Security Measures
This Security Measures Addendum is incorporated into and is subject to the terms and conditions located at https://chord.co/legal/terms. Chord will implement and maintain the security measures set out herein. Chord may update or modify such Security Measures from time to time provided that such updates and modifications do not materially decrease the overall security of the Services.
- Organizational management and dedicated staff responsible for the development, implementation and maintenance of Chord’s information security program.
- Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Chord’s organization, monitoring and maintaining compliance with Chord’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
- Data security controls which include at a minimum, but may not be limited to, logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilization of commercially available and industry standard encryption technologies for Personal Data that is:
a. being transmitted by Chord over public networks (i.e., the Internet) or when transmitted wirelessly; or
b. at rest or stored on portable or removable media (e.g., laptop computers, CD/DVD, USB drives, back-up tapes).
- Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).
- Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that Chord’s passwords that are assigned to its employees:
a. be at least eight (8) characters in length;
b. not be stored in readable format on Chord’s computer systems;
c. must be changed every ninety (90) days;
d. must have defined complexity;
e. must have a history threshold to prevent reuse of recent passwords; and
f. newly issued passwords must be changed after first use.
- System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.
- Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Chord’s possession.
- Change management procedures and tracking mechanisms designed to test, approve and monitor all changes to Chord’s technology and information assets.
- Incident / problem management procedures designed to allow Chord to investigate, respond to, mitigate and notify of events related to Chord’s technology and information assets.
- Network security controls that provide for the use of enterprise firewalls and layered DMZ architectures, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
- Vulnerability assessment, patch management and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
- Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recover from foreseeable emergency situations or disasters.