SECURITY POLICIES
Purpose
This Information Security Policy provides an overview of the security controls developed by EGG to ensure that all personnel, tools, and services comply with the rules and guidelines related to security and confidentiality.
Organization
EGG has defined an organizational structure with hierarchical lines, authorities, and responsibilities for the development, implementation, operation, maintenance, and monitoring of systems related to security and confidentiality.
The Compliance Director of EGG is the owner of the controls in the EGG security management system.
This policy will be reviewed at least once a year and whenever there are changes that may affect corporate management regarding Information Security.
All personnel are responsible for information security and, therefore, must understand and comply with this policy and associated documents. Failure to do so may result in disciplinary action.
This policy was established and approved by the EGG leadership team in October 2021.
Policy
New Employees and Contractors
The People & Culture area is responsible for developing, implementing, maintaining, and monitoring the security and confidentiality process for new employees and contractors.
Before new employees or contractors have access to any company resources, they must sign copies of all documents listed in the onboarding checklist as part of the onboarding process.
Privacy and Conditions
EGG's privacy policy and conditions for external users are available on the web: //egg.live/privacy-policy/
Due to business and technology changes, EGG may need to modify the Privacy Policy on its public website.
Access Control
EGG applies logical access controls to ensure that data and equipment are secure and that only authorized personnel can access them.
All access to the network and systems requires a unique user ID and network password for identification and authentication purposes.
Shared accounts are prohibited. Single sign-on and two-factor authentication methods are implemented to access EGG systems.
EGG conducts access reviews quarterly to ensure that each role has appropriate access to data and information systems.
Access is revoked as described in the deactivation policy. Access to the production environment and data is restricted to the EGG Technology area. Access is managed through the Google authentication system.
EGG applies two-factor authentication for EMPLOYEES and CONTRACTORS using Google 2FA with SMS notifications or Google Authenticator.
Software Development
EGG has a development process based on the agile Scrum methodology that uses Git to manage code and work items through sprints with defined objectives.
Software changes are tracked in Git. Code is reviewed and tested in a testing environment before being released to production; the testing and production environments are physically and logically separated. The system enforces segregation of duties between the developers who write the code and the developers who publish changes to the production environment.
The EGG software development team follows the OWASP Top 10 guidelines for secure code development.
Production Systems
The EGG platform is hosted on Amazon Web Services. Operational and network security controls are implemented in line with the security standards' requirements. Notifications from external providers are evaluated for potential risks.
Penetration tests are conducted at least once a year. The results are reviewed by management and tracked to resolution as part of the risk assessment procedure.
Logging and Analysis
The EGG platform logs every transaction using Segment.io, which persists every event sent to a data warehouse managed by AWS; the warehouse is backed up hourly, with monthly snapshots. EGG platforms also write a dedicated log entry for each failed attempt to access the logs themselves.
Log reviews are conducted quarterly. Each review checks whether an event has already been seen in earlier reviews; an event that does not fit the normal profile is flagged and investigated further. During an investigation, it may be necessary to collect information from other sources, such as change management systems, antimalware, and IDS, among others.
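The two checks the review describes, an event type not seen in earlier reviews and a burst of failed access attempts, can be automated. The script below is an added example, not EGG's own tooling; the event names, fields and log lines are constructed for illustration and do not reflect EGG's real Segment schema, and the threshold and window are arbitrary assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a Segment-style "track" shape (illustrative only).
SAMPLE_LOG = """\
{"event": "login_succeeded", "userId": "u1", "ip": "198.51.100.4", "timestamp": "2021-10-05T09:00:00Z"}
{"event": "login_failed", "userId": "u2", "ip": "198.51.100.9", "timestamp": "2021-10-05T09:01:00Z"}
{"event": "login_failed", "userId": "u2", "ip": "198.51.100.9", "timestamp": "2021-10-05T09:01:30Z"}
{"event": "login_succeeded", "userId": "u2", "ip": "198.51.100.9", "timestamp": "2021-10-05T09:02:00Z"}
{"event": "login_failed", "userId": "u1", "ip": "203.0.113.7", "timestamp": "2021-10-05T10:00:00Z"}
{"event": "login_failed", "userId": "u1", "ip": "203.0.113.7", "timestamp": "2021-10-05T10:00:20Z"}
{"event": "login_failed", "userId": "u1", "ip": "203.0.113.7", "timestamp": "2021-10-05T10:00:40Z"}
{"event": "login_failed", "userId": "u1", "ip": "203.0.113.7", "timestamp": "2021-10-05T10:01:00Z"}
{"event": "login_failed", "userId": "u1", "ip": "203.0.113.7", "timestamp": "2021-10-05T10:01:20Z"}
{"event": "log_access_denied", "userId": "u3", "ip": "198.51.100.20", "timestamp": "2021-10-05T11:00:00Z"}
{"event": "bulk_export", "userId": "u3", "ip": "198.51.100.20", "timestamp": "2021-10-05T11:05:00Z"}
{"event": "team_created", "userId": "u1", "ip": "198.51.100.4", "timestamp": "2021-10-05T12:00:00Z"}
"""

# Event types already seen in earlier reviews (the "normal profile"; assumed).
KNOWN_PROFILE = {"login_succeeded", "login_failed", "team_created", "log_access_denied"}


def parse_log(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # Python < 3.11 does not accept a trailing "Z" in fromisoformat.
        ev["ts"] = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def review(events, known_profile, threshold=5, window=timedelta(minutes=10)):
    """Return (kind, subject, detail) findings for events that warrant investigation."""
    findings = []
    recent_failures = defaultdict(deque)   # userId -> timestamps of recent login_failed
    burst_flagged = set()

    for ev in events:
        name, user = ev["event"], ev["userId"]

        # 1. Event type never seen in earlier reviews: does not fit the normal profile.
        if name not in known_profile:
            findings.append(("unseen_event_type", name, user))

        # 2. The dedicated "failed access to the log" entry is always escalated.
        if name == "log_access_denied":
            findings.append(("log_access_denied", user, ev["ip"]))

        # 3. Sliding-window count of failed logins per user.
        if name == "login_failed":
            q = recent_failures[user]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and user not in burst_flagged:
                burst_flagged.add(user)
                findings.append(("failed_login_burst", user, ev["ip"]))

    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG), KNOWN_PROFILE):
        print(finding)
```

Each finding carries the subject (user ID or event name) and a detail (source IP) so the reviewer can pivot to the other sources the policy mentions, such as change management records or IDS alerts. Two failed logins followed by a success (u2) stay below the threshold and are not flagged.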
Data in Transit
EGG uses Grade A+ transport layer security (as measured by ssllabs.com) to encrypt data in transit with TLS 1.3.
External user passwords for clients registering directly with EGG are stored in the database as salted hashes and cannot be recovered in clear text.
Data Retention
User data is retained for as long as the user account exists and is encrypted at rest with AES-256.
Backups
The user data backup process consists of a full database backup every 24 hours, of which the most recent 20 days are retained. These backups are stored in S3. Client data resides only in the production environment, encrypted at rest with AES-256. Backup data is encrypted with AES-256 using Amazon S3 server-side encryption, with keys provisioned and managed automatically by the service. Encryption is applied at the storage level.
Subprocessor Security
EGG uses certain subprocessors to assist in providing services; these service providers may store and process personal data.
The list of subprocessors and their functions within EGG is available to anyone upon request. EGG reserves the right to remove, modify, change, or add subprocessors.
Data Deletion
User agreements establish that students can request full or partial data deletion at any time. The request can only be executed by authorized personnel, and the requester must be a valid user account with administrative rights on the team the request concerns.
The student is notified immediately, through the same ticket used for the data deletion request, once the deletion has been completed.
Antivirus
EGG uses ESET antivirus software on all Technology computers; the IT area verifies that all antivirus clients are up to date. Information stored on local disks is protected by ESET Full Disk Encryption (ESET FDE).
Training and Awareness
EGG Security Awareness Training is a formal process to educate employees and contractors about computer security and the proper use of information.
Third Party
When there is a business need to disclose confidential EGG information to third parties (such as business partners and contractors), or to grant third parties access to confidential information, the Area Director executes a confidentiality agreement or an agreement that incorporates confidentiality provisions.
Information Classification
EGG implements appropriate information classification controls based on the results of the formal risk assessment.
Incident Reporting
Procedures for reporting information security incidents (breaches, failures, concerns, and other complaints) are described in the incident management policy, including guidance on escalation and resolution.
Risk Management
Risk assessments are conducted periodically to identify threats and vulnerabilities to the systems within the scope. Mitigation strategies are analyzed based on the results of the risk assessment. The risk management policy requires an annual review of the risk assessment and updating the implementation plan, policies, and procedures to address changes that could affect the system.
Monitoring
Compliance with the policies and processes described in this document is periodically monitored with independent reviews by Internal and External Audit.
GDPR and CCPA
EGG treats compliance with GDPR and CCPA as an ongoing process; tools and processes are in place to honor every GDPR right that a person may exercise.
In some circumstances and according to applicable law, a person's data protection rights may be legally restricted.
Any questions or issues related to personal data can be emailed to the Data Protection Office: [email protected]