Summary of Security at GGWP
Last Updated: 9/1/2023
GGWP is committed to security. We provide a list of relevant processes below.
Security Updates & Patches
- Timeliness: Critical vulnerabilities are addressed within a 24-hour internal SLA.
- Method: Utilizing active CVE subscriptions and container Image Scanning.
Auditing & Logging
- Real-Time Monitoring: AWS Security Hub, GuardDuty, and real-time alerts ensure immediate attention to suspicious activities.
- Firewall: Additional protection is in place to monitor and manage network traffic.
- Review Cycle: Quarterly reviews of Security Hub reports for high-risk items.
- Access Control: Utilizing OAuth/API keys for secure auditing and logging.
- Internal: Annual reviews of security workflows, processes, and configurations.
- External: Annual third-party audits on all public endpoints.
- Standards: SOC 2 certified
Team Collaboration & Data Privacy
- Access Control: Time and Role-specific access controls, MFA, and VPN are strictly enforced.
- Directionality: Defined access directionality to limit the flow of sensitive information.
- Employee Training: Mandatory annual security and privacy training for team members.
- Encryption: Data is encrypted both in transit (TLS 1.2) and at rest (AES 256).
- Segmentation: Multi-tenancy environments with different encryption keys for added security.
- Logical Isolation: Strict barriers in place for data segregation.
- User Access Reviews: Periodic reviews of user access to ensure least privilege.
- Storage: Data is stored securely in AWS S3, accessible only on a need-to-know basis.
- Availability: High-availability ensured, with nightly snapshots, data-integrity checks, multiple variants and versioning.
Incident Response Phases and Actions
- Detection: Real-time monitoring for unauthorized activity or data breaches.
- Types of Incidents
- Information was used by unauthorized Personnel or Third Parties;
- Information has been downloaded or copied inappropriately from GGWP Inc. AWS environments;
- Equipment or devices containing Information have been lost or stolen;
- Equipment or devices containing Information have been subject to unauthorized activity (e.g., hacking, malware).
- Personal Data has been inappropriately disclosed, accessed or transferred.
- Analysis: Immediate assessment by our DevOps team upon incident detection to determine probable root cause. Analysis will be logged and documented.
- Containment: Swift action to mitigate the root cause and prevent further damage. May involve administering additional controls.
- Eradication: Elimination of vulnerabilities and compromises from our systems including attacker’s access to the environment.
- Recovery: Coordinated efforts to restore affected systems to full operation.
- Post Incident:
- Review by Senior management.
- Ensure proper communication internally and externally.
- May involve legal guidance or engagement with law enforcement
- Preventive Measures: implemented based on post-incident retrospective and review
Disaster Recovery Plan
- Version 2.0
- Reviewed annually and updated when any process gaps are identified
- RTO & RPO: 24 hours or less for Severity 1 incidents, as per SLA contracts.
- Low Severity: Includes simple outages, typically resolved by code rollbacks.
- High Severity: Covers data loss, breaches, and long-term outages. Detailed runbook exists.
- Low Severity: Handled by on-call engineers.
- High Severity: Involves both on-call engineers and DevOps engineers.
- Low Severity: Code rollback is the typical resolution.
- High Severity: Includes code rollback, code roll forward, database restores, and security procedures.
- Event Log: Detailed tracking of events and possible resolutions.
- Annual Review: DR runbook is executed and tested annually, with retrospective analysis.
- For severe incidents affecting data integrity or privacy, GGWP will provide notifications as soon as reasonably possible across all available communication channels