This statement provides an overview of OffshoreAlert’s approach to cyber security.
Our policies address the handling of personal, sensitive and confidential information. Policies are reviewed and communicated to all staff.
Like many organizations, we use third parties to host or process customer information. We conduct technical due diligence against these third parties for their cyber risks and ensure our legal agreements with them appropriately address security and data handling. Where personal data will be processed outside the United States, we ensure appropriate safeguards are in place.
Employee security practices
We check our employees' ID, references, and right to work. Cyber security is covered at employee inductions, and training is offered on an ongoing basis, including bespoke training where relevant to the role. Violations of relevant policies could result in an HR process enacting disciplinary action, up to and including dismissal.
Physical office & data center facilities
Our major offices and all data center facilities we use have entry controls, and we have controls in place to protect our systems from unauthorized access. These data centers are in the United States.
We install anti-virus/anti-malware software on laptops and desktops. We also install anti-virus/anti-malware software on servers where such threats normally apply. Our policy is to apply critical security patches immediately, and less severe updates within one month on servers, where practical. Our user and system networks are segregated. We deploy Network Intrusion Detection systems, run regular vulnerability scans, and proactively scan encrypted connection (Transport Layer Security) configurations and source code for vulnerabilities. Security logs are collected centrally in a Security Information and Event Management (SIEM) system.
We encrypt all public-facing system traffic in transit to international standards, and internal traffic for all new systems. It is our policy to encrypt data at rest where possible and practical. We dispose of old equipment securely and ethically. We limit access to production environments to only those who need it, and we maintain separate environments for development, test and production.
We centrally manage access to many services. We use two-factor authentication wherever possible, especially for administrative access on key systems and for all staff using our remote access VPN. Our users have named accounts, and we prohibit shared accounts. We log activity and access for audit purposes and have password complexity and rotation policies in place. Users who have privileged or network access are reviewed on a regular basis, and those who no longer need this access have it removed.
Security requirements and design are considered for all projects and products, and we follow secure development practices. We have access controls on source code, and that access is managed. All releases are tested, and our release checklist includes consideration of security issues. Where we store user credentials (passwords), they are hashed. We use a third party to run periodic penetration tests of our systems and to review code, and we follow application security best practices. We also have a bug bounty program to encourage responsible disclosure.
Business & incident management
We have cyber security incident response policies and plans in place. These cover detection, response, and reporting. We also have a 24×7 incident team.