Please read these Security Practices and Policies.
The purpose of this security policy is to ensure the protection of information and data security for SoaringEd, Inc. Products. This policy establishes high-level controls, assessments, and risk management practices to safeguard sensitive data and mitigate security risks. The policy also outlines the use of security controls, tools, and best practices to maintain a secure environment.
a. All data must be assessed and classified based on the Data Classification section below.
b. Apply relevant controls based on the data classification level.
All systems should undergo assessments against the policies and standards that apply to the regions and sectors they target, such as ISO 27001 and GDPR.
a. Rate risks, and scope the assessments that follow from them, using the OWASP Risk Rating Methodology.
Security Controls and Tools:
a. Use the following tools:
- SonarQube for static code analysis, executed in the CI pipelines.
- yarn audit for checking packages against known vulnerabilities.
- OWASP ZAP for automated security testing of web applications.
- AWS services: CloudTrail (API audit logging), GuardDuty (threat detection), Trusted Advisor (configuration and best-practice checks), Inspector (vulnerability scanning).
All applications must define cross-functional requirements, including security and privacy categories.
Approval of Major Changes:
The Chief Engineer must approve all major changes, with a specific focus on security controls and data privacy.
a. Conduct external third-party penetration testing at least annually on SoaringEd Products.
b. Perform internal security testing or audits quarterly on SoaringEd Products. Examples include:
- Penetration testing of Loree Design.
- Review audit logs of Crane Migration and its access controls.
- Patching critical external dependencies of the Xen.Ed servers.
Internal Cloud Patterns:
All systems must align with Internal Cloud Patterns, which highlight key controls and security considerations.
a. Release patch updates at least monthly.
b. Critical vulnerabilities must be patched at the earliest opportunity after discovery.
Automated Security Tests:
Run automated security tests, covering the OWASP Top 10 and known package vulnerabilities, for every system change.
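A pipeline gate is what turns the tool list above and this requirement into something that actually blocks a change. The following is an added example, not SoaringEd's own tooling: it reads the output of `yarn audit --json`, assumed here to be the Yarn 1 (classic) newline-delimited JSON format with one `auditAdvisory` record per finding and a closing `auditSummary`, applies a severity threshold, and honours a time-boxed exception list so that an approved exception (the policy requires Product Owner and Chief Engineer/CTO sign-off) cannot silently outlive its expiry date. The sample report, advisory ids, package names and versions are constructed for the example.

```python
"""Pipeline gate over `yarn audit --json` output.

Assumes the Yarn 1 (classic) format: one JSON object per line, with
"auditAdvisory" records for each finding and a final "auditSummary".
The sample report below is constructed for this example; advisory ids,
package names and versions are not real findings.
"""
import json
import sys
from datetime import date

SEVERITY_ORDER = ("info", "low", "moderate", "high", "critical")

# Constructed sample of what `yarn audit --json` prints (format assumed as above).
SAMPLE_AUDIT = "\n".join(json.dumps(r) for r in [
    {"type": "auditAdvisory", "data": {
        "resolution": {"id": 1001, "path": "lodash"},
        "advisory": {"id": 1001, "module_name": "lodash", "severity": "high",
                     "title": "Prototype Pollution", "patched_versions": ">=4.17.12"}}},
    {"type": "auditAdvisory", "data": {
        "resolution": {"id": 1002, "path": "minimist"},
        "advisory": {"id": 1002, "module_name": "minimist", "severity": "low",
                     "title": "Prototype Pollution", "patched_versions": ">=1.2.3"}}},
    {"type": "auditSummary", "data": {
        "vulnerabilities": {"info": 0, "low": 1, "moderate": 0, "high": 1, "critical": 0},
        "totalDependencies": 150}},
])


def severity_rank(severity: str) -> int:
    """Unknown severities rank above critical so the gate fails closed."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else len(SEVERITY_ORDER)


def parse_audit(ndjson: str) -> list:
    """Extract one finding per auditAdvisory record; non-JSON lines are skipped."""
    findings = []
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if record.get("type") != "auditAdvisory":
            continue
        adv = record["data"]["advisory"]
        findings.append({
            "id": adv["id"],
            "module": adv["module_name"],
            "severity": adv["severity"],
            "title": adv["title"],
            "patched": adv.get("patched_versions", "unknown"),
        })
    return findings


def blocking_findings(findings, threshold="high", exceptions=None, today=None):
    """Findings at or above `threshold` with no unexpired approved exception.

    `exceptions` maps advisory id -> ISO expiry date (YYYY-MM-DD) of an
    approved exception; ISO dates compare correctly as strings, and an
    expired exception no longer suppresses the finding.
    """
    today = today or date.today().isoformat()
    exceptions = exceptions or {}
    floor = severity_rank(threshold)
    blocking = []
    for finding in findings:
        if severity_rank(finding["severity"]) < floor:
            continue
        expiry = exceptions.get(finding["id"])
        if expiry is not None and expiry >= today:
            continue  # approved and still within its exception window
        blocking.append(finding)
    return blocking


def main(argv):
    """Usage: yarn audit --json | python audit_gate.py [threshold]"""
    threshold = argv[1] if len(argv) > 1 else "high"
    blocking = blocking_findings(parse_audit(sys.stdin.read()), threshold)
    for f in blocking:
        print(f"BLOCK {f['severity']:<8} {f['module']} (advisory {f['id']}): "
              f"{f['title']}, fixed in {f['patched']}")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A wrapper like this is needed because `yarn audit` alone returns a non-zero exit code whenever it finds anything at all (the code is a bitmask of the severities found), so `yarn audit || exit 1` either blocks on every informational advisory or gets disabled. The threshold and the exception list make the policy's "critical vulnerabilities at the earliest opportunity, exceptions only with approval" rule mechanical.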
Enable audit logging for all systems at all levels.
Conduct a risk assessment for all identified issues.
Exceptions to security policies must be approved by both the Product Owner and the Chief Engineer or CTO.
- Follow Zero Trust Architecture principles.
- Grant least-privilege access only.
- Enable Multi-Factor Authentication (MFA) and Single Sign-On (SSO) with Crystal Delta Active Directory for access to the Workplace service and cloud environments.
In a DevOps enabled environment, prioritize security to protect infrastructure and company assets. Rapidly and effectively address any security issues that arise.
Identity and Access Management:
AWS IAM: Centrally manage users, security credentials, and permissions using AWS Identity and Access Management (IAM). Use IAM roles for defining access permissions to AWS services and resources.
Controlled Use of Administrative Privileges: Tightly control administrative credentials, especially in a continuous-deployment and "infrastructure as code" environment. Administrative privileges should be exercised by the configuration management and orchestration systems, not made available to everyone who has access to the repository.
Secrets Management with AWS KMS: Use AWS Key Management Service (KMS) to manage the encryption keys that protect secrets and data; the secret values themselves live in a store such as AWS Secrets Manager or SSM Parameter Store, encrypted under a KMS key. Define access levels per developer and per project through key policies and IAM permissions. Log all key usage with AWS CloudTrail.
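The IAM and KMS rules above are only as strong as the policy documents that implement them, and the usual failure is not a missing control but an Allow statement that is broader than anyone intended. The following is an added example, not SoaringEd's own code: a small lint over IAM policy and KMS key policy JSON that flags the patterns which turn a developer or deployment policy into de-facto administrator access (`Action: "*"`, service-wide `svc:*`, mutating actions on `Resource: "*"`, `NotAction` in an Allow, and an open `Principal` with no `Condition`). The three policy documents are constructed for the example; account 111122223333 and the key id are the AWS documentation placeholders, and the role and parameter names are assumed.

```python
"""Least-privilege lint for IAM policy and KMS key policy documents.

Flags the Allow-statement patterns that quietly turn a developer or
deployment policy into administrator access. The policy documents below
are constructed for this example (account 111122223333 and the key id
are AWS documentation placeholders), not SoaringEd's own policies.
"""
import json
import sys

READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head", "Lookup", "Read")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action: str) -> bool:
    verb = action.split(":", 1)[-1]
    return verb.startswith(READ_ONLY_PREFIXES)


def lint_policy(policy, resource_is_self=False):
    """Return (Sid, problem) pairs for every Allow statement that over-grants.

    resource_is_self=True is for resource-based policies (KMS key policies,
    bucket policies), where Resource "*" means "this resource" and is normal.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        principal = stmt.get("Principal")

        if "NotAction" in stmt:
            findings.append((sid, "NotAction in an Allow grants every action not listed"))
        if "*" in actions:
            findings.append((sid, "Action '*' is full administrative access"))
        for action in actions:
            if action != "*" and action.endswith(":*"):
                findings.append((sid, f"service-wide wildcard {action}"))
        # Wildcards count as mutating; read-only verbs on "*" are tolerated here.
        mutating = [a for a in actions if a == "*" or a.endswith(":*") or not _is_read_only(a)]
        if mutating and "*" in resources and not resource_is_self:
            findings.append((sid, "mutating actions allowed on Resource '*'"))
        open_principal = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
        if open_principal and "Condition" not in stmt:
            findings.append((sid, "Principal '*' without a Condition: any AWS account can use this"))
    return findings


# Constructed: what a "give developers what they need" policy often ends up as.
BROAD_DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DevAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "S3Everything", "Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
    ],
}

# Constructed: a deployment role scoped to one parameter path, one key, one role (names assumed).
DEPLOY_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadParams", "Effect": "Allow",
         "Action": ["ssm:GetParameter", "ssm:GetParametersByPath"],
         "Resource": "arn:aws:ssm:ap-southeast-2:111122223333:parameter/app/prod/*"},
        {"Sid": "DecryptDeployKey", "Effect": "Allow", "Action": ["kms:Decrypt"],
         "Resource": "arn:aws:kms:ap-southeast-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
        {"Sid": "PassDeployRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::111122223333:role/app-deploy"},
    ],
}

# Constructed: a KMS key policy that lets any AWS account use the key.
OPEN_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OpenKey", "Effect": "Allow", "Principal": "*", "Action": "kms:*", "Resource": "*"},
    ],
}


if __name__ == "__main__":
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else BROAD_DEVELOPER_POLICY
    for sid, problem in lint_policy(policy):
        print(f"{sid}: {problem}")
```

Run it against every policy document checked into the infrastructure-as-code repository as part of the pipeline, and treat any finding as a change the Chief Engineer must approve rather than something to waive in the pull request. The `resource_is_self` switch matters: a KMS key policy legitimately says `Resource: "*"` for the key it is attached to, so the lint must not flag that, while the same statement in an identity policy is a finding.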
Data must be classified to ensure appropriate controls and protection measures are implemented. The data classifications are:
- Freely accessible to the public (e.g., user guides, press releases).
- Accessible to internal company personnel or authorized employees (e.g., internal communications, business plans).
- Requires specific authorization and/or clearance (e.g., TFNs (tax file numbers), cardholder data).
- Protected by laws and standards such as HIPAA and PCI DSS.
- Access to restricted data without authorization may lead to criminal charges, legal fines, or severe damage to the company.
- Includes proprietary information, research, and data protected by regulations.
We are working continuously to make our systems secure. If you find a security issue, whether you are a user or a security expert, please contact us at email@example.com. We will make sure the issue is fixed and an update released as soon as possible.