INFORMATION SECURITY POLICY
This policy’s intent is to convey Gorilla Gamez LLC’s (the “Company”) expectations regarding the overall information security program so that it meets organizational operational, security, compliance, and/or legal expectations and commitments. The policy will help ensure the ongoing protection of Gorilla Gamez’s information systems, networks, and data from unauthorized access, damage, loss, theft, or improper disclosure.
SCOPE
This policy is intended to protect all data, networks, and information systems used by Gorilla Gamez. Information covered by this policy includes all data that is:
- Stored in computers, servers, file shares, or databases
- Stored in application data repositories, such as Microsoft Outlook
- Transmitted across internal or public networks
- Displayed on computer screens, or printed or handwritten on any surface, including paper and whiteboards
- Stored on fixed or removable media, including hard drives, CDs, DVDs, portable hard drives, USB and flash drives, camera drives, and backup systems
- Stored in cloud or other third-party environments, including Amazon Web Services (AWS), Microsoft Azure, Google Cloud and Google Docs.
POLICY STATEMENT
Gorilla Gamez must develop, adopt, and enforce strategies to mitigate cybersecurity risks that threaten the confidentiality, integrity, and availability of the Company’s information systems and data. An effective information security program will clearly convey the goals, approach, and controls necessary for securing Gorilla Gamez’s information assets.
This Policy serves as a comprehensive approach to information security and encompasses the following objectives:
- Ensure the confidentiality, integrity, and availability of information at all times through the proper application of policies, standards, guidelines, procedures, controls, auditing, and monitoring
- Protect information assets from internal, external, deliberate and accidental threats, including unauthorized access
- Develop Incident Response plans for when defenses are breached
- Develop Business Continuity (BC) and Disaster Recovery (DR) plans enabling the Company to continue operations and maintain confidence of customers and other stakeholders, during and after a crisis
INFORMATION SECURITY PROGRAM FRAMEWORK
A security program shall be implemented that generally follows a lifecycle approach, and has the following high-level features:
- Creates and maintains security policies that are regularly reviewed and approved by executive management
- Performs regular risk assessments
- Performs ongoing risk monitoring
- Performs ongoing tactical security activities, such as incident response, vulnerability management, security monitoring, etc.
- Regularly reports on organizational risk activities and the organization’s risk stance to executive management and the Board of Directors.
All policies must be reviewed and approved by executive management on an annual basis.
Alignment with Global Security Frameworks
Gorilla Gamez’s information security management, strategies, policies, standards and controls will draw from the cybersecurity standards established by the National Institute of Standards and Technology (NIST), the Federal Financial Institutions Examination Council (FFIEC) and global security best practices. If information security scenarios arise that are not addressed by existing Gorilla Gamez policies and standards, NIST and FFIEC guidance should be consulted. See the References section of this Policy for a list of helpful documents.
Information Security Management Scope and Responsibilities
The Information Security Officer is the owner of the Company’s information security systems, and is responsible for ensuring that network, computer, and software systems are effectively designed, configured, managed, and maintained to provide optimal confidentiality, integrity, and availability.
The Information Security Officer has the following responsibilities that include, but are not limited to:
- Implementing and maintaining the Company’s Information Security Program
- Identifying, assessing, tracking and mitigating risks to the Company’s information and cyber assets
- Developing and maintaining information security policies, standards, guidelines, procedures and contract language
- Creating and maintaining security classifications for Company data
- Selecting, deploying, and monitoring security controls that adhere to established best practice frameworks, and support compliance and regulatory requirements
- Conducting regular vulnerability assessments and penetration testing to verify that security controls are working properly, and to identify any weaknesses
- Developing, deploying and monitoring systems and processes for detecting intrusions and malicious code
- Identifying business owners for all systems and information
- Developing, implementing and testing Business Continuity Plans for critical information systems
- Assisting with external audits and exams
- Delivering information security training and awareness
- Ensuring this policy is communicated to all relevant employees on an annual basis, or after significant changes.
- Reviewing and approving standards and/or procedures on an annual basis.
- Reporting metrics, risks, and other items to stakeholders as needed.
Gorilla Gamez Security Policy Framework
This section summarizes the high-level security requirements that shall be applied to Gorilla Gamez’s systems, processes, and data.
Acceptable Use
The Company’s acceptable use standard establishes rules for how Gorilla Gamez company resources may be used, and how adherence to rules will be monitored and enforced.
Information security may be compromised by insecure computing practices. Users agree not to use Gorilla Gamez computing systems to download or install unauthorized software, use unapproved third-party services, visit potentially dangerous websites, connect to unapproved hardware devices, or store sensitive information insecurely. In order to secure its computing infrastructure and enforce Acceptable Use, Gorilla Gamez reserves the right to monitor all electronic communications and data stored on, or passing through, its computing resources.
Access Controls
All Gorilla Gamez systems must have a documented access control procedure that conforms with the requirements in this policy. Gorilla Gamez computing resources shall be protected from unauthorized access, use, modification, disclosure, or destruction to satisfy regulatory, legal, and contractual requirements.
Role-based access controls (RBAC) shall be applied, where available, to all systems and networks, with roles segregated by Least Privilege and Segregation of Duty principles that inhibit access abuses and collusion.
Managers must ensure that user access on each system is provisioned according to the concept of least privilege, including group or role membership, thus allowing users to only access systems (including networks, platforms, and applications), as well as data and functions on those systems, that are defined as necessary for their job functions or roles.
Managers must ensure that each system’s role design, including group membership, is documented. Privileged access must be limited to appropriate personnel. Access to all systems, other than default job role access, requires documented approval by the requester’s manager and must include a business justification.
All Gorilla Gamez systems featuring network layer access controls such as access control lists or firewalls must enforce the principle of “default deny.”
Gorilla Gamez systems that are not part of “production,” should be appropriately isolated from the production environment.
Authentication and Password Requirements
- Systems should, if possible, leverage the Company’s multi-factor authentication (“MFA”) platform or a multi-factor solution approved by the Security Team.
- Other than on Company-issued laptops, where a system’s authentication is limited to a single password-based factor (i.e., the system does not support more than one factor), passwords or pass-phrases must, as technically feasible, be:
- Adequately resistant to common password-guessing attacks (preferably random or auto generated); and
- Stored in an approved password management system.
- The provision, allocation and/or management of confidential and sensitive access credentials including, but not limited to, passwords, tokens, or keys (public, private, API, etc.), must be controlled through a documented procedure and limited to authorized personnel and job roles.
- Non-production systems should not contain or use production secrets, including, but not limited to, API keys and passwords.
Accounts
- Managers must ensure that systems clearly indicate account types (i.e., individual, group/shared, system, application, guest/anonymous, vendor, and temporary). If the system does not inherently have this ability (via its UI or some other built-in mechanism), documentation should be created.
- Shared accounts require review and approval by the Security Team prior to use.
- Shared account credentials must be stored in an approved, encrypted password storage system protected by strong authentication methods.
- Guest/anonymous and temporary accounts are not allowed without Security Team review and approval.
Access Review & Removal
- All users’ effective access to information and information systems must be removed within 48 hours of the termination of their employment, contract, or service agreement.
- Managers must perform, on each system, an annual access review of the necessity and appropriateness of all accounts.
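The two requirements above (removal within 48 hours of termination, and an annual review of every account) reduce to a reconciliation between the HR roster and each system’s account export. The following is an added example, not Gorilla Gamez code; the roster and account-export formats, the field names, and the sample users are assumptions constructed for illustration.

```python
"""Added example (not Gorilla Gamez code): reconcile HR terminations with
enabled accounts to find overdue removals, and list accounts whose owner is
unknown to HR as review items for the annual access review."""
from datetime import datetime, timedelta, timezone

REMOVAL_SLA = timedelta(hours=48)  # policy: access removed within 48 hours


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2024-03-01T12:00:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def overdue_removals(hr_roster: dict, active_accounts: list, now: datetime) -> list:
    """Enabled accounts whose owner was terminated more than REMOVAL_SLA ago.

    Returns (system, username, owner, hours_overdue) tuples, sorted."""
    overdue = []
    for acct in active_accounts:
        person = hr_roster.get(acct["owner"])
        if not acct["enabled"] or not person or person["status"] != "terminated":
            continue
        deadline = parse_ts(person["terminated_at"]) + REMOVAL_SLA
        if now > deadline:
            hours = int((now - deadline).total_seconds() // 3600)
            overdue.append((acct["system"], acct["username"], acct["owner"], hours))
    return sorted(overdue)


def orphan_accounts(hr_roster: dict, active_accounts: list) -> list:
    """Enabled accounts with no owner in HR: service accounts or leftovers that
    the annual access review must assign to a named owner or disable."""
    return sorted(
        (a["system"], a["username"])
        for a in active_accounts
        if a["enabled"] and a["owner"] not in hr_roster
    )


# Constructed sample data (assumed formats, not a real export).
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob": {"status": "terminated", "terminated_at": "2024-03-01T12:00:00Z"},
    "carol": {"status": "terminated", "terminated_at": "2024-03-03T09:00:00Z"},
}
ACCOUNTS = [
    {"system": "github", "username": "bob", "owner": "bob", "enabled": True},
    {"system": "vpn", "username": "bob", "owner": "bob", "enabled": False},
    {"system": "aws", "username": "carol", "owner": "carol", "enabled": True},
    {"system": "jira", "username": "alice", "owner": "alice", "enabled": True},
    {"system": "aws", "username": "svc-legacy", "owner": "dave", "enabled": True},
]
NOW = datetime(2024, 3, 4, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for item in overdue_removals(HR_ROSTER, ACCOUNTS, NOW):
        print("OVERDUE removal:", item)
    for item in orphan_accounts(HR_ROSTER, ACCOUNTS):
        print("No HR owner (review):", item)
```

Carol’s AWS account is still inside its 48-hour window at the chosen `NOW`, so only Bob’s GitHub account is reported as overdue; the disabled VPN account is correctly ignored, and `svc-legacy` surfaces as an account the annual review must assign an owner to.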
Application and Database Security
Information Security shall publish an Application and Database Security Standard that outlines required best practices and controls for all Gorilla Gamez software, web applications and database systems. Developed, acquired and purchased applications and database systems, as well as third parties contracted to handle Company data or interface with Company systems must meet the protections required by this Information Security Policy.
At a minimum, applications and database systems must be protected by access controls that provide Segregation of Duty and Least Privilege; defenses that prevent Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL Injection (SQLi), buffer overflows, brute forcing, and other common attacks; encryption of session tokens and other confidential data at rest and in transit; and storage of passwords only as salted, iterated hashes using an approved algorithm, never as plaintext or reversible encryption.
Applications shall not contain undocumented features or secret back doors.
Applications and database systems must log all security-related events, and logs must adhere to Gorilla Gamez logging policies and standards.
Before production deployment, all applications and database systems must undergo review, approval and testing processes, and all vulnerabilities must be mitigated or managed.
Asset Management
Each system used for Gorilla Gamez business shall be inventoried by Information Security and have a named system or data owner responsible for ensuring that protective controls commensurate with the system’s data classification are applied and enforced.
Information Security will perform regular scans of Gorilla Gamez networks to detect assets that have not been inventoried. Assets discovered must be inventoried or removed from Gorilla Gamez networks.
All users of Company information systems and data shall undergo security awareness training and agree to follow Information Security policies.
Security Audits
Regular audits are critical for identifying and managing risk across the Company and for ensuring accountability. Information Security will lead annual audits, including a Company-wide review of system access privileges, a penetration test of all perimeters and high-risk systems, and a cyber risk assessment intended to inform Company management of vital security risks. Any technical findings will be submitted to the CTO and/or senior management for remediation planning.
Risk Assessments
The Security Team will conduct Risk Assessments on at least an annual basis to understand the risk landscape of the organization.
- Risk assessments, with input from both business stakeholders and security and risk subject matter experts, must identify critical assets (“assets,” in this context, means Company business processes and related technology infrastructure components or, because the Company is a service provider, technology components that comprise core service-delivery functions), reasonably foreseeable threats to those assets, and any relevant vulnerabilities of those assets.
- Risk Assessments must assess the probability and impact (“risk”) of a successful attack against those assets, with a bias towards quantitative risk scores over qualitative scores.
- A risk-ranked matrix should be produced that then prioritizes remediation activities.
The Security Team will analyze the results of Risk Assessments and develop risk treatment plans and recommendations based on the perceived risk to the organization and available options to mitigate, transfer, or accept risks.
The Security Team will report on Risk Management efforts to the Security Compliance Officer regularly and review the organization’s overall risk management lifecycle.
Audit Logs
All Company computing resources must generate and store audit records concerning all events relevant to security. Authentication attempts, software installation activity, intrusion and malware detections, and attempts to modify or export data are examples of events that should be logged.
Logs shall contain evidence sufficient to establish the facts of an event, including when and where it occurred, the accountable actors involved, and the systems or objects affected. Information Security shall deploy a mechanism for monitoring and alarming important log events.
- Audit trails must be configured to capture at minimum information comprising timestamp(s) (“when”), user(s) or other entity(ies) (“who”), and any action(s) performed (“what”).
- Audit trails for critical systems, including those handling, processing, transmitting, or storing sensitive data (as defined in the Data Classification Policy), must be collected in a central location(s) approved by the Security Team.
- Central logging platforms must be access-restricted to those with a defined need according to their job role. Audit trails on central logging platforms must be read only and audit trails must be retained or deleted according to data retention policies or as designated by Compliance.
- Audit trails should not include sensitive data, including passwords, API keys, and Personal Identifying Information (PII), unless approved by the Security Team.
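The requirements above are concrete enough to show in code: an audit record that carries the “when”, “who” and “what” fields, redaction of secrets and PII before the record is written, and a simple alarm rule run over the resulting trail. This is an added example, not Gorilla Gamez code or any Company logging standard; the field names, the list of secret-bearing keys, the redaction patterns and the sample events are all assumptions constructed for illustration.

```python
"""Added example (not Gorilla Gamez code): structured audit records with
when/who/what, redaction of secrets and PII, and an alert rule over them."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed: field names whose values must never reach the audit trail.
SECRET_KEYS = {"password", "passwd", "api_key", "token", "secret", "authorization"}
# Assumed heuristics for secrets/PII that leak inside free-text values.
SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),             # AWS access key ID shape
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),     # e-mail address (PII)
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),        # US SSN shape (PII)
]


def redact(value):
    """Recursively strip sensitive keys and patterns from a details payload."""
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if k.lower() in SECRET_KEYS else redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        for pat in SECRET_PATTERNS:
            value = pat.sub("[REDACTED]", value)
    return value


def audit_record(actor, action, target, outcome, source_ip, details=None, when=None):
    """One record: when (UTC), who, what, on which object, from where, result."""
    when = when or datetime.now(timezone.utc)
    return {
        "ts": when.isoformat(timespec="seconds").replace("+00:00", "Z"),
        "actor": actor, "action": action, "target": target,
        "outcome": outcome, "source_ip": source_ip,
        "details": redact(details or {}),
    }


def to_json_line(record: dict) -> str:
    """One JSON object per line, the shape most central log platforms ingest."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def failed_login_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Alarm rule: actors with >= threshold failed logins in a sliding window."""
    by_actor = defaultdict(list)
    for r in records:
        if r["action"] == "login" and r["outcome"] == "failure":
            by_actor[r["actor"]].append(datetime.fromisoformat(r["ts"].replace("Z", "+00:00")))
    flagged = set()
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(actor)
                break
    return sorted(flagged)


# Constructed sample events (not real log data).
T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = (
    [audit_record("mallory", "login", "vpn", "failure", "203.0.113.7",
                  when=T0 + timedelta(seconds=20 * i)) for i in range(6)]
    + [audit_record("alice", "login", "vpn", "failure", "198.51.100.2",
                    when=T0 + timedelta(minutes=10 * i)) for i in range(3)]
    + [audit_record("alice", "export", "customers.csv", "success", "198.51.100.2",
                    details={"rows": 120, "api_key": "AKIAIOSFODNN7EXAMPLE",
                             "note": "sent to alice@example.com"},
                    when=T0 + timedelta(hours=1))]
)

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(to_json_line(rec))
    print("ALERT: failed-login burst from", failed_login_bursts(SAMPLE_RECORDS))
```

The redaction runs before the record is built, so the forbidden values never exist in the object that gets serialized; the alert rule only sees what the trail contains, which is why the who/when/what fields are mandatory rather than optional.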
Backup and Recovery
Important data must be backed up on a regular basis. Such data includes, but is not limited to, customer data, financial transaction data, accounting and human resource files, and contracts. Confidential data will be encrypted in backups.
Business Continuity (BC) Plan /Disaster Recovery (DR) Plan
BC/DR plans describe processes and procedures for the protection of Gorilla Gamez’s assets and services from disasters, recovery from service interruptions, and the resumption of key business processes. The DR plan will describe how to fail over and recover computing operations and services during and after a crisis.
The CEO shall ensure that a BC plan is documented, published, and trained on. The BC plan will document how to sustain business operations during and after a crisis, including human safety factors, management and business process continuity, and communication and PR plans.
The Company’s BC and DR plans will be updated and tested on an annual basis.
Cloud Environments
Cloud, leased, and other contracted third-party environments that contain Gorilla Gamez computing resources or data must adhere to the Company’s Information Security policies, standards and guidelines.
Data Classification
Data classification, in the context of information security, is the categorization of data based on its level of sensitivity and the impact to the Company if the data were disclosed, altered, or destroyed without authorization.
Each system or data owner shall evaluate and classify data for which he/she is responsible, and enforce protective controls recommended by Information Security to protect the data based on its classification level.
Encryption
Encryption is required for all Confidential and Privileged information that is stored or in transit. System and Data Owners are responsible for ensuring that any systems, devices, and data under their purview are encrypted in accordance with this policy. Gorilla Gamez employees, contractors and vendors using mobile devices or mobile data storage devices are responsible for the protection of sensitive data on those devices.
Incident Response
An Incident Response Standard shall be adopted that defines cybersecurity incidents, their severity, and how they should be prioritized and managed so operations can be restored as quickly as possible with minimal impact. Examples of cybersecurity incidents include attempts to gain unauthorized access to systems or data, attempts to obtain others’ passwords or elevate/increase privileges, bypassing security controls, denials of service (DoS), installation of unauthorized software, and the introduction of malware.
Malware Protection
All Company information systems will be protected against potentially malicious software and hardware by using real-time defenses against viruses, spyware, unauthorized remote access, back doors, and worms. Information Security will adopt defenses that detect and/or block the installation of unauthorized software. All systems will be scanned periodically for viruses. Malware-related security incidents will be logged, investigated and remediated by Information Security.
Third-Party Products, Systems, and Data
Third-party providers who design, implement, or maintain technologies for Gorilla Gamez must protect the Company’s systems and data using Information Security policies and controls that are equivalent to the Company’s own.
Contracts with third parties that handle the Company’s sensitive data (as defined in the Data Classification Policy) and/or critical infrastructure must include cybersecurity provisions governing access controls, data classifications and handling, network and host monitoring and protection, data protection and encryption, password standards, incident response, breach notification, service levels, and security assessments and testing. Information Security will collaborate with Gorilla Gamez’s Legal Department or advisors to develop the above provisions into a standard Information Security contract schedule. No third-party services should be contracted until the contract has been reviewed for compliance with the schedule and the Company’s information security requirements.
VULNERABILITY MANAGEMENT
Discovery, Tracking and Assessment
- For third-party software vulnerabilities on systems or platforms of which Security is aware, the Security Team must track affected system and/or platform vulnerabilities on a regular basis according to those systems’ or platforms’ public disclosure process – this can range from RSS feeds, to mailing lists, to blog posts, depending on the system or platform.
- For vulnerabilities submitted via email by external researchers, the Security Team must monitor the mailbox and, on a new submission, respond promptly with a commitment to confirm the issue’s relevance as soon as possible, and notify the Security Compliance Officer to consider next steps. Issues will then be reviewed for relevance and severity; the Security Compliance Officer, or designee, will handle communications and commitments with the researcher.
- For vulnerabilities that are submitted through the organization’s Vulnerability Disclosure Program or bug bounty program, the Security Team must monitor email for new issues and will provide an initial response within a reasonable time frame.
- Internally-discovered vulnerabilities found via static analysis, dynamic analysis, or other testing approaches, including penetration tests, will follow the process below in “Penetration testing” section.
- Relevant vulnerabilities that Security manually triages must be:
- Peer-reviewed and risk-assessed within the Security Team, and ticketed in the Security Jira project, prior to engaging other teams. The risk assessment’s intent is to inform whether the issue must be addressed:
- Immediately
- In the default, 30-day window, or
- Not at all.
- If indicated, based on the risk assessment:
- Other than noted in the sub-bullet below, a ticket for the affected team must be created that includes the vulnerability description, Security’s recommendation regarding the patching timeline, and actions taken, if any.
- Escalated to relevant Product personnel and/or affected System Managers with the required patch timeline.
- Items requiring immediate attention or potentially causing customer impact, such as server reboots, must be communicated to P&E management and/or other stakeholders, if necessary (such as Support/CX), once a remediation path and timeline has been determined.
Vulnerability Scanning
- The Security Team must run vulnerability scans, or equivalent, across all applicable in-scope platforms that support vulnerability scans on a biweekly basis, if not more frequently.
- The Security Team must triage scan results and make a risk determination using documented procedures.
- The Security Team must create tickets for the appropriate affected system’s Product personnel, System Manager, or designee, and anticipated deadline for mitigating the issue.
- The Security Team, or as otherwise approved by the Security Compliance Officer or designee, is the only team approved to run port scanners, vulnerability scanners, web application assessment tools, penetration testing tools, or software with similar functionality.
- Employees who operate in-scope platforms that do not support vulnerability scanning must monitor the other channels (vendor advisories, security mailing lists, release notes, etc.) through which those platforms report vulnerabilities.
Penetration Testing
- Penetration tests must follow a general process that includes the following phases:
- Planning
- Discovery
- Attack
- Reporting
- The attack phase noted above, if it results in gaining access, should then include attempts to escalate privilege, if relevant, and lateral movement (which implies a new round of discovery and attack).
- Penetration tests must include port scans, vulnerability scans, and manual testing using industry-standard tools, unless the target system’s attack surface is such that one or more of those technologies is not relevant.
- Penetration tests must include the network layer, segmentation controls, and be conducted from an “inside” (privileged) vantage point, as well as outside, unless a given target system’s attack surface precludes one or more of the aforementioned requirements.
- Each penetration test must cover the vulnerabilities listed in PCI DSS Requirement 6.5 (v3.2.1 numbering; the equivalent list is Requirement 6.2.4 in PCI DSS v4.0) unless the target system does not include relevant attack surface.
- Penetration test findings must be clearly documented and affected owners (typically, engineering teams) ticketed separately for each finding; exploitable vulnerabilities must be remediated.
- A penetration test summary report must be created that includes an executive summary, test scope, high-level findings, and an appendix with technical details.
- Penetration test reports and remediation activities must be retained for one year.
- Penetration tests must take into account the prior year’s threats and vulnerabilities.
- Production resources must not be directly tested unless no comparable test environment is available.
- Penetration tests for in-scope systems must occur annually or after any significant change, where “significant” means a change that could materially alter the system’s risk profile.
- Penetration tests must be conducted by qualified members of the Security Team, who are designated as such by the Security Compliance Officer.
Remediation
- All security vulnerabilities must be remediated within 30 days by default. This applies equally to vulnerabilities on systems, platforms, and software of which Security is not aware: employees are responsible for applying security patches to whatever they deploy or provision, whether or not Security has notified them.
- Exceptions can be granted, in writing, on a case-by-case basis by the Security Compliance Officer or Executive.
- In case of emergencies, such as a zero-day vulnerability for a critical platform or software component that is being widely exploited, the Security Team can recommend a “patch now” response.
SECURITY TRAINING AND AWARENESS
Employees and contractors must review, and attest their agreement with, all relevant policies that are applicable to their role at the start of their employment. Security awareness training must occur for all employees upon hire and on an annual basis thereafter.
COMPLIANCE
All employees and contractors are required to follow this policy; failure to do so may result in disciplinary action up to and including termination.
REFERENCES
This Policy draws from the following sources:
- Framework for Improving Critical Infrastructure Cybersecurity, v.1.1, National Institute of Standards and Technology (NIST), April 16, 2018 (https://nvlpubs.nist.gov/nistpubs/cswp/nist.cswp.04162018.pdf)
- Information Security Handbook: A Guide for Managers, NIST, October 2006 (https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-100.pdf)
- Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST, September, 1996 (https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=890092)
- FFIEC Information Technology Examination Handbook: Information Security, FFIEC, September 2016
APPROVAL AND REVISION HISTORY
| Version ID | Approval Date | Reviewer Name/Title | Approver Name/Title | Revision Notes |
|---|---|---|---|---|
| V1.0 | | | | Document Creation |