Information Security Management System
SOC 2 Criteria: CC1.2, CC1.3, CC2.1, CC5.1, CC5.2, CC5.3
ISO 27001 Requirements: 6.2
ISO 27001 Annex A: A.5.1.1, A.6.1.5, A.6.2.1, A.6.2.2, A.7.1.2, A.7.2.2, A.7.2.3, A.7.3.1, A.11.2.8, A.11.2.9, A.12.6.1, A.18.1.2
Keywords: Corrective action, Security training, Clean desk
Purpose
Bramble has adopted the ISO/IEC 27001:2013 standard for our information security management system (ISMS) to provide Bramble team members and customers with a high level of assurance on the robustness of our information security policies, standards and procedures, and the strength of our control environment. The purpose of this document is to define the boundaries and objectives of Bramble’s ISMS.
Scope
The scope of Bramble’s ISMS is limited to the resources that directly support the Brmbl.io SaaS application.
Assets
Assets within the scope of the ISMS include: customer data, software, people, and the internal information assets used to host and operate the cloud-based solution.
Excluded from Scope
As an all-remote company, there are no physical office locations in the scope of the ISMS. Third-party data center operations and physical hardware assets are not in scope; they are managed by the third-party service provider.
Locations
Bramble’s headquarters mailing address is in scope and covers all sub-organizations. Please note this is a mailing address only; there is no physical location to visit:
- Bramble Group, Corp., 16192 Coastal Highway, Lewes, Delaware 19958, USA.
Organizational Units
Business functions included in the scope of the ISMS include:
- Engineering - CTO, Security team
- People Operations - COO
- Legal - CEO
Interested Parties
- Customers
- Team Members
- Shareholders/owners of the business
Implementation Manual
Leadership
Bramble is committed to information security. The general objective for the ISMS is to protect Bramble’s confidential information and assets against new and existing security and privacy risks while maintaining confidentiality, integrity and availability. Objectives for individual security controls are inherited from the in-scope security standards and regulations, which are: ISO 27001, SOC 2 Type 2 (Security) and PCI DSS Level 1.
The ISMS council, comprised of Security and Privacy leadership, shall meet at least annually to discuss the state of the ISMS and measure the fulfillment of all ISMS objectives. The following topics will be covered:
- Review of membership and objectives
- ISMS Internal Audit Results
- Significant controlled document updates
- Results of the Annual Security Risk Assessment
- Changes to Risk Heatmap (trends)
- Output from Continuous Control Monitoring
- Observations (corrective and preventive actions, CA/PAs)
- Changes that could affect the ISMS
- Feedback and improvements
- ISMS inputs and outputs
ISMS Roles and Responsibilities
Role | Responsibility |
---|---|
ISMS Council | Oversight, implementation and continual improvement of the ISMS |
CTO | Executive sponsor of the ISMS; coordinate, promote and improve information security; establish information security policy |
Security Officer | Reporting on the performance of the information security management system to top management; security risk assessments and treatment; continuous monitoring and auditing; customer assurance activities; security awareness program; security governance activities |
SIRT | Monitor, manage and report on security incidents; monitor compliance with security policies through technical tools; identify security risks |
DevSecOps | Manage third-party penetration testing and bug bounty programs; provide input to the software development lifecycle; manage the application and infrastructure vulnerability programs; administer the security champions program; maintain application and infrastructure security tools; identify security risks |
Other ISMS Business units | Implement, operate and/or administer information security requirements; remediate information security findings; collaborate with the Security Team |
All Bramble Team Members | Awareness of responsibilities as it relates to information security; adherence to information security controlled documents; reporting of suspected security violations |
Planning
Bramble is implementing a formal Operational Risk Management program to identify, rank, track, and treat cybersecurity, IT, and privacy operational risks in support of Bramble’s organization-wide objectives. The process for selecting in scope information security controls is executed by the Security Compliance team.
Support
Bramble has implemented a formal security awareness training program that includes: new hire security awareness training, global annual security awareness training and annual targeted phishing exercises. These trainings are administered via a third party portal (Drata) and include a quiz to test understanding of the security topics presented.
A formal controlled document procedure is in place to ensure consistency in developing and maintaining controlled documents at Bramble, using a hierarchical approach. All controlled documents are available to all Bramble team members and the public via the Bramble handbook unless otherwise noted. Updates to controlled documents are managed via Merge Requests, which are also accessible to all Bramble team members for the entire workflow. An annual review of controlled documents is required by the ISMS owner or an assigned representative.
Operations
The Bramble team handbook is the central repository for how we run the company. Everything at Bramble is handbook first, including the development of company policies, standards and procedures. Key controlled documents that support the ISMS include:
- Data Classification Standard
- Internal Acceptable Use Policy
- Security Policies
- Code of Conduct and Business Ethics Policy
- Infrastructure Change Management Procedure
- Security Operational Risk Management Procedure
Bramble’s Security Officer is responsible for monitoring design and effectiveness of our security controls to ensure Bramble’s security objectives are thoughtfully planned, implemented and monitored.
If a third-party service is used to outsource or supplement security processes, a third-party risk assessment is executed prior to onboarding. Critical vendors are also reviewed once per calendar year after onboarding, or at contract renewal, whichever comes first.
Performance
Bramble monitors, measures, and improves security controls through various continuous monitoring measures, such as:
- Continuous control testing and annual ISMS internal compliance audits
- External audits (SOC 2 Type 2)
- Annual security operational risk assessments
- Annual third-party penetration testing
- Infrastructure Vulnerability scanning
- Application Vulnerability Scanning
- Audit log monitoring
- ISMS Council (annual management review)
Intellectual Property Rights
Bramble takes the handling and safeguarding of intellectual property very seriously. Intellectual property rights include software or document copyright, design rights, trademarks, patents and source code licenses. See the Intellectual Property Rights Procedure.
Disciplinary Process
Bramble’s discipline policy and procedures are designed to provide a structured corrective action process to improve and prevent a recurrence of undesirable employee behavior and performance issues. It has been designed to be consistent with Bramble cultural values, Human Resources (HR) best practices, and employment laws.
Enforcement
Bramble Management, under the explicit authority granted by the company CEO, retains the authority and responsibility to monitor and enforce compliance with this Policy and other policies, standards, procedures, and guidelines. Monitoring activities may be conducted on an on-going basis or on a random basis whenever deemed necessary by Management and may require investigating the use of the Company’s information resources. The company reserves the right to review any and all communications and activities without notice.
Bramble will take appropriate precautions to ensure that monitoring activities are limited to the extent necessary to determine whether communications or activities violate Company policies, standards, procedures, and guidelines, or to support normal business processing, performance, or quality activities.
Violation of the controls established in this Policy is prohibited and will be appropriately addressed. Disciplinary actions for violations may include verbal and/or written warnings, suspension, termination, and/or other legal remedies and will be consistent with our published HR standards and practices.
Exceptions
Exceptions to Information Security policies or procedures will be tracked as per the Information Security Policy Exception Management Process.
References
- ISO/IEC 27001:2013
- ISO/IEC 27002:2013