Skip to content
English
  • There are no suggestions because the search field is empty.

SponsorCloud Security Policies

    Network Security Policy

    Purpose and Scope

    The purpose of this document is to define basic rules and requirements for network security and ensure the protection of information within and across networks and supporting information processing facilities.

    This document applies to the security of all services, architecture, software and systems that make up SponsorCloud's product/service.

    Users of this document are all employees and applicable contractors who work on network engineering, security, and maintenance at SponsorCloud.

    Network Controls

    SponsorCloud manages, controls, and secures its networks, the connected systems, applications, and data-in-transit to safeguard against internal and external threats.

    Firewalls & Threat Defense

    SponsorCloud must utilize network firewalls, web application firewalls, and/or equivalent mechanisms to safeguard applicable internet connections, internal network zones, and applications from threats. SponsorCloud configures appropriate firewall alerts and alarms for timely response and investigation. This also applies to applicable wireless networks.

    SponsorCloud ensures networking ports and protocols are restricted based on the principle of least functionality. Ports and network routes should only be open when there is proper business justification. Firewall configurations and rulesets are maintained. Firewall rules are implemented to minimize exposure to external threats. Significant changes to network services and configurations should be tracked in accordance with the Change Management Policy.

    As an additional layer of defense, SponsorCloud utilizes monitoring solutions to detect and alert on network-based intrusions and/or threats.

    Network Diagramming

    Nav Rajput maintains network and data flow diagrams. Diagrams are reviewed and updated when significant network infrastructure changes occur.

    Network Access Control

    In addition to the Network Security Policy, SponsorCloud establishes, documents, and reviews the Access Control and Termination Policy based on business and security requirements. This policy also encompasses network access control.

    SponsorCloud segregates networks based on the required groups of information services, users, and systems. SponsorCloud utilizes firewall configurations to restrict connections between untrusted networks and trusted networks.

    Additionally, SponsorCloud may utilize security groups and network access control lists (NACLs) to improve network security for individual virtual machines.

    Network Engineering

    SponsorCloud implements security functions in a layered approach, minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.

    SponsorCloud utilizes a defense-in-depth (DiD) architecture to protect the confidentiality, integrity, and availability of information systems and data, i.e. placing information systems that contain sensitive data in an internal network zone, segregated from the DMZ and other untrusted networks.

    SponsorCloud synchronizes clocks of all applicable information systems to the same time protocol to enforce consistent and accurate time-stamping.

    Network Service Level Agreements (SLAs)

    Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced.

    Exceptions

    SponsorCloud business needs, local situations, laws and regulations may occasionally call for an exception to this policy or any other SponsorCloud policy. If an exception is needed, SponsorCloud management will determine an acceptable alternative approach.

    Enforcement

    Any violation of this policy or any other SponsorCloud policy or procedure may result in disciplinary action, up to and including termination of employment. SponsorCloud reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. SponsorCloud does not consider conduct in violation of this policy to be within an employee’s or contractor’s course and scope of work.

    Any personnel who is requested to undertake an activity that he or she believes is in violation of this policy must provide a written or verbal complaint to his or her manager or any other manager of SponsorCloud as soon as possible.

    The disciplinary process should also be used as a deterrent to prevent employees and contractors from violating organizational security policies and procedures, and any other security breaches.

    Responsibility, Review, and Audit

    SponsorCloud reviews and updates its security policies and plans to maintain organizational security objectives and meet regulatory requirements at least annually. The results are shared with appropriate parties internally and findings are tracked to resolution. Any changes are communicated across the organization.

    Information Security Policy

    Purpose and Scope

    This Information Security Policy addresses the information security policy topics and requirements which maintain the security, confidentiality, integrity, and availability of SponsorCloud applications, systems, infrastructure, and data. The topics and requirements called out in this policy should be continuously improved upon to maintain a secure information security posture. From time to time, SponsorCloud may update this policy and implement different levels of security controls for different information assets, based on risk and other considerations. This policy is guided by security requirements specific to SponsorCloud including compliance with applicable laws and regulations.

    This policy applies to all SponsorCloud assets utilized by personnel acting on behalf of SponsorCloud or accessing its applications, infrastructure, systems or data. All personnel are required to read, accept and follow all SponsorCloud policies and plans upon starting and at least annually.

    Information Security Communication

    Please contact privacy@sponsorcloud.io if you have any questions about the SponsorCloud information security program.

    People Security

    Background Check

    All SponsorCloud personnel are required to complete a background check. An authorized member of SponsorCloud must review each background check in accordance with local laws.

    Confidentiality

    Prior to accessing sensitive information, personnel are required to sign an industry-standard confidentiality agreement protecting SponsorCloud confidential information.

    Security Awareness Training

    SponsorCloud has a security awareness training program in place to promote the understanding of security policies and procedures. All personnel are required to undergo training following initial employment and annually thereafter. Completion of the training program is logged by SponsorCloud.

    Secure Coding

    SponsorCloud promotes the understanding of secure coding to its engineers in order to improve the security and robustness of SponsorCloud products.

    Physical Security

    Clear Desk

    SponsorCloud personnel are required to ensure that all sensitive information in hardcopy or electronic form is secure in their work area when it is unattended. This requirement extends to both remote and in-office work.

    SponsorCloud personnel must remove hardcopies of sensitive information from desks and lock the information in a drawer when desks are unoccupied and at the end of the work day. Keys used to access sensitive information must not be left at an unattended desk.

    Clear Screen

    SponsorCloud employees and contractors must be aware of their surroundings at all times and ensure that no unauthorized individuals have access to see or hear sensitive information. All mobile and desktop devices must be locked when unoccupied. Session time-outs and lockouts are enforced through technical controls for all systems containing covered information.

    All devices containing sensitive information, including mobile devices, shall be configured to automatically lock after a period of inactivity (e.g. screen saver).

    Physical Office Security

    Reference the Physical Security Policy.

    Remote Work

    Any SponsorCloud issued devices used to access company applications, systems, infrastructure, or data must be used only by the authorized employee or contractor of such device.

    Employees or contractors accessing the SponsorCloud network or other cloud-based networks or tools are required to use HTTPS/TLS 1.2+ at a minimum to protect data-in-transit.

    If you are in a public space, ensure your sight lines are blocked and do not have customer conversations or other confidential conversations. If someone is close to you, assume they can see and hear everything. Connecting directly to a public wireless network that doesn't employ, at minimum, WPA-2 or an equivalent wireless protocol is prohibited.

    While working at home, employees and applicable contractors should be mindful when visitors (e.g. maintenance personnel) are at their residences, as visitors could become privy to sensitive information left up on computer screens.

    System Access Security

    SponsorCloud adheres to the principle of least privilege, specifying that team members will be given access to only the information and resources necessary to perform their job functions as determined by management or a designee. Requests for escalation of privileges or changes to privileges and access permissions are documented and require approval by an authorized manager. System access is revoked immediately upon termination or resignation.

    Account Audits

    Audits of access and privileges to sensitive SponsorCloud applications, infrastructure, systems, and data are performed regularly and reviewed by authorized personnel.

    Password Security

    Unique accounts and passwords are required for all users. Passwords must be kept confidential and not shared with anyone. Where possible, all user and system accounts must invoke password complexity requirements specified in the Access Control and Termination Policy. All accounts must use unique passwords not shared with any other accounts.

    Rotation Requirements

    If a password is suspected to be compromised, the password should be rotated immediately and the security team should be immediately notified.

    Storing Passwords

    Passwords must only be stored using a SponsorCloud approved password manager. SponsorCloud does not hard code passwords or embed credentials in static code.

    Asset Security

    SponsorCloud maintains a Configuration and Asset Management Policy designed to track and set configuration standards to protect SponsorCloud devices, networks, systems, and data. In compliance with such policy, SponsorCloud may provide team members laptops or other devices to perform their job duties effectively.

    Data Management

    SponsorCloud stores and disposes of sensitive data, in a manner that; reasonably safeguards the confidentiality of the data; protects against the unauthorized use or disclosure of the data; and renders the data secure or appropriately destroyed. Data entered into SponsorCloud applications must be validated where possible to ensure quality of information processed and to mitigate the impacts of web-based attacks on the systems.

    Data Classification

    SponsorCloud defines the handling and classification of data in the Data Classification Policy.

    Data Retention and Disposal Policy

    The time periods for which SponsorCloud must retain customer data depends on the purpose for which it is used. SponsorCloud retains customer data as long as an account is active, as needed to provide services to the customer, or in accordance with the agreement(s) between SponsorCloud and the customer. An exemption to this policy would include if SponsorCloud is required by law to dispose of data earlier or keep data longer. SponsorCloud may retain and use customer data to comply with its legal obligations, resolve disputes, and enforce agreements.

    Except as otherwise set forth in the SponsorCloud policies, SponsorCloud also disposes of customer data when requested by customers.

    SponsorCloud maintains a sanitization process that is designed to prevent sensitive data from being exposed to unauthorized individuals. SponsorCloud hosting and service providers are responsible for ensuring the removal of data from disks allocated to SponsorCloud use before they are repurposed or destroyed.

    Change and Development Management

    To protect against unauthorized changes and the introduction of malicious code, SponsorCloud maintains a Change Management Policy with change management procedures that address the types of changes, required documentation, required review and/or approvals, and emergency changes. Changes to SponsorCloud production infrastructure, systems, and applications must be documented, tested, and approved before deployment.

    Vulnerability and Patch Management

    SponsorCloud uses a proactive vulnerability and patch management process that prioritizes and implements patches based on classification. Such classification may include whether the severity is security-related or based on other additional factors. SponsorCloud schedules third party penetration tests and/or performs internal assessments at least annually.

    If you believe you have discovered a vulnerability, please email privacy@sponsorcloud.io and SponsorCloud will aim to address the vulnerability, if confirmed, as soon as possible.

    Environment Separation

    As necessary, SponsorCloud maintains requirements and controls for the separation of development and production environments.

    Source Code

    SponsorCloud controlled directories or repositories containing source code are secured from unauthorized access.

    Logging and Monitoring

    SponsorCloud collects & monitors audit logs and alerts on key events stemming from production systems, applications, databases, servers, message queues, load balancers, and critical services, as well as IAM user and admin activities. SponsorCloud manages logging solution(s) and/or SIEM tool(s) to collect event information of the aforementioned systems and activities. SponsorCloud implements filters, parameters, and alarms to trigger alerts on logging events that deviate from established system and activity baselines. Logs are securely stored and archived for a minimum of 1 year to assist with potential forensic efforts.

    Logs are made available to relevant team members for troubleshooting, auditing, and capacity planning activities. System and user activity logs may be utilized to assess the causes of incidents and problems. SponsorCloud utilizes access control to prevent unauthorized access, deletion, or tampering of logging facilities and log information.

    When events and alerts are generated from monitoring solutions and mechanisms, SponsorCloud correlates those events and alerts across all sources to identify root causes and formally declare incidents, as necessary, in accordance with the Security Incident Response Policy and Change Management Policy.

    Additionally, SponsorCloud utilizes threat detection solution(s) to actively monitor and alert on network and application-based threats.

    Business Continuity and Disaster Recovery

    SponsorCloud maintains a plan for continuous business operations if facilities, infrastructure or systems fail. The plan is tested, reviewed and updated at least annually.

    Backup Policy

    Backups are performed according to appropriate backup schedules to ensure critical systems, records, and configurations can be recovered in the event of a disaster or media failure.

    Security Incident Response

    SponsorCloud maintains a plan that defines responsibilities, detection, and corrective actions during a security incident. The plan will be executed following the discovery of an incident such as system compromise, or unintended/unauthorized acquisition, access, use or release of non-public information. The plan is tested, reviewed and updated at least annually.

    SponsorCloud utilizes various monitoring and surveillance tools to detect security threats and incidents. Early detection and response can mitigate damages and minimize further risk to SponsorCloud.

    A message should be sent to privacy@sponsorcloud.io if you believe there may be a security incident or threat.

    Risk Management

    SponsorCloud requires a risk assessment to be performed at least annually. For risks identified during the process, SponsorCloud must classify the risks and develop action plans to mitigate discovered risks.

    Vendor Management

    SponsorCloud requires a vendor security assessment before third party products or services are used confirming the provider can maintain appropriate security and privacy controls. The review may include gathering applicable compliance audits (SOC 1, SOC 2, PCI DSS, HITRUST, ISO 27001, etc.) or other security compliance evidence. 

    Agreements will be updated and amended as necessary when business, laws, and regulatory requirements change.

    Exceptions

    SponsorCloud business needs, local situations, laws and regulations may occasionally call for an exception to this policy or any other SponsorCloud policy. If an exception is needed, SponsorCloud management will determine an acceptable alternative approach.

    Enforcement

    Any violation of this policy or any other SponsorCloud policy or procedure may result in disciplinary action, up to and including termination of employment. SponsorCloud reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. SponsorCloud does not consider conduct in violation of this policy to be within an employee’s or contractor’s course and scope of work.

    Any employee or contractor who is requested to undertake an activity that he or she believes is in violation of this policy must provide a written or verbal complaint to his or her manager or any other manager of SponsorCloud as soon as possible.

    The disciplinary process should also be used as a deterrent to prevent employees and contractors from violating organizational security policies and procedures, and any other security breaches.

    Responsibility, Review, and Audit

    SponsorCloud reviews and updates its security policies and plans to maintain organizational security objectives and meet regulatory requirements at least annually. The results are shared with appropriate parties internally and findings are tracked to resolution. Any changes are communicated across the organization.

    Vulnerability and Patch Management Policy

    Purpose and Scope

    This Vulnerability Management Policy defines an approach for vulnerability management to reduce system risks and integrate with patch management. From time to time, SponsorCloud may update this policy and implement different levels of security controls for different information assets, based on risk and other considerations. This policy is guided by security requirements specific to SponsorCloud including applicable laws and regulations.

    This policy applies to all SponsorCloud assets utilized by personnel acting on behalf of SponsorCloud or accessing its applications, infrastructure, systems or data. All personnel are required to read, accept, and follow all SponsorCloud policies and plans.

    Vulnerability and Patch Management Program

    SponsorCloud maintains a vulnerability management process that is integrated into the Change Management Process.

    SponsorCloud may periodically test the security posture of its applications and systems through third-party testing as well as vulnerability scanning.

    SponsorCloud also monitors multiple security alert lists such as the CVE Database and US-CERT to get up to date information on the latest vulnerabilities and threats.

    Third-Party Penetration and Vulnerability Tests

    SponsorCloud schedules third party security assessments, penetration tests, and/or dynamic analysis tests at least annually. SponsorCloud periodically performs vulnerability scans.

    Identifying Vulnerabilities

    SponsorCloud reviews third-party penetration test reports and vulnerability scan results to verify vulnerabilities and determine impact. 

    Scoring Vulnerabilities

    Vulnerabilities are derived from the Common Vulnerabilities and Exposures (CVE) Database and are documented and scored based upon the Common Vulnerability Scoring System (CVSS) standard.

    Mitigating Vulnerabilities

    If remediation is required, the appropriate team member at SponsorCloud will be notified of the requirements to remediate or mitigate the vulnerability and the time frame of such requirement will depend on the severity and risk of the vulnerability. Such tracking of vulnerabilities must be done through the company's change management tool and in accordance with the Change Management Process.

    The information obtained from the vulnerability scanning process will be shared with appropriate personnel throughout the organization on a “need to know” basis to help eliminate similar vulnerabilities in other information systems.

    Patching

    All system components, software and production environments shall be protected from known vulnerabilities by installing applicable vendor supplied security patches. Other patches not designated as critical by the vendor shall be applied on a normal maintenance schedule as defined by normal systems maintenance and support operating procedures.

    System and Non-Company Application Patching

    Patching includes updates to all operating systems and third party applications as provided by the appropriate vendor.

    SponsorCloud Application Patching

    SponsorCloud applications are patched in accordance with the Change Management Policy. Patches deemed to be of a high or critical nature may be rolled out in a compressed schedule as set forth in such policy.

    Patching Exceptions

    Patching production systems (e.g. servers and enterprise applications) may require complex testing and installation procedures. In certain cases, risk mitigation rather than patching may be preferable. The risk mitigating alternative should be determined through a documented risk analysis.

    Exceptions

    SponsorCloud business needs, local situations, laws, and regulations may occasionally call for an exception to this policy or any other SponsorCloud policy. If an exception is needed, SponsorCloud management will determine an acceptable alternative approach.

    Enforcement

    Any violation of this policy or any other SponsorCloud policy or procedure may result in disciplinary action, up to and including termination of employment. SponsorCloud reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. SponsorCloud does not consider conduct in violation of this policy to be within an employee’s or contractor’s course and scope of work.

    Any personnel who is requested to undertake an activity that he or she believes is in violation of this policy must provide a written or verbal complaint to his or her manager or any other manager of SponsorCloud as soon as possible.

    The disciplinary process should also be used as a deterrent to prevent employees and contractors from violating organizational security policies and procedures, and any other security breaches.

    Responsibility, Review, and Audit

    SponsorCloud reviews and updates its security policies and plans to maintain organizational security objectives and meet regulatory requirements at least annually. The results are shared with appropriate parties internally and findings are tracked to resolution. Any changes are communicated across the organization.


    👤 For questions or help with the process, email us at success@sponsorcloud.io or Schedule a meeting. An experienced Customer Success Manager will reach out to assist you.