Security Practices

Please read these Security Practices and Policies.

Purpose

The purpose of this security policy is to ensure the protection of information and data security for SoaringEd, Inc. Products. This policy establishes high-level controls, assessments, and risk management practices to safeguard sensitive data and mitigate security risks. The policy also outlines the use of security controls, tools, and best practices to maintain a secure environment.

Policy

Data Classification

a. All data must be assessed and classified based on the Data Classification section below.

b. Apply relevant controls based on the data classification level.

Compliance Assessments:

All systems should undergo assessments against relevant policies and standards, such as ISO 27001 and GDPR, based on targeted regions and sectors.

Risk Assessment:

a. Risk levels and associated assessments will follow the OWASP Risk Assessment Methodology.

b. Use the OWASP Risk Rating Methodology for risk evaluation.

Security Controls and Tools:

Use the following tools:

  • SonarQube for code analysis executed in pipelines.
  • yarn audit for checking package vulnerabilities.
  • OWASP ZAP for penetration testing of web applications.
  • AWS services: CloudTrail, GuardDuty, Trusted Advisor, Inspector.

Cross-Functional Requirements:

All applications must define cross-functional requirements, including security and privacy categories.

Approval of Major Changes:

The Chief Engineer must approve all major changes, with a specific focus on security controls and data privacy.

Controls

Penetration Testing

a. Conduct external third-party penetration testing at least annually on SoaringEd Products.

b. Perform internal security testing or audits quarterly on SoaringEd Products. Examples include:

  • Penetration testing of Loree Design.
  • Review of the audit logs for Crane Migration and its access controls.
  • Patching of critical external dependencies for Xen.Ed servers.

Internal Cloud Patterns

All systems must align with Internal Cloud Patterns, which highlight key controls and security considerations.

Patch Releases:

a. Release patch updates at least monthly.

b. Critical vulnerabilities must be patched at the earliest opportunity after discovery.

Automated Security Tests:

Perform automated security tests, covering the OWASP Top 10 and package vulnerabilities, for all system changes.

Audit Logging

Enable audit logging for all systems at all levels.

Risk Assessment:

Conduct a risk assessment for all identified issues.

Exceptions

Exceptions to security policies must be approved by the Product Owner together with either the Chief Engineer or the CTO.

Security Practices:

  • Practice Zero Trust Architecture methodologies.
  • Grant least-privilege access only.
  • Enable Multi-Factor Authentication (MFA) and Single Sign-On (SSO) with Crystal Delta Active Directory for access to the Workplace service and Cloud Environments.

Cloud Security

Software Security

In a DevOps-enabled environment, prioritize security to protect infrastructure and company assets. Rapidly and effectively address any security issues that arise.

Identity and Access Management:

AWS IAM: Centrally manage users, security credentials, and permissions using AWS Identity and Access Management (IAM). Use IAM roles for defining access permissions to AWS services and resources.

Controlled Use of Administrative Privileges: Control administrative credentials, especially in a continuous deployment and “infrastructure as code” environment. Administrative privileges should be exercised by configuration management and orchestration systems, and must not be available to everyone with repository access.

Secrets Management with AWS KMS: Use AWS Key Management Service (KMS) to manage secrets and encrypt data. Define access control levels for developers and projects. Log key usage with AWS CloudTrail.

Data Classifications

Data must be classified to ensure appropriate controls and protection measures are implemented. The data classifications are:

Public data:

Freely accessible to the public (e.g., user guides, press releases).

Internal-only data:

Accessible to internal company personnel or authorized employees (e.g., internal communications, business plans).

Confidential data:

Requires specific authorization and/or clearance (e.g., Tax File Numbers (TFNs), cardholder data).
Protected by laws and standards such as HIPAA and PCI DSS.

Restricted data:

Access to restricted data without authorization may lead to criminal charges, legal fines, or severe damage to the company.
Includes proprietary information, research, and data protected by regulations.

Disclosure

We are working continuously to make our systems secure. If you find any security issue, whether you are a user or a security expert, please reach out to us at support@soaringed.com. We will make sure the issue is fixed and the product updated as soon as possible.

SoaringEd, Inc.