Security Addendum
This Managed Cloud Exchange Security Addendum (MCESA) sets forth the administrative, technical, and physical safeguards Crest Data (Crest) takes in general as well as in Managed Cloud Exchange (MCE) to protect Confidential Information, including Customer Content. Crest may update this MCESA from time to time to reflect changes in Crest’s security posture, provided such changes do not materially diminish the level of security herein provided.
Purpose
1.1 This MCESA describes the generic as well as MCE information security standards that Crest maintains to protect Confidential Information, including Customer Content, in addition to any requirements set forth in the Agreement.
1.2 The MCESA is designed to protect the confidentiality, integrity, and availability of Confidential Information, including Customer Content, against anticipated or actual threats or hazards; unauthorized or unlawful access, use, disclosure, alteration, or destruction; and accidental loss, destruction or damage in accordance with laws applicable to the provision of the Service.
Crest Security Standards
2.1 Security Program
2.1.1 Scope and Content. Crest Security Program: (a) complies with industry-recognized information security standards such as ISO 27001:2013 and SOC2; (b) includes administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of Confidential Information, including Customer Content; and (c) is appropriate to the nature, size, and complexity of Crest’s business operations.
2.1.2 Security Policies, Standards, and Methods. Crest maintains security policies, standards, and methods (collectively, Security Policies) designed to safeguard the processing of Confidential Information, including Customer Content, by employees and contractors in accordance with this MCESA.
2.1.3 Security Program Office. Crest’s Chief Information Security Officer (CISO) leads Crest’s Security Program and the CISO Office develops, reviews, and approves, together with appropriate stakeholders, Crest’s Security Policies.
2.1.4 Security Program Updates. Crest Security Program Policies are available to employees via the corporate intranet. Crest reviews, updates and approves Security Policies annually to maintain their continuing relevance and accuracy. Employees receive information and education about Crest’s Security Policies during onboarding and annually thereafter.
2.1.5 Security Training & Awareness. New employees are required to complete security training as part of the new hire process and receive annual and targeted training (as needed) thereafter to help maintain compliance with Crest’s Security Policies, as well as other corporate policies, such as the Crest Code of Conduct. This includes requiring Crest employees to acknowledge the Code of Conduct and other Crest policies as appropriate. Crest conducts periodic security awareness campaigns to educate personnel about their responsibilities and provide guidance to create and maintain a secure workplace.
2.2 Risk Management
2.2.1 Crest manages cybersecurity risks in accordance with its Risk Assessment Method, which defines how Crest identifies, prioritizes, and manages risks to its information assets and assesses the likelihood and impact of those risks occurring.
2.2.2 Crest management reviews documented risks to understand their potential impact on the business, and determine appropriate risk levels and treatment options. Mitigation plans are implemented to address material risks to business operations, including data protection.
2.3 Incident Response and Breach Notification
2.3.1 Crest has an incident response plan (the Crest Incident Response Framework or CIRF) and team to assess, respond, contain, and remediate (as appropriate) identified security issues, regardless of their nature (e.g., physical, cyber, or product). Crest reviews and updates the CIRF annually to reflect emerging risks and “lessons learned.”
2.3.2 Crest notifies Customers without undue delay after becoming aware of a Data Breach. As used herein, Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Content under the applicable Agreement.
2.3.3 In the event of a Data Breach involving Personal Data, if a customer reasonably determines notification is required by law, Crest will provide reasonable assistance to the extent required for the Customer to comply with applicable data breach notification laws, including assistance in notifying the relevant supervisory authority and providing a description of the Data Breach.
2.4 Governance and Audit
2.4.1 Crest conducts internal control assessments on an ongoing basis to validate that controls are designed and operating effectively. Issues identified from assessments are documented, tracked, and remediated as appropriate.
2.4.2 Third-party audits are performed as part of our certification process (further below) to validate the ongoing governance of control operations and their effectiveness. Issues identified are documented, tracked, and remediated as appropriate.
2.5 Access and User Management
2.5.1 Crest implements reasonable controls to manage user authentication for employees or contractors with access to Customer Content, including without limitation, assigning each employee or contractor unique and/or time-limited user authorization credentials for access to any system on which Customer Content is accessed and prohibiting employees or contractors from sharing their user authorization credentials.
2.5.2 Crest allocates system privileges and permissions to users or groups on a “least privilege” principle and reviews user access lists and permissions to critical systems on a regular basis.
2.5.3 New users must be pre-approved before Crest grants access to Crest corporate and cloud networks and systems. Pre-approval is also required before changing existing user access rights.
2.5.4 Crest promptly disables application, platform, and network access for terminated users upon notification of termination.
2.6 Secure Development
2.6.1 Crest’s Software Development Life Cycle (SDLC) methodology governs the acquisition, development, implementation, configuration, maintenance, modification, and management of software components.
2.6.2 For major and minor product releases, Crest uses a risk-based approach when applying its standard SDLC methodology, which includes such things as performing security architecture reviews, open source security scans, code reviews, dynamic application security testing, and network vulnerability scans. Crest performs security code review for critical features if needed; and performs code review for all features in the development environment. Crest ensures that the packaged software is free from trojans, viruses, malware, and other malicious threats.
2.6.3 Crest utilizes a code versioning control system to maintain the integrity and security of application source code. Access privileges to the source code repository are reviewed periodically and limited to authorized employees.
2.7 Network Security
2.7.1 Crest uses industry standard technologies to prevent unauthorized access or compromise of Crest’s network, servers or applications, which include such things as logical and physical controls to segment data, systems and networks according to risk. Crest monitors demarcation points used to restrict access such as firewalls and security group enforcement points.
2.7.2 Users must authenticate with two-factor authentication prior to accessing Crest networks containing Customer Content.
2.8 Physical Security
2.8.1 Crest grants physical access to Crest facilities (including Crest-operated data centers where applicable) based on role. Crest removes physical access when access is no longer required, including upon termination.
2.8.2 Employees and visitors must visibly display and wear identity badges when in Crest facilities. Visitors must always be accompanied. Crest logs visitor access to Crest facilities.
2.8.3 Crest reviews data center physical access, including remote access, on a quarterly basis to confirm that access is restricted to authorized personnel.
2.8.4 Crest employs additional measures to protect its employees and assets, including video surveillance systems, onsite security personnel, and other technologies deemed industry best practice.
2.9 Asset Management and Disposal
2.9.1 Documented, standard build procedures are utilized for installation and maintenance of production servers.
2.9.2 Documented data disposal policies are in place to guide personnel on the procedure for disposal of Confidential Information, including Customer Content.
2.9.3 Upon expiration or termination of the Agreement, Crest will return or delete Customer Content in accordance with the terms of the Agreement. If deletion is required, Customer Content will be securely deleted, except that Customer Content stored electronically in Crest’s backup or email systems may be deleted over time in accordance with Crest’s records management practices.
2.10 Human Resources Security
2.10.1 Crest personnel sign confidentiality agreements and acknowledge Crest’s Acceptable Use Policy during the new employee onboarding process.
2.10.2 Crest conducts background verification checks for potential Crest personnel with access to Confidential Information, including Customer Content, in accordance with relevant laws and regulations. The background checks are commensurate to an individual's job duties.
MCE Security Standards
This section describes the additional MCE-specific security standards that are followed.
3.1 Change Management
3.1.1 The MCE Support Team deploys changes to the Services during maintenance windows, details of which are posted to the MCE Support portal or communicated to customers using secure communication channels as needed, as set forth in the MCE Platform Maintenance Policy.
3.1.2 MCE follows documented change management policies and procedures for requesting, testing, and approving application, infrastructure, and product-related changes.
3.1.3 Changes undergo appropriate levels of review and testing, including security and code reviews, regression testing, and user acceptance prior to approval for implementation.
3.1.4 Software development and testing environments are maintained and logically separated from the production environment.
3.2 Password Management and Authentication Controls
3.2.1 Authorized users must identify and authenticate to the network, applications, and platforms using their user ID and password. Crest’s enterprise password management system requires minimum password parameters.
3.2.2 Authorized users are required to change passwords at pre-defined intervals consistent with industry standards.
3.2.3 Two-factor authentication (2FA) is required for remote and privileged account access for Customer Content production systems via the MCE System workflow.
3.3 Encryption and Key Management
3.3.1 MCE uses industry-standard encryption techniques to encrypt Customer Content in transit. The MCE System is configured by default to encrypt user data files using transport layer security (currently, TLS 1.2+) encryption for web communication sessions.
3.3.2 MCE relies on policy controls to help ensure sensitive information is not transmitted over the Internet or other public communications unless it is encrypted in transit or the user has explicitly configured a non-SSL/TLS port, wherever such configuration is possible.
3.3.3 Wherever applicable, MCE uses encryption at rest using, at minimum, the Advanced Encryption Standard (AES) with 256-bit keys.
3.3.4 MCE uses encryption key management processes to help ensure the secure generation, storage, distribution, and destruction of encryption keys.
3.4 Threat and Vulnerability Management
3.4.1 MCE has a Threat and Vulnerability Management (TVM) process for components such as product source images, the application deployment Helm chart, and cloud infrastructure. This enables security scanning of the aforementioned MCE components using industry-standard tools for the product's Docker image scan, Helm chart scan, and cloud infrastructure scan. All scans are performed as part of the mandatory process tied to every MCE release.
3.4.2 MCE has an appropriate process in place to conduct remediation and track remediation to resolution as needed for vulnerabilities that are discovered internally, through vulnerability scans or by employees, or reported externally by vendors, researchers, or others.
3.5 Logging and Monitoring
3.5.1 Monitoring tools and services are used to monitor systems across MCE for application, infrastructure, network and storage events, and utilization.
3.5.2 Event data is aggregated and stored using appropriate security measures designed to prevent tampering.
3.5.3 The MCE Support Team continuously reviews alerts and follows up on suspicious events as appropriate.
3.6 Disaster Recovery Plan
3.6.1 MCE has a well-defined Disaster Recovery Plan to manage significant disruptions to MCE Cloud Platform operations and infrastructure.
3.6.2 Data backup, replication, and recovery systems/technologies are deployed to support the resilience and protection of Customer Content.
3.6.3 Backup systems are configured to encrypt backup media.
3.7 Asset Management and Disposal
3.7.1 MCE maintains and regularly updates an inventory of Cloud Platform infrastructure assets and reconciles the asset list on a regular basis.
3.7.2 Documented, standard build procedures are utilized for installation and maintenance of production environments.
3.7.3 Documented data disposal policies are in place to guide personnel on the procedure for disposal of Confidential Information, including Customer Content.
3.7.4 Upon expiration or termination of the Agreement, MCE will return or delete Customer Content in accordance with the terms of the Agreement. If deletion is required, Customer Content will be securely deleted, except that Customer Content stored electronically in MCE’s backup or email systems may be deleted over time in accordance with MCE’s records management practices.
3.7.5 MCE retains Customer Content stored in its cloud computing services for at least seven (7) days after the expiration or termination of the Agreement.