Synoptix Information Security Program

1. Purpose

The purpose of Synoptix’s Information Security Program (“InfoSec Program”) is to establish a comprehensive framework that protects the confidentiality, integrity, and availability of Synoptix’s information assets, as well as customer data processed or stored by Synoptix. This program:

  • Defines governance, risk management, and security controls
  • Describes Synoptix’s approach to securing systems, networks, applications, and physical facilities
  • Outlines responsibilities, processes, and continuous-improvement activities
  • Demonstrates to customers and partners that Synoptix maintains industry-aligned security practices, even in the absence of formal certifications

By implementing and maintaining this InfoSec Program, Synoptix seeks to preserve trust with our customers, partners, and stakeholders, minimize the likelihood and impact of security incidents, and ensure regulatory and contractual obligations are met.

2. Scope

This InfoSec Program applies to:

  • All Synoptix information assets, including Synoptix on-premises servers, Synoptix employee workstations, the Synoptix Cloud environment, cloud services, databases, backup media, and any device or medium that processes, stores, or transmits Synoptix or customer data.
  • All Synoptix employees, contractors, interns, and third-party vendors who access or manage Synoptix information assets.
  • All business processes involving customer data or internal Synoptix data, including software development, system administration, support, and marketing activities.

3. Information Security Governance

3.1 Program Oversight

  • Executive Leadership
    • The designated Executive Sponsor is ultimately responsible for ensuring that adequate resources are allocated for the InfoSec Program and for approving major policy changes.
    • The Executive Sponsor receives updates on InfoSec Program status and key metrics (e.g., vulnerabilities identified and remediated, training completion rates, third-party assessment findings).
  • Information Security Program Lead
    • Synoptix designates an InfoSec Program Lead to coordinate all security activities, maintain and update this InfoSec Program, and serve as a liaison between internal teams and any external consultants.
  • Security Champions
    • Each department appoints at least one “Security Champion” who:
      • Communicates policy updates to their team
      • Ensures staff complete required security training
      • Acts as a secondary point of contact for InfoSec questions in their department

3.2 Policy Management

  • This InfoSec Program is reviewed at least annually by the InfoSec Program Lead and Security Champions, or within 30 days of any significant security incident or organizational change.
  • Any material changes (e.g., new controls, revised processes) require approval by Executive Leadership.
  • A version history is maintained in Section 20 (Revision History).

4. Risk Management

4.1 Risk Assessment

  • Synoptix conducts an annual risk assessment to identify and evaluate potential threats and vulnerabilities to company assets and customer data.
  • Risk scenarios include (but are not limited to):
    1. Unauthorized access to production databases
    2. Data exfiltration via compromised credentials
    3. Unpatched software leading to remote code execution
    4. Phishing attacks targeting employees
  • The InfoSec Program Lead coordinates the risk assessment, which involves:
    1. Asset Inventory & Classification: Documenting all critical servers, applications, and data sets (e.g., Synoptix Cloud database, source code repositories).
    2. Threat & Vulnerability Identification: Reviewing recent vulnerability scans, industry advisories, and third-party consultant findings.
    3. Risk Analysis: Assigning each risk a likelihood (Low, Medium, High) and impact (Low, Medium, High) rating, producing a prioritized risk register.
    4. Risk Treatment: Determining appropriate mitigation strategies (e.g., patch management, configuration hardening, additional controls).
  • Project teams must reference the risk register when implementing new features or deployments to ensure residual risks are accepted by management and are tracked to closure.

4.2 Third-Party Assessments

  • While Synoptix does not yet engage in recurring compliance audits (e.g., SOC 2, ISO 27001), we retain a qualified security consultant for periodic vulnerability assessments and penetration tests—especially before major architectural product releases.
  • Findings from third-party tests are documented in a Findings Report, which is tracked by the InfoSec Program Lead and remediated in accordance with severity (Critical, High, Medium, Low).
  • Once all Critical and High findings are remediated, a summary of actions taken is shared with Executive Leadership and kept on file for future reference.

5. Asset Management

5.1 Inventory of Assets

  • Synoptix maintains an Asset Inventory that includes:
    • Servers (production, staging, development)
    • Network devices (firewalls, routers, load balancers)
    • Databases (customer environments, internal test environments)
    • Software applications (Synoptix application code, third-party libraries)
    • Endpoint devices (employee laptops, workstations, mobile devices)
    • Storage media (backups, removable drives)
  • Each asset is assigned an Owner (e.g., DevOps Manager for servers, DBA Lead for databases) responsible for ensuring the asset’s security.

5.2 Classification & Handling

  • Information is classified into three categories:
    • Public: Data meant for public consumption (e.g., marketing brochures).
    • Internal/Proprietary: Synoptix–internal documents (e.g., internal process docs, non-sensitive code).
    • Confidential: Customer data, source code, credentials, financial records, and any Personally Identifiable Information (PII).
  • Handling Requirements:
    • Public: No special security controls beyond standard availability.
    • Internal/Proprietary:
      • Stored on authenticated internal drives; encrypted at rest (AES-256) on laptops and servers.
      • Access restricted to employees with a business need-to-know.
    • Confidential:
      • Encrypted at rest (AES-256) and in transit (TLS 1.2+).
      • Multi-factor authentication (MFA) enforced for user access (see Section 7: Access Control).
      • Any temporary exports (e.g., CSV of customer data for support) must be stored only on company-managed drives and deleted as soon as purpose is fulfilled.

6. Human Resource Security

6.1 Personnel Screening

  • Background Checks:
    • All new employees and contractors undergo background checks before gaining access to Synoptix systems or customer data.
    • Any exceptions (e.g., overseas contractors where local laws restrict checks) are subject to additional risk mitigation (e.g., limited access, heightened monitoring).

6.2 Security Training & Awareness

  • Onboarding Training:
    • All new hires receive mandatory security training within their first 30 days, covering:
      • Company security policies (InfoSec Program, IR Program, Acceptable Use)
      • Social engineering awareness (phishing, tailgating)
      • Secure coding best practices (for developers)
      • How to report security incidents (e.g., reporting suspicious emails or behavior)
  • Ongoing Training:
    • All employees complete biannual refresher training that includes:
      • Simulated phishing campaigns (to measure susceptibility and reinforce awareness)
      • Review of any major security incidents or lessons learned from Synoptix or industry
      • Role-specific topics (e.g., developers receive updates on secure SDLC practices; support staff learn secure handling of customer data).

6.3 Employee Termination & Transfer

  • Access Revocation:
    • Upon termination or transfer to a non-sensitive role, HR notifies IT immediately.
    • The IT/DevOps team disables or reassigns access—removing VPN credentials, revoking SSO access, and disabling any personally issued tokens—within four hours of HR notification.
  • Exit Procedures:
    • Collect any company-issued devices (laptops, phones, access cards) from departing personnel.
    • Verify that all company data has been removed from personal devices (if BYOD is allowed—see Section 12).
    • Conduct an exit interview to remind departing staff of their continuing confidentiality obligations.

7. Access Control

7.1 Account Management

  • Access Reviews:
    • Every year, managers review user access rights for their team members and confirm that privileges remain appropriate. Any discrepancies are corrected within five business days.
  • Role-Based Access Control (RBAC):
    • Access to production databases or customer data is restricted to roles that require it (e.g., DBAs, authorized support staff).

7.2 Remote Access & VPN

  • VPN Access:
    • Employees requiring remote access to internal systems must connect over the company VPN.

7.3 Session Management & Idle Timeouts

  • Session Timeouts:
    • Inactive sessions to Synoptix Cloud or internal applications automatically time out after 15 minutes of inactivity.
  • Automatic Logoff:
    • Synoptix enforces auto-logoff after 30 minutes of idle time.

8. Network & Infrastructure Security

8.1 Firewalls & Intrusion Prevention

  • Perimeter Firewalls:
    • Hardware firewalls (next-generation appliances) inspect inbound and outbound traffic. Default deny-all rules are in place; only explicitly allowed ports (e.g., HTTPS, SSH from jump boxes) are open.
  • Web Application Firewall (WAF):
    • All public-facing application endpoints are protected by a WAF, which blocks known exploit patterns (e.g., SQL injection signatures, cross-site scripting attempts). WAF rules are reviewed and updated monthly or when major vulnerabilities (e.g., OWASP Top 10) surface.
  • Intrusion Detection & Prevention (IDS/IPS):
    • Although Synoptix does not have 24×7 security monitoring, IDS/IPS systems are configured to log and alert on suspicious activity. Critical alerts (e.g., repeated port scans, denial-of-service patterns) are emailed to DevOps staff, who escalate if deemed urgent.

8.2 Encryption & Certificate Management

  • Data:
    • Synoptix uses TLS 1.2 or higher with an AES-256 cipher for all web traffic; customers need to ensure their systems are configured to support these protocols.
    • Production database volumes and file storage in Synoptix Cloud are encrypted at rest with AES-256.

9. Application Security

9.1 Secure Software Development Lifecycle (SSDLC)

  • Requirements & Design:
    • Security requirements (e.g., input validation, output encoding, authentication controls) are captured at the design phase for new features.
  • Code Review & Static Analysis:
    • Developers run static code-analysis tools (e.g., SonarQube) on all code before merging into the main branch. Critical and high-severity findings must be remedied before deployment to staging.
  • Dynamic Testing & Penetration Testing:
    • Prior to major releases, QA teams perform dynamic application testing (DAST) on staging environments. Observations are logged and tracked.
    • Synoptix engages a third-party vendor for penetration testing; results feed back into the risk register.
  • Deployment & Change Management:
    • All production changes (application code, infrastructure configurations) follow a release process.

9.2 Vulnerability Management

  • Dependency & Library Management:
    • Application dependencies (e.g., third-party libraries) are reviewed. Any known vulnerability with a CVSS score ≥ 7.0 triggers an immediate review and a patch or upgrade action within 30 days.

10. Data Protection & Privacy

10.1 Customer Data

  • Customer-Controlled Environments:
    • By default, Synoptix’s software integrations are non-destructive, meaning data is read-only on the customer’s ERP system. This ensures customer data remains under the customer’s control and behind their firewall, minimizing risk of data leakage.
  • Data Minimization:
    • Synoptix only collects and stores the minimum set of data required for functionality.
  • AI & PII Handling:
    • Any data submitted to cloud-based AI models is first reviewed by the customer or anonymized by Synoptix to remove PII. Synoptix uses only AI providers with publicly documented, strong security practices (e.g., enterprise-grade encryption, SOC 2 compliance).
    • Synoptix does not store or re-purpose customer PII for training or analytics in any public-facing AI model.

10.2 Personnel Access to Customer Data

  • Logging & Monitoring:
    • Customers control access to production databases; Synoptix personnel may only access production data when explicitly authorized by the customer.

10.3 Privacy Commitment

  • Synoptix does not share customer data with third parties.
  • If Synoptix becomes aware of any unauthorized disclosure of customer PII, the Incident Response Program (Section 6) takes effect, including notifying affected customers within 48 hours of confirmation.

11. Physical & Environmental Security

  • Office Access:
    • Employee entrances require a key.
  • Workstation Security:
    • Employees must lock screens when leaving their workstation (automatic lock after 10 minutes of inactivity).
  • Environmental Protections:
    • Offices are equipped with smoke and fire detection, and comply with local building codes.
    • Critical infrastructure (e.g., on-prem development servers) is backed up nightly to encrypted media stored in off-site, secured locations.

12. Media Use & Handling

12.1 Removable Media & Portable Devices

  • Company-Issued Devices:
    • All laptops, external hard drives, and USB tokens issued by Synoptix must be encrypted at rest (e.g., BitLocker, FileVault).
  • Prohibited Usage:
    • Employees are prohibited from using personal USB drives to store or transfer company or customer data.
    • Any unauthorized copying or sharing of customer data (e.g., to personal Dropbox, Google Drive) is strictly forbidden.

12.2 Data Backup & Retention

  • Customer Backups (Synoptix Cloud):
    • Automated backups run nightly; backups are stored encrypted for 30 days before being rotated off-media.
    • Historical backups (older than 30 days) are automatically deleted to limit data exposure.
  • Internal Backups:
    • Synoptix maintains separate backups of critical on-premises assets (source code, infrastructure configurations).

12.3 Secure Disposal & Sanitization

  • Digital Media:
    • Any storage media (hard drives, SSDs, tapes) containing Synoptix or customer data that reach end-of-life undergo one of two processes:
      1. Cryptographic Erasure: Data is securely wiped using NIST SP 800-88 compliant methods.
      2. Physical Destruction: Media is shredded by a certified destruction service and verified with a chain-of-custody certificate.

13. Vendor & Third-Party Management

13.1 Contractual Security Requirements

  • All vendor contracts or DPAs include:
    • Data Protection Clauses: Encryption at rest/in transit, breach notification timelines (maximum 48 hours), data return or destruction upon contract termination.
    • Right to Audit: Synoptix reserves the right to perform security assessments or request third-party audit reports (e.g., SOC 2 reports) for High-risk vendors.
    • Subprocessor Disclosure: Vendors must disclose any subprocessors handling Synoptix or customer data.

13.2 Ongoing Vendor Oversight

  • Service Provider Changes:
    • Vendors must notify Synoptix at least 30 days in advance of any major changes (e.g., data center migration, security-process changes).

14. Security Awareness & Training

  • Mandatory Trainings:
    • Onboarding: Security fundamentals, policy overview, incident reporting procedures.
    • Biannual Refresher: Phishing simulations, secure coding, social engineering.
    • Role-Based Modules:
      • Developers: Secure development principles, code-review best practices
      • Support Staff: Secure handling of customer data, least-privilege support methods
      • DevOps/Infrastructure: Patch management, secure configuration standards
  • Security Champions Program:
    • Champions in each department hold quarterly “Security Huddles” to discuss:
      • Recent vulnerability disclosures (e.g., critical CVEs affecting technologies in use)
      • Practical security tips (e.g., configuring MFA on personal accounts)
      • Summaries of any minor internal incidents or near-misses
  • Performance Metrics:
    • Training completion rates are tracked centrally, with a target of 100% completion for required courses.

15. Monitoring & Logging

15.1 Review & Analysis

  • Daily Reviews:
    • During normal business hours, on-call DBAs/DevOps staff review high-severity alerts (e.g., repeated failed logins, WAF block events).
  • Quarterly Audits:
    • The InfoSec Program Lead, with assistance from Security Champions, performs a quarterly log-review audit to detect anomalous patterns (e.g., large data exports, unusual access times).
    • Any suspicious findings trigger an entry in the Incident Response ticketing system.

15.2 Alerting & Escalation

  • Alert Configuration:
    • Critical thresholds (e.g., ≥ 10 failed admin login attempts within 5 minutes, detection of known malicious IPs) trigger immediate email alerts to on-call engineers.
  • Off-Hours Escalation:
    • If an alert is received outside normal business hours, it is forwarded as an SMS/text to the on-call engineer. The engineer must acknowledge the alert within 15 minutes and escalate to the IRT lead by phone if verified as a valid threat.
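As an added illustration (not part of the Synoptix program itself), the following Python sketch applies the two alert conditions above to constructed log lines: the failed-admin-login threshold (≥ 10 within 5 minutes, evaluated as a sliding window per account) and a hit against a known-malicious-IP list. The log line format, the privileged account names and the blocklist entry are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line format (not Synoptix's real format):
#   2025-06-06T02:00:00Z auth user=<name> src=<ip> result=<OK|FAIL>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

ADMIN_USERS = {"admin", "dbadmin"}   # assumed privileged accounts
KNOWN_BAD_IPS = {"198.51.100.23"}    # constructed blocklist entry (TEST-NET-2 range)


def parse_line(line):
    """Return (timestamp, user, src, result) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["src"], m["result"]


def detect(lines, threshold=10, window=timedelta(minutes=5)):
    """Evaluate the Section 15.2 critical thresholds over a batch of log lines."""
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of failed logins inside the window
    for ts, user, src, result in events:
        # Any activity from a known-malicious IP is critical regardless of outcome.
        if src in KNOWN_BAD_IPS:
            alerts.append({"kind": "known_bad_ip", "src": src, "user": user, "at": ts})
        if user in ADMIN_USERS and result == "FAIL":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                alerts.append({"kind": "admin_bruteforce", "user": user,
                               "count": len(q), "at": ts})
                q.clear()                     # one alert per burst, then re-arm
    return alerts


def _mk(ts, user, src, result):
    return f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} auth user={user} src={src} result={result}"


BASE = datetime(2025, 6, 6, 2, 0, 0)
# Constructed sample log: not real data.
SAMPLE_LOG = (
    # 10 failed admin logins 30 s apart (4.5 min span): must fire
    [_mk(BASE + timedelta(seconds=30 * i), "admin", "203.0.113.7", "FAIL") for i in range(10)]
    # 10 failed dbadmin logins 3 min apart: never 10 inside any 5-minute window
    + [_mk(BASE + timedelta(minutes=3 * i), "dbadmin", "203.0.113.8", "FAIL") for i in range(10)]
    # a successful login from a blocklisted IP: fires on source alone
    + [_mk(BASE + timedelta(hours=1), "jdoe", "198.51.100.23", "OK")]
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```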

16. Business Continuity & Disaster Recovery

16.1 Business Continuity Planning (BCP)

  • Scope & Objectives:
    • Ensure that critical business functions (e.g., support operations, production monitoring) can continue or resume within 4 hours of a disruptive event (e.g., data-center outage, natural disaster).

16.2 Disaster Recovery (DR)

  • Backup Frequency & Testing:
    • Nightly backups of production databases and configurations.
    • DR tests include verifying data integrity, performance benchmarks, and reconfiguring DNS to point to DR environment.
  • Recovery Time Objectives (RTO) & Recovery Point Objectives (RPO):
    • RTO: 4 hours for critical systems, 24 hours for non-critical systems.
    • RPO: 1 hour for transactional databases, 4 hours for file storage and logs.

16.3 Documentation & Review

  • After any DR test, a “DR Lessons-Learned Report” is produced to identify gaps and update the plan accordingly.

17. Continuous Improvement & Program Review

17.1 Annual Program Review

  • The InfoSec Program Lead convenes a formal review of this program each year (or sooner after any Level 2/3 incident).
  • Review tasks include:
    • Updating the Risk Register and risk-treatment plans
    • Assessing effectiveness of controls (e.g., patch-management metrics, access-review findings)
    • Reviewing third-party assessment results and ensuring all critical/high findings are resolved
    • Verifying compliance with all internal training and policy requirements

17.2 Performance Metrics & Reporting

  • Key Metrics:
    • Patch-management cycle times (Critical/High/Medium)
    • Number of successful simulated phishing attempts (and subsequent training interventions)
    • Number of open vulnerabilities in the risk register, by severity
    • On-time completion rate for access reviews and user-deprovisioning activities
    • Third-party assessment findings closed vs. open
  • Reporting Cadence:
    • Quarterly security-status reports are delivered to Executive Leadership, summarizing metrics, upcoming risks, and remediation progress.
    • Annual “Security Program Effectiveness Report” highlights major improvements, challenges, and planned initiatives for the next year.

18. Key Contacts & Escalation

Role / Function                    | Name / Team                 | Contact Method
-----------------------------------+-----------------------------+-------------------------------
InfoSec Program Lead               | DevOps Manager              | support@synoptixsoftware.com
Security Champions (by Department) | Varies by Department        | Designated Discord channels
Infrastructure & DBA Team          | Infrastructure Team Mailbox | prodev@synoptixsoftware.com
Support Team Lead                  | Support Manager             | support@synoptixsoftware.com
Executive Sponsor                  | CEO                         | dandersen@synoptixsoftware.com
HR / Personnel Security Queries    | HR Manager                  | rhilder@synoptixsoftware.com
Legal & Compliance                 | Legal Counsel               | legal@synoptixsoftware.com

19. Appendix & References

A. Policy & Standard References

  • Password Policy Standards: NIST SP 800-63B guidelines on digital authentication
  • Encryption Standards: NIST FIPS 140-2 encryption modules (AES-256)
  • Infrastructure Benchmarks: CIS (Center for Internet Security) Benchmarks for Unix, Windows, and RDBMS
  • Secure Coding Guidelines: OWASP Top 10 and OWASP Cheat Sheets

B. Related Synoptix Policies

  • Security Incident Response Program (Document V1.1)
  • Access Control Policy (forthcoming Document)
  • Media Use & Handling Policy (forthcoming Document)
  • Acceptable Use Policy (covers employee use of corporate resources)
  • Privacy Policy (customer-facing, describes how PII is handled)

C. Glossary of Terms

  • AES: Advanced Encryption Standard
  • CVE: Common Vulnerabilities and Exposures
  • EDR: Endpoint Detection and Response
  • MFA: Multi-Factor Authentication
  • OS: Operating System
  • PKI: Public Key Infrastructure
  • RBAC: Role-Based Access Control
  • RDP: Remote Desktop Protocol
  • RPO: Recovery Point Objective
  • RTO: Recovery Time Objective
  • SIEM: Security Information and Event Management
  • SSO: Single Sign-On
  • SSDLC: Secure Software Development Lifecycle
  • TLS: Transport Layer Security

20. Revision History

Version | Date         | Changes                                                                          | Author
--------+--------------+----------------------------------------------------------------------------------+------------------------------
1.0     | June 6, 2025 | Initial creation, tailored to Synoptix’s environment and industry best practices. | Synoptix InfoSec Program Lead