Security Policy

1 - Security by design

In order to minimize the attack surface of deliverables, ESKADENIA  shall:

• Respect state-of-the-art security configuration practices or third-party security best practices applicable to each deliverable;
• Design deliverables to use only necessary components, features and services (e.g. by removing unnecessary files, process permissions, libraries and network ports); and
• Ensure that deliverables do not contain any Back Doors.

Each Deliverable shall:

• Be free of vulnerabilities;
• Be robust against unexpected inputs (such as SQL Injection);
• Always act in a predictable way even in overload situations; and
• Use standard cryptographic algorithms recommended by institutions (such as BSI, ANSSI and NIST) at the time the contract is agreed or renewed.

ESKADENA may deliver evidence about the security of each Deliverable such as security audit reports, vulnerability scans and code robustness analysis. 
Software and hardware deliverables shall allow authentication data (such as passwords) and cryptographic keys to be modifiable according state-of-art robustness by the purchaser.
ESKADENIA may implement the mutually agreed security Statement of Compliance applicable for each project.

2 - Organization Security

2.1 Point of Contact

ESKADENIA shall nominate both, a contact person for security related matters and an upper-management contact or key-account manager to handle escalation matters. The contacts shall be provided for each project and changes shall be communicated promptly.

2.2 Security incidents

ESKADENIA  shall notify the Purchaser in case an incident related to the Supplier may have an impact on the Purchaser (for example, loss, alteration, disclosure or non-authorized access to source code, data, personal data or information, etc.) and shall use all efforts to remediate and/or solve the incident and inform the Purchaser of progress and end-of-incident.

2.3 Access to Purchaser’s systems

Purchaser shall  grant ESKADENIA access to their systems, ESKADENIA shall:

• Be responsible for any actions performed on the Assets of the Purchaser under user and Service Accounts attributed to the Supplier;
• Comply with any process and means of remote access provided by the Purchaser;
• Ensure that there is no breach of confidentiality, availability or integrity on any Assets or services whilst remotely connected to Purchaser technical and operational systems
• Ensure unique accounts for every user. Exceptions must be agreed in writing by the Purchaser;
• Promptly notify the Purchaser when a user account is no longer required;
• Provide a periodic user account review report at minimum once a year; and
• Ensure that Service Accounts are not used by individuals to log in to Purchaser systems.

2.3 Documentation

ESKADENIA shall deliver to the Purchaser all necessary information to assess the security of Deliverables and to securely configure the Deliverables and shall keep the documentation delivered to the Purchaser up-to-date.

2.4 Asset management

ESKADENIA  shall identify, document and protect all Assets (information, software, hardware, computers, USB stick, badge, tablet, smartphone…) of the Purchaser that have been entrusted to her by the client. 

2.5 Human Resources Security

ESKADENIA shall ensure that its employees and any third parties appointed  for the performance of the Agreement:
- Possess the appropriate security skills; and
- Know and implement the applicable security rules for the performance of tasks.
Upon request of ESKADENIA Customer must  provide the applicable security rules before the start of any tasks.
Anybody acting on behalf of ESKADENIA, who needs remote or local access to the Purchaser’s information system, is required to provide identification information. ESKADENIA shall strive that any access on its behalf is not abused and assumes legal responsibilities according to the applicable laws.
Where the Supplier uses subcontractors to fulfil the Agreement with the Purchaser, the Supplier shall specifically identify them as subcontractors and ensure that the same due care will always be applied.
Upon request of the Purchaser, ESKADENIA   commits to use security checked personnel, i.e., screened by national authorities, for handling of sensitive Deliverables prior to deployment in the Purchaser's Network, as well as for maintenance of sensitive Deliverables during the whole operational phase.

2.6 Information & Access Management

ESKADENIA  shall process, use and transmit Purchaser information involved in the Service only for Service provision and only for the duration of the Agreement.
ESKADENIA shall ensure that:

• Access to Purchaser information is based on a strict “need-to-know” basis;
• Access to Purchaser information is logged and retained for the duration agreed in NPA and/ or Order including associated documents (e.g. Non-Disclosure Agreement or Data Protection Agreement) or 6 months by default.  Extracts of retained logs shall be provided to the Purchaser on request; and
• Unauthorized access (e.g. by other customers or third parties) to Purchaser information does not occur .

In the event of a security incident, Purchaser may suspend access or request suspension of access until the incident is resolved. It is understood that PMO office will be affected at the time. ESKADENIA will be given the time to solve such incidents.
In addition, ESKADENIA shall implement the following measures on information classed as confidential by the Purchaser:

• Data shall be encrypted when stored and transmitted; and
• A strong authentication system shall be implemented.

3 - Business continuity management

ESKADENIA implements in compliance with the maintenance conditions agreed in the Agreement, all necessary means (architecture, event detection and response, backup plan, continuity plan…) to protect the Services from unwanted or voluntary incidents that could threaten the continuity of the Services.

4 - Separation of development, testing and production environments

ESKADNEIA  shall separate development, testing and production environments and shall not use production data for testing activities according to its CMMi Level -3 process. 

5 - Reporting

The Purchaser may request from ESKADENIA  a security report related to the Services no more than once a year. This security report shall include but is not limited to the following information:

• The number of security incidents detected over the last 12 months, separately for internal and external causes if relevant;
• Details of security incidents over the period (detection time, nature and impact, solution, service recovery time, closing time, time for resolution);
• Follow up of action plans; and
• Future scheduled operations and Service evolutions that may impact the security level.

6 - Use of Third Party services

ESKADENIA  shall inform the Purchaser if Third Party services (e.g. data center services) are involved or planned to be involved in the provision of the Service and shall strive to insure that Third Party services are always compliant with the security requirements applicable to the Service.