Rodrigo Rodriguez (Pragmatismo) b7ff346c1f - From 8 to 13.5

2025-11-24 13:02:30 -03:00

30 KiB

Raw Blame History

General Bots Security Policy

Overview

This comprehensive security policy establishes the framework for protecting General Bots systems, data, and operations. It covers information security, access control, data protection, incident response, and ongoing maintenance procedures.

1. Information Security Policy

1.1 Purpose and Scope

This Information Security Policy applies to all users, systems, and data within the General Bots infrastructure. It establishes the standards for protecting confidential information, maintaining system integrity, and ensuring business continuity.

1.2 Information Classification

We classify information into categories to ensure proper protection and resource allocation:

Unclassified: Information that can be made public without implications for the company (e.g., marketing materials, public documentation)
Employee Confidential: Personal employee data including medical records, salary information, performance reviews, and contact details
Company Confidential: Business-critical information such as contracts, source code, business plans, passwords for critical IT systems, client contact records, financial accounts, and strategic plans
Client Confidential: Client personally identifiable information (PII), passwords to client systems, client business plans, new product information, and market-sensitive information

1.3 Security Objectives

Our security framework aims to:

Request your free IT security evaluation • Reduce the risk of IT problems • Plan for problems and deal with them when they happen • Keep working if something does go wrong • Protect company, client and employee data • Keep valuable company information, such as plans and designs, secret • Meet our legal obligations under the General Data Protection Regulation and other laws • Meet our professional obligations towards our clients and customers

This IT security policy helps us achieve these objectives.

1.4 Roles and Responsibilities

• Rodrigo Rodriguez is the director with overall responsibility for IT security strategy • Pragmatismo Data Center is the IT partner organisation we use to help with our planning and support • Pragmatismo Data Center is the data protection officer to advise on data protection laws and best practices • All employees are responsible for following security policies and reporting security incidents • System administrators are responsible for implementing and maintaining security controls • Department heads are responsible for ensuring their teams comply with security policies

1.5 Review Process

We will review this policy yearly, with the next review scheduled for [Date]. In the meantime, if you have any questions, suggestions or feedback, please contact security@pragmatismo.com.br

2. Access Control Policy

2.1 Access Management Principles

Least Privilege: Users receive only the minimum access rights necessary to perform their job functions
Need-to-Know: Access to confidential information is restricted to those who require it for their duties
Separation of Duties: Critical functions are divided among multiple people to prevent fraud and error
Regular Reviews: Access rights are reviewed quarterly to ensure they remain appropriate

2.2 User Account Management

Account Creation:

New accounts are created only upon approval from the user's manager
Default accounts are disabled immediately after system installation
Each user has a unique account; shared accounts are prohibited

Account Modification:

Access changes require manager approval
Privilege escalation requires security team approval
All changes are logged and reviewed monthly

Account Termination:

Accounts are disabled within 2 hours of employment termination
Access is revoked immediately for terminated employees
Contractor accounts expire automatically at contract end
All company devices and access credentials must be returned

2.3 Access Review Procedures

Monthly Reviews:

Review privileged account usage
Check for inactive accounts (>30 days)
Verify administrative access justification

Quarterly Reviews:

Department heads review all team member access
Remove unnecessary permissions
Document review results and actions taken

Annual Reviews:

Comprehensive review of all user accounts
Validate role-based access assignments
Audit system administrator privileges

3. Password Policy

3.1 Password Requirements

Complexity:

Minimum 12 characters for standard users
Minimum 16 characters for administrative accounts
Must include: uppercase, lowercase, numbers, and special characters
Cannot contain username or common dictionary words

Lifetime:

Standard accounts: 90-day rotation
Administrative accounts: 60-day rotation
Service accounts: 180-day rotation with documented exceptions

History:

System remembers last 12 passwords
Cannot reuse previous passwords

3.2 Password Storage and Transmission

All passwords are hashed using Argon2id algorithm
Passwords are never stored in plaintext
Passwords are never transmitted via email or unencrypted channels
Password managers are recommended for secure storage

3.3 Multi-Factor Authentication (MFA)

Required For:

All administrative accounts
Remote access connections
Access to confidential data
Financial system access

MFA Methods:

Time-based One-Time Passwords (TOTP) - Preferred
Hardware tokens (YubiKey, etc.)
SMS codes - Only as backup method
Biometric authentication where available

4. Data Protection Policy

4.1 Data Encryption

Encryption at Rest:

Database: AES-256-GCM encryption for sensitive fields
File storage: AES-256-GCM for all uploaded files
Backups: Encrypted before transmission and storage
Mobile devices: Full-disk encryption required

Encryption in Transit:

TLS 1.3 for all external communications
mTLS for service-to-service communication
VPN required for remote access
Certificate pinning for critical services

4.2 Data Retention and Disposal

Retention Periods:

User data: Retained as long as account is active + 30 days
Audit logs: 7 years
Backups: 90 days for full backups, 30 days for incremental
Email: 2 years unless legal hold applies

Secure Disposal:

Digital data: Secure deletion with overwrite
Physical media: Shredding or degaussing
Certificates of destruction maintained for 3 years

We will only classify information which is necessary for the completion of our duties. We will also limit access to personal data to only those that need it for processing. We classify information into different categories so that we can ensure that it is protected properly and that we allocate security resources appropriately: • Unclassified. This is information that can be made public without any implications for the company, such as information that is already in the public domain. • Employee confidential. This includes information such as medical records, pay and so on. • Company confidential. Such as contracts, source code, business plans, passwords for critical IT systems, client contact records, accounts etc. • Client confidential. This includes personally identifiable information such as name or address, passwords to client systems, client business plans, new product information, market sensitive information etc.

User Rights:

Right to access personal data
Right to correction of inaccurate data
Right to deletion (right to be forgotten)
Right to data portability
Right to restrict processing

Data Breach Notification:

Breach assessment within 24 hours
Notification to authorities within 72 hours if required
User notification without undue delay
Documentation of all breaches

5. Incident Response Plan

5.1 Incident Classification

Severity Levels:

Critical (P1):

Active data breach with confirmed data exfiltration
Ransomware infection affecting production systems
Complete system outage affecting all users
Compromise of administrative credentials

High (P2):

Suspected data breach under investigation
Malware infection on non-critical systems
Unauthorized access attempt detected
Partial system outage affecting critical services

Medium (P3):

Failed security controls requiring attention
Policy violations without immediate risk
Minor system vulnerabilities discovered
Isolated user account compromise

Low (P4):

Security alerts requiring investigation
Policy clarification needed
Security awareness issues
Minor configuration issues

5.2 Incident Response Procedures

Detection and Reporting (0-15 minutes):

Security incident detected via monitoring or reported by user
Initial assessment to determine severity
Incident logged in tracking system
Security team notified immediately for P1/P2, within 1 hour for P3/P4

Containment (15 minutes - 2 hours):

Isolate affected systems from network
Disable compromised accounts
Preserve evidence for investigation
Implement temporary security controls
Notify management and stakeholders

Investigation (2-24 hours):

Gather logs and forensic evidence
Analyze attack vectors and scope
Identify root cause
Document findings
Determine if external authorities need notification

Eradication (1-3 days):

Remove malware and unauthorized access
Patch vulnerabilities
Reset compromised credentials
Apply additional security controls
Verify systems are clean

Recovery (1-5 days):

Restore systems from clean backups if needed
Gradually return systems to production
Enhanced monitoring for re-infection
Validate system functionality
User communication and support

Post-Incident Review (Within 1 week):

Document complete incident timeline
Analyze response effectiveness
Identify lessons learned
Update security controls
Improve detection capabilities
Update incident response procedures

5.3 Contact Information

Internal Contacts:

Security Team: security@pragmatismo.com.br
IT Support: support@pragmatismo.com.br
Management: Rodrigo Rodriguez

External Contacts:

Law Enforcement: [Local authorities]
Legal Counsel: [Legal firm contact]
Data Protection Authority: [DPA contact]
Cyber Insurance: [Insurance provider]

5.4 Communication Plan

Internal Communication:

Immediate: Security team and management
Within 2 hours: Affected department heads
Within 4 hours: All staff if widespread impact
Daily updates: During active incidents

External Communication:

Customers: Within 24 hours if their data affected
Partners: Within 12 hours if systems shared
Authorities: Within 72 hours per GDPR requirements
Public/Media: Only through designated spokesperson

6. Backup and Recovery Procedures

6.1 Backup Schedule

Full Backups:

Weekly on Sundays at 2:00 AM
All databases, file storage, and configurations
Retention: 12 weeks
Stored in geographically separate location

Incremental Backups:

Daily at 2:00 AM
Changed files and database transactions only
Retention: 30 days
Stored locally and replicated off-site

Continuous Backups:

Database transaction logs every 15 minutes
Critical configuration changes immediately
Retention: 7 days
Enables point-in-time recovery

6.2 Backup Verification

Automated Testing:

Daily: Backup completion verification
Weekly: Sample file restoration test
Monthly: Full database restoration test to isolated environment

Manual Testing:

Quarterly: Full disaster recovery drill
Bi-annually: Complete system restoration to alternate site
Annually: Business continuity exercise with stakeholders

6.3 Recovery Procedures

Recovery Time Objective (RTO):

Critical systems: 4 hours
Important systems: 24 hours
Non-critical systems: 72 hours

Recovery Point Objective (RPO):

Critical data: 15 minutes
Important data: 24 hours
Non-critical data: 1 week

Recovery Steps:

Assess damage and determine recovery scope
Verify backup integrity before restoration
Restore to isolated environment first
Validate data integrity and completeness
Test system functionality
Switch users to recovered systems
Monitor for issues
Document recovery process and timing

7. Change Management Procedures

7.1 Change Categories

Standard Changes:

Pre-approved routine changes
Security patches (within 48 hours of release)
User account modifications
No approval needed beyond manager sign-off

Normal Changes:

Non-emergency changes requiring testing
Software updates and new features
Infrastructure modifications
Requires Change Advisory Board approval

Emergency Changes:

Critical security patches
System outage fixes
Active threat mitigation
Expedited approval from Security Director

7.2 Change Request Process

Submission: Complete change request form with details
Risk Assessment: Evaluate potential security impact
Approval: Get appropriate approvals based on change type
Testing: Test in non-production environment
Scheduling: Schedule during maintenance window
Implementation: Execute change with rollback plan ready
Verification: Confirm change successful
Documentation: Update configuration documentation

7.3 Change Testing Requirements

Test Cases:

Functionality validation
Security control verification
Performance impact assessment
User acceptance testing
Rollback procedure verification

Test Environments:

Development: Individual developer testing
Staging: Integration and security testing
Pre-production: User acceptance testing
Production: Phased rollout with monitoring

8. Security Incident Procedures

8.1 Reporting Security Incidents

How to Report:

Email: security@pragmatismo.com.br
Phone: [Security hotline]
Web form: [Internal incident reporting portal]
In-person: Contact IT department

What to Report:

Suspicious emails or phishing attempts
Lost or stolen devices
Unauthorized access or unusual system behavior
Malware alerts
Data leaks or exposures
Policy violations
Security concerns or vulnerabilities

When to Report:

Immediately for critical incidents
Within 1 hour for high-priority incidents
Same business day for medium/low priority

8.2 Employee Response to Incidents

Do:

Report immediately to security team
Preserve evidence (don't delete suspicious emails)
Disconnect device from network if compromised
Document what happened
Follow instructions from security team

Don't:

Try to fix the problem yourself
Delete or modify potential evidence
Discuss incident on social media
Blame others
Ignore suspicious activity

9. Data Breach Response Procedures

9.1 Immediate Response (0-24 hours)

Containment: Stop ongoing breach
Assessment: Determine scope and data affected
Notification: Alert security team and management
Evidence: Preserve logs and forensic data
Documentation: Begin incident timeline

9.2 Investigation Phase (1-3 days)

Forensics: Detailed analysis of breach
Scope Determination: Identify all affected systems and data
Root Cause: Determine how breach occurred
Impact Analysis: Assess damage and risks
Legal Review: Consult with legal team on obligations

9.3 Notification Requirements

Internal Notification:

Management: Immediate
Legal: Within 2 hours
PR/Communications: Within 4 hours
Affected departments: Within 8 hours

External Notification:

Data Protection Authorities: Within 72 hours (GDPR requirement)
Affected individuals: Without undue delay
Business partners: Within 24 hours if their data affected
Law enforcement: As required by jurisdiction

9.4 Remediation and Prevention

Apply security patches and fixes
Reset compromised credentials
Enhance monitoring and detection
Update security controls
Provide additional security training
Review and update policies
Implement lessons learned

10. Regular Maintenance Tasks

10.1 Weekly Tasks

Security Updates:

Review and apply critical security patches
Update antivirus/antimalware signatures
Review security alerts and events
Check backup completion status
Monitor system resource usage

Automated Processes:

Vulnerability scans run automatically
Log analysis and correlation
Backup integrity checks
Certificate expiration monitoring

10.2 Monthly Tasks

Access Reviews:

Review new user accounts created
Audit privileged account usage
Check for inactive accounts (>30 days)
Review failed login attempts
Validate group membership

System Maintenance:

Apply non-critical patches
Review system performance metrics
Update system documentation
Test disaster recovery procedures
Review incident reports

10.3 Quarterly Tasks

Compliance Audits:

Review security policy compliance
Audit access controls and permissions
Verify encryption implementations
Check backup and recovery processes
Validate security configurations

Security Assessments:

Internal vulnerability assessments
Phishing simulation exercises
Security awareness training
Review third-party security
Update risk assessments

10.4 Annual Tasks

Penetration Testing:

External penetration test by certified firm
Internal network penetration test
Application security testing
Social engineering assessment
Remediation of findings within 90 days

Disaster Recovery Testing:

Full disaster recovery drill
Alternate site failover test
Business continuity exercise
Update recovery procedures
Document lessons learned

Policy and Documentation:

Annual policy review and updates
Security training for all staff
Update security documentation
Review vendor security agreements
Strategic security planning

10.5 Bi-Annual Tasks

Disaster Recovery Testing:

Complete system restoration to alternate site
Database recovery to point-in-time
Application functionality verification
Network failover testing
Communication system testing

Business Continuity:

Test emergency communication procedures
Verify contact information current
Review and update business continuity plan
Test backup data center capabilities
Validate recovery time objectives

11. Employees Joining and Leaving

We will provide training to new staff and support for existing staff to implement this policy. This includes: • An initial introduction to IT security, covering the risks, basic security measures, company policies and where to get help • Each employee will complete the National Archives ‘Responsible for Information’ training course (approximately 75 minutes) • Training on how to use company systems and security software properly • On request, a security health check on their computer, tablet or phone • Access to necessary systems and resources based on job role • Assignment of appropriate security tools (VPN, password manager, MFA device)

Onboarding Security Checklist:

Background check completed (where applicable)
Security policy acknowledgment signed
Security training completed
NDA and confidentiality agreements signed
User account created with appropriate permissions
MFA configured for all accounts
Company devices issued and configured
VPN access configured if needed
Password manager account created
Emergency contact information collected

When people leave a project or leave the company, we will promptly revoke their access privileges to all systems.

Offboarding Security Checklist:

Disable all user accounts within 2 hours
Revoke VPN and remote access
Remove from all groups and distribution lists
Collect company devices (laptop, phone, tokens)
Collect access cards and keys
Reset any shared account passwords they knew
Remove from third-party systems (GitHub, AWS, etc.)
Transfer ownership of documents and files
Exit interview covering security obligations
Documentation of access revocation completed

12. Data Protection Officer Responsibilities

The company will ensure the data protection officer is given all appropriate resources to carry out their tasks and maintain their expert knowledge. The Data Protection Officer reports directly to the highest level of management and must not carry out any other tasks that could result in a conflict of interest.

DPO Duties:

Monitor compliance with GDPR and other privacy regulations
Advise on data protection impact assessments
Cooperate with supervisory authorities
Act as contact point for data subjects
Maintain records of processing activities
Provide data protection training
Conduct privacy audits
Review privacy policies and procedures

13. Technical Documentation Requirements

13.1 Network Architecture Documentation

Required Documentation:

Network topology diagrams (logical and physical)
IP address allocation schemes
Firewall rules and security zones
VPN configurations
DMZ architecture
Network device inventory
VLAN configurations
Routing protocols and tables

Update Frequency: Within 48 hours of any network change

13.2 System Configuration Documentation

Required Elements:

Server inventory with roles and specifications
Operating system versions and patch levels
Installed software and versions
Service configurations
Database schemas and configurations
Application architecture diagrams
API documentation
Integration points and dependencies

Update Frequency: Within 24 hours of configuration changes

13.3 Security Controls Documentation

Control Documentation:

Access control lists (ACLs)
Security group configurations
Intrusion detection/prevention rules
Data loss prevention policies
Endpoint protection configurations
Email security settings
Web filtering rules
Security monitoring dashboards

Review Frequency: Monthly with quarterly comprehensive review

13.4 Encryption Standards Documentation

Required Documentation:

Encryption algorithms in use (AES-256-GCM, TLS 1.3)
Key management procedures
Certificate inventory and renewal schedule
Data classification and encryption requirements
Encryption at rest implementations
Encryption in transit configurations
Cryptographic library versions

Update Frequency: Immediate upon any encryption-related change

13.5 Logging and Monitoring Documentation

Logging Requirements:

Log sources and types collected
Log retention periods
Log storage locations and capacity
Log analysis tools and procedures
Alert thresholds and escalation
Monitoring dashboards and reports
SIEM configuration and rules

Review Frequency: Quarterly with annual comprehensive audit

14. Compliance Records Management

14.1 Risk Assessment Reports

Risk Assessment Frequency:

Annual: Comprehensive organizational risk assessment
Quarterly: Targeted assessments for new systems/services
Ad-hoc: After significant incidents or changes

Report Contents:

Identified assets and their value
Threat identification and analysis
Vulnerability assessment
Risk likelihood and impact ratings
Risk treatment plans
Residual risk acceptance
Review and approval signatures

Retention: 7 years

14.2 Audit Logs

Log Types:

Authentication and authorization events
Administrative actions
Data access (read/write/delete)
Configuration changes
Security events and alerts
System errors and failures
Network traffic logs

Retention Periods:

Security logs: 7 years
System logs: 1 year
Application logs: 90 days
Network logs: 30 days

Protection Requirements:

Read-only after creation
Encrypted in transit and at rest
Backed up daily
Monitored for tampering

14.3 Training Records

Training Requirements:

New hire security orientation (within first week)
Annual security awareness training (all staff)
Role-specific security training (as applicable)
Phishing simulation exercises (quarterly)
Incident response training (security team, annually)

Documentation Required:

Training completion dates
Training content and version
Assessment scores if applicable
Certificates of completion
Refresher training schedule

Retention: Duration of employment + 3 years

14.4 Incident Reports

Report Requirements:

Incident detection date and time
Incident classification and severity
Systems and data affected
Timeline of events
Response actions taken
Root cause analysis
Lessons learned
Corrective actions implemented

Distribution:

Internal: Management, security team, affected departments
External: As required by regulations and contracts

Retention: 7 years

14.5 Access Review Records

Review Documentation:

Date of review
Reviewer name and title
List of accounts reviewed
Access changes made
Justification for access granted
Exceptions and approvals
Follow-up actions required

Review Schedule:

Standard users: Quarterly
Privileged users: Monthly
Service accounts: Bi-annually

Retention: 3 years

15. Compliance Framework

15.1 Applicable Regulations

GDPR (General Data Protection Regulation):

Data protection impact assessments
Privacy by design and by default
User consent management
Data subject rights fulfillment
Breach notification procedures

SOC 2 (Service Organization Control):

Security controls documentation
Availability monitoring
Confidentiality protection
Privacy practices
Annual audit compliance

ISO 27001 (Information Security Management):

Information security management system (ISMS)
Risk assessment and treatment
Security controls implementation
Continuous improvement process
Regular internal audits

15.2 Compliance Monitoring

Automated Monitoring:

Security control effectiveness
Policy compliance scanning
Configuration drift detection
Vulnerability management
Patch compliance tracking

Manual Reviews:

Quarterly compliance assessments
Annual third-party audits
Internal audit program
Management review meetings
Regulatory requirement updates

16. Third-Party Security

16.1 Vendor Security Assessment

Pre-Contract:

Security questionnaire completion
Security certification review (SOC 2, ISO 27001)
Data processing agreement
Security requirements in contract
Incident notification requirements

Ongoing Monitoring:

Annual security re-assessment
Review of security incidents
Audit report review
Performance against SLAs
Security scorecard maintenance

Requirements:

Data processing agreement in place
Minimum necessary data shared
Encryption for data in transit
Access controls and monitoring
Right to audit vendor security

Approval Process:

Security team review required
Legal review of agreements
Privacy impact assessment
Management approval for sensitive data
Documentation in vendor register

17. Vulnerability Management

17.1 Vulnerability Identification

Sources:

Automated vulnerability scanning (weekly)
Penetration testing (annual)
Security research and advisories
Bug bounty program
Internal security testing
Third-party security assessments

17.2 Vulnerability Remediation

Severity Levels and Response Times:

Critical: Remediate within 24 hours
High: Remediate within 7 days
Medium: Remediate within 30 days
Low: Remediate within 90 days or accept risk

Remediation Process:

Vulnerability confirmed and documented
Impact and exploitability assessed
Remediation plan developed
Patch/fix tested in non-production
Change management process followed
Fix deployed to production
Verification testing completed
Documentation updated

17.3 Reporting a Vulnerability

External Researchers:

Email: security@pragmatismo.com.br
PGP Key: Available on website
Response time: Initial response within 48 hours
Bug bounty: Rewards for qualifying vulnerabilities

Internal Staff:

Report via internal security portal
Email security team for critical issues
Include: Description, affected systems, reproduction steps
Response time: Within 24 hours

You can expect to get an update on a reported vulnerability in a day or two.

18. Security Metrics and KPIs

18.1 Key Performance Indicators

Security Metrics:

Mean time to detect (MTTD) incidents: Target <15 minutes
Mean time to respond (MTTR) to incidents: Target <4 hours
Percentage of systems with latest patches: Target >95%
Failed login attempts per day: Baseline <100
Security training completion rate: Target 100%
Vulnerabilities remediated within SLA: Target >90%
Backup success rate: Target 100%
Access review completion: Target 100% on schedule

Reporting:

Weekly: Security incidents and critical metrics
Monthly: Comprehensive security dashboard
Quarterly: Metrics trends and analysis
Annually: Security posture assessment

19. Policy Enforcement

19.1 Policy Violations

Types of Violations:

Unauthorized access attempts
Password sharing
Installation of unauthorized software
Data exfiltration or leakage
Policy non-compliance
Failure to report incidents

Consequences:

First offense: Warning and retraining
Second offense: Written warning and management review
Third offense: Suspension or termination
Severe violations: Immediate termination and legal action

19.2 Exception Process

Exception Request:

Written justification required
Risk assessment completed
Compensating controls identified
Time-limited approval (max 90 days)
Management and security team approval
Regular review of active exceptions

20. Document Control

Document Information:

Document Owner: Rodrigo Rodriguez, Security Director
Last Updated: [Date]
Next Review: [Date + 1 year]
Version: 2.0
Status: Approved

Change History:

Version 1.0: Initial policy creation
Version 2.0: Comprehensive expansion with detailed procedures