Ixenit Security Policies
Ixenit Ltd. has developed a set of corporate policies that help the organization to establish and enforce Information Security and Business Continuity requirements through its information systems and personnel. These policies are set forth by Ixenit Ltd. Management and are reviewed and updated periodically.
Below is a short description of what these policies contain.
Access Management
- User accounts are used to manage access, with minimal possible rights
- Systems are logged and monitored for potential inappropriate access
- Remote access to organizational systems is automatically provided for Ixenit employees
- Remote access to application systems is provided when needed
Asset Management
- Ixenit maintains an asset inventory
- Assets provided to employees are documented
- Assets are returned to Ixenit if employment is terminated
- Replaced assets may be bought by employees, in which case they are wiped clean before transfer
Business Continuity and Disaster Recovery
- Systems and Services at Ixenit are grouped into tiers with regard to Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
- Plans for recovery must be tested at least once before launch and after each infrastructural change that might affect recovery
- No mission-critical systems can be deployed without an appropriate continuity plan
Network Security
- The organizational network can be accessed on site (protected by physical security measures) and over VPN (protected by cryptographic means and access management regulations)
- Access to networks servicing customers must be limited
Cryptography and Encryption
- Sensitive data is encrypted appropriately
- Cryptographic keys are securely managed; Ixenit uses Amazon's Key Management System for managing keys for its cloud services
Software and Backups
- Software installation is limited to necessary software
- Backups are taken regularly and kept separate from the backed up system during their retention period
Use of personal devices
- Personal devices must be identifiable and their use must be requested beforehand
- No customer data can be stored on personal devices
- Compliance and monitoring of used personal devices is done using the least restrictive principles that reasonably achieve the required security objectives
Personnel and Physical Security
- Security responsibilities are outlined in the job descriptions
- Upon employee termination, the return of assets and the revocation of access rights must be completed on the employee's last work day
- Access to Ixenit's office is physically restricted and entry is logged