Information Security Policy

  1. Purpose, Overview, and Applicability
    1. The purpose of this policy is as follows:
      1. Ensure that the company’s information resources are appropriately protected from destruction, alteration, or unauthorized access.
      2. Ensure that this protection is accomplished in a manner consistent with the business and workflow requirements of the company.
      3. Ensure that industry best security practices are implemented in order to reduce vulnerabilities, increase safety, and provide the company with guidance on the expected threats.
      4. Provide a concise set of standards for securing systems and networks, in order to attain consistency across the entire information infrastructure.
      5. Provide an information security management system that supports compliance with present and future applicable laws and regulations.
      6. Define Akeyless’ obligations regarding privacy, private information and especially personally identifiable information (PII).
  2. Definitions
    1. Information Security – All technological and organizational means used to mitigate risk to the confidentiality, integrity, and availability of information stored in IT systems.
    2. CISO – The person responsible for the overall information security program, ensuring adequate protection of the company’s information assets and technology.
    3. Identification – The means of identifying a person or system that attempts to access, or is authorized for, processes in an IT system.
    4. Sensitive Information – Data defined as sensitive by the company’s management.
    5. User – A unique and identifiable entity within a system that represents a person or a service.
    6. Password – A string of characters known only to the user, entered as part of the logon process to confirm the user’s claimed identity (authentication).
    7. Information Security Management System (ISMS) – A long-term framework that aims to enhance information security throughout the organization (as defined in the ISO/IEC 27001 framework).
  3. Board and Management Commitment
    1. Consistent with their responsibility for proper management of the company, the company’s management and board of directors are committed to maintaining a high level of information security.
    2. The company’s management is obliged to provide adequate resources to maintain an appropriate level of information security in the company and to budget for an annual work plan.
    3. The company’s management has defined the ISMS as a cornerstone of its security and technological viewpoint.

  4. Information Security Goals
    The company’s information security goals are as follows:
    1. Allow the company to maintain the confidentiality, integrity, and availability of information.
    2. Protect the company’s and customers’ information from unauthorized and malicious activity by effectively and efficiently implementing an information security management system.
    3. Enable the company’s business strategy and maintain services for customers in a manner consistent with the proper application of security and privacy guidance and risk management.
    4. Serve as the basis for information security policies, procedures and controls.
    5. Provide guidance on how to locate and manage risks and exposures of information stored in the system, including prints, scans, tapes, or other hard copies.
    6. Define tools and processes required to actively enhance the security awareness of the company’s personnel and suppliers. 
  5. Information Security Business Principles
    The company’s information security business principles are as follows:
    1. Create a security culture through information security governance.
    2. Assess risks through understanding, evaluating, and testing.
    3. Enforce the information security policy through technological processes (where applicable), education, monitoring, and metrics.
    4. Adhere to applicable regulatory requirements, including international and local laws and regulations.
  6. Organization of Information Security
    1. The company’s organizational chart is in Appendix A.
    2. The organization of information security is led by the CISO, who is appointed by Akeyless’ management. The CISO’s responsibilities are as follows:
      • Presenting information security topics to the management.
      • Providing the board of directors with an annual information security review.
      • Leading the Steering Committee.
      • Implementing the information security policy and procedures and providing guidance on implementation to relevant personnel.
      • Initiating and implementing an annual work plan.
      • Performing audits on information security implementation in the Company.
      • Investigating and handling information security events and breaches.
      • Conducting information security awareness training.
      • Defining, developing and integrating processes and tools related to information security.
      • Defining the information security levels of the information systems and their components, in compliance with decisions of the Steering Committee.
      • Handling responses to security incidents and malfunctions.
      • Specifying processes and methods for the levels of sensitivity and information classification to which third parties may be exposed.
    3. Technical information security controls are implemented by either the DevOps or the IT team.
    4. Akeyless runs an information security steering committee with the following charter:
      1. The information security steering committee (the “Steering Committee”) is the highest body dictating the information security strategy and approving information security plans.
      2. The members of the Steering Committee are: 
        • President
        • CEO 
        • CTO
        • VP R&D
        • CISO
      3. The Information Security Steering Committee meets at least once every three months.
  7. Security of Human Resources
    Aspects of information security are implemented by the company in all the procedures and stages of recruitment and employment of employees, as specified hereunder:
    1. Prior to employment:
      1. It is the responsibility of the company to ensure that each employee of the company and each third-party employee (contractor’s employee) is suitable for the intended position, and that the employee fully understands the responsibilities imposed on him or her, in order to prevent failures, fraud, or abuse of information and assets of either the company or its customers.
      2. The management of the company shall define with respect to each of the roles in the company: 
        • The necessary qualifications
        • Responsibility and authority
        • Requirements of reliability
        • Access rights to information systems
      3. Employee reliability will be determined through a process of multiple interviews and gathering of recommendations. Employees of third-party providers engaged in delivering services to the company will be interviewed, and two references will be obtained and checked. 
      4. Each employee, at any hierarchic level whatsoever, shall sign a confidentiality agreement, whereby the employee will maintain the rules of information security and privacy, as a condition of working with the company. 
      5. Prior to commencement of work with the company, a new employee will undergo a security and privacy training, in order to become familiarized with the company and its policies, including but not limited to information security.
    2. Within the process of employment:
      1. The CISO is responsible for holding periodic training for all employees, at least annually, in order to increase their awareness of the following issues:
        • Information security policy.
        • Familiarization with possible risks and threats to the company and to the information. 
        • Proper and ethical utilization of assets of the company. 
        • Manner of protection against possible failures. 
        • Manner of conduct upon occurrence of an exceptional event. 
        • Proper and correct use of protections and controls. 
        • Rules of usage of information systems of the company. 
    3. Completion of employment or change of positions:
      1. The HR manager is responsible for ensuring that employees, contractual employees or third-party users of the information systems will leave the organization or change positions in an orderly and safe manner. 
      2. If an employee changes position in the company, access authorizations and controls given to the employee in the employee’s previous position should be examined to determine whether it is suitable to continue them. As a default, the authorizations of the previous position shall be revoked, and new authorizations suitable for the new position will be given to the employee.
      3. If an employee leaves the company, for any reason, the HR manager should verify that: 
        • All means by which the employee could access company information, supporting systems and assets, whether from inside or outside the company, have been revoked.
        • The employee returned all the assets and equipment that belong to the company (computer equipment, documents, etc.). 
        • The employee received guidance with respect to ongoing commitment to the information of the company and its protection. 
      4. Training and awareness
        1. Every employee will attend annual information security awareness training. 
        2. Every new employee must attend an information security awareness training within one month of commencing employment at the company. 
        3. On completion of the information security awareness training, each employee must sign a statement confirming that they have attended the training, understood the material presented, and had an opportunity to ask questions.
    4. Privacy
      Human resources information is private by its nature and must be secured accordingly:
      1. Employee and candidate information must be stored in a dedicated HR application or in restricted folders.
      2. Private information must never be shared via email or any other insecure communication method.
  8. Asset Management and Risk Assessment Approach
    1. A periodic risk assessment is the basis for ongoing information security activity. The assessment covers both the technological and the non-technological aspects of information security.
    2. The risk assessment shall include identifying assets and the risks related to them, internal and external audits, penetration tests, and system configuration reviews, and shall rate risks by their potential impact and likelihood of occurrence. The assessments and surveys shall be performed in accordance with business requirements and professional advice.
    3. The risk assessment shall aid in building the work plan that aims to minimize organizational and technological risks, as well as in planning specific IT activities.

  9. Access Control
    Access control management is detailed in 05 Akeyless User Access Rights Procedure.
  10. Cryptographic Controls
    Cryptographic controls are detailed in 15 Akeyless – Encryption and Key Management Policy.
  11. Physical Security
    1. Access security to company offices
      1. The entrance to company premises shall be secured and monitored at all times (during work hours and thereafter).
      2. The entrance doors to the offices shall be closed and locked at all times.
      3. Upon completion of the workday, the offices of the company shall be locked and the alarm of the security company shall be activated.
    2. Security in work areas
      1. Employees of the company work at different locations, including at home and in public places. In public places, employees shall keep their laptops with them at all times, including when getting up from their seats.
      2. If a situation arises that requires an employee to leave a laptop unattended, the computer shall be locked with a password-protected screen lock.
      3. When going on vacation, employees shall turn off their computers or put them into hibernate mode (unlike sleep, both states require the disk-encryption passphrase on resume, so full-disk encryption protects the data at rest).

  12. Clear Desk and Screen
    1. Non-electronic information and equipment
      1. Where practically possible, paper should be stored in suitable forms of secure furniture when not in use, especially outside working hours.
      2. At the end of each session, all sensitive information should be removed from the workplace and stored in a locked area. This includes all personal information, as well as business-critical information such as salaries and contracts.
      3. All staff are responsible for ensuring that any hard-copy documents which could be classed as company intellectual property are shredded once they are no longer required and do not legally need to be retained.
      4. Hard copies containing PII (e.g. candidate resumes) must be shredded when they are no longer needed.
      5. Hard copies of sensitive information or that contain PII must be kept in a locked drawer or cabinet when not in use.
      6. Confidential, sensitive or classified information, or PII when printed, should be cleared from printers immediately.
    2. Electronic or computerized information and equipment
      1. Electronic data and equipment will not be treated differently from manual records and equipment, as they contain the same type of confidential and personal information. Computing and all other equipment containing data will therefore be treated with the same level of security as paper-based resources.
      2. Computers and laptops must not be left logged on when unattended, and must be protected by passwords, screen locks and other controls. The options available will depend on the type of equipment. Any concerns should be raised with the CISO.
      3. Screens must be locked by the user when leaving their computer terminal, irrespective of the amount of time spent away from the unattended screen. All computers should have an auto-lock after 15 minutes of non-use.
      4. Sensitive items such as personal identifiers must be cleared from printers and fax machines immediately on completion. If these are no longer required, the items must be shredded or sent for secure disposal.

  13. Change Management
    All change management aspects are covered in 11 Akeyless – Change Management and Segregation of Duties.
  14. Communication Security
    All aspects of communication security are detailed in 15 Akeyless – Encryption and Key Management Policy.
  15. Secure Development
    Secure development is detailed in 04 Akeyless Secure Development Policy.
  16. Vendor Security
    All aspects of vendor security are covered in 12 Akeyless – Vendor Security Management Policy.
  17. Incident Response Plan
    All security incident aspects are detailed in 03 Akeyless Information Security Incident Response and Breach Policy.
  18. Business Continuity Plan
    All aspects of business continuity are detailed in 11 Business Continuity Plan.
  19. Data Classification
    1. Sensitive information must be identified as such and handled securely according to its level of sensitivity. Akeyless has defined the following sensitivity levels:
      • Confidential
      • Internal
      • Public
    2. Confidential refers to information whose exposure may result in severe damage to Akeyless’ business, including financial loss, damage to reputation, and non-compliance with laws and regulations. For example:
      • Akeyless internal information with limited access
      • Personally identifiable information (PII)
      • Customer confidential information
      Confidential information must be kept in restricted-access folders or systems, or in locked cabinets.
    3. Internal refers to information whose exposure may result in some damage to Akeyless. For example:
      • Akeyless internal communication
      • Akeyless financial information (unless classified differently)
      Internal information must be kept in internal systems maintained or used by Akeyless.
    4. Public refers to information whose exposure will not have any effect on Akeyless, such as information that has been approved for release to the public. Public information may be kept on any storage medium.
    5. To ensure the security of documents in general, all documents created within the company are treated as Internal (company-confidential) information unless specifically designated otherwise.
  20. Compliance
    Identified relevant laws and regulations are detailed in 01 Akeyless IS Policy Statement.
  21. Customer Data Protection
    1. Customer data is accessible only to the customer’s own users. All stored data is kept encrypted.
    2. Each customer is provisioned with a unique ID. All application processes are keyed on that per-customer unique ID, to help ensure that no cross-customer data access occurs.
    3. Data is encrypted in transit.
    4. Data at rest (on servers, file storage and databases) is encrypted using Akeyless DFC technology together with standard encryption technology.

  22. Patch and Vulnerability Management
    1. Vulnerabilities in the Akeyless platform may be identified during a penetration test, through the bug bounty program, or by an independent researcher.
    2. Identified vulnerabilities will be remediated according to the following timetable, measured from the time of identification:
      • Critical – As soon as possible, and no later than one week.
      • High – No later than one month.
      • Medium – No later than three months.
      • Low – On a best-effort basis, subject to availability.
  23. Responsibility
    1. The CISO is responsible for implementing and maintaining this policy.
    2. Each employee is responsible for complying with this policy.

  24. Document Revision History

    Author            Revision  Comments                        Date        Approved by
    Evgeny Pesetsky   1.0       Release version                 01/04/2020
    Yuval Yelin       2.0       Update version                  25/04/2021  Shai Onn
    Yuval Yelin       2.1       Rearranging sections            02/09/2021  Shai Onn
    Yuval Yelin       2.2       Added privacy to HR section     25/10/2021  Shai Onn
    Yuval Yelin       2.3       Adjust to SoA chapters          08/12/2021  Shai Onn
    Yuval Yelin       2.4       Added patch management          19/01/2022  Shai Onn
    Yuval Yelin       2.5       Added clean desk and screen     30/05/2022  Shai Onn

Appendix A – Organizational Chart