Information Security: A Practical Policy that People Read and Follow

In the interest of full transparency, and in making you feel comfortable with how your data is handled, this is the third and final article in our series on data privacy and security. In previous articles, we described what happens to your form data and how and why we use analytics. In this article, we give an overview of the security policy that all ThinkTilt employees are required to follow.

Although small, the ThinkTilt team is widely distributed, sometimes spanning three continents. We have adopted specific communications practices to ensure that all information is handled securely. Staff do not use email; rather, they communicate via HipChat. All content files are stored in Confluence. ThinkTilt has adapted a Security Policy from Ryan McGeehan's post, An Information Security Policy for the Startup. This was selected as the basis for our security policy because it is applicable everywhere and is written so as to be easily understood by staff.


Our security policy directs staff to:

  1. Err on the side of caution
  2. Always handle data in an ethical, professional manner, only using personal data for the purpose for which it was collected
  3. Include the ThinkTilt security team in any decision to share data with another company, and only do so when it meets the organization's security standards
  4. Not compromise the organization by downloading data into an insecure environment or copying or transmitting data through a different system
  5. Engage with other team members for any process involving cryptography
  6. Appropriately document where data is stored
  7. Ensure that any systems created include centralized, read-only usage logs designed for others to look back on during a security incident
  8. Create unique, strong passwords and use a password manager
  9. Not use their personal email accounts for cloud platforms that support the company
  10. Enable multi-factor authentication whenever possible
  11. Never save organization, customer or user data on a removable storage device (USB, etc.)
  12. Ensure that work-related data on smartphones is encrypted whenever possible, that the phone is set to automatically lock when it is powered up and has an appropriately challenging passcode, and that the "Find my..." feature is enabled so the device can be located or wiped remotely
  13. Encrypt their devices and not use unencrypted backup or cloud storage systems
  14. Enable a password-required screen saver
  15. Use Google Chrome and Click to Play
  16. Enable the "Find my..." feature on laptops

ThinkTilt also carries out periodic security audits, scheduled at random, to ensure that the processes and controls are being adhered to. This includes:

  1. Having employees/directors review and sign the Security Policy annually
  2. Having employees/directors clean non-active work files off of their computers
  3. Carefully monitoring what systems contractors have access to
  4. Ensuring that no confidential files or information have been inadvertently shared via HipChat
  5. Reviewing the contents of our database to ensure that only necessary data is stored
  6. Verifying that our logs are retained in a separate, secure system for at least 12 months
  7. Reviewing that user and administrator rights on each of our systems are up to date and correct

Finally, ThinkTilt has developed a disaster response plan to ensure that, in the event of a security incident or natural disaster, immediate steps are taken to protect customers, Atlassian and our internal operations. This plan pays particular attention to protecting customer data and confidential information, and includes protocols for responding to vulnerability reports, compromised staff user accounts, loss of a laptop (or other relevant device) and natural disasters.

If you have any concerns or suggestions regarding data security, please contact us at security@thinktilt.com.