Security Management Program (SMP)
Security is our top priority. Our customer-focused culture ensures that security is a top priority. We are open and transparent with our security program so you can feel safe using our products and services.
Introduction to our Information Security Management Program
We're proud of our company values. These values guide everything that we do. One particular value that stands out is our Open Company value.
We've heard from our customers, that they would like to know more about how we run our business, and how we run our operations. As such, we'd like to take the time to share how we run our Security Management Program, or as the ISO27001 Security Management Standard calls it – our Information Security Management System (ISMS).
At 3Pikas, we pride ourselves on being a little different – our company values, or our approach to community building. We have extended this approach to our Security Management Program.
The importance of a structured management program?
There is value in management systems, whether you evaluate quality management systems, defect management systems, the kaizen method for continuous improvement, or a structured methodology to evaluate capability maturity. These management programs have been tested in the field, published, peer reviewed, and refined. Our 3Pikas Security Program is based on the ISO27001 Information Security Management System standard. The basis of the ISO27001 standard is:
This International Standard can be used by internal and external parties to assess the organization’s ability to meet the organization’s own information security requirements.
Value of International Standards as Guidance
As with any organization, especially those who are responsible for hosting and handling our customer's data, there are understandably a lot of questions from our customers as to whether 3Pikas, as a cloud service provider, is taking due care for the protection and confidentiality of our customer's data. Any customer who is considering utilizing cloud services faces similar decisions in choosing to host any key applications or service.
While each of our customers has their own security requirements, 3Pikas’ Security Management Program takes those security requirements into consideration and arrives at a set of requirements unique to our company and our environment. The ISO27001 approach to planning, operating, evaluating performance, and improving allows for continuous evaluation of how our program is operating, and improve the program over time to take into consideration new threats, new requirements or improve the overall performance of our operation.
We evaluate International Standards as a set of well-structured guidelines, but consider each of the controls and whether those controls are appropriate for our particular environment. We take a similar approach to the overall applicability of these international standards to our environment.
Policy Management Program
The basis of the SMP is our Policy Management Program. We have structured our policies to cover the domains included in both the ISO27001 standard as well as the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM). We have developed a couple of foundational principles to our Policy Management Program:
- Be posted and available – we make it clear the bar our teams are expected to meet;
- Be supported by the security team to make it easy for you to comply – we are here to help our teams, help us;
- Outline our security objectives – we like to have goals and be clear;
- Show commitment to meet our regulatory obligations – we don't want to go to jail;
- Be focused on continual iteration and improvement – we continue to evaluate risks in our environment and in our program, and reflect those in our policies;
- Provide for an Exception Process – for when we absolutely can meet the policies for a short window;
- Review annually – including updating our policies as we observe new threats and risks
Risk Management Program
In order to continuously evaluate risks to our environments and our products, we perform on-going risk assessments. In many cases, especially in the case of our products, these are performed as technical risk assessments or code reviews. However, we also evaluate each of our entire product stack or a portion of our organization to uncover higher level business risks. Generally, we have adopted the ISO27005 or ISO31010 Risk Management methodology and apply that methodology it to a particular scope. Our approach to risk management includes:
- Conduct risk assessment activities – including executing risk assessments, facilitating risk treatment decisions. This includes identifying the scope and the assets under that scope, identifying risks, assessing the impact and likelihood, review and report on the risks.
- Monitor and report on projects intended to manage security risks – continue to monitor and report on programs or projects designed to manage security risks.
- Support the SMP – through continued risk evaluation as a mechanism to improve the environment and to ensure that the implemented security controls effectively manage identified security risks.
Information Security Management Forum (ISMF)
Finally, we maintain a structured Security Management Forum to ensure that we seek and receive input on how to apply security controls and how to manage risks. We have created a few separate forum meetings to ensure coverage of particular topics as well as appropriate input.
The ISMF’s purpose is to:
- Agree on priorities and actions required to protect 3Pikas and our customers from security threats
- Champion and drive activities within each business division to address deficiencies or vulnerabilities that may allow an attack to occur
- Provide direction and support to working groups on critical security risks and compliance programs
- Champion a security awareness culture throughout the organization
We maintain the following forum meetings on an on-going basis and are recorded through one of our main communication channels. The structure and frequency of these exchanges ensure we are continuously reviewing our threat profile, as well as our response to those threats.
There are as many different approaches to managing a security organization, as there are organizations out there. We believe we have set up a program to be flexible, responsive, but also with enough structure to ensure we are evaluating and addressing new threats and risks to both us, as well as our customers.
Cloud Security Statement
Civicly Cloud is the online engagement platform designed and used by us to deliver Civicly applications as a service. 3Pikas uses AWS to power the Civicly Cloud and doesn’t own servers. Each subscriber to Civicly Cloud applications is located on a server at a third-party data center in Canada. Our data center partners provide power, network and backup services and we area responsible for monitoring, managing, and for providing support to Civicly Cloud subscribers.
Our Civicly Cloud platform was designed and optimized by us specifically to host Civicly applications and has multiple levels of redundancy built in. The applications themselves run on a separate front-end node where the data is stored. Application data is stored on a storage node, which is replicated to a secondary storage node. If the primary storage node has a problem or becomes unavailable, the applications can be switched over to the secondary storage node.
Access to the data centers is limited to authorized personnel only. Physical security measures include on-premises security guards, closed circuit video monitoring, and additional intrusion protection measures. Our data centers are located in Canada. However, we provide customers the flexibility to place instances and store data within multiple geographic regions outside Canada upon request. 3Pikas will not move customers’ content from the selected regions without notifying the customer unless required to comply with the law or requests of governmental entities.
People and access
Our support team maintains an account on all cloud systems and applications for the purposes of maintenance and support. This support team accesses hosted applications and data only for purposes of application health monitoring and performing system or application maintenance, and upon customer request via our support system.
Within 3Pikas, only authorized 3Pikas employees and contractors have access to application data. Authentication is done via individual passphrase-protected keys, rather than passwords, and the servers only accept incoming SSH connections from 3Pikas. Civicly Cloud is designed to allow application data to be accessible only with appropriate credentials, such that one customer cannot access another customer's data without explicit knowledge of that other customers' login information. Customers are responsible for maintaining the security of their own login information.
We select data center providers that maintain industry-standard certifications. Our data centers are SOC compliant. AWS Service Organization Control (SOC) Reports are independent third-party examination reports that demonstrate how AWS achieves key compliance controls and objectives.
Certifications address physical security, system availability, network and IP backbone access, customer provisioning and problem management.
Application database backups for 3Pikas Cloud occur on the following frequencies: On-site backups are performed daily and retained for seven days; Tape backups are taken weekly, which are then stored off-site and retained for four weeks. All backup data is encrypted.
Report a vulnerability
We love hearing about ways we can improve the security of our products. Our commitment to delivering awesome and secure software for our customers is aided by our community – so thanks in advance!
If you wish to report a potential security concern, please contact us at [email protected].
When submitting an issue, please provide a technical description that allows us to assess exploitability and impact of the issue.
- Provide steps to reproduce the issue, including any URLs or code involved.
- If you are reporting a cross-site scripting (XSS), your exploit should at least pop up an alert in the browser. It is much better if the XSS exploit shows user's authentication cookie.
- For a cross-site request forgery (CSRF), use a proper CSRF case when a third party causes the logged in the victim to perform an action.
- For a SQL injection, we want to see the exploit extracting database data, not just producing an error message.
- HTTP request / response captures or simply packet captures are also very useful to us.
Please refrain from sending us links to non-3Pikas’ websites, or issues in PDF / DOC / EXE files. Image files are OK. Make sure the bug is exploitable by someone other than the user (e.g. "self-XSS").
We are unable to respond to generic scanner reports. If you have had a security practitioner examine a generic scan report and they have isolated specific vulnerabilities that need to be addressed, we request that you use to contact us directly to report them individually. It's a simple process and helps us to act quickly. If you wish to respond to a generic scanner, please contact us at [email protected].
Report an incident
Notice a compromise of our products or services? We want to know. We're committed to responding to security incidents consistently and comprehensively. We'll always listen and treat your report with respect.
If you wish to report an incident, please contact us at [email protected].
This Security Management Program Policy was last updated on June 26th, 2017.
Security Bug Fix Policy
3Pikas makes it a priority to ensure that customers' systems cannot be compromised by exploiting vulnerabilities in 3Pikas products.
This page describes when and how we release security bug fixes for our products. It does not describe the complete disclosure process that we follow.
Security Bug Fix Service Level Agreement (SLA)
We attempt to meet the following timeframes for fixing security issues.
- Critical severity bugs should be fixed in the product within 3-4 days of being reported.
- High severity bugs should be fixed in the product within 4 weeks of being reported.
- Medium severity bugs should be fixed in the product within 6 weeks of being reported.
When a Critical security vulnerability is discovered by 3Pikas or reported by a third party, 3Pikas will do all of the following:
- Issue a new, fixed release for the current version of the affected product as soon as possible.
- Issue a new maintenance release for a previous version.
When a security issue of a High, Medium or Low severity is discovered, 3Pikas will include the fix in the next scheduled maintenance release.
You don’t have to worry about upgrading your installation in order to fix the vulnerability.
Severity level of vulnerabilities is calculated based on the following security levels
3Pikas security includes a severity level:
We will continuously evaluate our policies based on customer feedback and will provide any updates or changes on this page.
Severity Level: Critical
Vulnerabilities that score in the critical range usually have most of the following characteristics:
- Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices.
- Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user, for example via social engineering, into performing any special functions.
Severity Level: High
Vulnerabilities that score in the high range usually have some of the following characteristics:
- The vulnerability is difficult to exploit.
- Exploitation could result in elevated privileges.
- Exploitation could result in a significant data loss or downtime.
Severity Level: Medium
Vulnerabilities that score in the medium range usually have some of the following characteristics:
- Vulnerabilities that require the attacker to manipulate individual victims via social engineering tactics.
- Denial of service vulnerabilities that are difficult to set up.
- Exploits that require an attacker to reside on the same local network as the victim.
- Vulnerabilities where exploitation provides only very limited access.
- Vulnerabilities that require user privileges for successful exploitation.
Severity Level: Low
Vulnerabilities in the low range typically have very little impact on an organization's business. Exploitation of such vulnerabilities usually requires local or physical system access.
This Security Bug Fix Policy was last updated on June 6th, 2017.