Information Security Policy
Purpose and Scope
This Information Security Policy addresses the basic information security topics that maintain the security, confidentiality, integrity, and availability of Conelike LLC applications, systems, infrastructure, and data.
People Security
Background Check
All personnel are required to complete a background check. An authorized member of Conelike must review each background check in accordance with local laws.
Confidentiality
Prior to accessing sensitive information, personnel are required to sign an industry-standard confidentiality agreement protecting Conelike confidential information.
Secure Coding
Conelike promotes the understanding of secure coding to its engineers in order to improve the security and robustness of Conelike products.
Remote Work
Any Conelike-issued device used to access company applications, systems, infrastructure, or data must be used only by the employee or contractor authorized to use that device.
System Access Security
Conelike adheres to the principle of least privilege, specifying that team members will be given access to only the information and resources necessary to perform their job functions as determined by management or a designee. Requests for escalation of or changes to privilege and access are documented and require approval by an authorized manager. System access is revoked upon termination or resignation.
Password Security
Unique accounts and passwords are required for all users. Passwords must be kept confidential and must not be shared between users. Where possible, all user and system accounts must have a password of at least eight characters, including both upper- and lower-case letters, at least one numeric character, and at least one non-alphanumeric character. All accounts must use unique passwords that are not used elsewhere.
Rotation Requirements
If a password is suspected to be compromised, the password should be rotated immediately and the security team notified without delay.
Storing Passwords
Passwords must only be stored using a Conelike-approved password manager. Conelike does not hard-code passwords or embed credentials in static code.
Data Management
Conelike stores and disposes of sensitive data in a manner that reasonably safeguards the confidentiality of the data, protects against its unauthorized use or disclosure, and renders the data secure or appropriately destroyed. Data entered into Conelike applications must be validated where possible to ensure information quality and to mitigate the impact of web-based attacks on the systems.
Data Classification
Conelike defines the handling and security control requirements for each Conelike data class.
Data Retention and Disposal Policy
The time periods for which Conelike retains customer data depend on the purpose for which it is used. Conelike retains customer data for as long as an account is active, as needed to provide services to the customer, or in accordance with the agreement(s) between Conelike and the customer, unless Conelike is required by law to dispose of it earlier or keep it longer. Conelike may retain and use customer data to comply with its legal obligations, resolve disputes, and enforce agreements.
Except as otherwise set forth in the Conelike policies, Conelike also disposes of customer data when requested by customers.
Conelike maintains a sanitization process that is designed to prevent sensitive data from being exposed to unauthorized individuals. Conelike hosting and service providers are responsible for ensuring that data is removed from disks allocated to Conelike use before those disks are repurposed, and that decommissioned hardware is destroyed.
Change and Development Management
To protect against unauthorized changes and the introduction of malicious code, Conelike maintains change management procedures that address the types of changes, the required documentation for changes, the required review and/or approvals for changes, and emergency changes. Changes to Conelike production infrastructure, systems, and applications are documented, tested, and approved before deployment.
Vulnerability and Patch Management
Conelike uses a proactive vulnerability and patch management process that prioritizes and implements patches based on classification. Such classification may take into account whether the issue is security-related, its severity, and other additional factors.
If you believe you have discovered a vulnerability, please email us; we aim to address critical issues as soon as possible.
Environment Separation
As necessary, Conelike maintains requirements and controls for the separation of development and production environments.
Source Code
Conelike controlled directories or repositories containing source code are secured from unauthorized access.
Logging and Monitoring
Conelike collects and monitors audit logs and alerts on key events stemming from production systems, applications, databases, servers, message queues, load balancers, and critical services, as well as IAM user and admin activities.
Conelike manages logging solution(s) and/or SIEM tool(s) to collect event information from the aforementioned systems and activities. Conelike implements filters, parameters, and alarms to trigger alerts on logged events that deviate from established system and activity baselines. Logs are securely stored and archived for a minimum of 1 year to assist with potential forensic efforts.
Logs are made available to relevant team members for troubleshooting, auditing, and capacity planning activities. System and user activity logs may be used to assess the causes of incidents and problems. Conelike uses access control to prevent unauthorized access to, deletion of, or tampering with logging facilities and log information.
Business Continuity and Disaster Recovery
Conelike maintains a plan for continuous business operations if facilities, infrastructure or systems fail. The plan is tested, reviewed and updated at least annually.
Backup Policy
Backups are performed according to the appropriate backup schedules to ensure critical systems, records, and configurations can be recovered in the event of a disaster or media failure.
Security Incident Response
Conelike maintains a plan that defines responsibilities, detection, and corrective actions during a security incident. The plan is followed in the event of a system compromise or the unintended or unauthorized acquisition, access, use, or release of non-public information. The plan is tested, reviewed, and updated at least annually.
Conelike utilizes various monitoring and surveillance tools to detect security threats and incidents, but you may be the first to become aware of a problem. Early detection and response can mitigate damages and minimize further risk to Conelike.
Vendor Management
Conelike requires a vendor security assessment, confirming that the provider can maintain appropriate security and privacy controls, before third-party products or services are used. The review may include gathering applicable compliance audits (SOC 1, SOC 2, PCI, HITRUST, ISO 27001, etc.) or other security compliance evidence. Agreements are updated and amended as necessary when business, legal, and regulatory requirements change.
Responsibility, Review, and Audit
At least annually, Conelike reviews and updates its security policies and plans to maintain organizational security objectives and meet regulatory requirements. The results are shared with appropriate parties internally, and findings are tracked to resolution. Any changes are communicated across the organization.