Branch Metrics is committed to adopting the following best practices for software development, business operations and data privacy to provide a secure and safe platform service to our customers:
Branch has documented policies, procedures, and processes for the effective management of its Information Security Management System (ISMS). Security policies are approved by the Chief Operating Officer (COO) or the Information Security Management Committee (ISMC). Any exception must be authorized by the Head of Security or the ISMC. Branch updates its security policies at least annually.
Branch has installed a visitor check-in system at Branch's offices, which issues a visitor badge that visitors must carry with them at all times while on the premises.
Branch uses a Mobile Device Management (MDM) system to secure assets and control access to information used for work. Company-issued devices and laptops are provisioned from a tested image and are protected with anti-virus and malware scanning software. To protect business data from theft or exploitation, the use of external USB storage devices on laptops is prohibited, and the restriction is enforced by the MDM tool. Under the BYOD (Bring Your Own Device) policy, personal mobile devices used in the office must connect to a separate guest Wi-Fi network.
Branch maintains a formally documented access control program to ensure personnel's physical access is revoked immediately upon termination or when access is no longer required.
Employees must use their issued security access cards to enter the office premises. Network equipment and assets inside the office building are secured behind physical locks. Security surveillance recordings are retained for review in case of an incident.
Branch creates, implements, and maintains policies and procedures, documented and approved by senior management, covering the hiring, termination, code of conduct, ethics, and background screening of all employees and contractors. Branch conducts a background check on each employee using a reliable third-party service.
Branch conducts a security and privacy awareness program for employees annually.
Branch enforces a strong and complex password policy together with multi-factor authentication (MFA). An account lockout policy is in place: accounts are locked when users exceed the threshold of invalid login attempts.
Branch has implemented secure system access and remote access mechanisms. Only authorized production and customer support personnel can access our production backend systems and customer data, on a need-to-know basis, via a virtual private network (VPN) with multi-factor authentication (MFA).
Our web services require the use of service accounts and secure API tokens.
Branch has adopted a logical system access provisioning process that meets or exceeds industry standards for all systems that access, process, or store customer data and confidential information.
Branch has implemented role-based access control. Branch conducts access reviews periodically.
Branch has adopted a secure software development lifecycle process built on an agile development methodology. This includes periodic review of issues identified by static application security testing (SAST), web application vulnerability scanning (DAST), penetration testing, and container security vulnerability scanning, the latter automated in the build pipeline.
Branch engages third-party professional security firms to perform network and application penetration testing against the production environment annually. In addition, we use security researchers from crowd-sourcing communities to identify exploitable security vulnerabilities.
Branch has formally documented policies for vendor and technology risk assessment and risk management. Branch's due diligence process ensures that system security and data privacy details are reviewed, and that security risks are mitigated, before adoption.
Branch has adopted a formal data backup and restoration process to protect business data. Nightly backups (snapshots) of data are taken and stored in redundant locations. Only authorized personnel can access or restore data from the backup datasets.
Branch has implemented comprehensive system monitoring for our cloud applications and micro-services, and has deployed a security information and event management (SIEM) system. Branch has also implemented vulnerability detection and network intrusion detection controls. These controls generate proactive alerts that notify the platform infrastructure team of system events and suspicious activities that may be potential security incidents.
Branch has a formally documented incident response program in place. The security incident response plan defines the steps to be coordinated with the cross-functional incident response team to mitigate any security incident in a timely manner.
All verified security incidents are reported promptly to the security incident response team. Depending on the response level and the customer agreement, customers are notified in a timely manner about the status of the incident and its remediation.
Branch shall test the security incident response process annually.
Branch adopted a Business Continuity / Disaster Recovery Process that meets or exceeds industry standards and that provides a formal framework and methodology, including without limitation, a business impact analysis and risk assessment process to identify and prioritize critical business functions.
Branch conducts a Business Continuity test every twelve (12) months, including a review of the Business Continuity Plan, roles and responsibilities, business documentation requirements, recovery strategies, Mean Time to Recovery (MTTR), Recovery Time Objectives (RTOs), Recovery Point Objectives (RPOs), testing strategy and frequency.
The owner of Branch's Business Continuity / Disaster Recovery Process is Ray Lai, Head of Security.
Branch uses a change management system for documenting and tracking planned and emergency software changes. A workflow approval process is in place to ensure change requests are prioritized and assigned.
Branch has adopted a security patch management process for periodic and ad hoc software and security updates. Branch also uses a system configuration management tool to continuously monitor and evaluate resource configurations.
Any high-risk or critical change to system configurations undergoes a formal approval process. That approval process involves senior management (such as senior managers or directors) and the Head of Security.
Branch uses industry-standard encryption algorithms to encrypt customer data and ensure information confidentiality in transit and at rest.
Branch has implemented logical data segregation that meets or exceeds industry standards to ensure customer data and confidential information is not viewable by unauthorized users.
Branch has implemented input and output validation for data protection in the Dashboard application. Business data is validated and checked for integrity in the backend micro-services and the API web services. A Data Leakage Prevention (DLP) tool is deployed in our backend storage infrastructure to detect and prevent unauthorized disclosure of data.
Branch treats all customer data as confidential and has implemented multiple data protection controls to ensure data privacy. These include protecting data at rest (encryption), data in transit (secure transport), and role-based system access control. Data access is restricted to authorized personnel, and production backend systems can only be accessed using MFA, a VPN, and company-issued laptops.
Branch has the necessary processes and procedures in place to fulfil Data Subject Requests regarding personal data within 30 days, in accordance with applicable law, to meet GDPR and ePrivacy requirements.
Branch follows industry security best practices (e.g., Amazon, NIST) for destroying storage media, including cloud storage and laptop hard drives, before disposal.
A documented data privacy statement describes what data Branch captures, how the data is protected, and can be found under https://branch.io/privacy.
Policy Owner : Ray Lai, Head of Security
Updated date: 2020-10-22