Cryptography and key management

Policy Statement

Everperform is responsible for ensuring the confidentiality, integrity, and availability of its data and that of customer data stored on its systems. Everperform has an obligation to provide appropriate protection against unauthorised access to Everperform systems which could adversely affect the security of the system or the data entrusted to it. Effective implementation of this policy is aimed at limiting the exposure and adverse effects of any harmful attacks or threats to the systems within this scope.

Purpose

The purpose of this Policy is to outline the steps taken to protect the confidentiality, integrity and availability of data managed by Everperform. Through the application of appropriate cryptographic controls and working closely with Everperform Employees to ensure continued use of industry best practice when handling sensitive information, we work to mitigate any risk to the aforementioned tenets.

Scope

This policy applies to any user interacting with infrastructure that exists as part of the Everperform network. This includes systems that contain Everperform or Customer data owned or managed by Everperform regardless of location and data stored within.

Policy Intention

Policy Statement

Everperform's information system resources are business critical. As such, these assets demand that appropriate levels of information security be instituted and maintained. It is Everperform's policy that appropriate encryption control measures are implemented to protect its sensitive or critical information system resources against accidental or malicious destruction, damage, modification or disclosure, and to maintain appropriate levels of confidentiality, integrity and availability of such information system resources.

Policy Objectives

The objectives of this policy with regard to the protection of information system resources against unauthorised access are to: 

  • Minimise the threat of accidental, unauthorised or inappropriate access to critical or sensitive electronic information owned by Everperform or Everperform Customers

  • Minimise Everperform’s network exposure, which could result in a compromise of network integrity, availability and confidentiality of information system resources

  • Minimise reputation exposure, which may result in loss, disclosure or corruption of critical or sensitive information and breach of confidentiality.

Policy Overview

Everperform information system resources are business critical assets, vulnerable to access by unauthorised individuals or unauthorised remote electronic processes. Sufficient precautions are required to prevent unwanted access by applying a level of encryption to critical and sensitive data which is proportionate to the business risk. Users should be made aware of the dangers of unauthorised access.

Policy Requirements

Everperform's information system resources shall be appropriately protected to prevent unauthorised access by applying an appropriate level of encryption to sensitive or critical information which is proportionate to the business risk.

General Principles

  • All data transferred across networks using the Everperform Application is encrypted

  • Portable electronic devices such as phones, laptops or tablets must be protected by passwords/PINs.

  • All remote access must take place via terminal services and require IP whitelisting among other multi-factor authentication methods to gain access

  • All communication between users and the Everperform application must take place over a secure network; failure to do so will result in the application refusing to communicate.

  • Sensitive or business critical data must not be sent or attached as part of an E-mail and a secure alternative method must be used wherever possible.

Encryption of Data in Transit

All data transferred across networks using the Everperform Application may only take place using https://. Failure to comply, or an attempt to communicate in any other format, will result in the application redirecting to a secure connection.

Key Management

Keys required to access business critical information are unique to each user and protected through multi-factor authentication. All keys are distributed at the direction of the Chief Security Officer and only when deemed business critical.

Roles and Responsibilities

All users and employees are responsible for ensuring that sensitive or critical information is stored safely and securely.

Avoiding Adverse Impacts from Encryption

Where necessary, encryption keys are kept securely in a managed central location such that all information encrypted by Everperform can be decrypted if required.

Reporting Security Incidents

For information on actions to take when reporting Security Incidents, please view Everperform’s Security Incidents Management Policy Document.

User Awareness

Users shall be made aware of their responsibilities in the prevention of unauthorised access to Everperform resources, including, but not limited to:

  • The need to encrypt all sensitive or critical data which is to be transported or transmitted

  • That suspicious activity is to be reported immediately to the CSO or Everperform Support

  • The need to be aware of this Policy and all its provisions.

Enforcement

Implementation and enforcement of this policy are ultimately the responsibility of all employees of Everperform. The Chief Security Officer may conduct random assessments to ensure compliance with policy without notice. Any workstation or network found in violation of this policy shall require immediate corrective action. Violations shall be reported to both the Chief Security Officer and the owner of Everperform's Information Security Management Policy. Repeated failures to follow policy could lead to disciplinary action.