Security Policy

1. Purpose

Information security is the protection of information against accidental or malicious disclosure, modification or destruction. Information is an important, valuable asset which is managed with care.
Access controls are put in place to protect information by controlling who has the rights to use different information resources and by guarding against unauthorised use.
Formal procedures control how access to information is granted and how such access is changed.
This policy also mandates a standard for the creation of strong passwords, their protection and frequency of change.

2. How you can protect yourself

2.1 Choosing Passwords

Passwords are the first line of defence for our ICT systems and together with the user ID help to establish that people are who they claim to be.
A poorly chosen or misused password is a security risk and may impact upon the confidentiality, integrity or availability of our computers and systems.

2.1.1 Weak and strong passwords

A weak password is one which is easily discovered, or detected, by people who are not supposed to know it. Examples of weak passwords include words picked out of a dictionary, names of children and pets, car registration numbers and simple patterns of letters from a computer keyboard.
A strong password is a password that is designed in such a way that it is unlikely to be detected by people who are not supposed to know it, and difficult to work out even with the help of a computer.
Everyone must use strong passwords with a minimum standard of:

2.2 Protecting Passwords

It is of utmost importance that the password remains protected at all times. The following guidelines should be adhered to at all times:

2.3 Changing Passwords

All user-level passwords should be changed as often as possible, or whenever a system prompts you to change it. Default passwords should also be changed immediately. If you become aware, or suspect, that your password has become known to someone else, you should change it immediately and report your concern to the Exentriq IT Helpdesk.
Users should not reuse the same password within many password changes.

2.4 User Responsibilities

It is a user's responsibility to prevent their userID and password being used to gain unauthorised access to Exentriq Platform by:

3. How we protect you

3.1 User Access Management

Formal user access control procedures are documented, implemented and kept up to date for each application and information system to ensure authorised user access and to prevent unauthorised access. Such access control procedures cover all stages of the lifecycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access.
User access rights are reviewed at regular intervals to ensure that the appropriate rights are still allocated. System administration accounts are provided only to users that are required to perform system administration tasks.
Automation is used at full scale to detect anomalies and enforce compliance.

3.2 System Administration Standards

The password administration process for individual Exentriq systems is well-documented and available to designated individuals.
All Exentriq IT systems are configured to enforce the following:

3.3 Supplier's Remote Access to Exentriq Infrastructure

Partners or 3rd party suppliers are not given details of how to access Exentriq Infrastructure without permission from IT Helpdesk. Any changes to supplier’s connections are immediately sent to the IT Helpdesk so that access can be updated or ceased. All permissions and access methods are controlled by IT Helpdesk and a log of activity is maintained.

3.4 Operating System Access Control

Access to operating systems is controlled by a secure process. The access control defined in the User Access Management and the login procedure is also protected by:

All access to operating systems is via a unique login id that will be audited and can be traced back to each individual user. The login id does not give any indication of the level of access that it provides to the system (e.g. administration rights).
System administrators have individual administrator accounts that will be logged and audited. The administrator account is not used by individuals for normal day to day activities.

3.5 Application and Information Access

Access within Exentriq Infrastructure is restricted using the security features built into the individual product. The IT Helpdesk is responsible for granting access within the Exentriq Infrastructure. The access is:

3.6 Incident Management

We notify customers of security incidents that impact their data or service and work with the customer in good faith to address any known breach of security obligations. We log all changes in user permissions and revoke access when no longer required.

3.7 CSA STAR Registry

Exentriq is aligned to the security guidelines of the Cloud Security Alliance, more Information about security and privacy related practices can be found in the Cloud Security Alliance registry at the following URL
Exentriq CAIQ CSA STAR Registry:

Exentriq Website, updated 16/09/2020