The goal at Stord as it pertains to cybersecurity/information security is to align the overall business objectives with the information security program as a holistic strategy focused on protecting the security of Stord’s client’s data, personnel, information systems, and information assets. Defining, implementing, maintaining, and continuously assessing our security posture is an essential component of Stord’s infrastructure that safeguards all of our systems against internal and external risks.
Stord has implemented a formalized information security program, supported by documented policies and procedures. The Information Risk Council has been established as the governing body for information security and risk management within the organization, which includes overseeing the annual risk assessment, internal audits, and risk treatment plans.
Additionally, the Stord has implemented vendor management security practices to ensure that vendors are assessed for security risks, and that appropriate supply chain security practices are adopted. Insurance Policies are maintained to transfer risk as a part of the risk management policy.
Human resources processes are in place to ensure that all employees go through a background check process, security awareness training, and performance evaluations. These are designed to align employees with Stord’s security practices.
Complaints about Stord employees for code of conduct and/or performance issues should be reported to: firstname.lastname@example.org.
In order to support the functioning of internal control, Stord leverages system monitoring tools, reviews, and reports on system performance.
In accordance with the Incident Response Policy, Stord has procedures in place for responding to security incidents, confidentiality incidents, and compliance concerns from internal and external users. Please contact email@example.com to report operational failures, incidents, problems, concerns, and complaints
Stord has implemented role-based access controls that limit access to sensitive information to only those individuals who require access based on job function, active employment, business need, and requires management approval for any changes.
Management performs a periodic user access review of systems quarterly.
For all endpoints managed by Stord, Stord has implemented mobile device management (MDM) tools that enforce device hardening. In addition to these, Stord also has anti-virus/anti-malware software installed on all endpoints.
Access to all Stord’s systems requires a unique username and password aligned with Stord’s Password Complexity Standards. A Password Manager, 2-Factor Authentication, and Single-Sign-On features are also utilized where possible.
Stord performs incremental backups of its critical information systems on a daily basis, and full backups are performed on a weekly basis. Stord engineers are alerted in the case of a backup failure, and backup failures are tracked to remediation.
Standards exist for infrastructure and software hardening and configurations for key system components and infrastructure.
Stord has implemented an incident management and response policy that outlines the requirements for responding to anomalies that are indicative of malicious acts, natural disasters, and errors affecting the Stord's ability to meet its objectives. Security events are documented, reviewed, and tracked to final remediation by management. A root cause analysis is conducted to determine the cause and mitigate the risk of such an incident occurring in the future.
Stord has established a business continuity and disaster recovery plan, which is reviewed, tested and updated on an annual basis.
The Stord platform and supporting infrastructure are subject to a thorough change management process, including maintaining a Software Development Life Cycle policy and procedures. Access to source code and source code promotion permissions are carefully managed, with a notification system for when code is promoted into production.
All changes to our systems are documented via tickets, and are subject to peer reviews prior to code being promoted into production. Stord maintains separate development, staging and production environments, which are all maintained within the Google Cloud Platform.
Stord has implemented a data confidentiality program, supported by policies and procedures to ensure data confidentiality is maintained throughout its lifecycle. Components of this program include defined data retention periods, access controls, backups, encryption, and disposal processes.
The security and confidentiality of customer confidential information is of the utmost importance to Stord. Our employee covenants require Stord employees to keep customer’s data confidential and comply with technical and organizational measures to protect it.