Security is a Branch priority

General security

Branch Metrics is committed to adopting the following best practices for software development, business operations, and data privacy to provide a secure and safe platform service to our customers:

Governance

Branch maintains documented policies, procedures, and processes for the effective management of the Information Security program (ISMS). Security policies are approved by the Chief Operating Officer (COO) or Information Security Management Committee (ISMC). The Head of Security or ISMC should authorize any exception. Branch updates security policies at least annually.

General and workplace security policy

Branch maintains an office check-in system that issues visitor badges to be worn and displayed by all office visitors.

Branch uses a Mobile Device Management system to secure assets and information access for work. Company-issued devices and laptops are secured using a tested image and are protected using anti-virus and malware scanning software. To protect business data from data theft or exploit, external USB storage devices for laptops are prohibited (mitigated by Mobile Device Management system). Under Branch’s bring your own device (BYOD) policy, personal mobile devices are required to access a separate guest wifi network if used in the office.

Branch conducts Security Awareness Training annually. Branch requires that all employees complete annual security and privacy awareness training.

Physical security policy

Branch implements physical security controls such as door locks, employee badges, building access controls, and surveillance. Our physical security controls are designed to safeguard Branch employees and the workplace.

Branch maintains a formally documented access control program to ensure personnel’s physical access is revoked immediately upon termination or when access is no longer required.

Employees are required to use an issued security access card to access office premises. There are physical locks inside the office building to secure network equipment and assets. Security surveillance recordings are for review in case of any incident.

Branch leverage AWS as our IaaS provider. AWS data center’s physical security controls can be found at https://aws.amazon.com/compliance/data-center/controls/.

Lock and key control

Branch maintains enforced technical controls to secure physical access keys, cards, passwords, etc., used to enter or gain access to information systems and network hosting facilities.

Building access control

Branch maintains a formally documented access control program to ensure personnel’s physical access is revoked immediately upon termination or when access is no longer required.

Employees are required to use an issued security access card to access office premises. There are physical locks inside the office building to secure network equipment and assets. Security surveillance recordings are for review in case of any incident.

Organization controls

Branch maintains documented policies and procedures, approved by senior management, to support the hiring, termination, code of conduct, ethics, and background screening of all employees and contractors. Branch conducts a background check for each employee using reliable third-party services.

Branch conducts Security Awareness Training annually. Branch requires that all employees complete annual security and privacy awareness training.

Authorized software standards

Branch maintains a formal process for the approval of new software and maintains a catalog of approved software.

Branch implements technical controls to restrict the installation of unauthorized software in the company-issued devices or environment.

Acceptable use

Branch maintains an acceptable use policy that defines the acceptable use of information, electronic and computing devices, and network resources to conduct Branch business or interact with internal networks and business systems, whether owned or leased by Branch, a user, or a third party.

Mobile device acceptable use

Branch has documented procedures, and technological restrictions for users who have legitimate business requirements to use a private or Branch-issued mobile device that can access Branch’s electronic resources.

Mobile device security standards

Branch maintains mobile device security standards that define specific rules and security configurations to be applied to all Branch-issued mobile devices.

Identity theft

Branch maintains an Identity Theft Program that includes minimum standards that must be maintained throughout the company to protect identity information and reduce identity theft risk. This program helps protect Branch, its customers, partners, and other associated personnel from the loss or misuse of any identity information.

Network security

Branch maintains a documented network security policy that includes security controls related to network segregation, encryption, passwords, logical access, and remote access to the network.

Authentication and password policy control

Branch maintains policies for the use of strong passwords and MFA (Multi-factor Authentication). An account lockout policy is in place that determines how systems respond when users exceed a threshold of invalid login attempts.

System and data access

Branch maintains secure system access and remote access controls. Only authorized production and customer support personnel can access production systems or those storing or processing customer data. Branch follows a Least Privilege Access model enforced by RBAC.

Branch Web services require the use of service accounts and secure API tokens.

Logical data access

Branch maintains a logical system access provisioning process that meets or exceeds industry standards for all systems that access, process, or store customer data and confidential information.

Branch maintains RBAC (Role Based Access Controls) and conducts periodic reviews of these controls.

Operations security

Secure software development lifecycle process

Branch maintains and follows a secure SDLC (Software Development Lifecycle) process using an agile development methodology. The process is supported by source code reviews performed using solutions for SAST (Static Application Security Testing), Dynamic Application Security Testing (DAST), web application vulnerability scanning, penetration testing, and automated container security vulnerability scanning.

Branch engages third-party professional security firms to perform annual network and application penetration testing of the production environment. Branch maintains a Bug Bounty  program that considers research and testing from members of the information security community.

Risk management

Branch maintains documented policies for vendor and technology risk assessment and risk management. Branch reviews the standing of 3rd party information security and privacy programs, including systems security, data privacy, and regulatory compliance obligations, prior to onboarding.

Branch maintains a documented risk registry where risks are identified and tracked against a risk management framework.

Backup and restore

Branch maintains a formal data backup and restoration process to secure business data. Only authorized personnel can access or restore data from backup.

Security monitoring and logging

Branch maintains system monitoring and logging controls for cloud applications and microservices and maintains a SIEM (Security Information and Event Management) system. Branch maintains vulnerability assessment and intrusion detection controls that alert and notify the platform infrastructure team of suspicious activity or potential security threats.

Security incident response process

Branch maintains a formal incident response program that defines processes for cross-functional incident response during an incident. Verified security incidents are reported to the security incident response team. In the event of a security or privacy incident, customers are notified in a timely manner.

Branch performs annual testing of the security incident response process.

Business continuity

Branch maintains a BCDR (Business Continuity and Disaster Recovery) plan that meets or exceeds industry standards and provides a formal framework and methodology, including without limitation, a business impact analysis and risk assessment process to identify and prioritize critical business functions.

Branch conducts annual business continuity tests, including a review of the Business Continuity Plan, roles and responsibilities, business documentation requirements, recovery strategies, MTTR (Mean Time to Recovery), RTO (Recovery Time Objectives),RPO (Recovery Point Objectives), and testing process.

Change management

Branch maintains a change control management system for documenting and tracking planned and emergency software changes. A workflow approval process in place to ensure change requests are prioritized and assigned.

Branch maintains a security patch management process for periodic or ad hoc software and security updates. Branch uses a systems configuration management system to ensure continuous monitoring and evaluation of resource configurations.

Critical systems changes first undergo a formal review and approval process that involves sign-off by senior-level management and leadership.

Vulnerability management

Branch maintains a security vulnerability management program that includes policies and procedures for identifying and managing security vulnerabilities from regularly executed vulnerability assessments, penetration tests, and findings from the Bug Bounty program.

Data security and privacy

Data classification

Branch maintains a formal information classification process to classify or assign a label to customer and business data. Asset owners are responsible for assigning classification to information assets.

Data retention and destruction

Branch maintains company-wide requirements and practices for the retention of customer data, company records, including electronically stored documents and emails.

Branch follows industry security best practices (e.g., NIST, Amazon AWS Security Best Practices) for secure deletion or destruction of electronically stored data and physical records.

Data encryption and integrity

Branch uses industry-standard encryption algorithms to encrypt customer data and ensure information confidentiality in transit and at rest.

Branch implements logical data segregation that meets or exceeds industry standards to ensure customer data and confidential information is not viewable by unauthorized users.

Branch implements input and output validation for data protection within the Dashboard application. Business data is validated and checked for integrity within the backend microservices and the API Web services. Data Leakage Prevention tool is deployed to ensure data integrity within the backend storage infrastructure.

Data management and protection

Branch classifies all customer data as confidential and has implemented different data protection controls to ensure data privacy. This includes protecting data at rest (data encryption), data in transit (secure data transport), and role-based system access control. Data access is restricted to authorized personnel, and production back-end systems can only be accessible using MFA, VPN, and company-issued laptops.

Branch maintains necessary processes and procedures in place to execute Data Subject Requests regarding personal data in accordance with applicable laws, including GDPR and ePrivacy requirements.

Data privacy

A documented data privacy statement describes what data Branch captures, how the data is protected, and can be found under https://www.branch.io/security/#privacy.

Policy Owner : Jamie Fullerton, Head of Security
Version: v3.1.2
Updated date: 2022-09-28