We have created a general information security policy and specific policies for related topics and are working to put them in place. These policies are necessary to set up secure processes and demonstrate our compliance with industry standards towards our customers. You can also find the annual acknowledgment forms here.
Because we all must follow our security policies, we have set up GoogleForms that you can fill out and submit. Use the following three checklists to set yourself up securely:
- Policy Acknowledgment, an acknowledgment of our current policies. Mandatory to complete annually by all employees
- Security configuration a checklist to set up a basic secure configuration of your tools. Mandatory to complete annually by all employees.
Overall Management intention on security and baseline for our security management system.
Rocket.Chat places a great emphasis on protecting its information. Such information includes e.g. information we manage on behalf of our customers, personnel files, and our intellectual property.
At Rocket.Chat, we aim to ensure at all times that the information we manage is appropriately secured to protect against the consequences of breaches of confidentiality, failures of integrity or interruptions to the availability of that information.
Our objectives are:
- We will meet all applicable requirements in properly protecting our information, including laws, regulations, industry standards, and contractual commitments
- The protections we apply to information assets will be in proportion to the value and sensitivity of the information, and will balance the sensitivity of the information against the cost of controls, the impact of the controls on the effectiveness of business operations, and the risks against confidentiality, integrity and availability of the information
- We will ensure that these controls are accepted by all employees, vendors, service providers, representatives, and associates of our company who may have access to our information. This includes ensuring that all personnel at all levels are aware of, and are held accountable for safeguarding information assets.
- We will identify and mitigate any breaches to this policy.
- We aim to improve our security practices over time continually.
This information security policy provides management direction and support for information security across the organization. Specific, subsidiary information security policies, procedures and guidelines are considered an integral part of this information security policy, because only when followed in its entirety, we can ensure the objectives of this policy are met. This policy has been ratified by Rocket.Chat´s management team and forms part of its policies and procedures. It is applicable to and will be communicated to our staff, contractors, students and other relevant parties.
Everyone handling Rocket.Chat information has the responsibility to keep the information safe, no matter where the information is located. This includes our staff members, contractors, students, etc., but also our suppliers (e.g. those that provide us with our tools to work) and other recipients of that information.
To determine the appropriate levels of security measures applied to information systems, a process of risk assessment is carried out to identify the probability and impact of security failures.
To manage information security within the organisation an information security oversight committee is established, chaired by Rocket.Chat´s Security Lead and consisting of senior members of our relevant teams. The objective of this committee is to ensure that there is clear direction and visible management support for security initiatives. This oversight group shall promote security through appropriate commitment and adequate resourcing.
An information security working party, comprising management representatives from all relevant parts of the organisation, shall devise and coordinate the implementation of information security controls. The responsibility for ensuring the protection of information systems and ensuring that specific security processes are carried out shall lie with the head of the department managing that information system.
Specialist advice on information security is available throughout the organization. Any member of the organization can contact his manager or Rocket.Chat´s Security Lead directly.
Rocket.Chat will establish and maintain appropriate contacts with other organizations, law enforcement authorities, regulatory bodies, and network and telecommunications operators.
Violations of our policies will be handled in accordance with the severity of the violation and applicable rules and regulations, including up to termination of the contract for severe violations.
This policy is reviewed and updated regularly to ensure that it remains appropriate in the light of any relevant changes to the law, our other policies or contractual obligations. We will inform relevant parties about the updates.
The implementation of the information security policy shall be reviewed independently of those charged with its implementation.
The following are sub-policies related to specific areas and supplement the general policy.
We maintain a RASCI-chart that contains the responsibilities around information security. Conflicts of interest in these responsibilities must be avoided and tasks that create these conflicts be assigned to different persons. Where this is not possible, compensating controls (e.g. four-eyes principle) should be considered.
Current conflicting roles identified:
- The roles of data protection officer and security lead are currently taken by one person and cases of conflict of interest will be raised to the management team to resolve.
The company maintains relevant contacts with authorities and agencies, those relevant for Rocket.Chat being mostly:
- Data protection agencies
- Open Source Community
In project management, the project leads are responsible to ensure security is properly addressed in a project.
All personnel is screened before entering a position and subject to a Terms of employment, including a duty of confidentiality. The screening process is in relation to the applicable laws and regulations as well as the requirements of the position. All personnel is subject to contractual terms that describe their duties. The Information Security Team ensures that all personnel is aware of Rocket.Chat´s Security policies. Personnel that is leaving Rocket.Chat must certify that all assets have been returned to the company and then will be de-registered from the user directories.
The details of these processes are implemented and the records kept by the Human Resources Team.
An asset is something of value for Rocket.Chat such as, but not limited to, information itself, a device, intellectual property.
This policy cover important security aspects and guidelines that help rocketeers to protect and avoid any misuse of company owned assets.
- Read the rules that are pinned in the office
- Join the Rocket.chat channel to be informed about news
Cryptography is the practice of securing information by transforming it into an unreadable format, which can only be understood by those who have the key to unlock it. Cryptography is used in various applications, such as secure communication, digital signatures, and data protection.
Key management is the practice of protecting and managing the cryptographic keys used in encryption and decryption. It involves generating, storing, exchanging, and revoking keys to ensure that the encryption and decryption process remains secure. Proper key management is essential for maintaining the confidentiality, integrity, and availability of information that is encrypted using cryptographic algorithms. Key management also includes ensuring the authenticity of the keys, so that the right person or entity can access the encrypted information.
Authentication is the process of verifying the identity of a user or system entity. It is a security mechanism that helps to ensure that only authorized individuals or systems are granted access to a particular resource, such as a system, network, or application.
Secure engineering basic principles:
Features or changes involving components that could affect overall system security (e.g. authentication, encryption, access control) should consider the following steps:
- have a thoroughly documented PR explaining the change
- the PR must pass all checks, alerts must be remediated before merging
- be subject to the regular tests (including security tests) before a release and not be introduced after these tests
- should check if documentation needs to be updated and if so, update it
Changes to assets should only occur when a change is necessary. All changes must be controlled. All changes related to source code must occur through the authorized version control system (e.g. GitHub). In case a change is urgent, the change control process may be shortened by decision of management, in order to mitigate potential damages to the organization.
For access to customer data, you must adhere to the following:
You may only access customer data if
- The customer specifically requests it (e.g. support request) or
- When it is necessary for us to fulfill our contractual obligations (e.g. to act proactively to prevent an instance from failing)
Access is strictly limited to the data needed to fulfill the request. You may not access data of other customers. No customer data may be extracted unless this is strictly requested by the customer. All data extracted must be stored safely and deleted when it is no longer necessary.
You must terminate the session immediately after the reason for your access has been resolved. You must as soon as possible inform the customer of the outcome of your access.
An incident is any event that has the potential to affect the confidentiality, integrity or availability of Rocket.Chat information, in any format, or IT systems in which this information is held. Violations of laws, policies, contractual obligations or also external requests should also be considered as incidents in this sense.
Examples of incidents include:
- Lost devices
- A suspicious and successful log in
- Malware incident
- Ransomware attack
- Email with confidential data sent to wrong recipient
- Law enforcement requests to disclose data of customers
The Rocket.Chat's incident response plan is an internal Document that can be found here: Incident Response Plan
All Systems procured must comply with defined information security requirements. Those requirements are defined before a procurement decision is made.
The Information Security Team will audit the design and implementation of these policies on a regular basis, with a focus on risks identified in the risk management process. Where a potential conflict of interest takes place, the audit will be delegated to another individual with such conflict or other compensating controls be taken.