Usermuse Security Policy

Effective Date: 9/12/2024
Version: 1.0.1

Introduction

At Usermuse, we are committed to safeguarding the confidentiality, integrity, and availability of our systems and the data entrusted to us. This security policy outlines our approach to integrating security best practices into our Secure Software Development Lifecycle (SSDLC) in a manner that is both practical for our team’s stage of development and reassuring to our stakeholders.


1. Security Roles and Responsibilities

  • Security Lead: Responsible for reviewing all incoming vulnerabilities and scheduling all security activities.
  • Developers: Responsible for implementing security controls and following best practices.
  • All Team Members: Must adhere to this security policy and report any security concerns promptly.

2. Security Awareness and Training

  • All team members will receive orientation on this secure development policy, as well as well-regarded training and resources from which they can learn more about secure development practices.
  • Team members will stay informed about security best practices and discuss any concerns during regular meetings.

3. System Criticality and Information Classification

  • System Criticality Level: Moderate. Usermuse handles sensitive user research data that is critical to our clients but does not constitute a critical part of their infrastructure.
  • Information Classification:

    • Confidential: User transcripts, AI analysis outputs.
    • Internal Use: System configurations, internal communications.
    • Public: Marketing materials, publicly available information.

4. Secure Software Development Lifecycle (SSDLC) Practices

4.1 Define Security Requirements
  • Security requirements will be identified at the start of each project or feature development.
  • Compliance with relevant regulations (e.g., GDPR) will be ensured.

4.2 Threat Modeling
  • Consider potential security threats whenever designing new features.
  • Regularly review and document threats in key areas such as API integrations, component libraries, data storage, and authentication mechanisms.

4.3 Secure Coding Practices
  • Follow established secure coding standards and guidelines.
  • Perform manual and automated security code reviews on a periodic basis.
  • Implement peer code reviews whenever possible, and especially when significant code changes are made.
  • Use pull requests and code review tools integrated with our development workflow.

4.4 Static Application Security Testing (SAST)
  • Use standard, proven automated code security assessment tools to perform SAST and SCA during development.
  • Address high-priority vulnerabilities before code is deployed.
  • Document lower-priority issues for scheduled mitigation.

4.5 Dynamic Application Security Testing (DAST)
  • Employ industry-proven tools to perform DAST on deployed applications.
  • Remediate any discovered issues in a timely manner according to their priority.

4.6 Testing and Validation
  • Have a penetration test performed by an external party at least once a year.
  • Create test data that does not include real user data.
  • Investigate discovered vulnerabilities and schedule them for remediation according to their severity level (see Section 5, Vulnerability Management).

5. Vulnerability Management

5.1 Vulnerability Scanning
  • Regularly scan for vulnerabilities in code and dependencies, using both IaaS and IaC tools.
  • Monitor for new vulnerabilities in third-party components.

5.2 Patch Management
  • Keep all systems and dependencies up to date with the latest security patches, prioritized by their assessed severity level.
  • Schedule time in sprints for high-priority updates to dependencies and libraries.

5.3 Incident Response
  • Identify and assess the incident promptly to determine its scope and impact.
  • Contain and mitigate the issue as soon as possible to prevent further harm.
  • Notify all team members and affected clients as necessary, without delay.
  • Investigate the root cause and resolve the incident efficiently.
  • Review the incident afterward to improve our security measures and prevent recurrences.

6. Third-Party Dependencies and APIs

  • Assess the security posture of third-party APIs and services before integration.
  • Use API services securely, following industry best practices.
  • Ensure secure handling of API keys and secrets using Dotenv and secure environment variable management.

7. Change Management

  • Document all significant changes to the system.
  • Use version control (e.g., Git) to manage code changes.
  • Review security implications during the planning of new features or changes.

8. Security Monitoring and Logging

  • Implement logging of security-relevant events using proven industry tools while respecting user privacy.
  • Regularly review logs for unusual activity.

9. Data Protection and Privacy

  • Encrypt sensitive data in transit and at rest.
  • Limit access to confidential data to authorized personnel only.
  • Comply with data protection regulations relevant to our operations.

10. Compliance and Regulatory Requirements

  • Stay informed about and comply with all applicable laws and regulations.
  • Conduct annual reviews to ensure ongoing compliance.

11. Security Review and Continuous Improvement

  • Perform annual third-party penetration testing.
  • Periodically review and update this security policy to reflect changes in technology and the threat landscape.
  • Encourage team members to suggest improvements to security practices.

Approved By

Eran Dror 
September 12, 2024
v.1.0.1

NOTE: This security policy is intended to be a living document and will be reviewed and updated as needed to adapt to new challenges and technologies.