Ensuring Safety: Our Security-First Principle

In today's digital landscape, IT security is more critical than ever. At Symbio6, we therefore prioritise the security of both our clients' data and our own infrastructure. Our commitment to the security-first philosophy means that we are proactive in detecting and mitigating potential threats.

23 April 2024

Fundamentals of Our Security Policy

Definition and Purpose

Our security policy consists of a set of guidelines aimed at protecting the integrity, confidentiality, and availability of Symbio6's and our clients' data. These guidelines are vital for preventing unauthorised access and ensuring compliance with legal and regulatory standards. Core objectives are:

  • Data protection: Ensuring all our and client data is shielded from unauthorised access and potential threats.
  • Access control: Implementing robust mechanisms to control who can view or use company and client data.
  • Regulatory compliance: Adhering to laws and standards, such as GDPR and ISO/IEC 27001, and industry best practices such as the Dutch government's Baseline Information Security (BIO).
  • Reputation: Safeguarding our reputation and our clients' trust.

Why Security-First?

We employ the security-first principle since it has various advantages over a compliance-oriented approach:

  • Proactivity vs. reactivity: Security-first is proactive, focusing on preventing security issues from the start, whereas a compliance-centric approach is reactive, often addressing issues only after they occur in order to meet regulations.
  • Risk management: Security-first involves detailed risk assessments and tailored security measures, while a compliance-centric approach relies on generic checklists aimed at meeting minimum standards.
  • Organisational engagement: Security-first promotes security as a shared responsibility across the organisation, while a compliance-centric approach often isolates security within specific departments such as IT.
  • Adaptability: Security-first continuously adapts to changing threats, whereas compliance-centric updates are often prompted only by new regulatory demands.
  • Business objectives alignment: Security-first aligns with our business objectives to enable operations and build client trust. A compliance-centric approach views security as a regulatory hurdle, potentially impeding business processes.

Symbio6 adopts the security-first principle because it provides a more dynamic, comprehensive, and proactive framework for security management compared to the narrower, reactive, compliance-oriented approach.

Physical Security Measures

  • Clear desk and clear screen: We apply a clear desk and clear screen policy to protect sensitive information from unauthorised access and thereby enhance overall organisational security.
  • Privacy screen protectors: We equip all our device screens in public areas with privacy screen protectors. These improve security by keeping visible information away from undesired viewers.
  • Secure infrastructure: Controlled access to buildings and data centres, equipped with modern surveillance and monitoring technologies.
  • Document security policies: We keep physical documents in locked cabinets or rooms. When documents are no longer needed, they are shredded.
  • Visitor management: All visitors undergo a strict registration and screening process, accompanied by escorts within secure areas.

Digital Security Measures

User Security

  • Multi-Factor Authentication (MFA): We require MFA for all access to the organisation's network and systems to ensure that only authorised users can gain access, providing an additional layer of security beyond just passwords.
  • Password requirements: All passwords are at least 16 characters long and either contain a variety of character types or are long passphrases of unrelated words (easier to remember). They are checked against lists of commonly used and compromised passwords, as well as for reuse of, or variants on, previously used passwords.
  • Account lockout policies: To prevent brute-force attacks, an account lockout temporarily disables an account after a number of consecutive failed login attempts.
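As an added illustration of the two user-security controls above, and not code from Symbio6, the following Python sketch enforces the password rules and keeps a simple lockout counter. The 16-character minimum comes from the text; the lockout threshold and window, the sample compromised list, the leet-speak substitution table and the 0.8 similarity cut-off for "variant of a previous password" are constructed assumptions.

```python
import difflib
import hashlib
import re
import time

# 16 characters is the policy minimum stated above; the other values are
# illustrative assumptions, not Symbio6's actual settings.
MIN_LENGTH = 16
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
MIN_PASSPHRASE_WORDS = 4

# Constructed stand-in for a compromised-password corpus, keyed by SHA-1 as the
# public breach lists are; a real deployment would query such a corpus instead.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Password123456789!", "correct horse battery staple")
}

# Substitutions people commonly apply when recycling an old password (assumed table).
_SUBSTITUTIONS = str.maketrans("@$0134!", "asoleai")


def _normalise(pw: str) -> str:
    """Reduce a password to its core so trivial variants compare equal:
    lower-case, strip leading/trailing digits and symbols, then undo leet-speak."""
    core = re.sub(r"[^a-z]+$", "", re.sub(r"^[^a-z]+", "", pw.lower()))
    return core.translate(_SUBSTITUTIONS)


def check_password(candidate: str, previous: list[str]) -> list[str]:
    """Return the policy violations for `candidate` (an empty list means accepted).
    `previous` holds the user's earlier passwords as supplied at change time."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    classes = sum(bool(re.search(c, candidate)) for c in CHARACTER_CLASSES)
    if classes < 3 and len(candidate.split()) < MIN_PASSPHRASE_WORDS:
        problems.append("needs character variety or a multi-word passphrase")
    if hashlib.sha1(candidate.encode()).hexdigest() in COMPROMISED_SHA1:
        problems.append("appears in compromised list")
    norm = _normalise(candidate)
    for old in previous:
        if candidate == old:
            problems.append("reuse of previous password")
            break
        old_norm = _normalise(old)
        if norm == old_norm or difflib.SequenceMatcher(None, norm, old_norm).ratio() >= 0.8:
            problems.append("variant of previous password")
            break
    return problems


class LockoutTracker:
    """Temporarily disables an account after `threshold` failed logins within
    `window` seconds; the lock expires after `lockout` seconds."""

    def __init__(self, threshold=5, window=900, lockout=900, clock=time.monotonic):
        self.threshold, self.window, self.lockout, self._clock = threshold, window, lockout, clock
        self._failures: dict[str, list[float]] = {}     # account -> recent failure times
        self._locked_until: dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        return self._locked_until.get(account, 0.0) > self._clock()

    def record_failure(self, account: str) -> bool:
        """Register a failed attempt; returns True if the account is now locked."""
        now = self._clock()
        recent = [t for t in self._failures.get(account, []) if now - t <= self.window]
        recent.append(now)
        if len(recent) >= self.threshold:
            self._locked_until[account] = now + self.lockout
            recent = []                                  # counter restarts after the lock
        self._failures[account] = recent
        return self.is_locked(account)

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)
```

The variant check needs the earlier password in clear at change time (or a stored hash of its normalised form), because salted hashes of complete passwords cannot be compared for similarity; the `clock` parameter exists so the lockout logic can be tested without waiting.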

Secure Communication and Data Storage

  • Mandatory use of a secure e-mail server: All our employees are required to use our secure e-mail server for all internal and external e-mails. This server is hosted in a country outside the Fourteen Eyes alliance and uses end-to-end and zero-access encryption to ensure privacy.
  • Mandatory use of encrypted cloud storage: We store all our data with a cloud provider that has a zero-knowledge architecture and is hosted in a country outside the Fourteen Eyes alliance, guaranteeing user privacy, using state-of-the-art encryption such as AES with a 256-bit key. This means that the provider is unable to decrypt the information stored on its servers.
  • Use of VPNs and secure gateways: All remote access is via Virtual Private Networks (VPNs) or other secure gateway solutions, employing state-of-the-art encryption to protect data integrity and confidentiality.
  • Set browsers to maximum privacy: By default, we configure our browsers to prioritise maximum privacy settings. Using modes such as incognito or private browsing improves security by ensuring that no details of a browsing session are stored on our devices. While these features improve security on the device, private browsing does not make us invisible on the internet.
  • Approved remote access tools: Employees only use remote access tools and software approved by Symbio6. This list is regularly updated.

Data Protection

  • Mandatory PDF/A conversion: We convert all documents designated for clients and long-term storage to PDF/A format to ensure content remains readable and intact.
  • Mandatory digital shredding: Deleting a file on a computer does not permanently remove it; the file and its contents can often be recovered and viewed. The data must be shredded to remove the remnants and traces left by deleted files. Therefore files are not simply moved to the recycle bin but are digitally shredded in accordance with the DoD 5220.22-M standard.

Vendor and Software Management

  • Vendor selection and approval: We always specify security standards for all vendors, including adherence to ISO/IEC 27001, GDPR, and relevant industry regulations, and we require routine security audits.
  • Advanced cybersecurity tools: We are committed to adopting next-generation firewalls, endpoint protection platforms, and network intrusion detection systems to safeguard our infrastructure from cyber threats.
  • Preference for open source software: We prefer to use open source software where possible for its transparency, which allows for thorough security audits by the global community.

Operational Security Procedures

Data Protection

  • Minimal data collection: We reduce the organisation's attack surface and exposure to breaches by limiting the amount of (sensitive) information that could be exposed or misused.
  • Anonymisation of data: Identifiable data can be anonymised after consultation with the client. We establish guidelines to ensure this remains useful for analysis and research while safeguarding individual privacy. We always examine the risk of re-identification and determine the level of anonymisation required. While data anonymisation can significantly enhance data privacy and security, it is not entirely foolproof.
  • Specify retention periods: We always set retention periods for data and then shred it securely when it is no longer required.
  • Encrypt all our data: To avoid ambiguity, we treat all data as sensitive and store all of it encrypted in the cloud, so it is clear and safe for everyone.

Access, Authentication and Password Management

  • Access control policies: We implement and document strict access controls that limit remote access based on user roles and the principle of least privilege. This ensures that employees have access only to the resources necessary for their specific tasks.
  • Use of Password Managers: We require the use of approved password management tools to securely store and manage passwords, reducing the risk of weak password practices and facilitating compliance with password complexity requirements.

Data Handling and Security

  • Data Loss Prevention (DLP): We carry out DLP controls to detect and prevent unauthorised data exfiltration.
  • Regular backups: We perform regular backups and store them securely to ensure data availability.
  • Secure file sharing: We prohibit sending files by e-mail to ensure that they are safeguarded from unauthorised access while in transit. Instead, we distribute files by giving our clients a link to a protected, encrypted, temporary standalone exchange environment that allows us to manage who has access to the material. Sharing files via a link is simple, can handle very large files, and requires no extra software or accounts from the client other than an internet connection. This system has no connection to our internal network.
  • Document lifecycle management: We integrate PDF/A into our document lifecycle management process, including guidelines for when and how documents should be converted to PDF/A, where they should be stored, and the retention schedule.

Incident Management

  • Roles and responsibilities: We define and document the responsibilities of employees, managers, and IT staff in implementing and maintaining security in our organisation and appoint a Data Protection Officer (DPO).
  • Incident response: We have an incident response plan and team with automated tools for quick detection, response, and recovery from security breaches.
  • Incident reporting: We have a clear mechanism in place to report security incidents, particularly those involving cloud storage, such as suspected data breaches or unauthorised access events. We are also prepared to notify the relevant supervisory body within 72 hours of becoming aware of a data breach, and we will notify individuals affected if the breach is deemed to pose a significant risk to their rights and freedoms.

Client and Vendor Management

  • Transparent client communication: We maintain a dedicated client liaison for security concerns to address any questions or issues promptly.
  • Processing agreement: Regardless of whether the data is personal or not, we always enter into a processing agreement when processing data provided by a client to guarantee that the data processing is understood by both parties.
  • Security clauses in contracts: We include mandatory security clauses in all our vendor contracts that require adherence to specified security standards, immediate incident reporting, and periodic audits by our organisation.
  • PGP-communication: We support Pretty Good Privacy (PGP) encryption, allowing clients and vendors to communicate securely with us using our public PGP key.

Training and Awareness

Comprehensive Training Program

Every employee is required to receive biannual cybersecurity training that covers current risks like phishing and ransomware. Training sessions will also cover secure digital shredding processes.

Secure communication practices will be thoroughly covered during training. This covers best practices such as Wi-Fi safety, the risks of public Wi-Fi networks, and the significance of physical security, particularly when working remotely.

Another aspect of the training is how to establish and efficiently manage strong passwords and cloud storage usage. Employees will learn the best practices for safely storing data in the cloud, as well as how to use encryption tools and comprehend cloud security configurations.

Awareness Campaigns

To reinforce the concepts gained in training, we conduct ongoing awareness initiatives. These initiatives keep security issues, such as password security and the concept of least privilege, at the forefront of employees' minds. By consistently emphasising the hazards associated with poor security practices as well as the benefits of adhering to our security policy, we hope to foster a security-conscious culture at all levels of the organisation.

“Security is an ongoing process, not a one-time action.”

Continuous Maintenance

Monitoring and Real-Time Intelligence

  • Threat intelligence collaboration: We work together with leading cybersecurity firms to receive timely alerts and intelligence on emerging cyber threats, enhancing our ability to preemptively address potential risks.
  • Remote access monitoring: We maintain comprehensive logging and continuous monitoring of all remote access connections. This is to promptly detect and act upon any anomalous activities. Logs will be regularly reviewed to pinpoint potential security threats or incidents.

Audits and Compliance Checks

  • Compliance monitoring: We regularly monitor our compliance with legal and regulatory standards, facilitating the immediate identification and remediation of compliance issues.
  • Data Protection Impact Assessment (DPIA): We regularly undertake DPIAs to identify and minimise risks associated with data processing operations, particularly those that are likely to pose a high-risk to individuals' rights and freedoms.
  • Regular security audits: We perform both external and internal audits bi-annually, complemented by routine penetration testing conducted by third-party security experts, to validate the integrity of our security measures. We also perform regular security assessments to evaluate the effectiveness of our remote access controls and adjust our policies accordingly to ensure optimal security.
  • Usage and access audits: We regularly audit cloud storage and e-mail usage to ensure compliance with our security policies, checking for unauthorised access and adherence to encryption standards.

Technology Upgrades and Provider Evaluations

  • Ongoing technology investments: We invest continuously in the latest security technologies to maintain robust defences.
  • Provider assessments: We periodically assess our cloud storage and secure e-mail providers to ensure they meet required security and encryption standards.

Policy Review and Stakeholder Engagement

  • Adaptive security policies: We review and update our security policies semi-annually to adapt to changes in the security landscape and technological advancements.
  • Stakeholder meeting: We hold an annual security meeting with stakeholders to discuss policy updates and technology changes and to gather feedback.

Conclusion

Our dedication to security is the foundation of our client relationships. While security-first may entail extra effort in some cases, we will not undermine this principle. We strive for continuous improvement and proactive risk management, always ensuring the highest degree of security.

Key Contacts

For assistance, enquiries, or suggestions regarding our security policies, please contact your account manager or supervisor.
