diff --git a/Procfile b/Procfile
new file mode 100644
index 0000000..920b24c
--- /dev/null
+++ b/Procfile
@@ -0,0 +1 @@
+web: npm run explore
diff --git a/data/settings.json b/data/settings.json
index 0e6309d..319e2c8 100644
--- a/data/settings.json
+++ b/data/settings.json
@@ -4,17 +4,21 @@
 "section": "Introduction",
 "topics": [
 {
- "title": "Getting started",
- "slug": "getting-started"
+ "title": "Purpose and Scope",
+ "slug": "purpose"
+ },
+ {
+ "title": "Roles and Responsibilities",
+ "slug": "roles"
 }
 ]
 },
 {
- "section": "Setup",
+ "section": "Policies",
 "topics": [
 {
- "title": "Theme configuration",
- "slug": "theme-configuration"
+ "title": "Policies",
+ "slug": "policies"
 }
 ]
 }
diff --git a/docs/getting-started.md b/docs/getting-started.md
deleted file mode 100644
index 5107573..0000000
--- a/docs/getting-started.md
+++ /dev/null
@@ -1,21 +0,0 @@
----
-title: Getting started
-date: 2018-09-15 07:42:34
-slug: getting-started
----
-
-## What is Jamdocs
-
-Jamdocs is a documentation theme for Gridsome, built to spin up quick, beautiful and static documentation sites fast without hassle. Since there is no theming system for Gridsome yet, Jamdocs comes with Gridsome, plug-ins and packages as dependencies.
-
-## Local installation
-
-Even though Jamdocs is so simple, you dont really need to set it up localy (you could just fork it on github to edit styles and md-files) - if you want to change it up a bit I recommend setting up localy for a better developer experience.
-
-To set up a new instance of Jamdocs, and start developing just clone the project from Github like, go to the directory and run gridsome:
-
-```bash
-git clone https://github.com/samuelhorn/jamdocs project-name
-cd project-name
-gridsome develop
-```
diff --git a/docs/policies.md b/docs/policies.md
new file mode 100644
index 0000000..8b5a52c
--- /dev/null
+++ b/docs/policies.md
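Review bot: The new Procfile's `web` process runs `npm run explore`, and the `explore` script it refers to is not defined anywhere in this diff, so it is unclear whether the deployed dyno serves a production build or starts a development server. If `explore` wraps something like `gridsome develop` (the command the deleted getting-started doc used for local work), the public `web` process would expose a hot-reloading dev server, with whatever debugging endpoints it ships, instead of the static output of `gridsome build`. Consider either confirming in the PR description what `explore` does, or pointing the Procfile at an explicit production command such as `web: npm run build && npm run serve` (names to match the project's package.json, which is not visible here).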
@@ -0,0 +1,540 @@
+---
+title: "Compliance Policies"
+metaDescription: "The goal of this policy is to guide and direct Datica workforce members on how to defend its assets against internal, external, deliberate or accidental threats."
+date: 2018-09-15 07:42:34
+slug: policies
+---
+
+## Access Management Policy
+
+Applicable Standards from the HITRUST Common Security Framework:
+
+* 01.b User Registration
+* 01.c Privilege Management
+* 01.e Review of User Access Rights
+* 01.j User Authentication for External Connections
+* 01.n Network Connection Control
+* 01.q User Identification and Authentication
+* 01.v Information Access Restriction
+* 02.i Removal of Access Rights
+* 05.i Identification of Risks Related to External Parties
+* 06.e Prevention of Misuse of Information Assets
+* 08.j Equipment Maintenance
+* 09.c Segregation of Duties
+* 09.m Network Controls
+* 09.s Information Exchange Policies and Procedures
+* 09.v Electronic Messaging
+
+## Asset Management Policy
+
+Applicable Standards from the HITRUST Common Security Framework:
+
+* 07.a Inventory of Assets
+
+## Auditing, Logging and Monitoring Policy
+
+Applicable Standards from the HITRUST Common Security Framework:
+
+* 01.v Information Access Restriction
+* 06.e Prevention of Misuse of Information Assets
+* 06.g Compliance with Security Policies and Standards
+* 09.aa Audit Logging
+* 09.ab Monitoring System Use
+* 09.ad Administrator and Operator Logs
+* 09.j Controls Against Malicious Code
+
+## Change Management Policy
+
+It is Datica’s goal to make all reasonable and appropriate attempts to maintain the confidentiality, integrity, and availability of its production systems when changing, updating, modifying, or otherwise introducing new applications or technologies into the production environment. All change records shall be stored for 6 years. This policy establishes overarching change control measures used to achieve this goal.
+
+A designated team of people within Datica comprise the Change Advisory Board (CAB). This team will review changes, approve them where required (or not), and review emergency changes after the emergency has been resolved. A designee from the CAB will report emergency changes to the SCG Group. The CAB is comprised of technical and customer support department heads and members of the Information Security/Risk Management/Compliance team.
+
+**Three categories of change:**
+
+1. A **Standard Change** is a low-risk configuration change, release, or update that has little or no chance to affect the availability of Tier 1 or Tier 2 systems or applications. A list of examples of changes that are likely to fall into the Standard category can be found in the Change Management SOP. These changes do not require approval by the CAB prior to execution. The change procedures are reviewed periodically by the CAB to ensure compliance with the process. Standard changes do need to be reviewed by a qualified individual, such as the relevant department head, to confirm that the change is, in fact, a routine and low-risk change. These changes require some planning for how the change will be deployed, who is performing the change, QA testing, and a rollback plan. Standard Changes follow a pre-approved, well-defined procedure. These changes have a very low likelihood of causing interruption of service, are changes that have been developed and tested in a documented, repeatable way, have undergone peer review as part of their development, and have a documented and/or automated release/deployment process. Changes that do not affect the stability, availability, or security of production systems and services (Tier 1 systems) would likely fall into this category. A standard change requires that a standard change management ticket be created and filled out prior to completion or implementation of the change.
+2. A **Controlled Change** is any change that is not in the list of the types of changes that are categorized as a standard change. Controlled changes are changes that might require downtime or might affect the stability of Tier 1 or Tier 2 systems and applications. These changes have either higher risk or difficult to define risks associated with them and as a result, require review and approval from technical experts in the company. These changes follow a defined approval process that includes a predefined information set. The approvals can be quick and resolved electronically in a Change Management ticket. Any of the approvers can escalate the review of the change to a more rigorous review where additional evaluation can occur. Changes that affect the stability, availability, or security of production systems and services (Tier 1 systems) would likely fall into this category. A controlled change requires a controlled change management ticket to be created and filled out. The Change Advisory Board or delegate will then review and approve the ticket. If necessary, additional analysis and requests for information can be made before approval is granted. These changes also require a declared maintenance window that is communicated with customers in advance of the change. Controlled changes require extensive QA testing, appropriate staffing during the change, documented test plan to ensure that the change was successful, and a complete rollback plan to follow in the event the change needs to be reverted.
+3. An **Emergency Change **is the result of an outage, failure, or incident. These changes are intended to return production environments to a working state. They require that after the environment is stable and returned to normal function that a Root Cause Analysis be performed and documented that details the cause of the emergency, the nature of the fix, the extent of damage or loss, the individuals involved in the change and measures to be taken to ensure that the issue does not happen again. The CAB or delegate leads the analysis and ensures that the documentation is sufficient and communicated to the appropriate parties. An Emergency Change process is utilized in situations where immediate action is required and delays in the implementation of the change can detrimentally impact Datica and/or its customers. Whenever possible, obtain approval for Emergency Changes from your Team Lead or Manager. These changes shall be applied as quickly as prudently possible. After the critical situation is resolved, a formal review must take place. The review shall:
+
+ * Assess the root cause(s) that necessitated the change
+ * Evaluate the approach for the resolution to learn from the process
+ * Ensure that additional risk was not introduced
+ * Review the Emergency Change ticket involved to gather the necessary pre-change information and then gather and capture necessary post-change information
+
+Applicable Standards from the HITRUST Common Security Framework:
+
+* 09.b Change Management
+* 09.m Network Controls
+* 10.h Control of Operational Software
+* 10.k Change Control Procedures
+
+## Classification Policy
+
+### Information Classification
+
+The minimum classification of an information store, application, or system is inheritable. For example, an application that stores, processes, or transmits Tier 1 (Protected) data is automatically considered a Tier 1 (Protected) application.
+
+**Tier 1 - Protected**
+
+This tier includes all information that is mandated to be protected under a specific compliance regime. It is assumed that any customer information store falls into this category. Tier 1 information is considered extremely sensitive and must be safeguarded in order to protect the privacy of individuals, the security and integrity of systems, to guard against fraud, and to reduce the risk of unauthorized disclosure. Tier 1 information may include, but is not limited to:
+
+* Protected Health Information (PHI) - governed under HIPAA/HITECH
+* Cardholder Data (CHD) - governed under PCI-DSS/PA-DSS
+* Personal Data for an EU Citizen - governed under GDPR
+* Social Security Numbers
+* Credit and debit card numbers
+* Bank account or other financial account numbers
+* Clear-text passwords, passphrases, PINs, security and access codes
+* Information and data elements governed by State-specific privacy laws
+
+This may also include data that is not related to a customer and is, instead, Datica’s sole responsibility.
+
+Under no circumstances can Tier 1 (Protected) data be stored outside protected environments. When at rest, Tier 1 (Protected) data must be encrypted and, when transmitted across untrusted networks (including inter-system communication in cloud environments. Essentially, all networks that are not located inside a Datica-owned facility are considered untrusted), the transmission must be encrypted. Datica makes it a matter of policy to not access customer protected data stores unless explicitly allowed by the customer and only after support request, notification is made to the customer that such access is necessary, or to restore system functionality.
+
+Under no circumstances can Tier 1 (Protected) information be used in non-production environments.
+
+Access to Tier 1 (Protected) data is limited only to those with a business need. Access must be authenticated using two-factor authentication mechanisms. The information in this category must not be stored on any mobile computing device or physical storage device such as a laptop, smartphone, PDA, USB drive, flash drive, or any mobile media, regardless of whether the device is owned by Datica, is personally owned, or owned by any other external party or persons.
+
+See the System Security Policy, Data Integrity Policy and Encryption Standard for detailed enumeration of the controls necessary to protect Tier 1 (Protected) data at rest and in transit.
+
+**Tier 2 - Confidential**
+
+Tier 2 contains restricted information that is required to be maintained in a highly confidential manner as directed by Datica’s Privacy Officer, applicable law or regulation, contractual obligation, or subject to any applicable legal privilege or protection. Examples include, but are not limited to:
+
+* Business critical intellectual property, proprietary data, and/or trade secrets
+* Application source code
+* Legal contracts
+* HR records (e.g., background check reports, salary, DoB, employment records etc.)
+* Non-public tax and accounting data
+* Passwords, passphrases and password storage databases
+* Encryption keys
+* Device or system configurations, virtual machine images, snapshots
+* Network and infrastructure designs
+* Customer lists and contacts
+* Security, system, and application audit logs
+* Internal information security protocols, plans, and processes
+
+Access to Tier 2 (Confidential) data is limited to Datica employees and third parties operating under an executed non-disclosure agreement. This information should never be stored on a computing device or electronic storage media that is personally owned unless expressly permitted.
+
+See the System Security Policy, Data Integrity Policy and Encryption Standard for detailed enumeration of the controls necessary to protect Tier 2 (Confidential) data at rest and in transit.
+
+**Tier 3 - Private**
+
+This tier includes "official use only" information about the business and its personnel that can be shared with Datica staff and its authorized partners, but will not be routinely made available to the public without explicit authorization from the Privacy Officer or CSO or delegate. Information in this category includes, but is not limited to:
+
+* Operational procedures
+* Employee benefits "brochure" information
+* Business application data that does not fall into Tier 1 or 2 categories
+* Email that does not contain Tier 1 or 2 information
+* Interpersonal communication (e.g., Slack, Zoom, Google Hangouts)
+* IP addresses, system names, account names
+
+Access to this information is limited to Datica employees or third parties operating under an executed non-disclosure agreement. This information should never be stored on a computing device or electronic storage media that is personally owned.
+
+**Tier 4 - Public**
+
+This tier includes data and information that are considered to freely exist in the public domain and contain no information from Tier 1, 2, or 3.
+
+### Application Classification
+
+Application classification follows the type of information that the application handles (stores, processes, or transmits). If an application handles Tier 1 (Protected) data, then the application is considered a Tier 1 (Protected) application.
+
+**Tier 1 - Protected**
+
+Any application that is involved with the storage, processing, or transmission of Tier 1 data is considered a Tier 1 (Protected) application.
+
+**Tier 2 - Confidential**
+
+Any application that stores, processes, or transmits Tier 2 (Confidential) information is considered a Tier 2 (Confidential) application.
+
+**Tier 3 - Private**
+
+Any application that stores, processes, or transmits Tier 3 (Private) information is considered a Tier 3 (Private) application.
+
+**Tier 4 - Common Tools and Applications**
+
+Tier 4 applications represent tools that are commonly installed with most modern operating systems (SSH, Internet browser and plugins, SFTP client, password safes, etc…) and which might be used to work with higher Tier information, but only as a way to administer or consume the information. Many of the standards (or the Acceptable Use Policy) will outline specific configuration and usage restrictions for the use of these common tools.
+
+### System Classification
+
+A "System" can be a range of technology mechanisms that perform a discrete function or service. A System may be a single process running in a container or VM, or a set of processes spanning multiple containers and/or VMs.
+
+**Tier 1 - Production - Customer Facing**
+
+Systems that host customer containers or services or which directly affect or have an impact on the information security (e.g., confidentiality, availability, integrity) or compliance posture of those containers or services are considered a Tier-1 (Production) systems.
+
+**Tier 2 - Stage/Test/QA - Internet Facing (Non-Customer)**
+
+Systems that host customer staging, test, or QA containers or services or Datica-administered services that are directly accessible from the Internet are considered Tier 2 (Confidential) systems. Note that by policy, staging, test, or QA systems are forbidden to store, process, or transmit Tier 1 (Protected) data.
+
+**Tier 3 - Development environments / Workstations (Company-managed system)**
+
+Datica administered systems that host development environments and Datica-purchased workstations (including other mobile computing devices) are considered Tier 3 Dev systems.
+
+**Tier 4 - Unsecured (Personal/unmanaged system)**
+
+Any computing system that is not purchased or administered by Datica is considered a Tier 4 Unsecured system. This includes employee-owned workstations, mobile computing devices, and cloud-based environments and services.
+
+Applicable Standards from the HITRUST Common Security Framework:
+
+* 01.w Sensitive System Isolation
+* 06.c Protection of Organizational Records
+* 06.d Data Protection and Privacy of Covered Information
+* 10.a Security Requirements Analysis and Specification
+
+## Credential Management Policy
+
+Applicable Standards from the HITRUST Common Security Framework:
+
+* 01.b User Registration
+* 01.c Privilege Management
+* 01.d User Password Management
+* 01.q User Identification and Authentication
+
+## Data Integrity Policy
+
+Applicable Standards from the HITRUST Common Security Framework:
+
+* 01.v Information Access Restriction
+* 05.i Identification of Risks Related to External Parties
+* 09.j Controls Against Malicious Code
+* 09.v Electronic Messaging
+* 10.h Control of Operational Software
+
+## Data Retention and Media Destruction Policy
+
+Applicable Standards from the HITRUST Common Security Framework:
+
+* 06.c Protection of Organizational Records
+* 08.l Secure Disposal or Re-Use of Equipment
+* 09.aa Audit Logging
+* 09.p Disposal of Media
+
+## Disaster Recovery and Business Continuity Policy
+
+Applicable Standards from the HITRUST Common Security Framework:
+
+* 09.e Service Delivery
+* 09.l Back-up
+* 09.n Security of Network Services
+* 12.b Business Continuity and Risk Assessment
+* 12.c Developing and Implementing Continuity Plans Including Information Security
+* 12.d Business Continuity Planning Framework
+
+## Incident Response Policy
+
+Datica has implemented an information security incident response plan and detailed process to provide an effective, efficient, and orderly approach to managing incidents (security-related and otherwise). The incident response plan must, at a minimum, provide documentation of the procedures to be taken by Datica staff members in the event of an incident, ensure that the incident is efficiently and systematically handled and communicated to the appropriate parties, facilitate the rapid recovery of the affected systems and identification of the cause of the incident, and provide a clear path for adopting preventive measures designed to address future incidents. Ultimately the Chief Security Officer or delegate is the owner of this plan and its implementation. The plan was developed to meet compliance obligations including:
+
+* Effectively and quickly identify the nature of the incident, its scope and severity.
+* Identify a single point of coordination and communication.
+* Establish the criteria for the recognition of a potential security breach and document the requirements for reporting the breach.
+* Establish the criteria for the declaration of a disaster and the subsequent invocation of the Disaster Recovery and Business Continuity Plan.
+* Ensure that all employees and contractors are aware of their obligations to recognize and report potential incidents, and the sanctions if these instructions are not followed.
+* Identify the specific individuals that need to be contacted in the event of an incident. This includes internal as well as external entities.
+* Identify all employees involved in the incident.
+* Testing the plan at least annually, or if the plan changes and using the results of the test (and lessons learned from any actual incident response events) to improve the plan.
+
+### Breach Notification
+
+To provide guidance for breach notification when impressive or unauthorized access, acquisition, use and/or disclosure of the ePHI occurs. Breach notification will be carried out in compliance with the American Recovery and Reinvestment Act (ARRA)/Health Information Technology for Economic and Clinical Health Act (HITECH) as well as any other federal or state notification law.
+
+The Federal Trade Commission (FTC) has published breach notification rules for vendors of personal health records as required by ARRA/HITECH. The FTC rule applies to entities not covered by HIPAA, primarily vendors of personal health records. The rule is effective September 24, 2009 with full compliance required by February 22, 2010.
+
+The American Recovery and Reinvestment Act of 2009 (ARRA) was signed into law on February 17, 2009. Title XIII of ARRA is the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH significantly impacts the Health Insurance Portability and Accountability (HIPAA) Privacy and Security Rules. While HIPAA did not require notification when patient protected health information (PHI) was inappropriately disclosed, covered entities and business associates may have chosen to include notification as part of the mitigation process. HITECH does require notification of certain breaches of unsecured PHI to the following: individuals, Department of Health and Human Services (HHS), and the media. The effective implementation of this provision is September 23, 2009 (pending publication HHS regulations).
+
+### Datica HIPAA Breach Policy
+
+1. Discovery of Breach: A breach of ePHI shall be treated as "discovered" as of the first day on which such breach is known to the organization, or, by exercising reasonable diligence would have been known to Datica (includes breaches by the organization's Customers, Partners, or subcontractors). Datica shall be deemed to have knowledge of a breach if such breach is known or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or Partner of the organization. Following the discovery of a potential breach, the organization shall begin an investigation (see organizational policies for security incident response and/or risk management incident response) immediately, conduct a risk assessment, and based on the results of the risk assessment, begin the process to notify each Customer affected by the breach. Datica shall also begin the process of determining what external notifications are required or should be made (e.g., Secretary of the Department of Health & Human Services (HHS), media outlets, law enforcement officials, etc.)
+2. Breach Investigation: The Datica Security Officer shall name an individual to act as the investigator of the breach (e.g., privacy officer, security officer, risk manager, etc.). The investigator shall be responsible for the management of the breach investigation, completion of a risk assessment, and coordinating with others in the organization as appropriate (e.g., administration, security incident response team, human resources, risk management, public relations, legal counsel, etc.) The investigator shall be the key facilitator for all breach notification processes to the appropriate entities (e.g., HHS, media, law enforcement officials, etc.). All documentation related to the breach investigation, including the risk assessment, shall be retained for a minimum of six years.
+3. Risk Assessment: For an acquisition, access, use or disclosure of ePHI to constitute a breach, it must constitute a violation of the HIPAA Privacy Rule. A use or disclosure of ePHI that is incident to an otherwise permissible use or disclosure and occurs despite reasonable safeguards and proper minimum necessary procedures would not be a violation of the Privacy Rule and would not qualify as a potential breach. To determine if an impermissible use or disclosure of ePHI constitutes a breach and requires further notification, the organization will need to perform a risk assessment to determine if there is significant risk of harm to the individual as a result of impermissible use or disclosure. The organization shall document the risk assessment as part of the investigation in the incident report form noting the outcome of the risk assessment process. The organization has the burden of proof for demonstrating that all notifications to appropriate Customers or that the use or disclosure did not constitute a breach. Based on the outcome of the risk assessment, the organization will determine the need to move forward with breach notification. The risk assessment and the supporting documentation shall be fact specific and address:
+
+ * Consideration of who impermissibly used or to whom the information was impermissibly disclosed;
+ * he type and amount of ePHI involved;
+ * he cause of the breach, and the entity responsible for the breach, either Customer, Datica, or Partner.
+ * The potential for significant risk of financial, reputational, or other harm.
+
+4. Timeliness of Notification: Upon discovery of a breach, notice shall be made to the affected Datica Customers no later than 4 hours after the discovery of the breach. It is the responsibility of the organization to demonstrate that all notifications were made as required, including evidence demonstrating the necessity of delay.
+5. Delay of Notification Authorized for Law Enforcement Purposes: If a law enforcement official states to the organization that a notification, notice, or posting would impede a criminal investigation or cause damage to national security, the organization shall:
+
+ * If the statement is in writing and specifies the time for which a delay is required, delay such notification, noice, or posting of the timer period specified by the official; or
+ * If the statement is made orally, document the statement, including the identify of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described above is submitted during that time.
+
+6. Content of the Notice: The notice shall be written in plain language and must contain the following information:
+
+ * A brief description of what happened, including the date of the breach and the date of the discovery of the breach, ifknown;
+ * A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code or oter types of information were involved), if known;
+ * ny steps the Customer should take to protect Customer data from potential harm resulting from the breach.
+ * A brief description of what Datica is doing to investigate the breach, to mitigate harm to individuals and Cutomers, and to protect against further breaches.
+ * Contact procedures for individuals to ask questions or learn additional information, which may include a toll-free telephone number, an e-mail address, a website, or postal address.
+
+7. Methods of Notification: Datica Customers will be notified via email and phone within the timeframe for reporting breaches, as outlined above.
+
+### Datica Customer GDPR Breach Policy
+
+1. Discovery of Breach: A breach of personal information regarding EU data subjects shall be treated as "discovered" as of the first day on which such breach is known to the organization, or, by exercising reasonable diligence would have been known to Datica (includes breaches by the organization's Customers, Partners, or subcontractors). Datica shall be deemed to have knowledge of a breach if such breach is known or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or Partner of the organization. Following the discovery of a potential breach, the organization shall begin an investigation (see organizational policies for security incident response and/or risk management incident response) immediately, conduct a risk assessment, and based on the results of the risk assessment, begin the process to notify each Customer affected by the breach. Once the breach has been confirmed by the Datica Security Officer, notice should be provided as soon as possible to Datica’s representative in the Union:
+
+```
+William Fry
+Solicitors
+2 Grand Canal Square
+Grand Canal Dock
+Dublin 2
+Ireland
++353 1 639 5000
+```
+
+
+1. Breach Investigation: The Datica Security Officer shall name an individual to act as the investigator of the breach (e.g., privacy officer, security officer, risk manager, etc.). The investigator shall be responsible for the management of the breach investigation, completion of a risk assessment, and coordinating with others in the organization as appropriate (e.g., administration, security incident response team, human resources, risk management, public relations, legal counsel, etc.) The investigator shall be the key facilitator for all breach notification processes to Datica Customers. All documentation related to the breach investigation, including the risk assessment, shall be retained indefinitely.
+
+2. Risk Assessment: For an acquisition, access, use or disclosure of personal information regarding persons from the European Union, the loss of information must cause a "high risk to the rights and freedoms of natural persons." For example, if the personal information exposed is fully encrypted, and unable to be decrypted by unauthorized persons, the loss of that information would not constitute a breach. To determine if an impermissible use or disclosure of personal information constitutes a breach and requires further notification, the organization will need to perform a risk assessment to determine if there is a high risk to the rights and freedoms of the natural persons as a result of impermissible use or disclosure. The organization shall document the risk assessment as part of the investigation in the incident report form noting the outcome of the risk assessment process. The organization has the burden of proof for demonstrating that all notifications to appropriate Customers or that the use or disclosure did not constitute a breach. Based on the outcome of the risk assessment, the organization will determine the need to move forward with breach notification. The risk assessment and the supporting documentation shall be fact specific and address:
+
+ * Consideration of who impermissibly used or to whom the information was impermissibly disclosed;
+ * The type and amount of personal information involved;
+ * The cause of the breach, and the entity responsible for the breach, either Customer, Datica, or Partner.
+ * The potential for significant risk of financial, reputational, or other harm.
+
+3. Timeliness of Notification: Upon discovery of a breach, notice shall be made to the affected Datica Customers without unreasonable delay, no later than 4 hours after the discovery of the breach. It is the responsibility of the organization to demonstrate that all notifications were made as required, including evidence demonstrating the necessity of delay. Datica is a "data processor" in relation to Customers, who are “data controllers”. Under GDPR, the data controller is responsible for providing notifications to all supervisory authorities and affected data subjects. Datica should not provide breach notification to anyone besides affected customers unless directed by an affected customer.
+
+4. Delay of Notification Authorized for Law Enforcement Purposes: If a law enforcement official states to the organization that a notification, notice, or posting would impede a criminal investigation or cause damage to national security, the organization shall:
+
+ * If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting of the timer period specified by the official; or
+ * If the statement is made orally, document the statement, including the identify of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described above is submitted during that time.
+
+5. Content of the Notice: The notice shall be written in plain language and must contain the following information:
+
+ * A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
+ * A description of the types of personal information that were involved in the breach (such as whether full name, national identifier, date of birth, home address, account number, diagnosis, disability code or other types of information were involved), if known;
+ * A description of the likely consequences of the breach to affected individuals (e.g. risk of identity theft, risk of damage to reputation, etc.)
+ * Any steps the Customer should take to protect Customer data from potential harm resulting from the breach.
+ * A brief description of what Datica is doing to investigate the breach, to mitigate harm to individuals and Customers, and to protect against further breaches.
+ * Contact procedures for individuals to ask questions or learn additional information, which may include a toll-free telephone number, an email address, a website, or postal address, including, but not limited to the contact information for Datica’s GDPR Data Protection Officer and its GDPR representative in the Union.
+
+6. Methods of Notification: Datica Customers will be notified via email and phone within the timeframe for reporting breaches, as outlined above.
+
+### Datica Platform Customer Responsibilities
+
+1. The Datica Customer that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured ePHI shall, without unreasonable delay and in no case later than 60 calendar days after discovery of a breach, notify Datica of such breach. The Customer shall provide Datica with the following information:
+
+ * A description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of records and Customers affected, if known.
+ * A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, etc.), if known.
+ * A description of the action taken with regard to notification of patients regarding the breach.
+ * Resolution steps taken to mitigate the breach and prevent future occurrences.
+
+2. Notice to Media: Datica Customers are responsible for providing notice to prominent media outlets at the Customer's discretion.
+
+3. Notice to Secretary of HHS: Datica Customers are responsible for providing notice to the Secretary of HHS at the Customer's discretion.
+
+### Breach notifications involving EU personal information collected by Datica
+
+As a result of business activities that we undertake in the European Union, Datica may come into contact directly with personal information regarding European Union data subjects that results in Datica being considered a "data controller" under GDPR (ex. website account information collected from persons located in the geographic boundaries of the European Union). In the event of a breach of such information, a different procedure applies than the one that is used to respond to the loss of customer information.
+
+1. Discovery of Breach: A breach of personal information shall be treated as "discovered" as of the first day on which such breach is known to the organization, or, by exercising reasonable diligence would have been known to Datica (includes breaches by the organization's Partners, or subcontractors). Datica shall be deemed to have knowledge of a breach if such breach is known or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or Partner of the organization. Following the discovery of a potential breach, the organization shall begin an investigation (see organizational policies for security incident response and/or risk management incident response) immediately, conduct a risk assessment, and based on the results of the risk assessment, begin the process to notify each Customer affected by the breach. Datica shall also begin the process of determining what external notifications are required or should be made (e.g., relevant European Union supervisory authorities, media outlets, law enforcement officials, etc.).
Once the breach has been confirmed by the Datica Security Officer, notice should be provided as soon as possible to Datica’s representative in the Union: + +``` +William Fry +Solicitors +2 Grand Canal Square +Grand Canal Dock +Dublin 2 +Ireland ++353 1 639 5000 +``` + + +1. Breach Investigation: The Datica Security Officer shall name an individual to act as the investigator of the breach (e.g., privacy officer, security officer, risk manager, etc.). The investigator shall be responsible for the management of the breach investigation, completion of a risk assessment, and coordinating with others in the organization as appropriate (e.g., administration, security incident response team, human resources, risk management, public relations, legal counsel, etc.) The investigator shall be the key facilitator for all breach notification processes to the appropriate entities (e.g., supervisory authorities, media, law enforcement officials, etc.). All documentation related to the breach investigation, including the risk assessment, shall be retained indefinitely. + +2. Risk Assessment: For an acquisition, access, use or disclosure of personal information to constitute a breach, the loss of information must cause a "high risk to the rights and freedoms of natural persons." For example, if the personal information exposed is fully encrypted, and unable to be decrypted by unauthorized persons, the loss of that information would not constitute a breach. To determine if an impermissible use or disclosure of personal information constitutes a breach and requires further notification, the organization will need to perform a risk assessment to determine if there is significant risk of harm to the individual as a result of impermissible use or disclosure. The organization shall document the risk assessment as part of the investigation in the incident report form noting the outcome of the risk assessment process. 
The organization has the burden of proof for demonstrating that all notifications to appropriate Customers or that the use or disclosure did not constitute a breach. Based on the outcome of the risk assessment, the organization will determine the need to move forward with breach notification. The risk assessment and the supporting documentation shall be fact specific and address: + + * Consideration of who impermissibly used or to whom the information was impermissibly disclosed; + * The type and amount of personal information involved; + * The cause of the breach, and the entity responsible for the breach, either Datica, or Partner. + * The potential for significant risk of financial, reputational, or other harm. + +3. Timeliness of Notification: Upon discovery of a breach, notice shall be made to the relevant EU supervisory authority without unreasonable delay, no later than 72 hours after the discovery of the breach. It is the responsibility of the organization to demonstrate that all notifications were made as required, including evidence demonstrating the necessity of delay. + +4. Content of the Notice: The notice shall be written in plain language and must contain the following information: + +* A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; +* A description of the types of personal information that were involved in the breach (such as whether full name, national identifier, date of birth, home address, account number, diagnosis, disability code or other types of information were involved), if known; +* A description of the likely consequences of the breach. +* A brief description of what Datica is doing to investigate the breach, to mitigate harm to individuals and to protect against further breaches. +* Contact procedures for Datica’s GDPR Data Protection Officer and its representative in the Union. + +5. 
Methods of Notification: The appropriate supervisory authority will be notified via email and phone. + +### Breach Accounting and Additional Considerations + +The following applies to all breaches, regardless of the type of information involved in the breach. + +* Maintenance of Breach Information/Log: As described above and in addition to the reports created for each incident, Datica shall maintain a process to record or log all breaches regardless of the number of records and Customers affected. The following information should be collected/logged for each breach: + + * A description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of records and Customers affected, if known. + * A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, etc.), if known. + * A description of the action taken with regard to notification of patients regarding the breach. + * Resolution steps taken to mitigate the breach and prevent future occurrences. + +* Workforce Training: Datica shall train all members of its workforce on the policies and procedures with respect to personal information (including ePHI) as necessary and appropriate for the members to carry out their job responsibilities. Workforce members shall also be trained as to how to identify and report breaches within the organization. +* Complaints: Datica must provide a process for individuals to make complaints concerning the organization's patient privacy policies and procedures or its compliance with such policies and procedures. +* Sanctions: The organization shall have in place and apply appropriate sanctions against members of its workforce, Customers, and Partners who fail to comply with the privacy policies and procedures. 
+* Retaliation/Waiver: Datica may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any privacy rights. The organization may not require individuals to waive their privacy rights as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits. + +Applicable Standards from the HITRUST Common Security Framework: + +* 02.e Information Security Awareness, Education, and Training +* 02.f Disciplinary Process +* 05.a Management Commitment to Information Security +* 06.d Data Protection and Privacy of Covered Information +* 06.e Prevention of Misuse of Information Assets +* 11.a Reporting Information Security Events +* 11.c Responsibilities and Procedures +* 11.d Learning from Information Security Incidents + +## Physical Security Policy + +There are two principal workforce operating environments where physical security is under partial or full control of Datica: the corporate offices and third party cloud provider’s data center operations. Although different controls are applied at the different facilities, the physical security goals are largely the same: access to all Datica facilities is restricted to only authorized workforce members and security safeguards are in place to effectively minimize and manage risk to an acceptable level while remaining in compliance with Datica’s obligations to ensure the confidentiality, integrity, and availability of its, and its customers' assets. Corporate offices, authorized remote and teleworking locations, and all Datica information systems, shall not and do not store Tier 1 (Protected) physical or electronic data, such as ePHI and Cardholder Data. All workforce members are made aware of this requirement and routinely reminded that it is their responsibility to report an incident of unauthorized access or storage of covered data to Datica’s Chief Security Officer and/or Privacy Officer. 
+ +Datica works with third party vendors to assure restriction of physical access to Datica Systems. Datica and its subcontractors control access to the physical buildings/facilities that house these systems/applications, or in which Datica workforce members operate, in accordance with applicable compliance requirements (e.g., HIPAA, HITRUST, GDPR, etc.) and their implementation specifications. The following mandatory physical safeguards and workforce member obligations shall be constantly enforced at Datica: + +* Visitor and third party support access is recorded and supervised. All visitors shall be escorted by employees or authorized delegates. +* Fire extinguishers and detectors are installed according to applicable laws and regulations; the fire authorities are automatically notified if a fire alarm is activated. +* Facility maintenance is controlled and conducted by authorized personnel in accordance with contractual obligations, supplier-recommended intervals, insurance policies, and the organization’s maintenance program. All maintenance work requiring physical interaction shall be tracked. Datica maintains a list of authorized maintenance organizations or personnel, ensures that non-escorted personnel performing maintenance on the information system have required access authorizations, and designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. +* Electronic and physical media containing covered information is securely destroyed (or the information securely removed) prior to disposal. Any surplus equipment must be stored securely while not in use, and disposed of or sanitized when no longer required. 
+* In situations where the physical mailing of covered and/or confidential materials is required, workforce members shall ensure the materials are not externally visible through the use of privacy envelopes, tamper-proof/evident mailers, etc.; the Office Administrator will facilitate the procurement and distribution of these supplies. +* Physical access is restricted using smart locks that track all access. + * Restricted areas and facilities are locked and when unattended (where feasible). + * Only authorized workforce members receive access to restricted areas (as determined by the Chief Security Officer). + * The CSO or authorized delegate shall review the physical access list and authorization credentials periodically but no less than quarterly; and removes individuals from the facility access list when access is no longer required + * Electronic and physical access and keys shall be revoked upon termination of workforce members. + * Workforce members must report a lost and/or stolen key(s) to the Chief Security Officer. + * The Chief Security Officer or authorized delegate facilitates the changing of physical lock(s) within 7 days of a key being reported lost/stolen. +* Enforcement of Facility Access + * Workforce members are required to immediately report violations of this policy to the Chief Security Officer. + * Workforce members in violation of this policy are subject to disciplinary action, up to and including termination. + +Datica will review subcontractors compliance certifications annually to ensure that mandatory security requirements are enforced. 
+ +## Policy Management Policy + +Applicable Standards from the HITRUST Common Security Framework: + +* 04.b Review of the Information Security Policy +* 10.b Input Data Validation + +## Risk Management Policy + +Applicable Standards from the HITRUST Common Security Framework: + +* 00.a Information Security Management Program +* 02.d Management Responsibilities +* 03.b Performing Risk Assessments +* 03.c Risk Mitigation +* 03.d Risk Evaluation +* 04.b Review of the Information Security Policy +* 05.a Management Commitment to Information Security +* 05.h Independent Review of Information Security +* 06.g Compliance with Security Policies and Standards +* 09.s Information Exchange Policies and Procedures +* 10.a Security Requirements Analysis and Specification +* 10.h Control of Operational Software + +## System Development Lifecycle Policy + +Applicable Standards from the HITRUST Common Security Framework: + +* 10.a Security Requirements Analysis and Specification + +## System Security Policy + +Applicable Standards from the HITRUST Common Security Framework: + +* 01.m Segregation in Networks +* 01.n Network Connection Control +* 01.o Network Routing Control +* 01.t Session Time-out +* 01.v Information Access Restriction +* 06.d Data Protection and Privacy of Covered Information +* 09.j Controls Against Malicious Code +* 09.k Controls Against Mobile Code +* 09.m Network Controls +* 09.s Information Exchange Policies and Procedures +* 10.b Input Data Validation +* 10.f Policy on the Use of Cryptographic Controls +* 10.h Control of Operational Software + +## Third Party Vendors and Due Diligence Policy + +Applicable Standards from the HITRUST Common Security Framework: + +* 01.l Remote Diagnostic and Configuration Port Protection +* 05.i Identification of Risks Related to External Parties +* 05.j Addressing Security When Dealing with Customers +* 05.k Addressing Security in Third Party Agreements +* 08.b Physical Entry Controls +* 08.d Protecting Against External and 
Environmental Threats +* 08.j Equipment Maintenance +* 09.e Service Delivery +* 09.f Monitoring and Review of Third Party Services +* 09.m Network Controls +* 09.n Security of Network Services +* 09.p Disposal of Media +* 09.s Information Exchange Policies and Procedures +* 10.a Security Requirements Analysis and Specification +* 10.h Control of Operational Software +* 10.l Outsourced Software Development + +## Tools Policy + +Applicable Standards from the HITRUST Common Security Framework: + +* 09.v Electronic Messaging +* 10.a Security Requirements Analysis and Specification + +## Training and Awareness Policy + +Applicable Standards from the HITRUST Common Security Framework: + +* 01.y Teleworking +* 02.a Roles and Responsibilities +* 02.e Information Security Awareness, Education, and Training +* 02.f Disciplinary Process +* 04.a Information Security Policy Document +* 05.a Management Commitment to Information Security +* 07.c Acceptable Use of Assets +* 09.j Controls Against Malicious Code +* 09.s Information Exchange Policies and Procedures + +## Vulnerability Management Policy + +Applicable Standards from the HITRUST Common Security Framework: + +* 06.h Technical Compliance Checking +* 10.b Input Data Validation +* 10.m Control of Technical Vulnerabilities + +## Compliance + +Violations of this standard and its procedures by employees may result in disciplinary action, up to and including termination of employment. Violation of this standard and procedures by others, including business associates and workforce members may result in termination of the relationship and/or associated privileges. Violation may also result in civil and criminal penalties as determined by federal and state laws and regulations. Datica reserves the right to notify law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. 
+ +Datica does not consider conduct in violation of this policy to be within a workforce member’s, business associate’s, or partner’s course and scope of employment or partnership, or the direct consequence of the discharge of the employee’s or partner’s duties. Accordingly, to the extent permitted by law, Datica reserves the right not to defend or pay any damages awarded against employees or partners that result from violation of this policy. + +If an employee, workforce member, business associate, or partner believes he or she has been requested to undertake an activity which he or she believes is in violation of this policy, he or she must provide a written or verbal complaint to the Human Resources Manager or any manager as soon as possible. + +## Version Tracking + + + + + + + + + + + + + + + + + +
Version NumberApproval DateSummary of Changes
2020-v1.011/30/2020Original - Effective
+ diff --git a/docs/purpose.md b/docs/purpose.md new file mode 100644 index 0000000..4ec0da9 --- /dev/null +++ b/docs/purpose.md 
@@ -0,0 +1,16 @@ +--- +title: "Purpose and Scope" +metaDescription: "The goal of this policy is to guide and direct Datica workforce members on how to defend its assets against internal, external, deliberate or accidental threats." +date: 2018-09-15 07:42:34 +slug: purpose +--- + +## Purpose + +This Information Security Policy has been established to ensure the business continuity of Datica and to minimize the risk of damage by preventing security incidents and reducing their potential impact. It defines the technical, administrative, and physical controls and configurations that users and administrators are required to implement in order to ensure the confidentiality, integrity, and availability of the data environments owned and operated by Datica. The goal of this policy is to guide and direct Datica workforce members on how to defend its assets against internal, external, deliberate or accidental threats. Adherence to the policy and associated standards referenced herein is mandatory for all employees and incorporates elements involving defined processes, integration, culture, and infrastructure management, and serves as the central security policy that all Datica employees must be familiar with and have working knowledge thereof. + +## Scope + +The policy requirements and restrictions defined in this policy shall apply to all Datica personnel and systems. The policy covers Datica network systems which is comprised of various hardware, software, communication equipment and other devices designed to assist Datica and its customers in the creation, receipt, storage, processing, and transmission of data and information. + +Datica’s portfolio of cloud-based products include the following: 1) Compliant Platform as a Service (CPaaS) 2) Compliant Kubernetes Service (CKS) and 3) Compliant Managed Integration (CMI). 
These products are cited throughout Datica policies, standards, and procedures as customers in each category inherit different standards, procedures, and obligations from Datica. It is the responsibility of the Chief Security Officer and Chief Privacy Officer to maintain this policy and ensure the contents of the policy are continually monitored and enforced. diff --git a/docs/roles.md b/docs/roles.md new file mode 100644 index 0000000..e5daee2 --- /dev/null +++ b/docs/roles.md 
@@ -0,0 +1,149 @@ +--- +title: "Roles and Responsibilities" +metaDescription: "The goal of this policy is to guide and direct Datica workforce members on how to defend its assets against internal, external, deliberate or accidental threats." +date: 2018-09-15 07:42:34 +slug: roles +--- + +### Chief Security Officer + +**Ted Bienapfl** +`ted.bienapfl@datica.com` + +The Chief Security Officer (CSO) is responsible for working with user management, owners, custodians, and users to develop and implement prudent security policies, procedures, and controls, subject to the approval of Datica. In HIPAA terms, the CSO is considered the "Security Officer" for Datica. Specific responsibilities include: + +* Ensuring security policies, procedures, and standards are in place and adhered to by entity. +* Providing basic security support for all systems and users. +* Advising owners in the identification and classification of computer resources. See Information Classification Section, below. +* Advising systems development and application owners in the implementation of security controls for information on systems, from the point of system design and development, through testing and production implementation. +* Educating custodian and user management with comprehensive information about security controls affecting system users and application systems. +* Providing on-going employee security education. +* Performing security audits +* Reporting regularly to the Information Security and Risk Management Committee on Datica’s status with regard to risk and information security. + +### Data/Application Owner + +The owner of a collection of information is usually the manager responsible for the creation of that information or the primary user of that information. This role often corresponds with the management of an organizational unit. In this context, ownership does not signify proprietary interest, and ownership may be shared. 
The owner may delegate ownership responsibilities to another employee. It should be noted that Datica takes every effort to ensure that customer data is stored only in customer-owned and maintained environments. At no time does Datica have intentional access to customer production data. The owner of information has the responsibility for: + +* Knowing the information for which she/he is responsible. +* Reviewing and approving all requests for their application access authorizations +* Determining a data retention period for the information, relying on advice from the Legal Department - or ensuring that guidance already exists in the Data Retention and Media Destruction Standard. +* Ensuring appropriate procedures are in effect to protect the integrity, confidentiality, and availability of the information used or created within the organizational unit. +* Authorizing access and assigning custodianship. +* Specifying controls and communicating the control requirements to the custodian and users of the information. +* Reporting promptly to the CSO or delegate the loss or misuse of Datica (or customer) information. +* Initiating corrective actions when problems are identified. +* Promoting employee education and awareness by utilizing programs approved by the CSO or delegate, where appropriate. +* Following existing approval processes within the respective organizational unit for the selection, budgeting, purchase, and implementation of any computer system/software to manage information. + +### Data/Application Custodian + +The custodian of information is generally responsible for the processing and storage of the information. The custodian is responsible for the administration of controls as specified by the owner. Responsibilities may include: + +* Providing and/or recommending physical safeguards. +* Providing and/or recommending procedural safeguards. +* Administering access to information. 
+* Releasing information as authorized by the Information Owner and/or the Information Privacy/ Security Officer for use and disclosure using procedures that protect the privacy of the information. +* Evaluating the cost effectiveness of controls. +* Maintaining information security policies, procedures and standards as appropriate and in consultation with the CSO or delegate. +* Promoting employee education and awareness by utilizing programs approved by the Privacy Officer, where appropriate. +* Reporting promptly to the CSO or delegate the loss or misuse of Datica information. +* Identifying and responding to security incidents and initiating appropriate actions when problems are identified. + +### Manager + +Managers are Datica employees who supervise other employees in the capacities described below. User management is responsible for overseeing their employees' use of information, including: + +* Initiating security change requests to keep employees' security record current with their positions and job functions. +* Promptly informing appropriate parties of employee terminations and transfers, in accordance with local entity termination procedures. +* Revoking physical access to terminated employees, i.e., confiscating keys, changing combination locks, etc. +* Providing employees with the opportunity for training needed to properly use the computer systems. +* Reporting promptly to the CSO or delegate the loss or misuse of Datica information. +* Initiating corrective actions when problems are identified. +* Following existing approval processes within their respective organization for the selection, budgeting, purchase, and implementation of any computer system/software to manage information. + +### User + +The user is any person who has been authorized to read, enter, or update information. A user of information is expected to: + +* Understand, abide by, and acknowledge, by way of signature, the Acceptable Use Policy. 
+* Access information only in support of their authorized job responsibilities. +* Comply with Information Security Policies and Standards and with all controls established by the organization. +* Follow proper procedure for all disclosures of PHI outside of Datica and within Datica, other than for treatment, payment, or health care operations. +* Keep personal authentication devices (e.g. passwords, Smartphones, PINs, etc.) confidential. +* Attend HIPAA and Information Security training upon initial hire and complete annual refresher HIPAA and Information Security training. +* Report promptly to the CSO or delegate the loss or misuse of Datica. information. +* Initiate corrective actions when problems are identified. + +### Privacy Officer/Data Privacy Officer + +**Ted Bienapfl** +`ted.bienapfl@datica.com` + +The Privacy Officer, in collaboration with the CSO or delegate, Information Security/Risk Management/Compliance Team, and senior leadership, are responsible for overseeing the development, implementation, and oversight of all activities pertaining to Datica’s efforts to be compliant with, among other compliance mandates, the HIPAA Privacy Rule (Privacy Rule) and Breach of Unsecured PHI Rule, as applicable and as described in Business Associate Agreements. The intent of all oversight activities include those necessary to maintain the Confidentiality, integrity, and availability of protected information as described in the Information and System Classification section of this policy. These responsibilities include, but are not limited to the following: + +* Oversee all organizational initiatives related to the identification, development, implementation, auditing, enforcement, improvement, and adherence to the organization’s privacy policies and procedures and the Privacy Rule and Breach of Unsecured PHI Rule. 
+* Monitor developments relating to privacy and Breach of Unsecured PHI, including changes in applicable laws and regulations and when significant risks are identified. +* Verifies privacy safeguarding measures meet the requirements of the Privacy Rule, while balancing business needs and capabilities to maintain the confidentiality, integrity, and availability of protected and confidential information. +* Serve as a resource for Datica staff and customers regarding the privacy of protected and confidential information and data. +* Work with staff members, vendors, outside consultants, customers, and other third parties to continuously improve privacy within the organization. +* Privacy policy and procedure oversight + 1. Ensures written policies and procedures comply with the Privacy and Breach of Unsecured PHI Rules + 2. Ensures written policies and procedures establish appropriate administrative, technical, and physical safeguards to protected and confidential information. +* Make all reasonable efforts to limit incidental uses and disclosures and protect the privacy of PHI from intentional or unintentional uses and disclosures that are in violation of the law or Datica’s policies and procedures. +* In conjunction with the Chief Security Officer, ensure privacy training is provided to workforce members and other confidential information users as necessary and appropriate to carry out their job functions. Verify the privacy training program reflects current privacy safeguarding requirements. Works with the Human Resources Director to maintain documentation of the training provided. +* Maintain a program promoting the reporting of non-compliance with established privacy policies and procedures. +* Promote an open communication system encouraging staff members, customers, and vendors/business associates to express and report concerns or problems related to privacy policies and procedures. 
+* Ensure prompt, proper, and consistent investigations as well as consistent and appropriate sanctions are provided against workforce members who fail to comply with Datica’s privacy policies and procedures; takes appropriate steps to prevent recurrence. +* Mitigate to the extent practicable, any harmful effect known to the organization of a use or disclosure of protected information in violation of the organization’s or business associate’s policies and procedures. +* Monitor, audit, and reinforce compliance with the law and Datica’s privacy policies and procedures. +* Report privacy efforts and incidents to the CSO or delegate in a timely manner. +* Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected information or in locations where it may be accessed. + +In regards to data regarding EU citizens the DPO will have the following responsibilities: + +* to inform and advise the controller or the processor and the employees who carry out the processing of their obligations pursuant to the EU GDPR and to other Union or Member State data protection provisions; +* to monitor compliance with the EU GDPR, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits; +* to provide advice where requested as regards the data protection impact assessment and monitor its performance; +* to cooperate with the supervisory authority; +* to act as the contact point for the supervisory authority on issues relating to processing, including prior consultation with a supervisory authority, and to consult, where appropriate, with regard to any other matter. 
+ +### Support Engineer + +* Field customer support tickets in Customer Ticketing Tool +* Responsible for notification to customers regarding change plans, maintenance, or other issues that may affect production cloud environment. This may be delegated to another Datica Customer Support role dependent on scenario. +* Provide updates to Customer Support Manager regarding customer environment status +* Coach and provide guidance for customers migrating to Datica hosted environment + +### Engineer + +* Add or remove containers and virtual machines in production and non-production cloud environments +* Add or remove computing resources located in production and non-production cloud environments +* Control access to data flow +* Evaluate network performance issues +* Configure and maintain virtual infrastructure +* Manage membership and maintain documentation regarding Datica security groups +* Create, modify, delete, and disable system accounts +* Investigate and respond to support tickets in Project Management Tool +* Maintain updated network diagrams, inventory, and port/protocol/service documentation +* Support remote access to Datica cloud environments +* Manage and maintain network infrastructure, system interconnections, and build standards +* Manage, support, and maintain IDS +* Develop and implement change plans +* Develop, document, and disseminate access control procedures +* Install, configure, document and maintain Datica Platforms and Technologies + +### Developer + +* Investigate and respond to tickets in Project Management Tool +* Develop and maintain application repository +* Maintain updated documentation and diagrams regarding key management system +* Document and maintain network diagrams and the flow of data +* Develop and complete code migration and change plans + +### Customer + +Responsible for installing and administering servers (where needed), databases, and applications hosted in the Datica production hosting environment +* Responsible for 
notifying Datica of any performance or availability issues affecting their environment +* Send support tickets and requests to Datica through Customer Ticketing Tool +* Authorize, establish, and manage access, accounts, and permissions to their cloud environment diff --git a/docs/theme-configuration.md b/docs/theme-configuration.md deleted file mode 100644 index 07cef20..0000000 --- a/docs/theme-configuration.md +++ /dev/null 
@@ -1,88 +0,0 @@ ---- -title: Theme configuration -date: 2018-09-15 07:42:34 -slug: theme-configuration ---- - -## Changing logo -Since there is a bright and a dark theme in Jamdocs, you will need two logotypes. Just replace the two svg files in `src/assets/img` where the dark on is named `logo-dark.svg` and the bright one is named `logo-bright.svg`. If you can´t provide SVG logos, you can just change the file format to for example PNG in line 5 and 10 `src/components/Logo.vue`. - - -## Adding icons -If you need to use icons somewhere in the theme, you can use any icon from [Feather Icons](https://feathericons.com/) as a component. All that is needed is that you import the icon in the component you want to use it like i do it in the theme switcher component: - -```javascript -import { MoonIcon, SunIcon } from 'vue-feather-icons' - -export default { - components: { - MoonIcon, - SunIcon - }, -... -``` - -And then the icon can be used like this: - -```html - -``` - -## Changing colors -To change the theme colors you need to edit the file `src/assets/scss/config/_colors.scss`. When you open the file for the first time it will look like this: - -```scss -// Dark theme -$backgroundDark: #18191a; -$sidebarDark: #2a2c2f; -$textDark: #fff; - -// Bright theme -$backgroundBright: #fff; -$sidebarBright: #f3f4f5; -$textBright: #2a2c2f; - -// Brand -$brandPrimary: #10c186; -``` - -## Changing font -Jamdocs uses Source Sans Pro by default. I chose to embed the font in the project to increase page speed. To change the font, you just install another Google Font as a dependency, lets say you want Open Sans: - -```bash -yarn add typeface-open-sans -``` - -Then, on line 7 in `src/main.js` you change the line to: - -```javascript -require('typeface-open-sans') -``` - -Now you can go to line 12 in `src/assets/scss/globals.scss` and change that line to: - -```scss -font-family: 'Open Sans', sans-serif; -``` - -You're done! 
- -## Edit the sidebar - -To edit the sidebar, open the file `data/settings.json`. In this file you will find global theme settings as objects and arrays. The sidebar is edit by adding an sections. A section object looks like this: - -```json -{ - "section": "Introduction", - "topics": [ - { - "title": "Getting started", - "slug": "getting-started" - } - ] -} -``` - -The section contains a name, in this case "Introduction", and following the name is an array called topics. Each topic resembles a markdown file in `docs` and contains the title you want that file to have in the sidebar, as well as the slug for routing. - -For each topic the markdown is scanned for h2 headings, which is added as anchor links right below the topic in the sidebar. \ No newline at end of file diff --git a/gridsome.config.js b/gridsome.config.js index 8184348..98c4187 100644 --- a/gridsome.config.js +++ b/gridsome.config.js @@ -16,8 +16,8 @@ function addStyleResource (rule) { } module.exports = { - siteName: 'Jamdocs', - siteUrl: 'https://jamdocs.netlify.com', + siteName: 'Datica Open-Source Compliance Policies', + siteUrl: 'https://policy.datica.com', templates: { Doc: '/:slug', }, @@ -37,7 +37,7 @@ module.exports = { { use: '@gridsome/plugin-google-analytics', options: { - id: (process.env.GA_ID ? process.env.GA_ID : 'XX-999999999-9') + id: (process.env.GA_ID ? process.env.GA_ID : 'UA-60319203-4') } }, { diff --git a/netlify.toml b/netlify.toml index a4a48c1..fc03730 100644 --- a/netlify.toml +++ b/netlify.toml @@ -2,4 +2,11 @@ command = "gridsome build" publish = "dist" [build.environment] - NODE_VERSION = "10" \ No newline at end of file + NODE_VERSION = "10" + + # Redirect policy domain to datica policy page +[[redirects]] + from = "https://policy.datica.com/*" + to = "https://datica.com/policy" + status = 301 + force = true diff --git a/package.json b/package.json index 1239feb..40b7ce8 100644 --- a/package.json +++ b/package.json 
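Review bot: The fallback in `id: (process.env.GA_ID ? process.env.GA_ID : 'UA-60319203-4')` replaces a dummy placeholder with what looks like a real Google Analytics property, so every fork, local `gridsome develop` run or preview build that does not set `GA_ID` will report page views into that property. A GA ID is not a secret (it ships to every browser), so this is a data-hygiene and fork-safety concern rather than a leak, but it is better to register the plugin only when the variable is present, e.g. `...(process.env.GA_ID ? [{ use: '@gridsome/plugin-google-analytics', options: { id: process.env.GA_ID } }] : []),`. If the default must stay, a one-line comment such as `// default GA property: override with GA_ID for forks/previews` would at least make the behaviour visible. The enclosing `plugins` array starts and ends outside the hunk.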
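Review bot: The new `[[redirects]]` block with `from = "https://policy.datica.com/*"`, `status = 301` and `force = true` redirects every request on the policy domain, which defeats the `gridsome build` output still published from `dist` and contradicts `siteUrl: 'https://policy.datica.com'` set in gridsome.config.js in the same commit. Because `to = "https://datica.com/policy"` has no `:splat`, every deep link (for example `/policies`) collapses onto one page; if paths are meant to survive, use `to = "https://datica.com/policy/:splat"`. A forced 301 is also cached indefinitely by browsers, so it is hard to undo later; if the move is provisional, use `status = 302` until the new location is final. I am inferring the intent from the two files, so confirm whether the domain is being retired or merely mirrored.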
@@ -1,6 +1,9 @@ { "name": "jamdocs", "private": true, + "engines": { + "node": "10.x" + }, "scripts": { "build": "gridsome build", "develop": "gridsome develop", @@ -14,7 +17,7 @@ "@gridsome/transformer-remark": "^0.3.4", "gridsome": "^0.7.0", "gridsome-plugin-algolia": "^2.1.1", - "typeface-source-sans-pro": "^0.0.54", + "typeface-inter": "^3.10.0", "vue-feather-icons": "^4.22.0", "vuex": "^3.1.1" }, diff --git a/src/assets/img/logo-bright.svg b/src/assets/img/logo-bright.svg index 79207d5..7c79afd 100644 --- a/src/assets/img/logo-bright.svg +++ b/src/assets/img/logo-bright.svg @@ -1,5 +1,3 @@ - - - - + + diff --git a/src/assets/img/logo-dark.svg b/src/assets/img/logo-dark.svg index 9c45b66..93db271 100644 --- a/src/assets/img/logo-dark.svg +++ b/src/assets/img/logo-dark.svg @@ -1,5 +1,3 @@ - - - - + + diff --git a/src/assets/scss/config/_colors.scss b/src/assets/scss/config/_colors.scss index c3c9b87..7daff91 100644 --- a/src/assets/scss/config/_colors.scss +++ b/src/assets/scss/config/_colors.scss @@ -4,9 +4,9 @@ $sidebarDark: #2a2c2f; $textDark: #fff; // Bright theme -$backgroundBright: #fff; -$sidebarBright: #f3f4f5; -$textBright: #2a2c2f; +$backgroundBright: rgb(245, 245, 245); +$sidebarBright: #ececec; +$textBright: #1d1d1f; // Brand -$brandPrimary: #10c186; +$brandPrimary: #00c4b3; diff --git a/src/assets/scss/globals.scss b/src/assets/scss/globals.scss index c80da78..135065a 100644 --- a/src/assets/scss/globals.scss +++ b/src/assets/scss/globals.scss @@ -4,12 +4,14 @@ @import 'config/functions'; @import 'prism'; +$sidebarWidth: 300px; + html { scroll-behavior: smooth; } body { - font-family: 'Source Sans Pro', sans-serif; + font-family: 'Inter', sans-serif; margin: 0; padding: 0; line-height: 1.7; 
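Review bot: The added `"engines": { "node": "10.x" }` (mirroring `NODE_VERSION = "10"` in netlify.toml) pins the build to a Node major that is by now end-of-life and receives no security fixes, so the build toolchain and any server-side `gridsome develop` usage run on an unpatched runtime. If Gridsome 0.7 genuinely requires Node 10, say so next to the pin; otherwise widen it to the newest line the toolchain supports, e.g. `"node": ">=10"`, and bump the Netlify setting in the same change so the two declarations do not drift.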
@@ -52,10 +54,21 @@ h1 { margin-top: 0; @include respond-above(md) { - font-size: 4rem; + font-size: 3.5rem; } } a { color: $brandPrimary; -} \ No newline at end of file +} + +.mask { + &-bottom { + mask: linear-gradient(0deg, rgba(0,0,0,0) 3%, rgba(0,0,0,1) 20%); + -webkit-mask: linear-gradient(0deg, rgba(0,0,0,0) 6%, rgba(0,0,0,1) 13%); + } + &-top { + mask: linear-gradient(180deg, rgba(0,0,0,0) 3%, rgba(0,0,0,1) 20%); + -webkit-mask: linear-gradient(180deg, rgba(0,0,0,0) 6%, rgba(0,0,0,1) 13%); + } +} diff --git a/src/components/GitLink.vue b/src/components/GitLink.vue index b02311a..62ef4e9 100644 --- a/src/components/GitLink.vue +++ b/src/components/GitLink.vue @@ -1,5 +1,5 @@
@@ -16,6 +16,10 @@