Versions Compared


...

  • The content management system, customer relationship management, and e-commerce databases and database exports should always be treated as confidential since these contain personal information.

  • The uploaded files directory may need to be treated as confidential if the client site has any access-controlled content.

  • The site source code can normally be treated as non-confidential unless this includes proprietary code from the client or 3rd parties.

  • The contents of the project management site (e.g., Trac, JIRA, TrelloGithub, etc.), e-mail lists, and related communication tools will normally contain a mixture of confidential and non-confidential information:

    • Information authored by Axelerant for clients will generally be non-confidential unless an NDA binds us. However, Axelerant may from time to time produce content for a client that is owned by the client and/or includes proprietary IP (such as trademarks or copyrighted text); such content should not be disseminated to third parties used by Axelerant except by express permission of the client.

    • Information authored by clients or 3rd parties should generally be treated as confidential unless it is clearly public-facing. Even then, its use other than as outlined in the engagement agreement may still require client permission. If in doubt, ask your supervisor or the General Counsel.

    • Non-confidential materials can be sourced for distribution or repurposing but should be reviewed and redacted, if needed, to ensure no confidential information remains.

...

  • Axelerant Google Apps (Gmail, Hangouts, Docs, Drive, etc.)

  • Web-based collaboration accounts such as

    • Our home site

    • Intranet (internal team collaboration)

    • Project management site (TracJira, JIRAGithub, Balsamiq, GitLab, ...)

    • 3rd party collaboration tools (such as Slack, TrelloZoom, ...)

    • IP telecommunications/conferencing accounts

...

  • Usage must be directly related to your work with Axelerant; personal use (including personal projects) must be approved in advance by the CIO.

  • Usage that in any way would be harmful to Axelerant, our partners, or their end-clients is forbidden.

  • Storing confidential personal information from client website users (for example, CSV exports from CiviCRMCMS) on internal collaboration systems should be avoided wherever possible, especially on 3rd party services such as Google Docs.

  • Confidential information (other than personal information) should only be stored in areas restricted by access control, such as the project management area.

  • Binary software executable files should not be distributed via internal collaboration systems, as we do not have anti-virus scanning in place. Uploading human-readable source code and scripts (PHP, Bash, Perl, etc.) is acceptable (but should be considered a risk).

...

If a system is believed to be compromised, whether through theft, loss, remote access, or virus/malware infection, the Axelerant IT people operations team should be informed immediately.

...

A password manager (such as LastPass1Password) can easily create and maintain hundreds of different 16 character (or more!) passwords. It is a must for all employees to use LastPass 1Password as a password manager at Axelerant. Be sure to choose a strong password for your password manager.

...

Security Awareness & Tools

We maintain a Security Awareness and Tools document that dives deeper into some additional topics, including:

...

  • All engineering team members are encouraged to use GNU/Linux- and OS X-based systems, which are less vulnerable to virus attacks.

  • All Axelerant employees should have antivirus software installed on their endpoints irrespective of the project/engagement.

  • Currently, we are in the process of purchasing an anti-virus solution; until then, if a specific project needs virus protection, the respective Project Managers/Tech Leads can raise a ticket at the SRE Service Desk requesting it for their team members.

  • Team members receive an annually subscribed Norton business antivirus license. The license is handed over to them, and its installation is ensured by the SRE team. This bundle is maintained as an email-based subscription per employee and can be used on multiple devices, including smartphones and tablets.

  • By default, automated anti-virus updates are enabled on the endpoints, and the web interface provided by Norton Antivirus reports the status of antivirus installation and updates for each user. We have also configured email alerts on this interface that notify the SRE team of any pending updates.

  • Since the subscription is email-based, decommissioning is done when the employee is offboarded from the project or organization.

Logging and Monitoring Policy

  • Tech Leads and PMs are responsible for making sure that logging and monitoring are in place for all team members and endpoints as part of project onboarding. A ticket can be raised at the SRE Service Desk requesting this.

  • The SRE team helps to set up a dev-util (an ansible-playbook) that installs a log shipper along with several other utilities, based on the requirement. This log shipper collects syslogs and user/auth logs from the employee’s laptop and sends them to a central ELK stack hosted in AWS.

  • A system log is a file containing events recorded by operating system components. It may contain information such as device drivers, events, operations, or even device changes. It can usually be found under the name system.log, syslog, or sys.log.

  • Since many employees work on a BYOD device, they are encouraged to use a separate account (with admin privileges) for all work. This account is configured with all these dev-utils. Other personal accounts are not monitored for any network activity.

  • The dev-util is disabled, and the host is also unlinked from the inventory on the server side, when the person is taken off the project or resigns from the company.

Types of logs collected

  • syslogs and user/auth logs are collected from the endpoints. For logging/monitoring any other logs, reach out to the SRE team.

How are logs being monitored?

Logs are reviewed by the SRE team periodically to check for any malicious process.

Steps to set up logging/monitoring

The steps to set this up are as follows:

  1. Install Ansible by following the steps recommended for your operating system at this link.

  2. Download this script folder from this link (please use this link until 5th May 2021).

  3. After unzipping the folder in your desired location, navigate to the folder in your terminal.

  4. Run the command ansible-playbook filebeat.yml -K from the unzipped folder.

  5. Once the command is run, it will ask for your laptop’s password and for the Elasticsearch password, which is shared with you via LastPass under the name “Filebeat Credentials”.

  6. Once the script has run successfully without any errors, please confirm with the SRE team whether your logs are being traced.
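
Before asking the SRE team to confirm (step 6), the resulting Filebeat configuration can be sanity-checked locally. The script below is an added example, not part of the SRE playbook; the log paths, host name and user in its sample config are constructed assumptions.

```shell
# Added example: local checks on a Filebeat config after the playbook run.
# The log paths, host and user in the sample are constructed assumptions.

# Succeeds if a system log path and an auth log path are both listed.
covers_required_logs() {
    grep -Eq '^ *- */var/log/(syslog|system\.log|messages)$' "$1" &&
    grep -Eq '^ *- */var/log/(auth\.log|secure)$' "$1"
}

# Succeeds only if the Elasticsearch hosts use https:// and never http://.
output_uses_tls() {
    hosts=$(awk '/^output\.elasticsearch:/ {o=1; next}
                 /^[^ #]/ {o=0}
                 o && /hosts:/' "$1")
    printf '%s\n' "$hosts" | grep -q 'https://' || return 1
    ! printf '%s\n' "$hosts" | grep -q 'http://'
}

# Succeeds if group and others have no permissions on the file (e.g. 0600).
is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

check_filebeat_config() {
    rc=0
    covers_required_logs "$1" || { echo "FAIL: syslog/auth paths missing"; rc=1; }
    output_uses_tls "$1" || { echo "FAIL: output is not https-only"; rc=1; }
    is_private "$1" || { echo "FAIL: config open to group/others"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK: $1"
    return "$rc"
}

# Constructed sample config, for demonstration only.
write_sample() {
    cat > "$1" <<'EOF'
filebeat.inputs:
  - type: log
    paths:
      - /var/log/syslog
      - /var/log/auth.log
output.elasticsearch:
  hosts: ["https://elk.example.internal:9200"]
  username: "filebeat_writer"
  password: "${ES_PWD}"
EOF
}

sample=$(mktemp) && write_sample "$sample" && check_filebeat_config "$sample"
rm -f "$sample"
```

To check a real installation, call check_filebeat_config on the config file the playbook wrote; on Linux package installs this is typically /etc/filebeat/filebeat.yml, which is an assumption about the playbook.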

Got Questions?

...

Contact your manager or Axelerant people operations team immediately.