Security Policy

Nuba's security policy

1. Introduction

This security policy outlines the principles and practices that Nuba follows to protect sensitive information and to secure our software development and IT support services. These principles and practices are derived from the TOGAF Enterprise Architecture framework and the CISSP body of knowledge. This policy applies to all employees, contractors, and third parties who access our systems and data, as well as those of our clients.

2. Objectives

  • Protect Client Data: Safeguard all client information and intellectual property from unauthorized access and breaches, with a specific focus on compliance with HIPAA regulations when handling health-related data. In every engagement, Nuba will follow either the client's security policy or Nuba's own, whichever is stricter.
  • Compliance: Ensure adherence to relevant laws and regulations, including GDPR and CCPA, to protect personal data.
  • Business Continuity: Maintain operations in the event of a security incident, following the practices described in frameworks such as SOC 2 and ISO 27001, adapted to the size of our team and the needs of our clients.

3. Roles and Responsibilities

  • IT Manager: CISSP trained. Oversees the implementation of security measures, conducts regular audits when requested by the client, and ensures compliance with HIPAA and other relevant standards.
  • Developers: Follow secure coding practices, use standards-based mechanisms for user authentication and authorization (SSO, OAuth, MFA) rather than custom schemes, and report any security vulnerabilities they discover.
  • All Employees: Adhere to the security policy and participate in security trainings.

4. Data Classification

Data will be classified into the following categories:

  • Public: Information that can be shared with anyone (e.g., marketing materials).
  • Internal: Information meant for internal use only (e.g., internal reports).
  • Confidential: Sensitive information that requires protection (e.g., client data, proprietary code), especially data subject to HIPAA regulations.

5. Access Control

  • User Access Management: Access to systems and data will be granted on the principle of least privilege. Regular access reviews of Nuba's systems will be conducted to confirm that access levels remain appropriate, with SSO, MFA, and OAuth used for access management.
  • Authentication Methods: All users must use strong passwords and enable multi-factor authentication (MFA) on every system that supports it.

6. Data Protection

  • Data Encryption: All confidential data must be encrypted in transit using TLS 1.2 or later (older TLS and SSL versions are deprecated and must not be used) and at rest using industry-standard encryption, so that sensitive information cannot be read by unauthorized parties.
  • Backup Procedures: Regular backups will be performed, and recovery plans will be established so that data can be restored after loss or corruption.

7. Network Security

  • Firewall Usage: Firewalls will be employed to protect the network from external threats.
  • Secure Wi-Fi Access: Wi-Fi networks will be secured with strong passwords and encryption.
  • VPN Usage: A Virtual Private Network (VPN) will be used for secure remote access.

8. Software Development Practices

  • Secure Coding Guidelines: Developers must follow best practices for secure coding to minimize vulnerabilities, including adherence to HIPAA requirements when applicable.
  • Regular Security Testing: Code reviews, static and dynamic code analysis, and penetration testing will be conducted regularly to identify and address security issues, following the practices and recommendations of frameworks such as SOC 2 and ISO 27001.

9. Incident Response Plan

  • Reporting Incidents: All employees must report security incidents immediately to the IT Manager.
  • Incident Management: A defined process will be followed to manage and recover from security incidents, including documentation and analysis.

10. Training and Awareness

  • Regular Training: Employees will receive ongoing training on security practices, including recognizing phishing attempts and social engineering tactics, as well as compliance requirements for GDPR and CCPA.
  • Awareness Programs: Regular awareness campaigns will be conducted to keep security top of mind and to maintain familiarity with frameworks such as SOC 2 and ISO 27001.

11. Compliance and Legal Requirements

  • Adherence to Laws: Nuba will comply with all relevant data protection laws, including GDPR and CCPA, as well as HIPAA when applicable.
  • Regular Audits: Compliance audits will be conducted periodically to ensure adherence to this policy and relevant standards.

12. Review and Updates

This policy will be reviewed annually, and updates will be made as necessary to address new threats, changes in regulations, and advancements in security practices.

13. Appendices

  • Glossary of Terms: Definitions of key terms used in this policy.

CISSP: Certified Information Systems Security Professional, the (ISC)² security certification held by the IT Manager.

HIPAA: Health Insurance Portability and Accountability Act, the US regulation governing protected health information.

ISO 27001: International standard specifying requirements for an information security management system.

SOC 2: Service Organization Control 2, the AICPA reporting framework on a service organization's security, availability, processing integrity, confidentiality, and privacy controls.

TOGAF: The Open Group Architecture Framework for enterprise architecture.

This policy draws on practical experience and on the standards and regulations referenced above to provide a comprehensive framework for Nuba's security practices in the service of our clients.