Security Statement

Fairmarkit, Inc. Security Statement

Purpose
This policy defines the security goals, strategy, and requirements for Fairmarkit information assets. In order to comply with all regulatory, operational, and contractual requirements, Fairmarkit has adopted a risk-based management approach to ensure the confidentiality, integrity, and availability of all physical and electronic information assets.

Scope
This policy applies to all Fairmarkit information assets, as well as all information entrusted to the company within its business functions. Its target audience is all of the company’s employees, business partners, and other third parties dealing with the company’s information assets.

Violations
Any violation of this policy may result in disciplinary action, up to and including termination of employment. The company reserves the right to notify the appropriate law enforcement authorities of any unlawful activity, and to cooperate in any investigation of such activity. Fairmarkit does not consider conduct in violation of this policy to be within an employee’s or partner’s course and scope of employment, or the direct consequence of the discharge of the employee’s or partner’s duties. Accordingly, to the extent permitted by law, Fairmarkit reserves the right not to defend or pay any damages awarded against employees or partners that result from violation of this policy.

Goals and Strategy

Information and technology assets are necessary for the execution and performance of Fairmarkit business functions. Management recognizes their importance and supports all activities targeted at meeting the business objectives related to the protection of the company’s information assets:

  • Objective 1: Identify the requirements and comply with the applicable laws, regulations, and guidelines.
  • Objective 2: Protect the company’s information assets, as well as all information entrusted to the company within its business activities.
  • Objective 3: Ensure the availability and reliability of the infrastructure, technology, and the Fairmarkit SaaS application.

In order to meet these objectives, Fairmarkit has adopted the following information security initiatives:

  • Classify all information assets for confidentiality requirements.
  • Distinguish all confidential information.
  • Conduct an organization-wide risk assessment exercise.
  • Identify security risks for critical business assets, processes, and functions.
  • Identify and establish information security controls proportionate to the identified information security requirements.
  • Inform all of the company’s employees, on a regular basis, of their responsibility for the protection of business information assets.
  • Provide up-to-date information security awareness material.
  • Conduct formal exercises and training for incident identification and management.
  • Ensure that the company is capable of continuing all critical business functions in the event of a major incident.
  • Develop a formal information security incident management plan.
  • Monitor business IT activities for anomalies and incidents.
  • Ensure that all business partners and other third parties comply with Fairmarkit information security requirements for the entrusted information assets.
  • Execute information security audit exercises of the business IT environment on a regular basis.

Personnel Security

  1. Security responsibilities and roles for employees and contractors should be described.
  2. All employees to be placed in positions of trust (i.e. access to confidential information) must pass a background check.
  3. A confidentiality agreement should be signed by employees, contractors, or other third parties who may gain access to confidential information.
  4. Information security policies shall be reviewed with all employees, contractors, and other third parties accessing the company’s information assets.
  5. All employees should receive adequate training and updating regarding information security policies.
  6. In the event that an employee, consultant, or contractor’s relationship with the company is terminated, all Fairmarkit property in the custody of that resource shall be returned. All computer and work-related privileges of the individual shall be revoked upon notification.

Risk Management
In order to appropriately respond to evolving information and cyber security threats, Fairmarkit shall adopt a risk-based approach for information security management.

  1. Every information asset shall have an information Owner formally assigned.
  2. All information assets shall be classified for confidentiality. The information Owner shall formally accept the classification level.
  3. To create consistent results, Fairmarkit must adopt and document a formal risk assessment process based on recognized industry standards.
  4. The company should continuously assess the risks and evaluate the need for protective measures. The security controls shall be proportionally applied to the value of the company’s information assets.
  5. The company must specify a set of information security controls that form a baseline for assessments and the required level of assurance for the IT services and business applications.
  6. An overall business-wide risk report should be produced annually and submitted to the CISO and upper management for review and annual plan adjustments.
  7. Whenever sensitive information is to be placed or used differently in business applications, IT services or infrastructure, a risk assessment of the potential security-related impacts must be performed.
  8. The system Owners are responsible for ensuring that risk assessments within their area of responsibility are implemented in accordance with the policy.
  9. Prior to providing any sensitive or private information to an outsourcing firm, business partner, or any other third party, a risk assessment exercise shall be performed. The risks associated with this disclosure shall not present an undue threat to the company’s business interests.
  10. If a risk assessment exercise reveals unacceptable risks, measures must be implemented to reduce the risk to an acceptable level.

Information classification

  1. All Fairmarkit information assets should be classified according to the Information Classification Policy. Distinct handling, labeling, and review procedures must be established for each classification level.
  2. The company recognizes three sensitivity classifications: Confidential, Internal, and Public.
  3. The Information Owner is responsible for choosing an appropriate data classification label to be used by all workers who create, compile, alter, or procure production information.
  4. All confidential documents should be clearly identified as such.

Acceptable use of assets

  1. As part of the Information Security Management Program, Fairmarkit has an Acceptable Use of Assets Policy.
  2. Employees, contractors, and any other third parties shall be informed of the company’s security and compliance requirements prior to accessing business information assets.
  3. Employees, contractors, and any other third parties shall be informed that the use of the company’s assets may be monitored for performance and security purposes.
  4. Employees shall report all malicious activities or incidents to their immediate manager or CISO.

Physical security

  1. Fairmarkit operates in a completely cloud-based and distributed environment.
  2. Data center physical security is completely outsourced to the service provider. AWS complies with the highest physical security standards and practices.
  3. Access to every office space and work area containing confidential information shall be physically restricted to limit access to those with a need to know.
  4. Appropriate security controls shall be in place in order to protect business IT equipment from theft, both on premises and outside of the business areas.

Communications and operations management

  1. As part of the Information Security Management Program, Fairmarkit has adopted a set of security policies to comply with information and cyber security best practices for IT management activities.
  2. A comprehensive risk assessment exercise shall be performed before a new information system is developed or acquired. Identified security requirements shall be relevant and aligned to business, compliance and contractual needs.
  3. Identified security controls shall be proportional to identified risks, requirements, and information classification level.
  4. All information systems placed into production must conform to the minimum security configuration baseline.

Access control

  1. As part of the Information Security Management Program, Fairmarkit has adopted an Access Control Policy.
  2. All access to the company’s information assets should be authorized. Authorization should only be granted on a need-to-know basis, and regulated according to business or administrative roles.
  3. Access to the company’s confidential information must be provided only after express management authorization has been obtained from the designated Owner of such information.
  4. Before any third-party is given access to Fairmarkit information assets, a formal authorization must have been granted by the information Owner.

System acquisition, development and maintenance

  1. As part of the Information Security Management Program, Fairmarkit has a Software Development Lifecycle Policy.
  2. To maintain effective security, applications must be designed with security in mind. Each development specification document produced must include information security and compliance requirements.
  3. Each application built or acquired by the company must go through the information classification process. This exercise shall specify the overall required level of security.
  4. A risk assessment exercise shall determine the appropriate security controls for the required security level.
  5. All software should be thoroughly tested and formally accepted by the system Owner before being transferred to the production environment.
  6. All IT services and business applications must be clearly documented before being transferred to the production environment.
  7. Guidelines for administration and use of encryption for protecting information should be in place. For further information, please refer to the Encryption and Key Management Policy.

Information security incident management

  1. As part of the Information Security Management Program, Fairmarkit has adopted an Incident Management Policy.
  2. All breaches of security, along with any unregulated use of the company’s information assets, should be treated as “incidents.”
  3. The Incident Response Plan must include roles, responsibilities, and communication strategies in the event of a compromise, including notification of relevant external partners and clients.
  4. The individuals responsible for handling information systems security incidents must be clearly defined by the CISO.
  5. Every decision about the involvement of law enforcement, related to information security incidents, must be made by the CEO.

Continuity planning

  1. Management must prepare, periodically update, and regularly test a business recovery plan to be able to continue operations in the event of a business interruption.
  2. Every critical IT service and business application must have a contingency plan that permits the restoration of service within the established interval.
  3. Procedures for restoring service must be formally documented, reviewed, tested, and updated at least annually.
  4. The roles and responsibilities for contingency planning and information systems recovery must be reviewed and updated annually.

Compliance and privacy

Compliance

  1. Fairmarkit shall comply with the applicable laws, the security standards chosen by management, and information privacy regulations.
  2. Fairmarkit shall periodically perform compliance checks related to information security policies, standards, and procedures, as well as privacy requirements.
  3. Audits and assessment exercises should be planned and conducted in order to minimize the risk of disturbing the company’s business functions and activities.

Privacy

  1. Fairmarkit does not collect any customer information that is unnecessary for business purposes.
  2. Fairmarkit shall not at any time gather personal information using misrepresentations or pretext statements about its right to receive such information.
  3. Fairmarkit does not collect information from third parties, such as customers, unless these parties are notified about the collection activities before they occur.
  4. The company’s information systems and business applications shall not employ secret serial numbers, secret personal identification numbers, or any other secret mechanisms that might reveal the identity or activities of customers.
  5. Personal identifiers/information, such as social security numbers, must not appear on any publicly accessible location managed by or controlled by the company.
  6. Social security numbers and other personal identifying information that the customer does not need to see must not be included in the statements or communications sent to customers.
  7. In order to protect customers against identity theft or other security related incidents, Fairmarkit does not use externally-meaningful identifiers as its own internal customer account numbers. Thus, customer account numbers must never be equivalent to social security numbers, driver's license numbers, or any other identifier, which might be used in an unauthorized fashion by a third party.
  8. If any customer or personal information is collected for business purposes, Fairmarkit shall describe how and when personal data is collected, explain how and when this personal data is used, notify data subjects when their data is transferred to third parties, offer data subjects an opportunity to "opt out" of transfers to third parties, describe relevant privacy and security measures, and explain the mechanisms for data subjects to change inaccurate personal data.
  9. Fairmarkit shall not sell, rent, or otherwise transfer customer information to third parties in any manner.
  10. Fairmarkit shall inform all of its employees of the current privacy statements on a regular basis.

Third-party security management

  1. As part of the Information Security Management Program, Fairmarkit has adopted a Vendor Management Policy.
  2. Fairmarkit shall maintain an inventory of all third-party contractors and service providers used to store or process confidential data.
  3. Prior to outsourcing any IT or information management services, Fairmarkit shall perform a risk assessment exercise to confirm that the service provider’s security practices conform to the requirements of the company’s Information Security Policy.
  4. Prior to sharing any confidential information with a third party, a non-disclosure agreement shall be signed.