SECURITY POLICY

Summary of Security at GGWP

Last Updated: 9/1/2023 

GGWP is committed to security. We provide a list of relevant processes below.

Security Updates & Patches

  • Timeliness: Critical vulnerabilities are addressed within a 24-hour internal SLA.
  • Method: Active CVE subscriptions and container image scanning.

Auditing & Logging

  • Real-Time Monitoring: AWS Security Hub, GuardDuty, and real-time alerts ensure immediate attention to suspicious activities.
  • Firewall: Additional protection is in place to monitor and manage network traffic.
  • Review Cycle: Quarterly reviews of Security Hub reports for high-risk items.
  • Access Control: Utilizing OAuth/API keys for secure auditing and logging.

Security Testing

  • Internal: Annual reviews of security workflows, processes, and configurations.
  • External: Annual third-party audits on all public endpoints.
  • Standards: SOC 2 certified.

Team Collaboration & Data Privacy

  • Access Control: Time and Role-specific access controls, MFA, and VPN are strictly enforced.
  • Directionality: Defined access directionality to limit the flow of sensitive information.
  • Employee Training: Mandatory annual security and privacy training for team members.
  • Encryption: Data is encrypted both in transit (TLS 1.2) and at rest (AES 256).
  • Segmentation: Multi-tenancy environments with different encryption keys for added security.
  • Logical Isolation: Strict barriers in place for data segregation.
  • User Access Reviews: Periodic reviews of user access to ensure least privilege.

Legal Compliance

  • We adhere to GGWP’s Privacy Policy, which addresses data retention periods and compliance with data protection laws such as GDPR and CCPA.

Data Backup

  • Storage: Data is stored securely in AWS S3, accessible only on a need-to-know basis.
  • Availability: High availability is ensured with nightly snapshots, data-integrity checks, multiple variants, and versioning.

Incident Response Phases and Actions

  • Detection: Real-time monitoring for unauthorized activity or data breaches.
    • Types of Incidents:
      • Information was used by unauthorized Personnel or Third Parties;
      • Information has been downloaded or copied inappropriately from GGWP Inc. AWS environments;
      • Equipment or devices containing Information have been lost or stolen;
      • Equipment or devices containing Information have been subject to unauthorized activity (e.g., hacking, malware);
      • Personal Data has been inappropriately disclosed, accessed or transferred.
  • Analysis: Immediate assessment by our DevOps team upon incident detection to determine probable root cause. Analysis will be logged and documented.
  • Containment: Swift action to mitigate the root cause and prevent further damage. May involve administering additional controls.
  • Eradication: Elimination of vulnerabilities and compromises from our systems including attacker’s access to the environment.
  • Recovery: Coordinated efforts to restore affected systems to full operation.
  • Post Incident:
    • Review by Senior management.
    • Ensure proper communication internally and externally.
    • May involve legal guidance or engagement with law enforcement.
    • Preventive Measures: Implemented based on the post-incident retrospective and review.

Disaster Recovery Plan

  • Versioning
    • Version 2.0
    • Reviewed annually and updated when any process gaps are identified
  • Objectives
    • RTO & RPO: 24 hours or less for Severity 1 incidents, as per SLA contracts.
  • Runbooks
    • Low Severity: Includes simple outages, typically resolved by code rollbacks.
    • High Severity: Covers data loss, breaches, and long-term outages. Detailed runbook exists.
  • Personnel
    • Low Severity: Handled by on-call engineers.
    • High Severity: Involves both on-call engineers and DevOps engineers.
  • Procedures
    • Low Severity: Code rollback is the typical resolution.
    • High Severity: Includes code rollback, code roll forward, database restores, and security procedures.
  • Tracking
    • Event Log: Detailed tracking of events and possible resolutions.
  • Testing
    • Annual Review: DR runbook is executed and tested annually, with retrospective analysis.

Customer Communication

  • For severe incidents affecting data integrity or privacy, GGWP will provide notifications as soon as reasonably possible across all available communication channels.