Information Security Policy

Introduction

It has become common in today’s world for businesses to be under the attack of cybercriminals. An incident like this is very harmful when the organization is storing, transmitting and processing customer’s sensitive information. To address this issue, it is a standard practice for companies to maintain their own information security policy. This policy addresses the general overview of the various operations in the company. We at Paradiso take security consideration in mind and are committed and focused towards protecting the sensitive information of our customers and we maintain stringent security policies and procedures through which our goals and objectives would not be compromised in maintaining confidentiality, integrity and availability of the information assets at Paradiso.

Purpose

The purpose of this Policy is to establish and state the policy, practices, principles and procedures employed by Paradiso to protect the information received, collected, stored, processed or used by Paradiso’s software products or during the performance of technical support and consulting services. ThisPolicy covers the architecture of Paradiso’s products and services, the supporting systems and infrastructure and the administrative, technical and physical controls applied to those systems and the data they manage/handle. This Policy also applies to all Provider team members including all employees of any Provider subsidiary or affiliate. Compliance with this Policy is mandatory and conditional on employment, assignment or doing business with the Provider.

Policy Statements

1. Employment and Resource management

It is Paradiso’s policy to perform thorough background and reference checks for potential employees except where prohibited by law. All employees are bound by a written non‑disclosure obligation. All employees are required to acknowledge and sign this Policy and the Paradiso’s Code of Conduct which includes an express obligation of confidentiality and protection information resources and tools. As part of On‑boarding, all new members of staff are informed of security policies and trained on the importance of protection of information resources. Individuals contracting for Paradiso go through a similar background check and on-board process as employees. Paradiso personnel responsible for handling classified information from public sector sources are required to have government security clearance (country specific).

Paradiso employees must complete mandatory training on an annual basis that explains their responsibility to uphold certain global policies and standards for Information Security, General Data Protection Regulation (GDPR), Ethics, Data Privacy, Anti-corruption and Global Trade and Sanctions. This training is delivered annually in the mandatory Code of Conduct training and from time to time through mandatory individual topical training exercises. In addition to this, certain employees are required to follow Paradiso’s Secured Source Code policy that covers corporate controls on proper data handling and source code control.

2. Physical Security

Paradiso’s physical security meets with the following guidelines: –

• Access to buildings, facilities and other physical premises shall be controlled based upon business necessity, sensitivity of assets and each individual’s role and responsibilities.
• Wherepossible, all facilities must be secured by card‑based access control.
• All areas that contain either sensitive/critical information or information processing facilities must be secured at all times by keyed lock or access card control and monitored by centrally managed cameras.
• Individuals requiring access to facilities and/or resources shall be issued appropriate and unique physical access credentials and instructed not to allow or enable other individuals to access the Paradiso’s facilities or resources using their unique credentials. Locations that do not have this system are required to have an alternative access security strategy.
• Visitors who require access to Paradiso’s facilities must enter through a staffed and/or main facility entrance;
• Locked shred bins are provided on most sites to enable secure destruction of confidential information and/or personal data.
• Where possible Paradiso’s premises must be protected by security alarms with alarm contacts and motion sensors.
• All visitors must sign‑in at reception and be issued with a visitor badge.
• Visitors must be accompanied at all times.

3. Information Security

Paradiso complies with confidentiality undertakings under various standard legal agreements in place as a matter of doing business.

• All employees and 3rd party contractors are required to sign an NDA before access to confidential information is granted
• Regular employment contractual agreements are required with all Paradiso’s personnel which include code of conduct and confidentiality policy undertakings. Personnel includes all employees, contractors, both corporate and individual.

The above agreements include:

• The protection of Customer Confidential Information within Paradiso’s environment and/or protection of Customer Confidential information by specific Paradiso’s personnel
• A prohibition on disclosure of Confidential Information to any other party without specific and unambiguous consent and approval from the Customer prior to disclosure

In case a personnel fails to comply with the above policy in spite of notifying the personnel with multiple warnings, he/she shall be subjected to be removed from Paradiso under the direct interjection from the management.

4. Security Incident and Response Plan

Security incident response plan

Paradiso maintains a security incident response policy, plan and procedures which address the measures Paradiso will take in the event of loss of control, theft, unauthorized disclosure, unauthorized access or unauthorized acquisition of personal data. These measures include incident analysis, containment, response, remediation, reporting and the return to normal operations.

Response controls

Controls are in place to detect and protect against malicious use of assets and malicious software. If a potentialbreach is identified it is reported to the AWS infrastructure team. This team calls the legal department. If you must leave a message, indicate that you have an urgent matter to discuss, as well as your name and a number where you can be reached. Controlsmay include, but are not limited to information security policies and standards, restricted access, designated development and test environments, virus detection on servers, desktop and notebooks, virus email attachment scanning, system compliance scans, intrusion prevention monitoring and response, firewall rules, logging and alerting on key events, information handling procedures based on datatype, e‑commerce application and network security and system and application vulnerability scanning. Additional controls are implemented based on risk.

5. Data Transmission control and Encryption

Reasonable steps are taken to ensure that information transmissions or transfers over any public network or network not owned or maintained by Paradiso cannot be read, copied, altered or removed without proper authority during its transmission or transfer. These steps that are included:

Implementing approved encryption practices when transmitting any of the following data:

1. Personal Identifiable Data
2. Confidential Data
3. Source Code Data

Whenever possible, applications are enabled to support OAuth 2.0 (or greater) for authentication.

6. Access Control

Access to Paradiso’s systems is restricted to authorized users only. Formal procedures and controls are implemented to govern how access is granted to authorized individuals and the level of access that is required and appropriate for that individual to perform their job duties. Such procedures must include admission controls (i.e. measures that prevent persons from unauthorized use of data within systems) and access controls (i.e. measures that prevent unauthorized access to systems). Where possible, multi‑factor authentication (MFA) controls are utilized to govern access to Paradiso’s environments. If key internal environments do not employ MFA or MFA is not feasible, layered approval access, and role‑based security to protect the environment has been implemented. User access reviews are conducted regularly and if necessary, access controls are adjusted accordingly. Remote access to Paradiso’s network and systems is permitted only as described in Paradiso’s Remote Access VPN policy.

Additional controls include:

1. Only Paradiso managed systems/ services can connect to the Paradiso’s production network
2. If a Paradiso’s Information Services managed system cannot be utilized, a managed virtual desktop is used

7. Data Access Control

The following controls are adhered to regarding the access and use of personal data:

• Only the minimum amount of personal data necessary in order to achieve Paradiso’s relevant business purposes must be used. Except as contemplated for the delivery of services, and particularly cloud-related, Personal data must never be copied or moved to any storage or electronic device that is not owned or controlled by Paradiso.
• Personnel must not read, copy, modify or remove personal data unless necessary in order to carry out their work duties
• All third party use of personal data is governed through contractual terms and conditions between the third party and Paradiso which impose limits on the third party’s use of personal data and restricts such use to what is necessary for the third party to provide services. Any use outside of these terms is prohibited

8. Availability Control

Personal data is protected against accidental destruction or loss by following these controls:

• Personal data is retainedin accordance with law and customer contract or, inits absence, Paradiso’s record management policy and practices, as well as legal retention requirements
• Hard copy personal data is disposed of in a secure disposal bin or a crosscut shredder such that the information is no longer decipherable;
• When disposing of devices that contain electronic personal data, each device is given to Paradiso’s IT Asset Management team for proper disposal;
• Approved backups, UPS (Uninterruptible Power Supplies), hardware redundancy and fault tolerance measures are in place fordata center and server hardware containing data

9. Data Input Controls

Provider’s policy on the control of data input is as follows:

• Where appropriate, measures are designed to log/record when, where and by whom, personal data has been entered into data processing systems, and/or whether such data has been modified or removed
• All access to relevant applications is logged/recorded.

10. Cryptography

Cryptographic controls are designed and implemented to protect the confidentiality, integrity and availability of assets. All employees and service providers must adhere to the IS Business Applications IS Infrastructure Operations Cryptographic Policy.

11. Privacy Requirements

Where personal information is being processed, all employees and service providers will also adhere to the Data Privacy Policy.

12. Vulnerability Management

Paradiso’s policy on vulnerability management is as follows:

• Publicly released third party vulnerabilities are reviewed for applicability to Providers’ environment.
• Based on risk to Paradiso’s business and customers, there are pre‑determined time frames for remediation are followed.
• Vulnerability scanning, testing or assessments are performed on new and key applications or infrastructure or on a regular basis and is performed based on risk.
• Code reviews and testing is performed in the development environment prior to deploying to production to proactively detect coding vulnerabilities.

13. Cloud Service Security

To address the specifics of Cloud Services, Paradiso’s Engineering teams have established, as part of their existing Software Development Lifecycle (SDLC), additional policies and practices. These policies are comprehensive, based on industry best practices and reviewed regularly by its leadership. Security and Privacy are key priorities of the Development and Operations teams. This section addresses the provision of Provider cloud services to include the following:

• Baseline information security requirements applicable to the design and implementation of Provider cloud services;
• Multi-tenancy and cloud service customer isolation including virtualization and virtualization security;
• Risks from authorized insiders; Access to cloud service customer assets by Providers’ staff and access control procedures, e.g., strong authentication for administrative access to cloud services;
• Communications to cloud service customers during change management;
• Access to and protection of cloud service customer data;
• Lifecycle management of cloud service customer accounts;
• Communication of breaches and information sharing guidelines to aid investigations and forensics

14. Enforcement

Employees who violate this Policy will be subject to appropriate disciplinary action or other remedial measures up to and including termination of employment if warranted under the circumstances and permissible under applicable law. Assigned workers and third parties who violate this Policy are subject to being denied access to Provider facilities, personnel and assets, permission to perform services on Provider’s behalf, or being terminated as a Provider authorized partner.

15. Policy Maintenance and Compliance

Compliance: Responsible parties will verify compliance with this policy through various methods, including but not limited to, periodic walk-throughs, internal audits and inspection and will provide feedback to the policy owner and appropriate business manager.

Non-Compliance: An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Policy Maintenance: This policy is reviewed and approved annually. Updates are madeannually or more frequently as required