GoMyRO employs strict security standards and measures throughout the entire organization. Every team member is trained and kept up to date on the latest security protocols. We regularly undergo testing, training, and auditing of our practices and policies.
What is this document, why does it exist, what does it cover, and who is in charge of it?
This policy defines behavioral, process, technical, and governance controls pertaining to security at GoMyRO that all personnel are required to implement in order to ensure the confidentiality, integrity, and availability of the GoMyRO service and data (“Policy”). All personnel must review and be familiar with the rules and actions set forth below.
This Policy defines security requirements for:
In the event of a conflict, the more restrictive measures apply.
This Policy was created in close collaboration with and approved by GoMyRO executives. At least annually, it is reviewed and modified as needed to ensure clarity, sufficiency of scope, concern for customer and personnel interests, and general responsiveness to the evolving security landscape and industry best practices.
The GoMyRO security team oversees the implementation of this Policy, including
The security team maintains a Risk Management Framework derived from NIST SP 800-39 - “Managing Information Security Risk: Organization, Mission, and System View” and NIST SP 800-30 - “Guide for Conducting Risk Assessments”. Risk assessment exercises inform prioritization for ongoing improvements to GoMyRO’s security posture, which may include changes to this Policy itself.
Our Risk Management Framework incorporates the following:
What are GoMyRO’s expectations of its personnel and the workplace regarding systems and data?
GoMyRO is committed to protecting its customers, personnel, partners, and the company from illegal or damaging actions by individuals, either knowingly or unknowingly in the context of its established employment culture of openness, trust, maturity, and integrity.
This section outlines expected personnel behaviors affecting security and the acceptable use of computer systems at GoMyRO. These rules are in place to protect our personnel and GoMyRO itself, in that inappropriate use may expose customers and partners to risks including malware, viruses, compromise of networked systems and services, and legal issues.
The first line of defense in data security is the informed behavior of personnel, who play a significant role in ensuring the security of all data, regardless of format. Such behaviors include those listed in this section as well as any additional requirements specified in the employee handbook, specific security processes, and other applicable codes of conduct.
Training
All employees and contractors must complete the GoMyRO security awareness and data handling training
programs at least annually.
Unrecognized Persons and Visitors
It is the responsibility of all personnel to take positive action
to maintain physical security. Challenge
any
unrecognized person present in a restricted office location. Any challenged person who does not respond
appropriately should be immediately reported to supervisory staff and the security team. All visitors to
GoMyRO offices must be registered as such or accompanied by a GoMyRO employee.
Clean Desk
Personnel should maintain workspaces clear of sensitive or confidential material and
take care to clear
workspaces of such material at the end of each workday.
Unattended Devices
Unattended devices must be locked. All devices will have an automatic screen
lock function set to automatically
activate upon no more than fifteen minutes of inactivity.
Use of Corporate Assets
Systems are to be used for business purposes in serving the interests of
the company, and of our clients and
partners in the course of normal business operations. Personnel are responsible for exercising good judgment
regarding the reasonableness of personal use of systems. Only GoMyRO-managed hardware and software is permitted
to be connected to or installed on corporate equipment or networks and used to access GoMyRO data.
GoMyRO-managed hardware and software includes those either owned by GoMyRO or owned by GoMyRO personnel but
enrolled in a GoMyRO device management system. Only software that has been approved for corporate use by
GoMyRO may be installed on corporate equipment. All personnel must read and understand the list of prohibited
activities outlined in this Policy. Modifications or configuration changes are not permitted without explicit
written consent by the GoMyRO security team.
Removable Storage, No Backups, Use of Cloud Storage
Use of removable media such as USB drives is
prohibited. Personnel may not configure work devices to make backups
or copies of data outside corporate policies. Instead, personnel are expected to operate primarily “in the cloud”
and treat local storage on computing devices as ephemeral. GoMyRO data must be saved to company-approved secure
cloud storage (e.g. Google Docs) to ensure that even in the event of a corporate device being lost, stolen,
or damaged, such artifacts will be immediately recoverable on a replacement device.
Prohibited Activities
The following activities are prohibited. Under certain conditions and with
the explicit written consent of the
security team, personnel may be exempted from certain of these restrictions during the course of their
legitimate job responsibilities (e.g. planned penetration testing, systems administration staff may have a need
to disable the network access of a host if that host is disrupting production services).
The list below is by no means exhaustive, but attempts to provide a framework for activities which fall into the category of unacceptable use.
Centralized System Configuration
Personnel devices and their software configuration are managed remotely by members of the security team
via configuration-enforcement technology, also known as MDM software. Such technology may be used for
purposes
including
auditing/installing/removing software applications or system services, managing network configuration,
enforcing password policy, encrypting disks, remote wipe & recovery, copying data files to/from employee
devices,
and any other allowed interaction to ensure that employee devices comply with this Policy.
Data and Device Encryption
All devices must use modern full disk encryption to protect data in the event of a lost device. An example
of valid full disk encryption is Apple FileVault 2 using XTS-AES-128 encryption with a 256-bit key. This is
enforced
using MDM software.
Device Heartbeat and Remote Wipe
Devices must support the ability to report their status and be remotely wiped. This is enforced using MDM
software.
Prevent Removable Storage
Devices must prevent usage of removable storage. This is enforced using MDM software.
Devices must automatically install and configure the GoMyRO provided antivirus software for endpoint protection. Configured software will report status and potential threats, allowing for remote administration and reporting by the security team. This is enforced using MDM software.
Retention of Ownership
All software programs, data, and documentation generated or provided by personnel while providing services
to GoMyRO or for the benefit of GoMyRO are the property of GoMyRO unless otherwise covered by a contractual
agreement.
Personnel Privacy
While GoMyRO’s network administration desires to provide a reasonable level of privacy, users should be
aware that the data they create on the corporate systems remains the property of GoMyRO. Due to the need to
protect
GoMyRO’s network, management does not intend to guarantee the privacy of personnel’s personal information
stored on any network device belonging to GoMyRO. Personnel are responsible for exercising good judgment
regarding the reasonableness of personal use such as general web browsing or personal email. If there is any
uncertainty, personnel should consult the security team or their manager.
Personnel should structure all electronic communication with recognition of the fact that the content could be monitored and that any electronic communication could be forwarded, intercepted, printed, or stored by others.
GoMyRO reserves the right, at its discretion, to review personnel’s files or electronic communications to the extent necessary to ensure all electronic media and services are used in compliance with all applicable laws and regulations as well as corporate policies.
GoMyRO reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. For security and network maintenance purposes, authorized individuals within GoMyRO may monitor equipment, systems and network traffic at any time.
Background Checks
Background checks are conducted for personnel with access to production
infrastructure prior to their start
date.
The consequences of problematic background check results may range from a limitation of security privileges,
to revocation of employment offer, to termination.
Training
The security team maintains a company-wide security awareness program delivered to all
personnel at least
annually. The program covers security awareness, policies, processes, and training to ensure that personnel
are
sufficiently informed to meet their obligations. Those most responsible for maintaining security at GoMyRO,
including the security team itself as well as key engineering/operations staff, undergo more technical
continuing education.
Separation
In the case of personnel termination or resignation, the security team coordinates with
human resources to
implement a standardized separation process to ensure that all accounts, credentials, and access of outgoing
employees are reliably disabled.
Access to GoMyRO offices is mediated by a staffed front office and programmable door control access. All
doors
shall remain locked or staffed under normal business conditions. The security team may provide approval to
unlock
doors for short periods of time in order to accommodate extenuating physical access needs.
Internet-based security cameras are positioned to record time-stamped video of ingress/egress, which are
stored
off-site.
Internet access shall be provided to devices via wired ethernet and WPA2 wifi. A network firewall that blocks all WAN-sourced traffic shall be put in place. WAN-accessible network services shall not be hosted within the office environment.
How does GoMyRO define, control, and maintain user identity and permissions for personnel?
Each individual having access to any GoMyRO-controlled system does so via a user account denoting their system identity. Such user accounts are required to have a unique username, a unique strong password of at least 8 characters.
Logging into GoMyRO Systems
Logins by personnel may originate only from GoMyRO-managed devices.
. Repeated failed attempts to authenticate may result in the offending user account being locked or revoked.
Revocation and Auditing of User Accounts
User accounts are revoked (that is, disabled but not
deleted) immediately upon personnel separation. As a
further precaution, all user accounts are audited at least quarterly, and any inactive user accounts are
revoked.
GoMyRO adheres to the principle of least privilege, and every action attempted by a user account is subject to access control checks.
Role-based Access Control
GoMyRO employs a role-based access control (RBAC) model utilizing
Google-supplied facilities such as
organizational units, user accounts, user groups, and sharing controls.
Web Browsers and Extensions
GoMyRO may require use of a specified web browser(s) for normal
business use and for access to corporate
data
such as email. For certain specified roles such as software development and web design, job activities
beyond
those mentioned above necessitate the use of a variety of browsers, and these roles may do so as needed for
those activities.
Any browser that is allowed to access corporate data such as email is subject to a whitelist-based restriction on which browser extensions can be installed.
Administrative Access
Access to administrative operations is strictly limited to security team
members and further restricted
still
as a function of tenure and the principle of least privilege.
Regular Review
Access control policies are reviewed regularly with the goal of reducing or refining
access whenever possible. Changes in job function by personnel trigger an access review as well.
Upon termination of personnel, whether voluntary or involuntary, the security team will follow GoMyRO’s personnel exit procedure, which includes revocation of the associated user account and reclamation of company-owned devices, office keys or access cards, and all other corporate equipment and property prior to the final day of employment.
How does GoMyRO build, adopt, configure, and maintain technology to fulfill its security intentions?
GoMyRO stores source code and configuration files in private GitHub repositories. The security and development teams conduct code reviews and execute a static code analysis tool on every code commit. Reviewers shall check for compliance with GoMyRO’s conventions and style, potential bugs, potential performance issues, and that the commit is bound to only its intended purpose.
Security reviews shall be conducted on every code commit to security-sensitive modules. Such modules include those that pertain directly to authentication, authorization, access control, auditing, and encryption.
All major pieces of incorporated open source software libraries and tools shall be reviewed for robustness, stability, performance, security, and maintainability.
The security and development teams shall establish and adhere to a formal software release process.
Sensitive data which does not need to be decrypted (e.g. passwords) is salted and hashed using approved functions such as Bcrypt.
Sensitive data which must be decrypted (e.g. tokens) must use an approved encryption provider for HSM functions, such as KMS.
The GoMyRO security and development teams shall document the configuration of all adopted systems and services, whether hosted by GoMyRO or are third party hosted. Industry best practices and vendor-specific guidance shall be identified and incorporated into system configurations. All configurations shall be reviewed on at least an annual basis. Any changes to configurations must be approved by appointed individuals and documented in a timely fashion.
System configurations must address the following controls in a risk-based fashion and in accordance with the remainder of this policy:
For every third-party service or sub-processor that GoMyRO adopts, the compliance team shall review the service and vendor, on an annual basis, to gain assurance that their security posture is consistent with GoMyRO’s for the type and sensitivity of data the service will store or access.
How does GoMyRO manage data classifications and data processing?
GoMyRO maintains the following Data Confidentiality Levels:
Data Confidentiality is determined by:
Additionally, data may be separated into data type classifications to enforce processing rules for customer data. For each data class, the GoMyRO security and development teams may provision and dedicate specific information systems to store and process data of that class, and only data of that class, unless otherwise explicitly stated. For all classes of customer data, data must be encrypted at rest and in transit. Corresponding systems may store and process data items needed to keep each customer’s data properly segmented, such as GoMyRO customer identifiers.
Customer User Account Data - This is data pertaining to login accounts for the www.GoMyRO.com customer web interface, used by GoMyRO customer agents. User account credentials shall be hashed in such a manner that the plaintext passwords cannot be recovered.
Customer Contact Data - This is contact data about GoMyRO customers and customer agents.
Customer Preferences Data - This is data pertaining to the customer-specific preferences and configurations of the GoMyRO service made by customer agents.
Customer Recorded Data - This is data that the GoMyRO service collects during session recording.
Customer Event Transaction Metadata - This is metadata about transactions conducted on all other classes of customer data. This includes customer organization and user identifiers, standard syslog data pertaining to customer users, and instances of Customer Contact Data and Customer Preferences Data. This class does not include Customer Recorded Data.
Customer Contact Data, Customer Preferences Data, and Customer Event Transaction Metadata may be stored and processed in systems hosted in different environments, as approved by the security team.
Resources must maintain accurate data classification tagging policies for their entire lifecycle, including during decommissioning or when removed from service temporarily.
GoMyRO employees may access Customer Data only under the following conditions.
GoMyRO provides web user interfaces (UIs), application programming interfaces (APIs), and data export facilities to provide customers access to their data.
The security team in conjunction with executive management may approve emergency exceptions to any of the above rules, in response to security incidents, service outages, or significant changes to the GoMyRO operating environment, when it is deemed that such exceptions will benefit and protect the security and mission of GoMyRO, GoMyRO customers, and visitors of GoMyRO customers’ websites.
GoMyRO protects all data in transit with TLS 1.2 and all data at rest with AES-256 encryption. Cryptographic keys are assigned to specific roles based on least privilege access and keys are automatically rotated yearly. Usage of keys is monitored and logged.
Resources must maintain data encryption at rest and in transit for their entire lifecycle, including during decommissioning or when removed from service temporarily.
Each customer is responsible for the information they create, use, store, process and destroy.
On expiration of services, customers may instruct GoMyRO to delete all customer data from GoMyRO’s systems in accordance with applicable law as soon as reasonably practicable, unless applicable law or regulations require otherwise.
GoMyRO uses Amazon Web Services for all infrastructure. AWS provides the following guidance regarding their data lifecycle policies:
Media storage devices used to store customer data are classified by AWS as Critical and treated accordingly, as high impact, throughout their life-cycles. AWS has exacting standards on how to install, service, and eventually destroy the devices when they are no longer useful. When a storage device has reached the end of its useful life, AWS decommissions media using techniques detailed in NIST 800-88. Media that stored customer data is not removed from AWS control until it has been securely decommissioned.
How does GoMyRO detect, and respond to vulnerabilities and security incidents?
The GoMyRO security and development teams shall use all of the following measures to detect vulnerabilities that may arise in GoMyRO’s information systems.
The GoMyRO security team shall evaluate the severity of every detected vulnerability in terms of the likelihood and potential impact of an exploit, and shall develop mitigation strategies and schedules accordingly. Suitable mitigations include complete remediation or implementing compensating controls.
The GoMyRO security team maintains an internal Incident Response Policy which contains steps for preparation, identification, containment, investigation, eradication, recovery, and follow-up/postmortem.
The GoMyRO security team shall use all of the following measures to detect security incidents.
The GoMyRO security team shall make a determination of whether every indicator is representative of an actual security incident. The severity, scope, and root cause of every incident shall be evaluated, and every incident shall be resolved in a manner and timeframe commensurate with the severity and scope.
In the event that a data breach affecting a customer has been detected, GoMyRO will maintain communication with the customer about the severity, scope, root cause, and resolution of the breach.
How will GoMyRO prevent and recover from events that could interfere with expected operations?
GoMyRO services shall be configured in such a manner so as to withstand long-term outages to individual servers, availability zones, and geographic regions. GoMyRO infrastructure and data is replicated in multiple geographic regions to ensure this level of availability. GoMyRO availability and status information can be found at status.GoMyRO.com.
GoMyRO targets a Data Recovery Point Objective (RPO) of 24 hours.
Due to the distributed nature of GoMyRO services, Recovery Time Objectives (RTO) are near-zero for geographic disasters. RTO for systemic disasters involving data recovery is targeted at 48 hours.
GoMyRO tests backup and recovery processes on at least a monthly basis.
Business Risk Assessment and Business Impact
Analysis
GoMyRO's risk assessment committee will include business risk assessment and business
impact analysis for
each Key
Business System that is used by the organization. The outcome of ongoing risk assessments will update or
create
recovery plans for Key Business Systems and update prioritization of systems compared to other key systems.
Distribution, Relocation, and Remote Work
GoMyRO prioritizes policies, tools, and equipment which
enables independent, distributed remote work for
all staff if emergencies or disasters strike. If the organization’s primary work site is unavailable, staff
can
work from home or an alternate work site shall be designated by management.
Notification and Communication
GoMyRO has established internal communications using secure,
distributed providers using industry standard
security protocols. Staff and management will be notified via existing channels during any emergency event,
or
when
any data recovery plan is initiated or deactivated.