Information Security Policies and Procedures
Introduction
This document outlines the information security policies and procedures for R. N. Studio Jogo, a SaaS provider specializing in generating puzzles using AI and curated content. Our platform runs on AWS for cloud hosting and MongoDB Atlas for database management. This policy establishes guidelines to protect our information assets, ensure data integrity, and maintain service continuity in our cloud-based, AI-driven puzzle generation environment.
Purpose
The purpose of these policies is to safeguard sensitive data, protect against security threats, and comply with legal and regulatory requirements, thereby ensuring trust and reliability for our users and stakeholders.
Scope
These policies apply to all employees, contractors, and third-party service providers who access our cloud infrastructure. They cover all hardware, software, network resources, and data used in our operations.
Information Security Policies
User Access Control
- Policy: Access to AWS and MongoDB Atlas is governed by the principle of least privilege. Users are granted access rights based on job requirements, and access is reviewed and adjusted periodically. Multi-factor authentication is mandatory for all access.
Data Protection
- Policy: All sensitive data stored in AWS and MongoDB Atlas is encrypted at rest and in transit. Regular backups are performed, and data retention policies are strictly followed. Personal data is handled in compliance with GDPR and CCPA.
MFA
- Policy: Multi-Factor Authentication (MFA) is mandatory for accessing our Content Management System (CMS). After entering a correct password, users receive a one-time code at their registered email address and must enter it to complete the login. A compromised password alone is therefore not enough to gain access; an attacker would also need control of the user's mailbox, so the strength of this control depends on that mailbox being protected by its own MFA.
Procedure:
- Users enter their password and then receive a code at their registered email address.
- If users do not have access to their email or cannot authenticate, they must contact support for assistance.
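The code flow described above, as an added illustration (example code, not the CMS implementation of R. N. Studio Jogo): codes are generated with a CSPRNG, stored server-side only as salted hashes, expire after a fixed lifetime, are single-use, and allow a bounded number of guesses before a fresh code (and a fresh password entry) is required. The 6-digit length, 10-minute lifetime and 5-attempt limit are assumed values; the policy does not specify them. Delivering the e-mail is left to the caller.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed parameters (the policy text does not fix these values).
CODE_DIGITS = 6
CODE_TTL_SECONDS = 600
MAX_ATTEMPTS = 5


@dataclass
class PendingChallenge:
    code_hash: str          # only a salted hash of the code is kept server-side
    salt: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


def _hash_code(code: str, salt: bytes) -> str:
    return hashlib.sha256(salt + code.encode()).hexdigest()


class EmailOtp:
    """Issues one-time codes after a correct password and verifies them.

    The store is an in-memory dict keyed by user id; a deployment would use
    the session store or a short-TTL cache. `now` is injectable for testing.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._pending: dict[str, PendingChallenge] = {}

    def issue(self, user_id: str) -> str:
        """Create a code for `user_id`; the caller e-mails the returned value."""
        # secrets.randbelow is unbiased; zfill keeps leading zeros in the code.
        code = str(secrets.randbelow(10 ** CODE_DIGITS)).zfill(CODE_DIGITS)
        salt = secrets.token_bytes(16)
        self._pending[user_id] = PendingChallenge(
            code_hash=_hash_code(code, salt),
            salt=salt,
            expires_at=self._now() + CODE_TTL_SECONDS,
        )
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        """Return True exactly once, for the right code within its lifetime."""
        challenge = self._pending.get(user_id)
        if challenge is None:
            return False
        if self._now() > challenge.expires_at:
            # Expired codes are discarded so a later guess cannot match them.
            del self._pending[user_id]
            return False
        # Charge the attempt before comparing so every wrong guess costs one.
        challenge.attempts_left -= 1
        ok = hmac.compare_digest(
            _hash_code(submitted, challenge.salt), challenge.code_hash
        )
        if ok or challenge.attempts_left <= 0:
            # Single use: drop the challenge on success, and on exhaustion so
            # the user must re-enter the password to obtain a new code.
            del self._pending[user_id]
        return ok
```

Storing only a hash means a leaked session store does not reveal live codes, and `hmac.compare_digest` keeps the comparison constant-time; the attempt counter is what turns a six-digit code from a brute-forceable space into a usable second factor.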
Incident Response
- Policy: We have an Incident Response Plan to address security breaches or data loss. The plan includes immediate containment, investigation, notification (as per legal requirements), and remediation steps.
Network Security
- Policy: Our network architecture on AWS is designed for security and resilience, with firewalls, intrusion detection systems, and regular vulnerability assessments. Access to MongoDB Atlas databases is restricted to authorized networks and personnel.
Physical Security
- Policy: While our core infrastructure is cloud-based, utilizing AWS and MongoDB Atlas which handle physical security for their data centers, our operational physical security is equally important. Our company operates from a co-working space provided by Regus, which has robust security measures in place.
- Regus Security Measures: Regus, as a professional co-working space provider, manages physical access controls to the building. This includes secured entry points, visitor management systems, and surveillance cameras to monitor common areas.
- Employee Access: Employees are provided access badges by Regus, which are required for entry into the workspace. These badges are programmed to allow access only during specific hours, aligning with our operational needs.
- Surveillance and Monitoring: The co-working space is equipped with surveillance systems that are monitored by Regus’ security personnel. This ensures any suspicious activities within the premises are promptly addressed.
- Environmental Protections: Regus provides a safe working environment with fire safety measures, climate control, and regular maintenance checks to protect our on-premises equipment and personnel.
- Incident Response: In the event of a security incident at the co-working space, Regus has protocols in place for immediate response. Our employees are instructed to promptly report any security concerns to both Regus management and our internal security team.
- Regular Security Reviews: We conduct regular reviews of the physical security measures provided by Regus to ensure they align with our security standards and expectations. Any gaps identified are addressed through coordination with Regus management.
Compliance and Legal Requirements
- Policy: We adhere to a comprehensive set of industry standards and legal requirements to ensure the highest level of information security and compliance. Recognizing our reliance on third-party cloud services, our compliance framework is designed to leverage and integrate the certifications and standards maintained by our cloud service providers, AWS and MongoDB Atlas.
- Cloud Service Provider Certifications:
- AWS Compliance: AWS maintains a wide range of compliance certifications covering the infrastructure we run on, including ISO/IEC 27001 for information security management and SOC 1, SOC 2, and SOC 3 reports. Under the shared responsibility model these attest to the physical and platform layers only; the security of our own configuration, IAM, data, and application code remains our responsibility.
- MongoDB Atlas Compliance: MongoDB Atlas, as our chosen database service, supports our GDPR obligations as a data processor and provides a secure and compliant data storage environment.
- Our Compliance Responsibilities:
- Data Protection Laws: We ensure compliance with data protection regulations such as GDPR and CCPA, particularly in aspects of data handling and processing that are under our direct control.
- Industry-Specific Regulations: Where applicable, we comply with industry-specific regulations, adapting our use of AWS and MongoDB Atlas services to meet these requirements.
- Collaboration with Cloud Providers:
- Our security and compliance teams work closely with AWS and MongoDB Atlas to ensure that our use of their services aligns with both their compliance offerings and our regulatory requirements.
Password Policy
- Policy: All user accounts must adhere to a stringent password policy to enhance security and prevent unauthorized access. The requirements for passwords are as follows:
- Minimum Length: Passwords must be at least 12 characters long.
- Complexity Requirements: Passwords must include a combination of uppercase and lowercase letters, numbers, and special characters (e.g., @, #, $, %, &).
- Expiration: Passwords are required to be changed every 180 days.
- Reuse Limitation: Users cannot reuse any of their last five passwords.
- Failed Login Attempts: Accounts will be temporarily locked after five failed login attempts, with a 15-minute lockout period.
These requirements help mitigate the risk of unauthorized access and are enforced across all platforms where user accounts are present.
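An added illustration of how the rules above can be enforced at the account level (example code, not the company's implementation): the complexity check reports every rule a candidate breaks, the reuse check re-hashes the candidate against stored salted hashes of previous passwords, and the login path applies the five-attempt, 15-minute lockout. "Special character" is assumed to mean any printable non-alphanumeric character, which covers the examples given. The 180-day expiration is a scheduled job and is not modelled, and PBKDF2 is used only so the example stays within the standard library.

```python
import hashlib
import hmac
import re
import secrets
import time
from collections import deque

# Policy parameters taken from the Password Policy section.
MIN_LENGTH = 12
HISTORY_SIZE = 5
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60

# One pattern per required character class. "special" is assumed to be any
# printable non-alphanumeric character, so @ # $ % & all qualify.
_CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9\s]"),
}


def password_violations(candidate: str) -> list[str]:
    """Return every rule the candidate breaks; an empty list means it complies."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in _CLASSES.items():
        if not pattern.search(candidate):
            problems.append(f"missing {name} character")
    return problems


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example standard-library only; a memory-hard hash such
    # as argon2id or scrypt is the usual choice for a real deployment.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Password history and failed-login lockout for one user. `now` is injectable."""

    def __init__(self, now=time.time):
        self._now = now
        # Current password plus the previous HISTORY_SIZE, as (salt, hash) pairs,
        # so the "last five passwords" are all rejected on reuse.
        self._history: deque[tuple[bytes, bytes]] = deque(maxlen=HISTORY_SIZE + 1)
        self._failures = 0
        self._locked_until = 0.0

    def set_password(self, new_password: str) -> None:
        problems = password_violations(new_password)
        if problems:
            raise ValueError("; ".join(problems))
        # Reuse check: re-hash the candidate with each stored salt and compare.
        for salt, digest in self._history:
            if hmac.compare_digest(_hash_password(new_password, salt), digest):
                raise ValueError(f"matches one of the last {HISTORY_SIZE} passwords")
        salt = secrets.token_bytes(16)
        self._history.append((salt, _hash_password(new_password, salt)))

    def is_locked(self) -> bool:
        return self._now() < self._locked_until

    def login(self, password: str) -> bool:
        """Verify the current password, enforcing the five-strike lockout."""
        if self.is_locked() or not self._history:
            return False
        salt, digest = self._history[-1]
        if hmac.compare_digest(_hash_password(password, salt), digest):
            self._failures = 0
            return True
        self._failures += 1
        if self._failures >= MAX_FAILED_ATTEMPTS:
            self._locked_until = self._now() + LOCKOUT_SECONDS
            self._failures = 0  # the counter restarts once the lockout is served
        return False
```

Returning the full list of violations lets the UI tell the user everything to fix at once, while the reuse check works on hashes so plaintext history is never stored; the lockout also rejects the correct password while the window is open, which is the intended behaviour.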
Procedures
Security Incident Reporting
- Procedure: We have established a comprehensive procedure for reporting and managing security incidents to ensure prompt and effective response, minimizing the impact on our operations and protecting our clients' and users' data.
- Identification and Reporting:
- Employee Responsibility: All employees are responsible for reporting any suspected or actual security incidents immediately. This includes but is not limited to data breaches, unauthorized access, and service disruptions.
- Reporting Channels: A dedicated email address and a phone number are available for employees to report incidents.
- Initial Assessment:
- Upon receiving a report, a designated stakeholder performs an initial assessment to determine the severity and impact of the incident.
- Critical incidents are escalated to the management team, which includes representatives from departments such as IT, legal, and communications.
- Incident Logging:
- Every reported incident is logged into our system, with details about the nature of the incident, affected systems, and initial findings.
- Communication:
- Internal Communication: Key stakeholders, including senior management, are kept informed about the incident and the response actions being taken.
- External Communication: Where external parties are impacted or need to be informed (such as customers, partners, or regulatory bodies), appropriate notifications are issued in accordance with legal obligations and contractual commitments.
- Investigation and Containment:
- A thorough investigation is conducted to understand the cause and extent of the incident. This may involve collaborating with AWS and MongoDB Atlas if their services are impacted.
- Immediate steps are taken to contain the incident, such as isolating affected systems, revoking access, or implementing temporary controls.
- Resolution and Recovery:
- Actions are taken to resolve the incident, which may include system patches, restoring data from backups, or implementing additional security measures.
- Efforts are made to return to normal operations as quickly and safely as possible.
- Post-Incident Review:
- After the incident is resolved, a post-incident review is conducted to analyze the cause, the effectiveness of the response, and lessons learned.
- This review leads to improvements in our security posture and incident response procedures.
- Documentation:
- All security incidents and response actions are documented and retained for a designated period for auditing and continuous improvement purposes.
Access Management for Role Changes
- Policy: Access to systems is adjusted immediately when roles or responsibilities change, so that permissions match current needs only.
Procedure:
- Revocation: Access no longer required after a role change is revoked promptly, and the remaining rights are updated to match the new role.
- Role-Based Control: Access is granted strictly per role requirements and reviewed regularly.
- Logging: Changes in access are logged and audited to ensure compliance.
Regular Audits and Assessments
- Procedure: To ensure the ongoing security and integrity of our systems, we engage in regular audits and assessments, incorporating both internal checks and external tools.
- Basic Security Checkups:
- Monthly security checkups include reviewing system logs, monitoring for unusual activity, and verifying the application of security patches.
- AWS and MongoDB Atlas Reviews:
- Regular reviews of our AWS and MongoDB Atlas configurations are conducted to ensure alignment with best security practices.
- We utilize security tools and reports provided by these platforms to assist in these reviews.
- Vulnerability Scans:
- Automated vulnerability scans are run on our web applications to identify common security vulnerabilities.
- GitHub Security Scanners and Snyk:
- Our code repositories are hosted on GitHub, where we utilize GitHub's built-in security scanners to automatically detect vulnerabilities.
- Additionally, we integrate Snyk into our development workflow for enhanced vulnerability detection and dependency management. Snyk continuously scans our codebase and dependencies, providing alerts and recommendations for any identified security issues.
- These tools help in early detection and prompt remediation of potential security flaws in our code.
- Access Control Reviews:
- Quarterly access level reviews are performed to ensure adherence to the principle of least privilege.
- External Assistance:
- For more in-depth assessments, we occasionally engage external security consultants as needed.
- Documentation and Reporting:
- Findings from these audits and assessments are documented, with key insights reviewed by our management team for decision-making on security enhancements.
Training and Awareness
- Current Status:
- Currently, we do not have a unified source for our security and privacy training. Instead, we utilize a variety of courses available on platforms like LinkedIn Learning and Udemy. These resources cover a range of topics relevant to our needs in information security and data privacy.
- Future Enhancement Plan:
- To further enrich our training program, we are planning to introduce structured courses from ESET Cybersecurity Awareness Training and TeachPrivacy Training Packages.
- These will provide more focused training on phishing, online scams, internet best practices, and compliance with regulations such as HIPAA, GDPR, and CCPA.
- Main Topics Covered in ESET Cybersecurity Awareness Training:
- Phishing Recognition:
- Training on recognizing and avoiding phishing attacks.
- Internet Best Practices:
- Guidelines for safe and responsible internet usage.
- Single Topic Learning Modules:
- 19 modules covering a range of specific security topics for focused learning.
- Implementation and Monitoring:
- The integration of these new training sources will be systematically phased into our onboarding and ongoing employee development programs.
- We will assess the effectiveness of these programs through regular feedback and performance reviews, ensuring continuous improvement in our training approach.
Third-Party Security Reviews/Assessments/Penetration Tests
- AWS Security Assessments:
- AWS undergoes regular independent third-party audits, resulting in AWS System and Organization Controls (SOC) Reports. These include AWS SOC 1, SOC 2, and SOC 3 reports, demonstrating AWS's compliance with key controls and objectives.
- The audits are conducted by Ernst & Young LLP, with SOC 1 reports issued quarterly and SOC 2 / 3 reports twice per year.
- MongoDB Atlas Security Assessments:
- MongoDB Atlas has a SOC 2 Type II report for MongoDB Cloud, as a result of independent third-party audits conducted by Schellman and Company, LLC. This report covers MongoDB’s security controls, focusing on data security, availability, and confidentiality.
- The SOC 2 Type II report provides an independent assessment of how well MongoDB Cloud manages data, with reports released annually.
Review and Update
- These policies and procedures are reviewed annually or in response to significant changes in our infrastructure or regulatory environment. Updates are communicated to all relevant parties promptly.