Information Security Policy

Osborn Design Works (ODW) recognizes the paramount importance of safeguarding user information and we are committed to maintaining the highest standards of user data protection.

This Information Security Policy outlines our objectives and high level technical measures that ensure compliance with common regulations: CPRA, CCPA, HIPAA, and GDPR.

Updated: May 7, 2024

Summary

1. Introduction

  • Overview of the policy's purpose
  • Statement of commitment to information security
  • Scope of application (applies to all employees, contractors, partners, and clients)

2. Information Security Objectives

  • Protect the confidentiality, integrity, and availability of client data
  • Compliance with CPRA, HIPAA and GDPR regulations
  • Foster a culture of security awareness

3. Risk management strategy

  • Incident response plan (reporting, investigation, and remediation)
  • Employees and contractors: Compliance with security policies
  • Clients: Understanding shared responsibilities

4. Technical Security Controls

  • Access controls (authentication, role-based access)
  • Data encryption (in transit and at rest)
  • System and network monitoring (intrusion detection, logging)
  • Data management, retention and deletion policies
  • Third-party security

6. Continuous Improvement

  • Periodic review of policies and procedures
  • Audits and assessments to identify gaps
  • Updating the policy to reflect new regulations and threats

Introduction and scope

Osborn Design Works (ODW) prioritizes protecting the data of our app users, clients, and their users. Our Information Security Policy establishes a framework to ensure that the websites, applications, and software we build—and the data stored on servers we manage—adhere to local regulations in addition more stringent discretionary or strategic business requirements.

We have developed products compliant with the CCPA & CPRA regimes, HIPAA, and GDPR. Our proprietary software, utilized by over 50,000 designers globally, is consistently updated to align with evolving data security standards. This Information Security Policy applies to all employees, contractors, and clients, ensuring compliance requirements are tailored according to relevant local laws.

Information Security Objectives

  • Protect the Confidentiality, Integrity, and Availability of Client Data:
    Ensure that client data remains protected from unauthorized access, tampering, and breaches, guaranteeing the highest standards of data security.
  • Ensure Compliance with CPRA, HIPAA, and GDPR Regulations:
    Adhere to the latest data privacy and security requirements, demonstrating commitment to regional and international regulatory standards as needed.
    • CPRA Compliance:
      • Implement measures for consumer data rights (access, correction, deletion)
      • Opt-Outs and Risk Assessments: Enable clear opt-out options for data selling/sharing and perform annual risk assessments
      • Privacy Notices: Ensure transparent, accurate privacy notices that outline data collection and usage
      • Conduct regular risk assessments for sensitive information
    • HIPAA Compliance:
      • Establish safeguards for protected health information (PHI)
      • Conduct bi-annual audits of access controls, encryption, and security policies
      • Train client staff on privacy and security standards
      • Business Associate Agreements: Ensure that third-party vendors and contractors comply with HIPAA through Business Associate Agreements (BAAs)
    • GDPR Compliance:
      • Maintain transparent data processing practices and secure a lawful basis for processing
      • Provide mechanisms for data subjects to exercise their rights (access, rectification, erasure)
      • Ensure breach notification protocols and support an internal Data Protection Officer (DPO) when required
      • Coordinate Data Protection Impact Assessments (DPIAs)
    • Foster a Culture of Security Awareness:
      Cultivate a workplace environment where every team member understands their role in upholding robust security practices, promoting continuous education and vigilance.

Risk Management Strategy

Each project's risk management strategy must be tailored to its unique requirements and the technologies involved. Our approach ensures that the chosen measures address the specific threats and vulnerabilities inherent in the project's architecture and tech stack. By planning and adapting the strategy to align with these factors, ODW can deliver an incident response plan, enforce policy compliance, and allocate responsibilities effectively, ensuring comprehensive security.

Incident Response Plan:

  • Reporting:
    • Implement automated logging and alert systems to monitor and identify data security incidents in real time.
    • Ensure employees are trained to recognize and report security incidents using established internal protocols.
  • Investigation:
    • Utilize low-level tools to log health metrics, network traffic, and system behavior.
    • Conduct root cause analysis to identify vulnerabilities exploited and assess potential data exposure.
  • Remediation:
    • Isolate affected systems to prevent further compromise.
    • Apply security patches, update configurations, and strengthen access controls to address identified vulnerabilities.
    • Communicate findings and action plans with stakeholders and regulators as required.

Employees and Contractors:

  • We ensure all personnel follow established security policies via periodic training and access restrictions based on roles.
  • We conduct regular audits to verify compliance and revoke access promptly when employment or contracts end.

Clients:

We clearly outline data security responsibilities in agreements and provide guidelines on secure data handling. In cases where ODW can serve as a subject matter expert, we share best practices and periodic updates to help clients maintain compliance with evolving security requirements.

  • CPRA:
    Clear agreements and guidelines help ensure that personal data is handled in compliance with consumer rights for data access, correction, and deletion, while also meeting notification requirements.
  • HIPAA:
    Guidelines emphasize secure handling of protected health information (PHI) through training, technical safeguards, and business associate agreements.
  • GDPR:
    Agreements clarify data processing practices and uphold data subjects' rights, such as consent and data portability, while providing clients with the best practices to remain compliant with changing EU data protection rules.

Technical Security Controls

The following technical security controls outline general practices we employ at ODW. While these standards apply broadly, specific implementations depend on each project's unique requirements and tech stack.

By adapting access controls, encryption, and monitoring measures to the architecture in use, we ensure optimal protection of client data across all our solutions. This flexible approach helps us maintain a high standard of security tailored to the technologies involved in each project.

Access Controls (Authentication, Role-Based Access):

  • Implement multi-factor authentication (MFA) to verify user identities.
  • Enforce least privilege principles via role-based access, restricting data and system access based on specific roles.

Data Sharing and Transmission Procedures:

  • Data Encryption (In Transit and At Rest):
    Encrypt sensitive data using strong algorithms (e.g., AES-256) both in transit and at rest to prevent unauthorized access.
  • Enforce policies restricting data sharing based on access controls and encryption.
  • Use secure protocols like TLS for data transmission over networks.

System and Network Monitoring (Intrusion Detection, Logging):

  • We maintain logs for system events, access attempts, and network traffic for auditing and analysis for at least 90 days.
  • We leverage tools with Intrusion Detection Systems (IDS) capabilities like:
  • AWS: AWS provides several services that can help with intrusion detection:
    • AWS GuardDuty: Offers threat detection by continuously monitoring for malicious activity and unauthorized behavior in AWS accounts.
    • AWS CloudTrail: Logs account activity to identify potential unauthorized access.
    • Amazon VPC Flow Logs: Tracks network traffic for suspicious behavior.
  • Stripe: Stripe offers a secure infrastructure that includes tools for detecting fraudulent transactions and other security threats. Their monitoring systems can analyze transaction data to identify unusual activity indicative of fraud or compromise.

Data Management Standards

Classification and Labeling of Data:

  • We classify data based on sensitivity levels (e.g., public, internal, confidential) to ensure proper handling and use across development, staging and production environments.

Data Retention and Deletion Policies:

  • Retention periods are aligned with legal and business requirements.
  • Secure Deletion: We implement automated deletion processes that securely and permanently erase data once it exceeds the retention period, ensuring compliance with individuals' rights to request data deletion.

Contracts to Ensure Compliance with Security Standards:

  • ODW establishes clear contracts requiring third parties to follow specific security standards, including data protection requirements and confidentiality clauses.

Continuous Improvement

ODW prioritizes continuous improvement in our security practices by:

Periodic Review of Policies and Procedures:

  • We schedule regular reviews of our security policies to ensure alignment with emerging best practices.
  • This commonly means revising coding guidelines, rotating keys, issuing and installing new SSL certificates, and updating privacy policies to address new security vulnerabilities and compliance requirements.

Audits and Assessments to Identify Gaps:

  • We conduct internal and third-party audits to identify security gaps and areas for enhancement.
  • Updating the Policy to Reflect New Regulations and Threats:
    We stay updated on evolving regulations and threats, revising our security policy promptly to remain compliant and resilient.