Introduction
The purpose of this Brytemove Energy Security Statement is to provide the recipient with an understanding of the Information Security and Contingency Planning infrastructure in place at Brytemove. The information contained in this Security Statement is for informational purposes only. This Security Statement is not intended to add to or change any agreement between Brytemove and its clients. Brytemove Energy reserves the right to make changes to this Security Statement and the topics covered at any time without notice to existing or prospective clients, unless otherwise stated in a written agreement.
Sub-Service Organization
Brytemove Energy contracts with other third-party hosting services. This Security Statement only addresses Brytemove Energy’s Information Security infrastructure and does not address or include descriptions of the sub-service organizations’ information security and contingency planning infrastructure. For information on our sub-service partnerships' privacy agreements, please visit: [INSERT_URL_HERE]
Managerial Controls
Information Security Staff
Brytemove Energy employs its own staff with knowledge in security infrastructure, networking, cloud governance, and Identity and Access Management. Staff are responsible for prevention, monitoring, testing and remediation. The Manager of Information Technology is responsible for security management and oversees information security practice.
Security Policies, Standards, and Maintenance
This Security Statement summarizes many of Brytemove Energy’s security practices but is not an exhaustive list. Brytemove Energy has a formally documented set of policies specific to certain criteria. These policies have been approved and adopted by management and are published for all Brytemove Energy employees to review. As part of their employment with Brytemove Energy, employees must agree to comply with these policies. Security policies are reviewed on an annual basis for changes reflecting new technologies and business processes.
Security and Awareness
Brytemove Energy supports its policies during new employee orientation as well as through “alertness” emails. Each employee undergoes a series of security and awareness training sessions at the time of hiring.
Employee Provisioning and Termination
Each position at Brytemove Energy has a specific job description and modifier that allows the proper level of access (role-based access control (RBAC)) to be granted to the employee. Formal termination procedures, which apply to all employees when their employment with Brytemove Energy ends, require immediate disabling of their access. All provisioning and de-provisioning is managed and logged in the Brytemove Identity and Access Management system for quality assurance and auditing purposes.
Data Privacy Team
Brytemove Energy does not have a Data Privacy team.
Operational Controls
Physical Access Controls
Brytemove Energy uses a combination of video surveillance, electronic door badge access and physical keys to secure its server room and office building. Motion-detection and time-based video recording is deployed in the garage bay and IT storage room.
Environmental Protections
Brytemove Energy deploys fire extinguishers, smoke detectors and battery backup systems to deter and provide uninterrupted power to the server room.
Change Management
Brytemove Energy maintains a formal change control system and process. All items are scheduled and approved by the proper management chain of command. The change control system is in place to track questions, requests, approvals, accountability, and emergency break-fix. All formal changes to any production environment require testing in sandbox or through preproduction variables before submission into production.
Audit and Log Review
Brytemove Energy reviews system logs as needed. Logs are generated daily, weekly and/or monthly and reviewed on an as-needed basis. Logs are retained as long as required by law or by our sub-service organization agreements.
Risk Management
Brytemove Energy risk assessment is conducted and reviewed by the Information Security staff. The staff also provides identification and remediation to lessen risks. Executive management also composes the Risk Management system and provides further guidance on the business level.
Business Continuity
Brytemove Energy has multiple data storage warehouses storing computing resources. We rely on our sub-service organizations' redundancy and geographically dispersed data centers along with our on-prem storage to provide comprehensive business continuity.
Incident Response Procedure
Brytemove Energy does not have an Incident Response Procedure.
Compliance Efforts
Brytemove Energy makes every attempt to follow all applicable and outstanding laws and regulations governing information security and industry-specific compliance.
Third-Party Risk Management
Brytemove Energy maintains a list of current software vendors and acknowledges the potential risks. Please see the list of software vendors: [INSERT_URL_HERE]
Technical Controls
Network Infrastructure
Brytemove Energy employs an SMB (Small-Medium Business) class deployment of routers, switches, firewalls, and access points that are managed and restricted by the networking team. The overall network is designed to use isolated sub-networks between internal and external facing segments. Brytemove Energy provides a secure wireless network and guest network for internet access.
Internet and Remote Access
Brytemove Energy has multiple internet carriers to support redundancy. Ingress/egress to the internet is protected by an SMB-class firewall. The firewall infrastructure provides egress URL filtering, file blocking, Gateway Antivirus, IPS, spam Blocker and Web Blocker. The firewall also includes a VPN solution, but part of Brytemove Energy’s policy is to not allow VPN connections. Dial-up is not deployed in the environment and is forbidden.
Application Security and Development
Currently Brytemove Energy does not develop or deploy its own in-house applications.
Information Security
Brytemove Energy's security is generally modelled after the ISO-27001 standard. Security infrastructure, processes and procedures are implemented and maintained to achieve this standard. These security controls are evaluated for gaps or advancement in technology that could be addressed.
Security Controls
Inventory of Authorized and Unauthorized Devices
Brytemove Energy uses asset discovery tools, network access controls, security agents, vulnerability assessments and audits to maintain control over corporate devices.
Inventory of Authorized and Unauthorized Software
Brytemove Energy uses an enterprise software delivery system, census tooling, least access principle and software licensing process to control software installations.
Password Configuration
A formal password policy is enforced on all platforms and devices. The corporate password policy requires a minimum length of 8 characters, and passwords must be made up of three out of these four items: lowercase letters, uppercase letters, numbers, and symbols. This password policy does not force periodic password expirations, and you cannot reuse the most recently used password when changing the password. Initial and temporary passwords must also follow this requirement and be changed at first login. Passwords are encrypted in transit and in storage per sub-service organization agreement.
Secure Configurations for Hardware and Software on Workstations and Servers
Endpoints are configured with an approved OS launch point and can be reset to the preferred IT configuration when necessary. Microsoft Identity Management is used to deploy and maintain security configurations on workstations. Audits are done to maintain proper security settings.
Secure Configurations for Network Devices
Network devices are configured to industry guidelines set by our SMB's
Boundary Defense
Brytemove Energy uses Small-Medium Business class firewalls in its boundary defenses. The firewall uses multiple technologies such as antivirus, IPS, and data leak prevention.
Maintenance and Monitoring of Audit Logs
Brytemove Energy does not employ a central repository log system for events in production. Production environments contain their own logs that can be verified and audited individually.
Application Software Security
Brytemove Energy does not perform web application penetration testing and automated vulnerability assessments against external facing applications.
Application Development
Brytemove Energy does not develop its own application systems.
Controlled Use of Administrative Privileges
Brytemove Energy strictly controls the use of administrative privileges. Corporate assets are not deployed with users having extraordinary rights. Yearly audits are used to control any rights that were granted and not later revoked. Administrative accounts are secured in an electronic password vault, which requires a secret token.
Access Control
Brytemove Energy access control measures authorize privileges no higher than necessary to accomplish required organizational and business functions. Brytemove Energy applies the principle of least privilege to the development, implementation, and operation of its systems. Security functions include establishing system accounts and configuring access authorizations which include permissions and privileges.
Controlled Access Based on Need to Know
Brytemove Energy uses Role-Based Access Controls to provision access based on the least access principle. Executive management and the IT Security team are established for administering proper rights.
Separation of Duties
Brytemove Energy
Vulnerability Assessment and Remediation
Brytemove Energy uses a formal vulnerability assessment for patch management. The criticality of the findings from the assessment is used to determine system patches.
User Account Monitoring and Control
Malware Defenses
Malware defense is deployed on all endpoints. Daily scans on endpoints and real-time scans of files are run continuously.
Limitation and Control of Network Ports, Protocols and Services
Brytemove Energy uses host-based firewalls and proper guidelines to limit and control network ports and services.
Wireless Device Control
All wireless devices are controlled and connected to our Identity and Access Management system and need to be in a compliant state.
Data Loss Prevention
Full Disk encryption is issued on all Brytemove Energy endpoints.
Contact Information
To suggest changes or submit corrections to this document, please contact:
Brytemove Energy
Attention: IT Services
1451 Edinger Ave.
Unit D
Tustin, CA 92780