Skip to content
Architecture & Design doc sample where senior engineers review the architecture and design of the system to make sure it is secureCode review - checks, settings - to ensure only approved code gets mergedError and application monitoring - To monitor the system in UAT before pushing to prodCode sample of encryption of critical data like voucher card number and pin
List of vendors - Vendors security review meetingWe made a major change to our app and backend architecture in January. Post this we got our system assessed in February by a CERT-in vendor.We made another architecture change in June in our checkout flow. Post this change also we got that area of our system audited.Security events on production servers - This doesn’t apply to us as we are using AWS managed container service ECS to run our applications. With ECS, no one can SSH into the servers.DBs - We are again using AWS RDS. To capture the critical events, we will switch on the audit logs. We will have this up by Jan 15For Infra, we have Infrastructure As Code. Any change to Infra structure is reviewed just like how we do code review.
DR Drill ReportBCP planISO Certificate Audit report year is 2013API rate limitingEvidence of configurationCERT-in audit of APISASTEvidence
Infosec Review
Dec 27 - Evidences and responses from Hubble for the pending items
Evidences
Section
Item
Evidence
Comments
Policies and standards
Submit the ISO certificate.
Evidence for periodic security review meeting
Data Protection and Access Control
Evidence for access revoking within 24 hrs
Evidence for periodic reports
Evidence for “Is Multi Factor Authentication (MFA) required for employees/contractors to log in to production systems remotly?”
The users who don’t have mfa setup are not actual people.
They are created for the purpose of programmatic access.
Software Supply Chain
Secure coding guideline process shared. Please share the evidences for implementing the policy
Proactive security
IT and Application layer - Please provide the timeframe for patching critical vulnerabilities
For the critical vulnerabilities, the core team does a review immediately after the vulnerability is identified.
If the fix the vulnerability is identified, then within 6 hours, we push out the fix.
In case the fix is not easily identifiable, we turn off or modify the affected area of the system, till we figure out the fix.
There are no rows in this table
Risks
Section
Item
Update
Policies and standards
We don’t have a dedicated infosec team
We don’t have a dedicated team.
The backend team along with our admin owns this area. The team comprises of 4 members - our tech lead and two senior engineers and the admin. This is the team that primarily worked on getting the system in place to get ISO27001.
We don’t have a policy exception process
We are working with the vendor who helped us with ISO to set this up.
We will have this by Jan 31.
Data Protection and Access Control
Encryption at field level
Currently we don’t do field level encryption for user PII.
We will start working on this from Jan 5 onwards and go live by Jan 15.
Do you regularly audit/assess your critical vendors' information security
Most of our vendors we have are SAAS services. We have verified that they have ISO27001 or SOC2/3 compliance.
For the vendors that are not SAAS Services also, we verify that they have ISO27001 and other data security related compliance in place. I have setup a periodic process for to review this starting from next month.
Evidences
Software Supply Chain
Integrating SAST and DAST into our pipelines.
SAST - we will integrate this into our pipeline by Jan 31.
DAST - we will integrate this into our pipeline by Feb 15.
Proactive security
Is there a process of periodic Application Security Assessment on these web applications/ APIs? What is the frequency?
We don’t have a periodic process in place for this. We do application security assessment post a major change to the system.
We will setup a process for getting our systems audited yearly. Does that work?
Are all security events (authentication events, SSH session commands, privilege elevations) in production servers, DBs, network infra etc. logged?
Are these logs getting monitored for suspecious activities, and required action taken?
We will route the logs from major services to Cloudtrail and leverage Cloudtrail’s anomaly detection facility to detect suspicious events. We will get this up and running by Jan 31.
Reactive security
How security log alerts are monitored and acted upon? (w.r.t logs from OS, Database, Applications, firewalls, Cloud assets etc.)
We will route the logs from major services to Cloudtrail and leverage Cloudtrail’s anomaly detection facility to detect suspicious events. We will get this up and running by Jan 31.
Do you have a formal service level agreement (SLA) for incident response?
We will work on this and share by Jan 5
Do you have formally defined criteria for notifying a client during an incident that might impact the security of their data or systems? What are your SLAs for notification to Niyo? 1.
We will work on this and share by Jan 5
Customer Facing Appsec
Does your API implement rate limiting?
Yes. We have WAF setup.
How does your application store API keys securely?
Yes.
Evidences
Does application support IP whitelisting for API access?
Compliance
Internal audit - conducting, scope and frequency
Given we don’t have a dedicated Infosec team, can we take this as an acceptable risk?
BCP/DR
Drills and drill reports
DR
Although we haven’t done any drills, we have setup our Infra in such a way that it is highly available. I have shared a document elaborating the same.
We will explore vendors who can help us with the DR drill. We can give an timeline only post knowing the scope of this activity.
BCP
No team in the company is in anyway dependent on anything particular in our office. In the event of any emergency or disaster, our team is well setup to work from home. In fact, we have folks working out of their homes and hometown regularly.
There are no rows in this table
4 Jan 2024
Want to print your doc?
This is not the way.
This is not the way.
Try clicking the ··· in the right corner or using a keyboard shortcut (
CtrlP
) instead.