Introduction
Purpose
This document is the foundation of Koi Flow's information security program. Its purpose is to establish a security governance framework and a set of security policies that safeguard the confidentiality, integrity, and availability of Koi Flow's information assets, in accordance with the regulations referenced in this document.
Scope and Applicability
The practices outlined in this document apply broadly across individuals, processes, and compliance standards. To give explicit direction and clear alignment with organizational goals, the scope of this document is outlined below.
Organizational Scope
This document applies to all employees, contractors, third-party vendors, and any other individuals who have access to Koi Flow's information systems, networks, and data.
Technical Scope
The policies and procedures outlined herein pertain to all hardware, software, cloud-based services, networks, and data owned, operated, or maintained by Koi Flow.
Compliance Scope
These policies are designed to ensure compliance with relevant laws, regulations, and industry standards.
Document Revision History
Version 1.0 (2023-12-27): Initial release of the Security Governance and Policy document.
Roles and Responsibilities
Technology Department - led by the Chief Technology Officer (CTO). Responsible for implementing the security measures required by this policy, for technical reporting, and for periodic security reviews that confirm adherence to this policy.
Compliance Department - led by the Chief Compliance Officer (CCO). Responsible for providing guidance on the security measures needed to comply with relevant regulations and best practices, and for monitoring adherence to this policy; may enlist other departments to assist in its enforcement.
Incident Response Team - key positions within each department across the organization serve on the Incident Response Team. The team is responsible for responding to and mitigating security incidents, following predefined incident response plans to address breaches, vulnerabilities, and other security events.
Security Policy
Monitoring and Logging
Infrastructure Logs
Monitoring services log activities and changes within the Cloud Environment, including, but not limited to, change management records for source code and cloud infrastructure. Logs are monitored, analyzed for anomalies, and stored in a manner that prevents tampering for at least one year.
Access Logs
Documentation of access control activities involves maintaining logs of user access, modifications to access permissions, and activities related to privileged accounts.
Monitoring
Automated monitoring and alerting serve as the first line of defense against unauthorized activities. Manual review of logs is conducted regularly to supplement automated monitoring and to refine its detection rules.
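As an added illustration (not part of the original policy document, and not Koi Flow's own tooling), the following Python script shows what the automated first line of defense described above can look like in practice: a small rule set run over access-log lines that flags successful logins without MFA, access from outside the VPN range, repeated login failures, and every change to access permissions, while surfacing log lines it cannot parse rather than silently dropping them. The JSON log schema, the VPN address range, the privileged role names, and the sample log lines are all constructed assumptions for this example.

```python
"""Rule-based monitoring over access logs (added example, hypothetical log schema)."""
from __future__ import annotations

import ipaddress
import json
from collections import Counter
from typing import Iterable

# Assumptions for this example: the corporate VPN egress range, the event names
# that constitute a permission change, and the failed-login alert threshold.
VPN_RANGES = [ipaddress.ip_network("10.8.0.0/16")]
PERMISSION_EVENTS = {"role.assign", "role.revoke", "policy.update", "group.add_member"}
FAILED_LOGIN_THRESHOLD = 5

# Constructed sample log, one JSON object per line. Not real data.
SAMPLE_LOG = """
{"ts":"2024-01-09T08:00:01Z","user":"alice","action":"login","result":"success","mfa":true,"src_ip":"10.8.12.5","role":"engineer"}
{"ts":"2024-01-09T08:02:10Z","user":"bob","action":"login","result":"success","mfa":false,"src_ip":"10.8.3.77","role":"admin"}
{"ts":"2024-01-09T08:03:00Z","user":"bob","action":"role.assign","target":"carol:cloud-admin","src_ip":"10.8.3.77","role":"admin"}
{"ts":"2024-01-09T08:05:42Z","user":"eve","action":"login","result":"failure","src_ip":"203.0.113.9"}
{"ts":"2024-01-09T08:05:44Z","user":"eve","action":"login","result":"failure","src_ip":"203.0.113.9"}
{"ts":"2024-01-09T08:05:46Z","user":"eve","action":"login","result":"failure","src_ip":"203.0.113.9"}
{"ts":"2024-01-09T08:05:48Z","user":"eve","action":"login","result":"failure","src_ip":"203.0.113.9"}
{"ts":"2024-01-09T08:05:50Z","user":"eve","action":"login","result":"failure","src_ip":"203.0.113.9"}
{"ts":"2024-01-09T08:10:00Z","user":"dave","action":"read","target":"customer-db/orders","src_ip":"198.51.100.20","role":"engineer"}
this line is not JSON and must not be silently dropped
"""


def _in_vpn(ip: str) -> bool:
    """True if the source address falls inside one of the VPN ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparseable address is treated as outside the VPN
    return any(addr in net for net in VPN_RANGES)


def analyze(lines: Iterable[str]) -> list[dict]:
    """Apply the detection rules to log lines and return a list of alerts."""
    alerts: list[dict] = []
    failures: Counter[str] = Counter()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            # A malformed line is itself worth an alert: it may be tampering or a broken pipeline.
            alerts.append({"rule": "unparseable_log_line", "raw": raw})
            continue
        user = ev.get("user", "<unknown>")
        action = ev.get("action", "")
        ip = ev.get("src_ip", "")
        result = ev.get("result")

        # Rule 1: a successful login must carry an MFA assertion.
        if action == "login" and result == "success" and not ev.get("mfa", False):
            alerts.append({"rule": "login_without_mfa", "user": user, "src_ip": ip})

        # Rule 2: any activity that is not a failed login must originate from the VPN.
        if result != "failure" and not _in_vpn(ip):
            alerts.append({"rule": "access_outside_vpn", "user": user, "action": action, "src_ip": ip})

        # Rule 3: repeated login failures for one account (alert once, at the threshold).
        if action == "login" and result == "failure":
            failures[user] += 1
            if failures[user] == FAILED_LOGIN_THRESHOLD:
                alerts.append({"rule": "repeated_login_failures", "user": user, "count": failures[user]})

        # Rule 4: every modification to access permissions is surfaced for review.
        if action in PERMISSION_EVENTS:
            alerts.append({"rule": "permission_change", "user": user, "action": action, "target": ev.get("target")})
    return alerts


def run_sample() -> list[dict]:
    """Run the rules over the constructed sample log."""
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Each rule maps to a commitment in the policy text: MFA and VPN for all personnel access, logging of permission changes, and automated alerting on unauthorized activity. The manual review the policy calls for is where thresholds such as the failed-login count and the VPN ranges get tuned.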
System & Network Security
Access Controls.
All Koi Flow personnel access uses a unique user ID, follows the principle of least privilege, requires a VPN connection and multi-factor authentication (MFA), and uses passwords that meet or exceed PCI DSS length and complexity requirements. Role-based access control (RBAC) ensures that users hold only the permissions needed to access the data and resources required for their duties.
Koi Flow personnel will not access Customer Data except (i) as reasonably necessary to provide Koi Flow Offerings under the Agreement or (ii) to comply with the law or a binding order of a governmental body.
Firewalls & Security Groups.
Koi Flow implements industry-standard firewall or security group technology with default-deny policies, permitting only the ingress and egress traffic that is business-required.
Endpoint Security.
For access to the Cloud Environment, Koi Flow personnel use Koi Flow-issued laptops with security controls that include, but are not limited to, (i) disk encryption and (ii) endpoint detection and response (EDR) tools that monitor and alert for suspicious activities and potential malware, viruses and/or malicious computer code (collectively, “Malicious Code”).
Separation of Environments.
Koi Flow logically separates production environments from development environments. The Cloud Environment is both logically and physically separate from Koi Flow’s corporate offices and networks.
Hardening.
To protect Koi Flow resources from vulnerabilities, these resources are hardened using industry-standard practices, including changing default passwords, removing unnecessary software, disabling or removing unnecessary services, and regular patching as described in this document.
Vulnerability Detection & Management
Anti-Virus & Vulnerability Detection.
The Cloud Environment uses threat detection tools with daily signature updates to monitor and alert for suspicious activities and/or Malicious Code. Koi Flow does not scan Customer Data for Malicious Code.
Penetration Testing & Vulnerability Detection.
Koi Flow regularly conducts penetration tests and engages one or more independent third parties to perform penetration tests of the Service at least annually.
Encryption
Encryption of Customer Data.
Koi Flow encrypts Customer Data at rest using AES 256-bit (or stronger) encryption, and protects Customer Data in transit to and from the Service over untrusted networks with Transport Layer Security (TLS) 1.2 or later.
Encryption Key Management.
Koi Flow’s encryption key management conforms to NIST SP 800-53 and includes regular rotation of encryption keys. Hardware security modules (HSMs) safeguard top-level encryption keys. Koi Flow logically separates encryption keys from Customer Data.
Physical Controls
Facility Access.
Koi Flow facilities are controlled by access control devices and monitored by surveillance systems and/or personnel. Identification keys are issued to each employee or visitor and grant access only to the necessary premises; they are not to be shared. Within Koi Flow facilities, technical hardware and physical documents are secured by appropriate means to prevent theft and unauthorized access.
Workstation Use & Security.
Workstations are kept clear of any information that contains, or can be used to access, sensitive information. Privacy screens are required to prevent unauthorized personnel from viewing screens. Workstation screens must be locked whenever the employee is not present and actively working. Computers require strong passwords and MFA to prevent unauthorized access in the case of theft or loss. Hardware is disposed of in a secure manner, and any re-use of hardware requires a factory reset.
External Devices.
External hard drives are strictly prohibited from use with Koi Flow machines and will not be recognized when connection is attempted. Other external devices that extend the use of Koi Flow machines are provided by the IT Support and/or Security team after review.
Administrative Controls
Personnel Security.
Koi Flow requires criminal background screening of its personnel as part of its hiring process, to the extent permitted by applicable law.
Personnel Training.
Koi Flow maintains a documented security awareness and training program for its personnel, including, but not limited to, onboarding and ongoing training.
Personnel Agreements.
Koi Flow personnel are required to sign confidentiality agreements. Koi Flow personnel are also required to sign Koi Flow’s information security policy, which includes acknowledging responsibility for reporting security incidents involving Customer Data.
Personnel Access Reviews & Separation.
Koi Flow reviews the access privileges of its personnel to the Cloud Environment at least quarterly, and removes access on a timely basis for all separated personnel.
Koi Flow Risk Management & Threat Assessment.
Koi Flow’s risk management process is modeled on NIST SP 800-53 and ISO 27001. Koi Flow’s security committee meets regularly to review reports and material changes in the threat environment, and to identify potential control deficiencies in order to recommend new or improved controls and threat mitigation strategies. This is detailed below.
Vendor Risk Management.
Koi Flow maintains a vendor risk management program for vendors that process Customer Data, designed to ensure each vendor maintains security measures consistent with Koi Flow’s obligations in this document.
Risk Management & Continuous Improvement
Risk Identification.
Data Classification. Identify and classify the types of data processed, stored, and transmitted, including sensitive information such as healthcare data and payment details.
System Security. Employ testing and threat modeling techniques to discover vulnerabilities that could permit unauthorized access.
Audits & History Analysis. Koi Flow retains records of all reviews and incidents and uses them for root cause analysis of potential risks.
Risk Assessment.
The risk level assigned is a function of the likelihood that a vulnerability is exploited and the potential impact of such a compromise. To rate a vulnerability as ‘critical’, ‘high’, or ‘medium’, Koi Flow uses the Common Vulnerability Scoring System (CVSS) scores published in the National Vulnerability Database (NVD) or, where applicable, the US-CERT rating.
Risk Mitigation.
Risk treatment plans range from reporting and training updates to enterprise-wide security changes and policy updates. Remediation is governed by relevant stakeholders and subject matter experts and is informed by the Risk Assessment.
Continuous Improvement.
Policies are initially set to follow industry-standard frameworks, with a focus on this organization’s specific goals and operations. Recurring root causes across both resolved and unresolved risks are identified and assessed, creating a feedback loop that makes the technology stack more resilient.
Adherence
Audit Framework & Planning.
Industry Standards. Security audits are conducted according to established best practices, which may include frameworks such as ISO/IEC 27001, NIST, or industry-specific regulations. For external audits, the framework takes into account any additional standards or requirements imposed by external entities, such as regulatory bodies or industry certification bodies.
Internal Policies and Procedures. The audit framework incorporates internal policies and procedures to ensure that organization-specific security guidelines are consistently applied and evaluated.
Risk-Based Approach. The framework takes a risk-based approach, prioritizing areas of focus by potential impact and likelihood, so that audits address the most significant security risks.
Audit Process. Execution follows a standardized approach: i) definition of the audit scope, ii) assignment of responsibilities to relevant stakeholders, iii) data collection and findings, iv) recommendations, and v) delivery of Corrective Action Remediations (CARs) prioritized according to the guidelines in the Risk Management process.
Security Awareness, Training, and Evaluation.
Employee Training Programs. Koi Flow implements security awareness training programs that educate employees on security policies, best practices, their responsibilities, and the importance of data protection.
Communication. Security policies are made easily accessible to all employees through centralized repositories, and updates are communicated through multiple channels.
Enforcement.
Individuals are held responsible for policy violations. Depending on the severity and recurrence of the violation, disciplinary action, warnings, or additional training may follow. Reporting mechanisms, including anonymous channels, are in place to encourage employees to report concerns or potential policy violations.
Monitoring. As detailed earlier in this document, automated and manual monitoring of access logs is used to identify usage that violates policy.
Incident Response
Security Incident Reporting.
If Koi Flow becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data (a “Security Incident”), Koi Flow shall notify Customer without undue delay and, in any case where feasible, within 72 hours after becoming aware.
Investigation.
In the event of a Security Incident, Koi Flow shall promptly take reasonable steps to contain, investigate, and mitigate it. Any logs determined to be relevant to a Security Incident shall be preserved for at least one year. The investigation is led by the Security Team, which may enlist other relevant personnel to assist.
Communication and Cooperation.
Koi Flow shall provide Customer timely information about the Security Incident to the extent known to Koi Flow, including, but not limited to, the nature and consequences of the Security Incident, the measures taken and/or proposed by Koi Flow to mitigate or contain it, the status of Koi Flow’s investigation, a contact point from which additional information may be obtained, and the categories and approximate number of data records concerned.
Notwithstanding the foregoing, Customer acknowledges that because Koi Flow personnel may not have visibility into the content of Customer Data, Koi Flow may be unable to provide information on the particular nature of the Customer Data or, where applicable, the identities, number, or categories of affected data subjects. Communications by or on behalf of Koi Flow with Customer in connection with a Security Incident shall not be construed as an acknowledgment by Koi Flow of any fault or liability with respect to the Security Incident.
Business Continuity.
Koi Flow retains both cloud-based and non-cloud-based redundant versions of the services provided, in case of natural disaster or system failure. If the cloud-based version is inaccessible, Koi Flow will fail over to the redundant versions to best meet the commitments in the Services Agreement with the Customer.
Customer Rights & Shared Security Responsibilities
Shared Security Responsibilities.
Without diminishing Koi Flow’s commitments in this Security document, Customer agrees:
Legality of Provided Data. Koi Flow has no obligation to assess the content, accuracy, or legality of Customer Data, including to identify information subject to any specific legal, regulatory, or other requirement.
User Credential Protection. Customer is responsible for managing and protecting its User roles and credentials, including but not limited to (i) ensuring that all Users keep credentials confidential and do not share them with unauthorized parties, (ii) promptly reporting to Koi Flow any suspicious activity related to Customer’s Account (e.g., a compromised user credential) by submitting a support ticket, and (iii) maintaining appropriate password uniqueness, length, complexity, and expiration.