Security Policy

Last updated: July 25, 2023

Onerep LLC maintains the following set of security policies:

  • Information Security Policy communicates Onerep LLC's information security policies and outlines the acceptable use and protection of Onerep LLC's information and assets.
  • Data Classification Policy defines five data classes and the rules for assigning data to them.
  • Data Management Policy ensures that information is classified and protected in accordance with its importance to the organization.
  • Cryptography Policy ensures proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
  • Asset Management Policy identifies organizational assets and defines appropriate protection responsibilities.
  • Access Control Policy limits access to information and information processing systems, networks, and facilities to authorized parties in accordance with business objectives.
  • Operations Security Policy ensures the correct and secure operation of information processing systems and facilities.
  • Incident Response Plan defines policy and procedures for suspected or confirmed information security incidents.
  • Secure Development Policy ensures that information security is designed and implemented within the development lifecycle for applications and information systems.
  • Business Continuity and Disaster Recovery Plan prepares Onerep LLC for extended service outages caused by factors beyond our control (e.g., natural disasters, man-made events) and defines how services are restored to the widest extent possible in the shortest possible time.
  • Risk Management Policy defines the process for assessing and managing Onerep LLC's information security risks in order to achieve the company's business and information security objectives.
  • Human Resource Security Policy ensures that employees and contractors meet security requirements, understand their responsibilities, and are suitable for their roles.
  • Physical Security Policy prevents unauthorized physical access or damage to the organization's information and information processing facilities.
  • Third-Party Management Policy ensures protection of the organization's data and assets that are shared with, accessible to, or managed by suppliers, including external parties or third-party organizations such as service providers, vendors, and customers, and to maintain an agreed level of information security and service delivery in line with supplier agreements.

Principles and Concepts

The cybersecurity system of Onerep LLC is designed based on the following principles and concepts:

The Defense-in-depth Concept

Defense in depth combines multiple independent layers of security controls so that the failure of any single control does not by itself lead to compromise. This layering gives Onerep a robust and resilient security posture, reducing both the likelihood and the impact of successful cyberattacks.

The Role-based Access Control (RBAC) Concept

Under RBAC, permissions are assigned to roles rather than to individual users, and users obtain access only through the roles they are assigned. This allows Onerep to simplify access management, improve security, and make access decisions easier to audit.

Mandatory Access Control

Onerep defines three strict hierarchical access levels and maps them to the five data security classes; data of a given class may be accessed only by subjects at or above the level required for that class.
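The following is an added example, not Onerep's own code, showing how the RBAC and mandatory access control concepts above fit together: roles carry a hierarchical level, each data class carries a minimum required level, and a read is allowed only when the role's level dominates the class's level. The level names, class names, role names and the mapping between them are assumptions for illustration; the policy states only that there are three hierarchical levels and five data classes. Unknown roles or classes are denied by default, and every decision is returned in a form suitable for an audit log.

```python
"""Hierarchical MAC check layered on RBAC roles (added example, not Onerep code)."""
from enum import IntEnum


class Level(IntEnum):
    """Three hierarchical access levels. Names are assumed; ordering is what matters."""
    GENERAL = 1
    RESTRICTED = 2
    PRIVILEGED = 3


# Five data security classes mapped to the minimum level required to read them.
# Class names and the mapping are assumptions for illustration.
CLASS_MIN_LEVEL = {
    "public": Level.GENERAL,
    "internal": Level.GENERAL,
    "confidential": Level.RESTRICTED,
    "customer_pii": Level.RESTRICTED,
    "secret": Level.PRIVILEGED,
}

# RBAC: the clearance level belongs to the role, never to the individual user.
# Role names are assumptions.
ROLE_LEVEL = {
    "support": Level.GENERAL,
    "engineer": Level.RESTRICTED,
    "security_admin": Level.PRIVILEGED,
}


def can_read(role: str, data_class: str) -> bool:
    """MAC 'no read up' check.

    A role may read data only if its level is at or above the level required
    by the data class. Unknown roles or classes fall through to deny, which is
    the least-privilege default.
    """
    level = ROLE_LEVEL.get(role)
    required = CLASS_MIN_LEVEL.get(data_class)
    if level is None or required is None:
        return False
    return level >= required


def evaluate(requests):
    """Evaluate (user, role, data_class) access requests.

    Returns one (user, role, data_class, decision) tuple per request so the
    result can be written straight to an audit log; the role, not the user,
    is what the decision is made on.
    """
    return [
        (user, role, data_class, "ALLOW" if can_read(role, data_class) else "DENY")
        for user, role, data_class in requests
    ]


# Constructed sample requests for demonstration.
SAMPLE_REQUESTS = [
    ("alice", "support", "public"),
    ("alice", "support", "customer_pii"),       # read up: denied
    ("bob", "engineer", "customer_pii"),
    ("bob", "engineer", "secret"),              # read up: denied
    ("carol", "security_admin", "secret"),
    ("mallory", "contractor", "internal"),      # unknown role: denied by default
]

if __name__ == "__main__":
    for user, role, data_class, decision in evaluate(SAMPLE_REQUESTS):
        print(f"{decision:5} user={user} role={role} class={data_class}")
```

Because the decision depends only on the role's level and the class's required level, adding a new user never requires touching the access rules, and the audit trail records which role granted or denied each access.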

The Principle of Least Privilege

Under the principle of least privilege, users, services, and processes are granted only the access required to perform their function. This reduces the attack surface and limits the potential damage if an account or system is compromised.

The Principle of Continuous System Improvement

Every incident, including false positives, is analyzed and investigated for its root cause. In addition, the company regularly conducts exercises and drills to test that the security system functions as intended and to identify opportunities for improvement.

Network Security

Onerep implements network segmentation, perimeter protection, firewalling, Web Application Firewall (WAF), and network anomaly detection.

Vulnerability Management

The company performs periodic vulnerability scanning and internal penetration testing, and commissions periodic external penetration testing.

Data Protection

All data, except data classified as public, is encrypted at rest and in transit.

Human Resource Security

Each candidate is screened for connections with competitors and for criminal history. All employees complete cybersecurity training.

Every new employee is assigned to one of six security groups based on several parameters; the group determines their level of access to data, environments, and systems.