Information Security Policy and Acceptable Use Policy

Policy owner: @ZJvandeWeg
Effective date: 2023-05-01

Overview

This Information Security Policy is intended to protect FlowFuse’s employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

FlowFuse systems are to be used for business purposes in serving the interests of the company, and of our clients and customers in the course of normal operations.

Effective security is a team effort involving the participation and support of every FlowFuse employee or contractor who deals with information and/or information systems. It is the responsibility of every team member to read and understand this policy, and to conduct their activities accordingly.

Purpose

The purpose of this policy is to communicate our information security policies and outline the acceptable use and protection of FlowFuse’s information and assets. These rules are in place to protect customers, employees, and FlowFuse. Inappropriate use exposes FlowFuse to risks including virus attacks, compromise of network systems and services, financial and reputational risk, and legal and compliance issues.

The FlowFuse "Information Security Policy" comprises this policy and all FlowFuse policies referenced and/or linked within this document.

Scope

This policy applies to the use of information, electronic and computing devices, and network resources to conduct FlowFuse business or interact with internal networks and business systems, whether owned or leased by FlowFuse, the employee, or a third party. All employees, contractors, consultants, temporary, and other workers at FlowFuse and its subsidiaries are responsible for exercising good judgment regarding appropriate use of information, electronic devices, and network resources in accordance with FlowFuse policies and standards, and local laws and regulations.

This policy applies to employees, contractors, consultants, temporaries, and other workers at FlowFuse, including all personnel affiliated with third parties. This policy applies to all FlowFuse-controlled company and customer data as well as all equipment, systems, networks and software owned or leased by FlowFuse.

Security Incident Reporting

All users are required to report known or suspected security events or incidents, including policy violations and observed security weaknesses. Incidents shall be reported immediately or as soon as possible by sending an email to security@flowfuse.com.

In your email please describe the incident or observation along with any relevant details.

Any security issue related to vulnerabilities in the product should be reported via our disclosure policy.

Device Policy

All end-user devices (e.g., mobile phones, tablets, laptops, desktops) must comply with this policy.

  1. System level and user level passwords must comply with the Access Control Policy.

  2. Providing access to another individual, either deliberately or through failure to secure a device is prohibited.

  3. All end-user, personal (BYOD) or company owned devices used to access FlowFuse information systems (e.g. email) must adhere to the following rules and requirements:

     - Devices must be secured with a password (or equivalent control such as biometric) protected screensaver or screen lock.

     - Devices must not be left unattended in public.

     - Users must report any suspected misuse or theft of a mobile device immediately to security@flowfuse.com.

  4. Avoid sharing credentials. Secrets must be stored safely, using features such as GitHub Secrets. For accounts and other sensitive data that need to be shared, use the company-provided password manager, 1Password, and ensure an appropriate scope of sharing is used.

  5. Confidential information must not be stored on portable media such as USB drives.

  6. Accessing FlowFuse systems on public "shared" computers, such as hotel kiosks, is strictly prohibited.

  7. Upon termination, users agree to return all company owned devices and delete all company information and accounts from any personal devices.

Acceptable Use Policy

FlowFuse proprietary and customer information stored on electronic and computing devices, whether owned or leased by FlowFuse, the employee or a third party, remains the sole property of FlowFuse for the purposes of this policy.

Employees and contractors must ensure through legal or technical means that proprietary information is protected in accordance with the Data Management Policy.

Google Drive should be used to store and share files within the company, ensuring proper access controls are applied.

You have a responsibility to promptly report the theft, loss, or unauthorized disclosure of FlowFuse proprietary information or equipment. You may access, use or share FlowFuse proprietary information only to the extent it is authorized and necessary to fulfill your assigned job duties.

Employees are responsible for exercising good judgment regarding the reasonableness of personal use of company-provided devices.

For security and network maintenance purposes, authorized individuals within FlowFuse may monitor equipment, systems and network traffic at any time. FlowFuse reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.

Employees must ensure the software they use is properly licensed and used as intended.

Unacceptable Use

Under no circumstances is an employee of FlowFuse authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing FlowFuse-owned resources or while representing FlowFuse in any capacity.

Additional Policies and Procedures Incorporated by Reference

Personnel are responsible for reading and complying with all policies relevant to their roles and responsibilities.

The following table lists the policies that form our Information Security model.

This table will be updated with links to the individual policy documents as they get added to the handbook and adopted.

Policy | Purpose
Access Control Policy | To limit access to information and information processing systems to authorized parties in accordance with business objectives.
Asset Management Policy | To identify organizational assets and define appropriate protection responsibilities.
Business Continuity & Disaster Recovery Plan | To prepare FlowFuse in the event of extended service outages caused by factors beyond our control (e.g., natural disasters, man-made events), and to restore services to the widest extent possible in a minimum time frame.
Cryptography Policy | To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
Data Management Policy | To ensure that information is classified and protected in accordance with its importance to the organization.
Human Resources Policy | To ensure that employees and contractors meet security requirements, understand their responsibilities, and are suitable for their roles.
Incident Response Plan | Policy and procedures for suspected or confirmed information security incidents.
Operations Security Policy | To ensure the correct and secure operation of information processing systems and facilities.
Physical Security Policy | To prevent unauthorized physical access or damage to the organization’s information and information processing facilities.
Risk Management Policy | To define the process for assessing and managing FlowFuse's information security risks in order to achieve the company’s business and information security objectives.
Secure Development Policy | To ensure that information security is designed and implemented within the development lifecycle for applications and information systems.
Third Party Risk Management Policy | To ensure protection of the organization's data and assets that are shared with, accessible to, or managed by suppliers, including external parties or third-party organizations such as service providers, vendors, and customers, and to maintain an agreed level of information security and service delivery in line with supplier agreements.

Policy Compliance

FlowFuse will measure and verify compliance to this policy through various methods, including but not limited to ongoing monitoring, and both internal and external audits.

Exceptions

Requests for an exception to this policy must be submitted to the CTO or CEO for approval by raising an issue on the admin repository or via email if confidentiality is required.

Violations & Enforcement

Any known violations of this policy should be reported to the CTO or CEO. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.

Whistleblower Policy

Our Whistleblower Policy is intended to encourage and enable employees and others to raise serious concerns internally so that we can address and correct inappropriate conduct and actions. It is the responsibility of all employees to report concerns about violations of our code of ethics or suspected violations of law or regulations that govern our operations. It is contrary to our values for anyone to retaliate against any employee who in good faith reports an ethics violation, or a suspected violation of law, such as a complaint of discrimination, suspected fraud, or a suspected violation of any regulation. An employee who retaliates against someone who has reported a violation in good faith is subject to discipline up to and including termination of employment. Anonymous reports may be submitted via FlowFuse’s Whistleblower Channel.

Policy derived from JupiterOne/security-policy-templates (CC BY-SA 4 license) and Vanta