1.0 Scope
This policy applies to all Vacayou employees, contractors, vendors and third parties.
2.0 Security Policy
2.1 This security policy will be published, reviewed, and updated at least annually.
2.2 The CTO is responsible for publishing, reviewing, and updating all Information Security policies, standards, and operational procedures.
2.3 The CTO is the focal point for all security and compliance-related responsibilities.
2.4 Security risk assessments shall be performed annually or after major changes to the environment to identify new threats and vulnerabilities. Formal risk assessment documents should be developed and provided to line management to address or accept the risk.
2.5 The risk assessment will be incorporated into a risk management strategy.
2.6 New vulnerability information published by various security organizations (such as NIST, SANS, technology vendors, etc.) shall be monitored via mailing lists, media alerts, and Twitter to adapt to a constantly changing threat environment.
2.7 All security policies and procedures will clearly define information security responsibilities for all employees according to job functions.
2.11 All information assets (data) shall be classified according to the data classification section of this policy, which specifies the security controls appropriate for protecting each type of data.
2.9 All information systems will be protected according to the classification of the data hosted.
2.10 All system access (except where public data is involved) shall require authentication and access control mechanisms; all access requests must be formally approved and auditable.
All authentication systems must implement unique user IDs to maintain accountability; access permissions must be auditable.
First-time or reset passwords must be unique for each user, and the user must be forced to change them after use.
The Help Desk and SysOps teams must authenticate password reset requests via 2FA, phone call, email, or the Authenticator App. Authentication systems must be configured to disable user access after five or more invalid login attempts.
Passwords must be at least 8 characters long and contain at least one character from each category: uppercase, lowercase, numeric, and special characters.
2.11 System access approvers must follow the need-to-know, minimum access, and segregation of duties principles when granting requests.
2.12 All Vacayou data, systems, and applications must have documented owners who are responsible for granting access (data and systems) and performing maintenance (systems and applications).
2.13 The Ops team is responsible for maintaining the systems inventory, including hardware models, operating system type, purpose and owner of the system.
2.14 All systems (servers and workstations) must have antivirus installed, operational and updated with the latest signatures at least daily.
2.16 All Vacayou employees are required to follow all information security policies applicable to their job functions. These requirements include, but are not limited to, the Acceptable Use Policy and the Network Security Policy.
3.0 Data classification
Not all data is of equal value to the company, and as such data protection requirements differ. Below is the Vacayou data classification taxonomy:
3.1 Public (such as our public website, advertisements, press releases etc.): can be disseminated freely and does not require user authentication.
3.2 Internal use only (such as internal announcements, Intranet sites, Slack announcement content, etc.): This data is intended only for Vacayou employees; unauthorized disclosure of such data would not damage the company; however, it is not a good practice.
3.3 Sensitive and confidential (customer data, TripFusion application source code, sensitive reports or customer lists, etc.): This data is intended for select groups of Vacayou employees on a job-need-to-know basis; unauthorized disclosure of such data can damage the company to various degrees.
Other categories:
Sensitive or confidential data shall be protected while at rest or in transit.
Sensitive or confidential data shall not be transmitted to third parties via plain email or FTP; instead, such data shall be distributed as encrypted email attachments or via secure (encrypted) FTP.
4.0 Security Education and Awareness
4.1 A formal security awareness program will be implemented, emphasizing the importance of data security.
4.2 All workforce members will be educated upon hire/contract start and at least annually.
4.3 All workforce members must acknowledge in writing that they have read and understand Vacayou’s security policies and procedures.
4.4 Developers must complete secure coding training over and above generic security awareness training.
5.0 Service Providers Contractual Requirements
5.1 All legal contracts with third parties must incorporate security schedules, with requirements commensurate with the sensitivity of the work performed.
6.0 Incident Response
6.1 An incident response plan will be implemented to respond to any potential security incidents.
6.2 The incident response plan will address specific procedures, business recovery and continuity procedures, data backup processes, roles and responsibilities, and communication and contact strategies.
6.3 The incident response plan will be tested at least annually.
6.4 The incident response plan will designate the specific personnel responsible and the training of those persons.
6.5 The incident response plan will address the actions to be taken for specific alerts from intrusion detection and monitoring systems.
6.6 The incident response plan will be modified and amended based on lessons learned and industry developments.
6.7 The CTO is responsible for maintaining the Incident Response process.
7.0 Responsibility
7.1 All Vacayou employees are responsible for protecting the company's data.
7.2 Vacayou’s management is responsible for implementing and complying with all Vacayou’s security policies.
8.0 Compliance
8.1 All employees are required to comply with the Information Security Policy.
Incident Response Plan
I. Policy
The Vacayou Technical team is responsible for responding to reports of incidents, compromises, and breaches of computers, data, and network resources. The purpose of the Incident Response Plan is to establish procedures in accordance with applicable legal and regulatory requirements to address instances of unauthorized access to or disclosure of information. The Incident Response Plan defines the policy, roles, and responsibilities for the involved personnel when reacting to an information security threat.
Vacayou shall provide timely and appropriate notice to affected customers when there has been a security incident, compromise, or breach involving customers' data, computers, or networks. The Chief Technology Officer and the Legal Counsel's Office shall be responsible for reviewing breaches to determine whether notification is required and directing responsible personnel to comply with the notification obligation. All known or suspected security incidents must be reported to the technical team.
II. Definitions
Security Incident - A vulnerability which may compromise the security of TripFusion resources has been discovered, or an attempt to exploit it is underway. Generally, this means a weakness in intrusion prevention has been found, an attempted exploit has taken place, or reconnaissance by a hacker has been thwarted. Examples include systematic unsuccessful attempts to gain entry, or a PC or workstation infected with a virus, worm, Trojan, botnet, or other malware that has been discovered and removed.
Security Compromise - An escalation of a security incident where the attacker has gained control of a Vacayou account, system or device, and is leveraging that position to control and utilize compromised resources for the purpose of unauthorized acquisitions. At this point, it has been determined that data has not been compromised or stolen.
Security Breach - A confirmed, unauthorized acquisition, modification or destruction of Vacayou’s data or private data has taken place. At this point, a breach has been forensically determined and evidence supports that data was compromised.
Private data - Data about individuals that is classified by law as private or confidential and is maintained by Vacayou in electronic format or medium. “Private data” means data classified as not public and available to the subject of the data, and “confidential data” means data classified as not public but not available to the subject of the data.
Unauthorized acquisition - For the purposes of this plan, this means that a person has obtained Vacayou’s data without statutory authority or the consent of the individual who is the subject of the data, and with the intent to use the data for purposes other than Vacayou’s.
Systematic unsuccessful attempts - Continual probes, scans, or login attempts where the perpetrator’s obvious intent is to discover a vulnerability and inappropriately access and compromise a device. "Device" includes all Vacayou-owned computers, peripherals, networks and related equipment and software, and the voice and data communications infrastructure.
III. General Incident Response Procedures
1) Intrusion attempts, security breaches, or other technical security incidents perpetrated against Vacayou-owned computing or networked resources must be reported to the CTO and/or systems personnel. Personnel who detect such incidents must:
a) Report any security incidents in order to obtain assistance, advice, or to file the incident in the database.
b) Report any systematic unsuccessful attempts (e.g., login attempts, probes, or scans).
c) Where feasible given the circumstances, a notification will be sent to Vacayou’s customer as soon as the situation is detected; minimally the report should be sent as soon as possible thereafter.
2) Upon receiving a report of a security incident, the Vacayou Technical team will:
a) Ensure that appropriate information is collected and logged per applicable procedures.
b) Immediately assess actual or potential disclosure or inappropriate access to institutional or personal information.
c) Report the situation to the CTO.
d) Consult with and/or assign the incident to an engineer for further investigation as necessary.
e) Provide preliminary advice or comment to the functional unit technician as required.
f) Initiate steps to warn other customers.
g) Perform or assist in any subsequent investigation and/or perform computer forensics as required.
3) Upon receiving a report of a security incident, the CTO will:
a) If circumstances dictate, report to the CEO.
b) Ensure that appropriate records are filed.
c) Confirm actual or probable disclosure or inappropriate access to institutional or personal information.
d) Where feasible given the circumstances, a notification will be sent to Vacayou’s customer as soon as the situation is detected; minimally the report should be sent as soon as possible thereafter.
e) Limitations may be implemented through the use of policies, standards, and/or technical methods, and could include (but may not be limited to) usage eligibility rules, password requirements, or restricting or blocking certain protocols or use of certain applications known to cause security problems.
f) Restrictions may be permanently deployed based on a continuing threat or risk after appropriate consultation with affected constituents, or they may be temporarily deployed, without prior coordination, in response to an immediate and serious threat.
g) Restrictions deployed temporarily will be removed when the risk is mitigated to an acceptable level, or where the effect on Vacayou functions caused by the restriction approaches or exceeds risk associated with the threat, as negotiated between the affected constituents and the CTO.
h) Isolation is removed when the risk is mitigated to an acceptable level, or where loss of access or function caused by the isolation approaches or exceeds risk associated with the threat, as negotiated between the responsible functional manager and the CTO.
i) Consult in advance with Legal Counsel, where practical and where circumstances warrant.
4) The reaction to a reported security vulnerability directly corresponds to the potential for damage to the local system (or adjacent systems) or inappropriate disclosure or modification of data. The risk levels are characterized as:
a) Very High Risk, response is immediate:
1. Damage to the system or data is occurring, or
2. Attempts to exploit the vulnerability on that system are occurring, or
3. The TripFusion platform is currently being actively exploited against other similar technologies; probable damage to systems and data is being experienced in those other incidents.
b) High Risk, response is within 1 hour:
1. The vulnerability is known to exist on the system;
2. The exposure is currently being actively exploited against other similar technologies external to the TripFusion platform;
3. Damage to systems and data are being experienced in those other incidents.
c) Medium Risk, response should be within 4 hours:
1. The system is susceptible to the vulnerability given that the system is configured incorrectly;
2. The exposure is currently being actively exploited against other similar technologies external to the core platform.
3. There is some potential for damage to systems and data.
d) Low Risk, response should be within 8 hours:
1. The system is susceptible to the vulnerability given that the system is configured incorrectly;
2. The exposure is currently being actively exploited against other similar technologies external to the core platform.
3. Damage to systems and data is possible but is not considered likely.