This Security Whitepaper is a condensed version of Mondia's high-level Information Security Policy, intended to help customers and partners understand Mondia's approach to cyber security and the security measures it has implemented.
Introduction
As a data-driven company, Mondia treats the protection of its own and its partners' and clients' information assets with the utmost importance and urgency. Information that is collected, analysed, stored, communicated and reported on may be subject to theft, misuse, loss and corruption, exposing Mondia to financial loss, non-compliance with standards and legislation, reputational damage and possible judgments against Mondia. Mondia has therefore defined a high-level Information Security Policy, together with corresponding policies, standards and procedures including an Information Risk Management Policy and a Data Protection Policy, which provide a high-level outline of, and justification for, Mondia's risk-based information security controls.
The objectives of Mondia's Security Policy are to:
- Ensure users can securely access and share information in order to perform their roles
- Ensure the implemented physical, procedural and technical controls balance user experience and security
- Manage the risk of security exposure or compromise
- Assure a secure and stable information technology (IT) environment
- Identify and respond to events involving information asset misuse, loss or unauthorised disclosure
- Monitor systems for anomalies that might indicate compromise
- Promote and increase awareness of information security
- Meet Mondia's contractual and legal obligations relating to information security
Mondia's Security Policy encompasses all systems, automated and manual, for which the Mondia Group or its subsidiaries have administrative responsibility, including systems managed or hosted by third parties on behalf of Mondia. It addresses all information, regardless of form or format, and all information technology systems, whether they run in a physical, virtual or cloud-based environment, that are created or used in support of business activities.
Policy
It is Mondia's policy to ensure that information and communications are protected from a loss of:
- Confidentiality – information will be accessible only to authorised individuals, based on the "need to know" and "least privilege" principles
- Integrity – the accuracy and completeness of information will be maintained
- Availability – information will be accessible to authorised users and processes when and where required
- Non-Repudiation – the origin and authenticity of a message cannot later be denied by its originator
Mondia has implemented an Information Security Management System (ISMS) based primarily on the ISO 27001 standard for information security. Mondia also references other internationally accepted engineering and industry best practices, including but not limited to CIS, NIST, CSA, OWASP, ISO, COBIT and SABSA standards, as well as the local laws and regulations of the countries in which it operates.
Mondia adopts a risk-based approach to the application of controls:
Information Security Policies, Procedures and Standards
A set of lower-level controls, processes and procedures for information security will be defined in support of the high-level Information Security Policy and its stated objectives. This suite of supporting documentation will be approved by the Information Governance Board, published, and communicated to Mondia's users and relevant external parties.
Organizational Security
Information security requires both an information risk management function and an information technology security function. Mondia has established an Information Governance Board, approved by Mondia's Board of Directors, to drive the information security strategy, manage risk pertaining to information security and privacy protection, and oversee the implementation of the Information Security Management System (ISMS).
Mondia has appointed:
- Information Governance Board to influence, oversee and promote the effective management of Mondia’s information
- Chief Enterprise Architecture and Security Officer (CEA/CISO) to chair the Information Governance Board and to be accountable for managing information risk
- Information Security Team (IST), led by the VP Technology (Security Manager), focused on creating a secure-by-design environment and overseeing all information security engineering functions, including network security, software development, log management, security architecture, system administration, and identity and access management
- Information Asset Owners (IAOs) to assume local accountability for information management, and Information Asset Managers (IAMs) responsible for day-to-day information management
Separation of Duties
- To reduce the risk of accidental or deliberate system misuse, separation of duties and areas of responsibility must be implemented where appropriate.
- Whenever separation of duties is not technically feasible, other compensatory controls must be implemented, such as monitoring of activities, audit trails and management supervision.
- The audit and approval of security controls must always remain independent and segregated from the implementation of security controls.
Information Risk Management
- Information security risk assessments are required for new projects, implementations of new technologies, significant changes to the operating environment, or in response to the discovery of a significant vulnerability.
- Any system or process that supports business functions must be appropriately managed for information risk and undergo information risk assessments, at a minimum annually, as part of a secure system development life cycle.
Information Classification Policy
- All information must be classified on an ongoing basis based on its confidentiality, integrity and availability characteristics.
- All information, which is created, acquired or used in support of business activities, must only be used for its intended business purpose.
- Information must be properly managed from its creation, through authorized use, to proper disposal.
- An information asset must be classified based on the highest level necessitated by its individual data elements.
IT Asset Management
- All IT hardware and software assets must be assigned to a designated business unit or individual.
- All information assets should be classified according to their legal requirements, business value, criticality and sensitivity, and classification should indicate appropriate handling requirements.
- All assets (information, software, electronic information processing equipment, service utilities and people) should be documented and accounted for.
- Processes, including regular scanning, must be implemented to identify unauthorized hardware and/or software and notify appropriate staff when discovered.
Human Resources Security
- Mondia's security policies and expectations for acceptable use must be communicated to all users so that they understand their responsibilities, and an auditable process must be in place for users to acknowledge that they agree to abide by the policy's requirements.
- Information security education and training should be made available to all staff. All security training must be reinforced at least annually, and completion must be tracked.
- The ITSM team should ensure that all issued property is returned prior to an employee's separation, and that accounts are disabled and access removed immediately upon separation.
Information Security Incident Management
- The Information Governance Board must ensure that an incident response plan and consistent standards are implemented so that security incidents can be responded to effectively.
- All observed or suspected information security incidents or weaknesses are to be reported to appropriate management and the Information Security Team/designated security representative as quickly as possible.
- The Security Operations Center must be notified of any cyber incident which may have a significant or severe impact on operations or security, or which involves digital forensics, to follow proper incident response procedures and guarantee coordination and oversight.
Physical and Environmental Security
- Information processing facilities are housed in secure areas, physically protected from unauthorized access, damage and interference by defined security perimeters. Layered internal and external security controls should be in place to deter or prevent unauthorized access and protect assets, especially those that are critical or sensitive, against forcible or surreptitious attack.
- A periodic risk assessment must be performed for information processing and storage facilities to determine whether existing controls are operating correctly and if additional physical security measures are necessary.
- All information technology equipment and information media must be secured to prevent compromise of confidentiality, integrity, or availability in accordance with the classification of information contained therein.
- Visitors to information processing and storage facilities, including maintenance personnel, must be escorted at all times.
Account Management and Access Control
- Access to all information must be controlled and driven by business requirements, based on the "need to know" and "least privilege" principles. Access should be granted to users according to their role and the classification of the information, and only to the level needed for them to carry out their duties.
- A formal user registration and de-registration procedure should be maintained for access to all information systems and services. This should include mandatory authentication methods based on the sensitivity of the information being accessed, including multi-factor authentication where appropriate.
- All accounts must have an individual employee or group assigned to be responsible for account management. This may be a combination of the business unit and information technology (IT).
- Information owners are responsible for determining who should have access to protected resources within their jurisdiction, and what those access privileges should be (read, update, etc.).
- Users of privileged accounts must use a separate, non-privileged account when performing normal business transactions (e.g., accessing the Internet, e-mail).
System Security
- Systems include but are not limited to servers, platforms, networks, communications, databases and software applications capable of storing, processing or transmitting information.
- The SysOps team is responsible for the maintenance and administration of any system deployed on behalf of Mondia. A list of assigned individuals or groups must be centrally maintained.
- Environments and test plans must be established to validate the system works as intended prior to deployment in production.
- Separation of environments (e.g., development, test, quality assurance, production) is required, either logically or physically, including separate environmental identifications (e.g., desktop background, labels).
- Formal change control procedures for all systems must be developed, implemented and enforced. At a minimum, any change that may affect the production environment and/or production data must be included.
Databases and Software Security
- All software written for or deployed on systems must incorporate secure coding practices, to avoid common coding vulnerabilities and to be resilient to high-risk threats, before being deployed in production.
- Once test data is developed, it must be protected and controlled for the life of the testing in accordance with the classification of the data.
- Production data may be used for testing only if a business case is documented and approved in writing by the information owner and the Information Governance Board. One of the following controls must then be applied:
  - all security measures, including but not limited to access controls, system configurations and logging requirements that apply to the production data, are applied to the test environment, and the data is deleted as soon as the testing is completed; or
  - sensitive data is masked or overwritten with fictional information.
- Development software and tools must not be maintained on production systems.
- Source code used to generate an application or software must not be stored on the production system running that application or software.
- Scripts must be removed from production systems, except those required for the operation and maintenance of the system.
- Privileged access to production systems by development staff must be restricted.
- Migration processes must be documented and implemented to govern the transfer of software from the development environment up through the production environment.
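Of the two admissible controls for production data in test, the masking option is the one that can be checked mechanically before the copy is handed over. The following is an added example, not Mondia's code or part of the whitepaper, showing how a test copy can be produced so that identifiers are pseudonymised consistently across tables (joins still resolve), contact data is replaced with fictional values, and the copy is rejected if any original value survives. The sample rows, the field names and the +49000 number prefix are constructed assumptions for illustration.

```python
import hashlib
import hmac

# Constructed sample "production" tables (fictional values, not real data).
USERS = [
    {"user_id": "u-1001", "email": "alice@example.com", "msisdn": "+491701234567", "plan": "premium"},
    {"user_id": "u-1002", "email": "bob@example.com", "msisdn": "+491709876543", "plan": "basic"},
]
SUBSCRIPTIONS = [
    {"sub_id": "s-1", "user_id": "u-1001", "service": "music"},
    {"sub_id": "s-2", "user_id": "u-1002", "service": "games"},
    {"sub_id": "s-3", "user_id": "u-1001", "service": "video"},
]
PRODUCTION = {"users": USERS, "subscriptions": SUBSCRIPTIONS}

SENSITIVE_FIELDS = {"email", "msisdn"}  # replaced with fictional values
KEY_FIELDS = {"user_id"}                 # pseudonymised consistently so joins survive


def pseudonym(value: str, key: bytes) -> str:
    """Keyed one-way token: the same input and key give the same token, and
    without the key the original cannot be recovered. The 'p-' prefix never
    collides with the 'u-' prefix of real identifiers, so an unmasked id stands out."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return "p-" + digest[:12]


def mask_row(row: dict, key: bytes) -> dict:
    out = {}
    for field, value in row.items():
        if field in KEY_FIELDS:
            out[field] = pseudonym(value, key)
        elif field == "email":
            # .invalid is a reserved TLD (RFC 2606): test mail can never reach a real person
            out[field] = "test-" + pseudonym(value, key)[2:10] + "@test.invalid"
        elif field == "msisdn":
            # Keep the E.164 shape and length but use an assumed, non-allocated +49000
            # prefix; the tail is derived from the token so numbers stay distinct
            tail = str(int(pseudonym(value, key)[2:], 16)).zfill(7)[-7:]
            out[field] = "+49000" + tail
        else:
            out[field] = value  # non-sensitive attributes are kept so tests stay realistic
    return out


def mask_dataset(tables: dict, key: bytes) -> dict:
    return {name: [mask_row(r, key) for r in rows] for name, rows in tables.items()}


def leaked_values(original: dict, masked: dict) -> set:
    """Original sensitive or key values that still occur anywhere in the masked output."""
    blob = repr(masked)
    found = set()
    for rows in original.values():
        for row in rows:
            for field in SENSITIVE_FIELDS | KEY_FIELDS:
                value = row.get(field)
                if value and value in blob:
                    found.add(value)
    return found


def joins_preserved(masked: dict) -> bool:
    """Every subscription still resolves to exactly one distinct masked user."""
    ids = [u["user_id"] for u in masked["users"]]
    return len(ids) == len(set(ids)) and all(
        s["user_id"] in ids for s in masked["subscriptions"]
    )


def prepare_test_copy(tables: dict, key: bytes) -> dict:
    """Mask a dataset and refuse to release it if any original value leaks
    or referential integrity is broken."""
    masked = mask_dataset(tables, key)
    leaks = leaked_values(tables, masked)
    if leaks or not joins_preserved(masked):
        raise ValueError(f"masking failed; leaked values: {sorted(leaks)}")
    return masked


if __name__ == "__main__":
    # Demo key only; a real masking key is generated per run (e.g. secrets.token_bytes(32))
    # and is never stored alongside the test environment, or the tokens become reversible.
    demo_key = b"demo-masking-key-not-for-production"
    for table, rows in prepare_test_copy(PRODUCTION, demo_key).items():
        for row in rows:
            print(table, row)
```

The keyed HMAC is what makes the copy safe to share while keeping it useful: anyone holding only the test data cannot recover a customer identifier, yet the same user is still the same user across every table. The release check runs on the masked output rather than on the masking rules, so a field that was added to production after the rules were written shows up as a leak instead of silently passing through.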
Network Systems
- The SysOps team maintains network security controls to protect information within Mondia's networks, and provides the tools and guidance needed for the secure transfer of information both within those networks and with external entities, in line with the classification and handling requirements of that information.
- The SysOps team authorises internal connections for all Mondia assets that are neither exposed to the public Internet nor processing privacy information. Any new system exposed to the public Internet, or processing or storing privacy information, may only be authorised by the CISO or a senior staff member delegated by the Information Governance Board.
- All connections and their configurations must be documented, and the documentation must be reviewed by the information owner and the designated security representative at least annually to confirm that:
  - the business case for the connection is still valid and the connection is still required; and
  - the security controls in place (filters, rules, access control lists, etc.) are appropriate and functioning correctly.
- Authentication is required for all users connecting to internal systems.
- Network authentication is required for all devices connecting to internal networks.
- Only authorized individuals or business units may capture or monitor network traffic.
- A risk assessment must be performed in consultation with the Information Security Team or designated security representative before the initiation of, or any significant change to, any network technology or project, including but not limited to wireless technology.
Vulnerability Management
- All systems must be scanned for vulnerabilities before being installed in production and periodically thereafter.
- All systems are subject to periodic penetration testing.
- Penetration tests are required periodically for all critical environments/systems.
- Where Mondia has outsourced a system to another entity or a third party, vulnerability scanning and penetration testing must be coordinated with that party.
- Appropriate action, such as patching or updating the system, must be taken to address discovered vulnerabilities. For any discovered vulnerability, a plan of action and milestones must be created, and updated accordingly, to document the planned remedial actions to mitigate vulnerabilities.
Operations Security
- The SysOps team should ensure the correct and secure operation of information processing systems.
- All systems and the physical facilities in which they are stored must have documented operating instructions, management processes and formal incident management procedures related to information security matters which define roles and responsibilities of affected individuals who operate or use them.
- System configurations must follow approved configuration standards.
- Controls must be implemented (e.g., anti-virus, software integrity checkers, web filtering) across systems where technically feasible to prevent and detect the introduction of malicious code or other threats.
- Controls must be implemented to:
  - disable automatic execution of content from removable media;
  - limit storage of information to authorised locations; and
  - allow only approved software to run on a system and prevent execution of all other software.
- All security patches must be reviewed, evaluated and appropriately applied in a timely manner. This process must be automated, where technically possible.
- Systems which can no longer be supported or patched to current versions must be removed.
- Audit logs recording exceptions and other security-relevant events must be produced, protected and kept consistent with record retention schedules and requirements.
- Monitoring systems must be deployed (e.g., intrusion detection/prevention systems) at strategic locations to monitor inbound, outbound and internal network traffic.
- Backup copies of Mondia's information, software and system images must be taken regularly.
System Acquisition, Development and Maintenance
- Information security requirements should be defined during the development of business requirements for new information systems or changes to existing information systems.
- Controls to mitigate any risks identified should be implemented where appropriate.
- Systems development should be subject to change control and separation of test, development and operational environments.
- Any new tool acquisition must be reviewed and approved by the Tool Committee.
Cryptography
- Information Security Team should provide guidance and tools to ensure proper and effective use of cryptography to protect the confidentiality, authenticity and integrity of information and systems.
Third Party Relationships
Mondia’s information security requirements must be considered when establishing relationships with suppliers, to ensure that assets accessible to suppliers are protected.
Supplier activity should be monitored and audited in proportion to the value of the assets involved and the associated risk, and in accordance with agreed terms and conditions.