight key controls and security considerations.
Patch Releases:
- Release patch updates at least monthly.
- Critical vulnerabilities must be patched at the earliest opportunity after discovery.
Automated Security Tests:
Perform automated security tests, including OWASP Top 10 and package vulnerabilities, for all system changes.
Audit Logging
Enable audit logging for all systems at all levels.
Risk Assessment:
Conduct a risk assessment for all identified issues.
Exceptions
Exceptions to security policies must be approved by both the Product Owner and the Chief Engineer or CTO.
Security Practices:
- Practice Zero Trust Architecture methodologies
- Grant least privileged access only
- Enable Multi-Factor Authentication (MFA) and Single Sign-On (SSO) with Crystal Delta Active Directory for access to the Workplace service and Cloud Environments.
Data Classifications
Data must be classified to ensure appropriate controls and protection measures are implemented. The data classifications are:
Public Data:
Freely accessible to the public (e.g., user guides, press releases).
Internal-only Data:
Accessible to internal company personnel or authorised employees (e.g., internal communications, business plans).
Confidential Data:
Restricted Data:
Disclosure
We are working continuously to make our systems secure. If you do find any security issue, whether you are a user or a security expert, please reach out to us at contact@soaringed.com. We will make sure the issue is fixed and our systems updated as soon as possible.