Security Policy

  1. Purpose

    This document outlines the general security policy for MRF Geosystems Corporation. It aims to ensure the protection of the company's digital assets, intellectual property, client data, and the integrity of our software products.

  2. Scope

    This policy applies to all employees, contractors, and third-party partners who access or interact with company systems, networks, and data.

  3. Roles and Responsibilities

    • Management: Responsible for endorsing and enforcing this security policy.

    • Employees and Contractors: Required to comply with all security protocols and procedures.

  4. Data Protection

    Ensuring the security and integrity of data, particularly when hosted in the cloud with services like AWS, is crucial. MRF Geosystems Corporation commits to robust data protection practices as outlined below:

    4.1 Data Classification and Handling

      • All data will be classified according to its sensitivity (e.g., public, internal, confidential, highly confidential) and handled accordingly.

      • Employees will be trained on the proper handling and sharing of data based on its classification.

    4.2 Secure Data Storage

      • All sensitive and confidential data, including client information and intellectual property, will be stored in encrypted form.

      • AWS S3 buckets will be used for storage, with server-side encryption enabled to protect data at rest.

      • AWS Identity and Access Management (IAM) will be used to control access to AWS resources, ensuring that only authorized personnel have access to sensitive data.

      • All data is stored on AWS infrastructure located within Canada.

    4.3 Data Encryption

      • Data in transit will be encrypted using secure protocols such as TLS (Transport Layer Security).

      • AWS Key Management Service (KMS) will be used to manage encryption keys, providing an additional layer of security and control.
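The requirements in 4.2 and 4.3 (encrypted at rest under a KMS key, TLS-only in transit, stored in Canada) can be verified per bucket rather than taken on trust. The following is an added example, not MRF's own tooling: it audits a bucket description offline, showing a bucket left at defaults beside one that meets the policy. The bucket dicts are constructed for illustration; the `default_encryption` keys mirror the field names of the S3 GetBucketEncryption response, the region list is the two AWS Canada regions, and the ARNs and account ID are placeholders. In production the same dicts would be filled from the S3 API.

```python
"""Offline audit of an S3 bucket description against sections 4.2 and 4.3.
Added example, not MRF's tooling. Bucket dicts below are constructed; ARNs,
bucket names and the account ID are placeholders."""
import json

CANADA_REGIONS = {"ca-central-1", "ca-west-1"}  # Canada (Central), Canada West (Calgary)


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def denies_insecure_transport(policy: dict) -> bool:
    """True if a Deny on s3:* applies whenever aws:SecureTransport is false (no TLS)."""
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Deny" or "s3:*" not in _as_list(st.get("Action")):
            continue
        flag = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() == "false":
            return True
    return False


def denies_non_kms_uploads(policy: dict) -> bool:
    """True if a Deny rejects s3:PutObject unless the request asks for SSE-KMS."""
    for st in _as_list(policy.get("Statement")):
        actions = set(_as_list(st.get("Action")))
        if st.get("Effect") != "Deny" or not ({"s3:PutObject", "s3:*"} & actions):
            continue
        sne = st.get("Condition", {}).get("StringNotEquals", {})
        if sne.get("s3:x-amz-server-side-encryption") == "aws:kms":
            return True
    return False


def audit_bucket(bucket: dict) -> list:
    """Return the list of findings; an empty list means the bucket meets 4.2/4.3."""
    findings = []
    if bucket.get("region") not in CANADA_REGIONS:
        findings.append(f"region {bucket.get('region')} is outside Canada (4.2)")
    enc = bucket.get("default_encryption") or {}
    if enc.get("SSEAlgorithm") != "aws:kms":
        findings.append("default encryption is not SSE-KMS (4.2, 4.3)")
    elif not enc.get("KMSMasterKeyID"):
        # SSEAlgorithm aws:kms with no key ID means the AWS-managed aws/s3 key is used
        findings.append("SSE-KMS uses the AWS-managed key, not a customer-managed KMS key (4.3)")
    policy = bucket.get("policy") or {}
    if not denies_insecure_transport(policy):
        findings.append("bucket policy does not deny non-TLS requests (4.3)")
    if not denies_non_kms_uploads(policy):
        findings.append("bucket policy does not reject uploads without SSE-KMS (4.2)")
    return findings


# Constructed: a bucket created with defaults and no bucket policy.
WEAK_BUCKET = {
    "name": "mrf-example-weak",
    "region": "us-east-1",
    "default_encryption": {"SSEAlgorithm": "AES256"},  # SSE-S3, not KMS
    "policy": {},
}

# Constructed: the same bucket after applying 4.2 and 4.3.
HARDENED_BUCKET = {
    "name": "mrf-example-hardened",
    "region": "ca-central-1",
    "default_encryption": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:ca-central-1:111122223333:key/00000000-0000-0000-0000-000000000000",
    },
    "policy": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*",
             "Resource": ["arn:aws:s3:::mrf-example-hardened", "arn:aws:s3:::mrf-example-hardened/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Sid": "DenyUploadsWithoutKms", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject",
             "Resource": "arn:aws:s3:::mrf-example-hardened/*",
             "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        ],
    },
}

if __name__ == "__main__":
    for bucket in (WEAK_BUCKET, HARDENED_BUCKET):
        print(bucket["name"], json.dumps(audit_bucket(bucket), indent=2))
```

The two Deny statements are the standard way to make 4.2 and 4.3 enforceable on the bucket itself rather than relying on each client: the first refuses any request that did not arrive over TLS, the second refuses an upload that does not request SSE-KMS, regardless of what IAM permissions the caller holds. The default-encryption check catches the common case of a bucket that is encrypted, but with the AWS-managed key rather than one the company controls in KMS.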

    4.4 Data Backup and Recovery

      • Regular data backups will be scheduled and stored within AWS infrastructure located in Canada to ensure data availability and business continuity.

      • A clear data recovery process will be established to minimize downtime in the event of data loss or system failure.

    4.5 AWS Cloud Security Features

      • Utilization of AWS Shield for DDoS (Distributed Denial of Service) protection.

      • Implementation of AWS CloudTrail to log API activity across the AWS account, providing visibility into user and resource activity.

      • Employing AWS Config to continuously monitor and record AWS resource configurations to assess compliance with internal policies and standards.

    4.6 Compliance with AWS Best Practices

      • Regularly reviewing and implementing AWS security best practices and guidelines.

      • Conducting periodic security assessments using AWS tools such as Amazon Inspector to check for vulnerabilities.

    4.7 Data Access and Sharing

      • Implementation of strict controls over data sharing, ensuring that data is shared only with authorized personnel and third-party partners under secure conditions.

      • Regular audits to track data access and sharing activities for compliance and security purposes.

    4.8 End-of-Life Data Procedures

      • Secure procedures for data deletion and disposal will be established to ensure that data is irretrievably deleted from all systems, including AWS cloud services, when it is no longer needed.

    4.9 Authentication & Access Control

      • MRF enforces role-based access control within the system, ensuring that users have access only to the actions and features appropriate to their role.

      • Multi-factor authentication (MFA) is supported for all accounts, using methods such as time-based one-time passwords (TOTP). MFA is not enforced by default; it can be enabled according to client preference and policy requirements.

  5. Network Security

    Network security is critical in protecting company assets and client data from cyber threats. MRF employs a multi-layered approach to safeguard its network infrastructure.

    5.1 Firewall Implementation

      • Deploy state-of-the-art firewalls to create a barrier between the trusted, secure internal network and untrusted external networks, such as the internet.

      • Configure firewalls to restrict unauthorized access and filter out potentially harmful traffic.

    5.2 Intrusion Detection and Prevention Systems (IDPS)

      • Utilize IDPS to monitor network traffic for suspicious activity and known threats.

      • Implement automated responses to detected threats, including immediate alerts and traffic blocking.

    5.3 Secure VPN Access

      • Provide secure VPN (Virtual Private Network) access for remote employees to ensure that data transmitted over public networks is encrypted and secure.

      • Regularly update and patch VPN software to address security vulnerabilities.

    5.4 Network Access Control (NAC)

      • Implement Network Access Control to enforce security policy compliance on all devices attempting to access network resources.

      • NAC systems will assess the security posture of devices (e.g., antivirus updates, system patches) before granting access.

    5.5 Regular Security Assessments

      • Conduct regular security assessments, including vulnerability scanning and penetration testing, to identify and mitigate potential vulnerabilities within the network.

      • Engage third-party security experts for independent assessments.

    5.6 Wireless Network Security

      • Secure wireless networks with strong encryption protocols like WPA3.

      • Regularly change Wi-Fi passwords and hide SSIDs to minimize unauthorized access risks.

    5.7 Segmentation and Isolation

      • Segment the network to isolate critical systems and data from general network traffic.

      • Implement strict access controls on segments containing sensitive information.

    5.8 Endpoint Security

      • Ensure that all devices connecting to the network, including employee workstations and mobile devices, are equipped with updated antivirus software and firewalls.

      • Regularly apply security patches and software updates on all endpoints.

    5.9 Employee Training and Awareness

      • Regularly train employees on network security best practices, including safe browsing habits and recognition of phishing attempts.

      • Encourage employees to report any unusual network activity.

    5.10 Monitoring and Response

      • Continuously monitor network traffic for unusual patterns that may indicate a security breach.

      • Implement an incident response plan to quickly address any security incidents, minimize damage, and restore normal operations.

  6. Password Management

    • Strong, unique passwords are required for all systems.

    • Passwords must be changed regularly and not shared among employees.

  7. Software Development and Maintenance

    • Security shall be integrated into the software development lifecycle.

    • Regular code reviews and vulnerability assessments will be conducted.

  8. Incident Response

    • A clear incident response plan will be in place to address security breaches or data loss.

    • Employees must report any suspicious activities or security incidents immediately.

  9. Training and Awareness

    • Regular training on security best practices and awareness will be provided to all staff.

    • Updates on emerging threats and security updates will be communicated.

  10. Compliance

    • Compliance with relevant legal, regulatory, and contractual obligations regarding data protection and privacy.

    • Regular audits will be conducted to ensure adherence to this policy.

  11. Policy Review and Update

    • This policy will be reviewed annually and updated as necessary to reflect changes in technology, threats, and business operations.

  12. Acknowledgement

    • All employees and contractors must acknowledge that they have read, understood, and agreed to comply with this policy.