CLOUD SECURITY POLICY
As part of its duty of care to its customers and adhering to best business practices, the Hubble Connected's cloud security policy ensures the confidentiality, integrity and availability of data stored, accessed and manipulated using cloud computing services. It establishes a framework of responsibility and actions required to meet regulatory requirements and security guidelines for cloud computing by a formal information security management program. This program provides a controlled and orderly method by which access to cloud-based Hubble Connected information systems is requested and granted, security of cloud-based systems and data is monitored and analysed, violations of cloud security are addressed and mitigated, and changes to cloud security systems and procedures are requested, tested, approved and communicated for audit and record keeping purposes.
1. This policy addresses all Hubble Connected technology, systems, data and networks implemented in private, hybrid and/or public cloud infrastructures, plus all other Hubble Connected assets implemented in cloud services.
2. Hubble Connected shall define cloud security processes and procedures; secure and utilize specialized software and systems to reduce the threat of cloud security breaches; regularly review the reports of security of the company’s perimeters and the cloud service vendor’s perimeters using penetration tests and other forensic methods; and document all information cloud procedures and controls.
3. Hubble Connected shall prepare and document information security and cybersecurity plans with a focus on cloud services; it shall facilitate the maintenance and review of those plans.
4. Hubble Connected shall periodically conduct a risk assessment of the internal and external threats and vulnerabilities of the IT environment, as applicable to all cloud environments.
5. Hubble Connected shall establish a policy for data media implemented in cloud services, its creation, storage and destruction.
6. Hubble Connected shall establish a policy for accessing Hubble Connected systems, networks, applications and files implemented in cloud services, both locally and remotely, including passwords and other cloud security access controls; this policy also includes authentication of Hubble Connected and non- Hubble Connected users.
7. Hubble Connected shall ensure that malware (e.g., viruses, spam, phishing attacks, denial-of-service attacks and other unauthorized access attempts) is prevented through the use of antivirus software and other appropriate prevention and detection resources. It shall ensure that cloud service vendors have similar antimalware capabilities and that the use of those services shall be approved by Hubble Connected.
8. Hubble Connected shall establish and document a formal process for identifying a possible breach in cloud-based network perimeters (e.g., denial-of-service attack, phishing), assessing the breach, determining the nature and possible impact of the breach, notifying management of the breach, minimizing the impact of the breach as quickly as possible, and documenting the steps taken when dealing with the incident. This process shall apply to all cloud environments, whether internal, hybrid and/or public clouds.
9. Hubble Connected shall establish and document a formal process for identifying a possible internal cloud security breach (e.g., theft of information, social engineering, unauthorized access to systems), assessing the breach, determining the nature and possible impact of the breach, notifying management of the breach, minimizing the impact of the breach as quickly as possible, and documenting the steps taken when dealing with the incident.
10. Hubble Connected shall provide cloud security education, training and awareness programs.
11. Hubble Connected shall include business continuity and disaster recovery in its cloud security controls.
12. Hubble Connected shall define consequences of violations of cloud security policy.
13. Hubble Connected shall define how cloud security incidents are reported and managed.
14. Hubble Connected, in collaboration with the company legal department, shall prepare and have executed the appropriate service level agreements (SLAs) with cloud service providers to ensure acceptable third-party cloud vendor performance.
15. Data in use at Hubble Connected, whether at rest or in motion, within any approved cloud environment, must be encrypted.
16. Hubble Connected employees must sign an employee contract agreeing to accept and comply with organisation policies including the ones which have been established as cloud security policies at the time they are hired and on a regular basis (e.g., annually) through the employee handbook and/or in contract renewals to account for policy changes over time as per the acceptable usage policy of the organisation.
17. All proposed changes to cloud security operations are to be documented in detail.
18. Cloud security breaches that may impact Hubble Connected’s operations are identified in the company’s information security management system and associated plans.
19. Hubble Connected shall develop a schedule of all relevant cloud security activities and shall ensure that these activities are completed on time.
20. Hubble Connected shall ensure all cloud security policies and associated procedures shall comply with appropriate legislative, regulatory and contractual requirements, as well as accepted standards and good practice.
21. All proposed changes to this cloud security policy are to be processed and documented by the company’s change management system.