Branch Metrics is committed to adopting the following best practices for software development, business operations and data privacy in order to provide a secure and safe platform service to our customers:
Branch shall create, implement and maintain an enterprise Information Security Management System (ISMS). Security policies shall be approved by the Chief Operating Officer (COO) or the Information Security Management Committee (ISMC). Any exception shall be authorized by the Head of Security or the ISMC. Branch shall update security policies at least annually.
Branch shall install a visitor check-in system at Branch's offices, which will issue a visitor badge that visitors must carry with them at all times.
Branch shall implement and maintain a secure Mobile Device Management (MDM) system to secure assets and information access for work. Company-issued devices and laptops are secured using a tested image and are protected using anti-virus and malware scanning software. To protect business data from theft or exploitation, external USB storage devices are prohibited on laptops (enforced by the mobile device management tool). Under the BYOD (Bring Your Own Device) policy, personal mobile devices must use the separate guest Wi-Fi network when used in the office.
Branch shall create, implement and maintain a program to ensure personnel's physical access is revoked immediately upon termination or when access is no longer required.
Employees must use their issued security access card to access office premises. Physical locks inside the office building secure network equipment and assets. Security surveillance recordings are retained for review in case of any incident.
Branch shall create, implement and maintain policies and procedures, which shall be documented and approved by its senior management, to support the hiring, termination, code of conduct, ethics and background screening of all employees and contractors. Branch shall perform a background check using reliable third-party services for each employee.
Branch shall create, implement and maintain a security and privacy awareness program for employees annually.
Branch shall implement a strong and complex password policy, enforced together with MFA (Multi-Factor Authentication). Branch shall implement an account lockout policy that triggers when users exceed the threshold of invalid login attempts.
Branch shall implement and maintain secure system access and remote access mechanisms. Only authorized production and customer support personnel can access the production system backend and customer data, on a need-to-know basis, via virtual private network (VPN) and multi-factor authentication (MFA).
Our Web services require the use of service accounts and secure API tokens.
Branch shall create, implement and maintain a logical system access provisioning process that meets or exceeds industry standards for all systems that access, process or store customer data and confidential information.
Branch shall implement role-based security access. Branch shall maintain a periodic logical access control review.
Branch shall implement a secure software development lifecycle process using an agile development methodology, and shall periodically review security issues identified by static code analysis (SAST), web application vulnerability scanning (DAST), penetration testing, and container security vulnerability scanning automated in the build pipeline.
Branch shall engage third-party professional security firms to perform network and application penetration testing in the production environment annually. In addition, we also use security researchers from crowd-sourced communities to identify exploits and security vulnerabilities.
Branch shall create, implement and maintain a vendor and technology risk assessment strategy and risk mitigation methodology. The due diligence process will ensure that system security and data privacy details are reviewed, and that security risks are mitigated, before adoption.
Branch shall implement and maintain a data backup and restore process to secure business data. Nightly backups (snapshots) of data are made and stored in redundant locations. Only authorized personnel may access or restore any data from the backup datasets.
Branch shall implement comprehensive system monitoring for our cloud applications and micro-services. In addition, Branch shall implement and maintain a security information and event management (SIEM) system. Branch shall implement vulnerability and network intrusion detection controls. These controls will generate proactive alerts to notify the platform infrastructure team about any system events and suspicious activities that may be potential security incidents.
Branch shall implement and maintain a security incident response program. The security incident response plan defines the steps to be coordinated with the cross-functional incident response team in order to mitigate any security incident in a timely manner. All verified security incidents will be reported to the security incident response team promptly. Depending on the level of response and the customer agreement, customers will be notified in a timely manner about the status and the remediation.
Branch shall test the security incident response process annually.
Branch shall create, implement and maintain a Business Continuity / Disaster Recovery Program that meets or exceeds industry standards and that provides a formal framework and methodology, including without limitation, a business impact analysis and risk assessment process to identify and prioritize critical business functions.
Branch shall conduct a Business Continuity test every twelve (12) months, including a review of the Business Continuity Plan, roles and responsibilities, business documentation requirements, recovery strategies, Mean Time to Recovery (MTTR), Recovery Time Objectives (RTOs), Recovery Point Objectives (RPOs), testing strategy and frequency.
Branch shall implement and manage a change management system for planned and emergency software changes. A workflow approval process shall be in place to ensure change requests are prioritized and assigned.
Branch shall implement a security patch management program for periodic or ad hoc software and security updates. Branch shall also implement and manage a system configuration management system.
Branch shall provide industry standard encryption of customer data and confidential information in transit and also at rest.
Branch shall create, implement and maintain logical data segregation that meets or exceeds industry standards to ensure customer data and confidential information is not viewable by unauthorized users.
Branch shall implement input and output validation for data protection in the Dashboard application. Business data is validated and checked for integrity in the backend micro-services and in the API web services. A Data Loss Prevention (DLP) tool is deployed in our backend storage infrastructure to ensure data integrity.
Branch shall treat all customer data as confidential and has implemented different data protection controls to ensure data privacy. These include protecting data at rest (data encryption), data in transit (secure data transport) and role-based system access control. Data access is restricted to authorized personnel, and production backend systems are only accessible using MFA, VPN and company-issued laptops.
Branch shall have the necessary processes and procedures in place to execute Data Subject Requests regarding personal data in accordance with applicable law within 30 days in order to meet GDPR and ePrivacy requirements.
Branch shall follow industry security best practices (e.g. Amazon, NIST) to destroy storage media, including cloud storage and laptop hard drives, before disposal.
There is a documented data privacy statement that describes what data Branch captures and how it is protected, available at https://branch.io/privacy.
Policy Owner : Ray Lai, Head of Security
Updated date: 2020-12-20