DATA SECURITY POLICY

REDN requires all staff at induction to complete Induction/ Compliance training and System training. The process is completed on-line using REDN Help menu and Policy and procedure functions.

Staffs are required to complete the following training:

1. Induction.

Induction training covers REDN IT Security and Policy and Procedures document (ISP) including identifying and check public and private data. The staff member will receive training and support on REDN system and how they relate to our service and legal obligation to keep data confidential.

2. Quarterly review.

REDN has just developed a quarterly review framework where staff that control data will provide a system and security summary to IT Security and IT support on any data risks. While we report quarterly the staffs within the IPPP are required to apply the reporting timetable appropriate for the type of incident. Some matters require immediate reporting.

3. CPD (Continuing Professional Development).

REDN encourages its staff to continue their profession development through 3 main areas/ types of programs. They are as follows:

  1. Face-to-face programs: Attend face-to-face for networking. Our staffs are encouraged to attend face-to-face events but must consider the type and relevance. Our guide to such events include: conferences, skills workshops, emerging issues programs, advanced conferences and CPD programs offered by main stream institutes such as RICS.
  2. Skills workshops: Our staffs are required to attend industry related skills workshops that provide them with hands-on training that will deepen their skills in a specific area.
  3. Specialist Conference: Conference that provide a platform for experienced practitioners to network, share experiences, and support each other in continuing to professional development.

Other CPD activity:

  • Complete the programs online (via EVP Help menu) anytime, ensuring the topics are relevant to their job description and REDN policy.
  • Mentor training, mentor training is encouraged at all levels of the REDN group. Mentor training allows those experienced managers to share knowledge and ideas and to also encourage the team to aspire.

This policy and procedure process will cover our general polices regarding how we deal with our clients and also how to deal with data conflicts, Laws and provide you with the tools you need to implement good data security and data Privacy.

The simple rule we always want you to remember is reach out to the help EVPChatLine at any time you are unsure of what to do with certain data.

Our Induction training policy forms several parts and in a classroom setting and on-line where we test staff from induction in key areas of the policy to ensure they have a correct understanding. Our current Systems Director has a Certificate in Workplace Training and Assessment.

Part 1: Service commitments.

Welcome to Real Estate Data Network Company Limited.

The Services are provided by REDN Co Limited (“REDN”), and the registered office is at 1st Floor, Packsimex Building, 52 Nguyen Du, Ben Nghe Ward, District 1, HCMC. Vietnam. eValPro, Vnanalytics and PropertyCloud are trademark of REDN.

By using our Services, you and our clients are agreeing to these terms.

Our Services are very diverse, so sometimes additional terms or product requirements (including age requirements) may apply. Additional terms will be available with the relevant Services, and those additional terms become part of your agreement with us if they use our Services.

Using our Services

We require our clients to follow any policies made available to them within the Services.

We ask our clients not to misuse our Services. For example, don’t interfere with our Services or try to access them using a method other than the interface and the instructions that we provide. You may use our Services only as permitted by law, including applicable export and re-export control laws and regulations. We may suspend or stop providing our Services to you a client if they do not comply with our terms or policies or if we are investigating suspected misconduct.

Using our Services does not give them ownership of any intellectual property rights in our Services or the content they access. They are not permitted to use content from our Services unless they obtain permission from its owner or are otherwise permitted by law. These terms do not grant them the right to use any branding or logos used in our Services. We ask them to not remove, obscure, or alter any legal notices displayed in or along with our Services.

Our Services display some content that is not eValPro’s. This content is the sole responsibility of the entity that makes it available. We may review content to determine whether it is illegal or violates our policies, and we may remove or refuse to display content that we reasonably believe violates our policies or the law. But that does not necessarily mean that we review content, so we ask our clients to don’t assume that we do.

In connection with their use of the Services, we may send them service announcements, administrative messages, and other information. They may opt out of some of those communications.

Some of our Services are available on mobile devices. We ask they don’t use such Services in a way that distracts them and prevents them from obeying traffic or safety laws.

Your eValPro Account

Our clients need an eValPro Account in order to use some of our Services. They can where permitted create their own eValPro Account, or an eValPro Account may be assigned to them by an administrator, such as their employer. If they are using an eValPro Account assigned to them by an administrator, different or additional terms may apply and their administrator may be able to access or disable their account.

To protect their eValPro Account (just as with yours) keep the password confidential. You and they are responsible for the activity that happens on or through your eValPro Account. Try not to reuse your eValPro Account password on third-party applications. If you learn of any unauthorized use of your password or eValPro Account, contact us immediately. We also ask you study our password recommendation policy.

Privacy and Copyright Protection

eValpro’s privacy policies explains how we treat personal data and protect privacy when our clients use our Services. By using our Services, they agree that eValPro can use such data in accordance with our privacy policies.

We respond to notices of alleged copyright infringement and terminate accounts of repeat infringers according to the process set out in our IT Security and Procedure (ISP) document. We also have regard to the General Data Protection Regulation (GDPR) proposed by the European Commission. (We will bring it to our client’s attention so they to best understand as so will you during your induction training. We also have regard to privacy legislation in the jurisdiction in which our client/ do their business).

We provide information to help copyright holders manage their intellectual property online. If you think somebody is violating a copyright and want to notify us, you can find information about submitting notices and eValpro’ s policy about responding to notices via our EVPChatLine.

Commitment: 

eValPro is committed to protecting your personal information. We believe that our privacy policy represents industry best practice.

If you reside or are located in the European Economic Area (“EEA”) eValPro is the data controller of all Personally Identifiable Information (as defined below) collected via the Site and of certain Personally Identifiable Information collected from third parties, as set out in this Privacy Policy (ISP). If you reside or are located in the EEA, we keep your Personally Identifiable Information for no longer than necessary for the purposes for which the Personally Identifiable Information is processed. The length of time we retain Personally Identifiable Information for depends on the purposes for which we collect and use it and/or as required to comply with applicable laws and to establish, exercise or defend our legal rights.

You have certain rights in relation to your Personally Identifiable Information. You can access your Personally Identifiable Information and confirm that it remains correct and up-to-date or choose whether or not you wish to receive material from us or some of our partners by logging into the Site and visiting your user account page.

If you would like further information in relation to your rights or would like to exercise any of them, you may also contact us via [email protected]. If you reside or are located in the EEA, you have the right to request that we:

  • provide access to any Personally Identifiable Information we hold about you;
  • prevent the processing of your Personally Identifiable Information for direct-marketing purposes;
  • update any Personally Identifiable Information which is out of date or incorrect;
  • delete any Personally Identifiable Information which we are holding about you;
  • restrict the way that we process your Personally Identifiable Information;
  • provide your Personally Identifiable Information to a third party provider of services; or
  • provide you with a copy of any Personally Identifiable Information which we hold about you.

We try to answer every email promptly where possible, and provide our response within the time period stated by applicable law. Keep in mind, however, that there will be residual information that will remain within our databases, access logs and other records, which may or may not contain your Personally Identifiable Information. Please also note that certain Personally Identifiable Information may be exempt from such requests in certain circumstances, which may include if we need to keep processing your Personally Identifiable Information to comply with a legal obligation.

When you email us with a request, we may ask that you provide us with information necessary to confirm your identity.

eValpro’s sites are primarily operated and managed on servers located and operated within Japan. In order to provide our products and services to you, we may send and store your Personally Identifiable Information (also commonly referred to as personal data) outside of the country where you reside or are located. Accordingly, if you reside or are located outside of Japan, your Personally Identifiable Information may be transferred outside of the country where you reside or are located, including to countries that may not or do not provide the same level of protection for your Personally Identifiable Information. We are committed to protecting the privacy and confidentiality of Personally Identifiable Information when it is transferred. If you reside or are located within the EEA and such transfers occur, we take appropriate steps to provide the same level of protection for the processing carried out in any such countries as you would have within the EEA to the extent feasible under applicable law.

Content in our Services

Some of our Services allow our clients to upload, submit, store, send or receive content. They retain ownership of any intellectual property rights that they hold in that content. In short, what belongs to them stays theirs.

When they upload, submit, store, send or receive content to or through our Services, they give eValPro (and those we work with) a worldwide license to use, ‘host’, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights they grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if they stop using our Services. Some Services may offer them ways to access and remove content that has been provided to that Service. Also, in some of our Services, there are terms or settings that narrow the scope of our use of the content submitted in those Services. Make sure they have the necessary rights to grant us this license for any content that they submit to our Services.

If they have an eValPro Account, we may display (with written permission) their Profile name, Profile photo, and actions they take on eValPro or on third-party applications connected to their eValPro Account where they provide an unsolicited review and comments about our Services, including displaying in ads and other commercial contexts. We will respect their choices they make to limit sharing or not reviewing our services.

They can find more information about how eValPro uses and stores content in our ISP or additional terms for particular Services. If they submit feedback or suggestions about our Services, we may that feedback or suggestions without obligation to them.

About Software in our Services

When a Service requires or includes downloadable software, this software may update automatically on their device once a new version or feature is available. Some Services may let them adjust your automatic update settings.

eValPro gives them a personal, worldwide, royalty-free, non-assignable and non-exclusive license to use the software provided to them by eValPro as part of the Services. This license is for the sole purpose of enabling them to use and enjoy the benefit of the Services as provided by eValPro, in the manner permitted by these terms. They may not copy, modify, distribute, sell, or lease any part of our Services or included software, nor may they reverse engineer or attempt to extract the source code of that software, unless laws prohibit those restrictions or they have our written permission.

Open source software is important to us. Some software used in our Services may be offered under an open source license that we will make available to them. There may be provisions in the open source license that expressly override some of these terms.

Modifying and Terminating our Services

We are constantly changing and improving our Services. We may add or remove functionalities or features, and we may suspend or stop a Service altogether.

Our clients can stop using our Services at any time, although we’ll be sorry to see them go. eValPro may also stop providing Services, or add or create new limits to our Services at any time.

We believe that they own their data and preserving access to such data is important. If we discontinue a Service, where reasonably possible, we will give them reasonable advance notice and a get the information out of that Service.

Our Warranties and Disclaimers

We provide our Services using a commercially reasonable level of skill and care and we hope that you will enjoy using them. But there are certain things that we don’t promise about our Services.

Other than as expressly set out in these terms or additional terms, neither REDN or eValPro nor its suppliers or distributors make any specific promises about the Services. For example, we don’t make any commitments about the content within the Services, the specific functions of the Services, or their reliability, availability, or ability to meet your needs. We provide the Services “as is”.

Some jurisdictions provide for certain warranties, like the implied warranty of merchantability, fitness for a particular purpose and non-infringement. To the extent permitted by law, we exclude all warranties.

Liability for our Services

When permitted by law, REDN, eValPro, and eValPro suppliers and distributors, will not be responsible for lost profits, revenues, or data, financial losses or indirect, special, consequential, exemplary, or punitive damages.

To the extent permitted by law, the total liability of eValPro, and its suppliers and distributors, for any claims under these terms, including for any implied warranties, is limited to the amount you paid us to use the Services (or, if we choose, to supplying you the Services again).

In all cases, eValPro, and its suppliers and distributors, will not be liable for any loss or damage that is not reasonably foreseeable.

Business uses of our Services

If you they are using our Services on behalf of a business, that business accepts these terms. It will hold harmless and indemnify eValPro and its affiliates, officers, agents, and employees from any claim, suit or action arising from or related to the use of the Services or violation of these terms, including any liability or expense arising from claims, losses, damages, suits, judgments, litigation costs and attorneys’ fees.

About these Terms

We may modify these terms or any additional terms that apply to a Service to, for example, reflect changes to the law or changes to our Services. They should look at the terms regularly. We’ll post notice of modifications to these terms on this page. We’ll post notice of modified additional terms in the applicable Service. Changes will not apply retroactively and will become effective no sooner than fourteen days after they are posted. However, changes addressing new functions for a Service or changes made for legal reasons will be effective immediately. If they do not agree to the modified terms for a Service, they should discontinue use of that Service.

If there is a conflict between these terms and the additional terms, the additional terms will control for that conflict. These terms control the relationship between eValPro and them. They do not create any third party beneficiary rights.

If they do not comply with these terms, and we don’t take action right away, this doesn’t mean that we are giving up any rights that we may have (such as taking action in the future). If it turns out that a particular term is not enforceable, this will not affect any other terms.

The laws of Vietnam, excluding Vietnam’s conflict of laws rules, will apply to any disputes arising out of or relating to these terms or the Services. All claims arising out of or relating to these terms or the Services will be litigated exclusively in the courts Vietnam, and you and eValPro consent to personal jurisdiction in those courts. [Vietnam only].

For information about how to contact eValPro, please visit our ChatBox.

I have read and understand the terms of Services.

Part 2. Classification Definitions

The company and its directors refer you to the following standards to define data. We have through a variety of sources developed a standard that is to be applied when collecting, storing and sharing data.

Confidential Data

Protection of such information could be required by policy and/or laws or legislation. See section law/s or legislation. This type of information could be strictly protected by provincial or federal statutes or regulations, our policy(ies), or contractual agreement/s and must be protected from unauthorised access, modification, transmission, storage, destruction, or use.

Access to confidential information is restricted to those who have a legitimate purpose for accessing such information, not everyone can access our data and we encourage our clients to implement strict data protocols. Confidential data, is perhaps best described as data if compromised in some form or fashion, is likely to result in significant and/or long-term harm to the company and/or individuals whose data it is.

Sensitive

The major difference between confidential data and sensitive data is the likelihood, duration, and the level of harm incurred. Protection of such information could be recommended by the client’s or provider’s policy and/or law/s or legislation.

Access to Sensitive information should be granted to those who have a legitimate purpose for accessing such information. PLEASE NOTE: Information classified as Sensitive could potentially become classified as confidential if, in the many of the information when put together can then be deemed to reveal personally identifiable information.

Public

Public data is data which is readily available to any member of REDN or to the general public, either upon request or by virtue of its being posted or published through recognised and documented sources and by applying procedures. This type of information has no legal restriction on access or usage.

It may include information collected for the express purpose of public release with the knowledge and consent of the individuals the information is about.

Open data, eValPro primarily deals in open data and while this is the general case we need to be alert as the assumed application that all data is open gets complicated when we consider factors such as access, redistribution, maintenance and structure. When we source data we check copyright provisions on the data or site. See ISP section 12 and 13.

To understand open data the Open lnowledge foundation definition, “Open data and content can be freely used, modified, and shared by anyone and for any purpose.” But more detail is required and the inventor of the World Wide Web, Tim Berners-Lee, who developed a 5-star scale for the quality of open data is as follows:

  1. Make data available online and under an open license
  2. Make it available in a structured format (i.e. excel)
  3. Make it available in an open structured format
  4. Use URIs for denotation
  5. Link data to other data to offer context

The Open Data Institute adds further by providing an open data certificate to verify a data publisher uses best practices to uphold data dependability. These practices include timely data updates, the presence of a data maintainer who provides metadata on changes, and the availability of historical data. Today, there is an implied standard to open data: often structured, machine readable, open licensed and well maintained. Additionally, open data is free. The same does not necessarily hold true for public data. Public data can be defined as all information in the public domain, encompassing anything from a monthly updating dataset on a government data portal to PDF files that are only accessible via Freedom of Information requests (and everything in between).

Data Classification Examples

Confidential Data, in general within the scope of our daily activity can be considered to be:

  • Client and contact records.
  • Valuation data.
  • Research information. 
  • Employee information.
  • Other company Information. 

Client confidential data:

  • Identification Numbers
  • Full client name, full address, postal code;
  • Client valuation records;
  • Personal and Demographic Information (marital status, birth date, age, height, weight, email address);
  • Dates (except year) related to an individual client.
  • Medical images.
  • CVs.

Employee Information:

  • Staff Identification Numbers (Social Insurance Number, Employee ID etc.);
  • Personal financial information, including income level and sources (bank account, income);
  • Insurance and benefit information;
  • Demographic information (name, marital status, birth date, race, ethnic origin);
  • Personal Information of employees (email address, religion, educational level, tax return information);
  • Certain management information (performance evaluations, agreements, employment history etc.).

Client Sensitive Data:

  • Draft planning documents;
  • Internal Internet websites;
  • Official meeting minutes;
  • RFP processes and client documentation;
  • Property or project/ asset data that is protected under a Confidentiality Agreement (i.e. identifiers removed);
  • Personal and Demographic Information (marital status, birth date, age, height, weight, email address, employee password etc.).
  • Employee / chat box messages;
  • Employee / usage information.

Public Data

Any information that does not need to be protected to comply with Confidential or Sensitive classification standard;

Any information that has been publicly published through official channels.

PLEASE NOTE: these example lists are not exhaustive and are to be used as examples.

I have read and understand data definitions.

Part 3. Confidential data obligations to our clients

These are our confidentiality provisions as provided in our service agreements to our clients. REDN requires you to read, be familiar and apply them in all dealings with our clients and the public.

The Contractor (REDN) or its Personnel shall not, during and after the Contract Period, disclose or divulge any fact, information, knowledge and any other secret matter in relation to this Contract or activities performed or to be performed under this Contract to any third party (hereafter referred to as “Confidential Information”) except in the lawful and reasonable execution of the duties and obligations imposed herein or of required to do so by any competent authority. Provided, however, that this Clause shall not apply to such information:

  1. That is or becomes generally available to the public, other than as a result of a disclosure by breach of this Clause;
  2. That is known to the party prior to its disclosure by the Contractor or their Personnel; and/or
  3. That is lawfully acquired by the party from a third party without restriction on disclosure.

All the documents relating to the Confidential Information shall remain the property of the originating party during the Contract Period. All the Confidential Information in any form whatsoever together with any copies thereof shall immediately be returned to the party at the first request from other party. Alternatively, at the expiration or earlier termination of the Contract, either party may elect to have all details of the Confidential Information in its possession destroyed by giving the other party written instruction to that effect. Any breach of these provisions shall entitle the aggrieved party to claim an indemnity as a remedy for the damage suffered.

I have read and understand confidential obligations to our clients.

Part 4. IT Security and Policy and Procedures document (ISP)

This policy includes a baseline set of requirements for all staff to read, understand and implement. The policy also provides best practices recommendations to guide users, administrators, and IT staff in further steps to protect REDN computing and network infrastructure and data.

Every computer user is responsible for securing and protecting the information technology resources and data over which he or she has control. In meeting this requirement, users may rely upon the expertise, advice, of IT Support and IT Security. Systems Director is also resources for implementation issues raised by this policy (ISP) and for security matters in general.

The purpose of the policy is to protect the confidentiality, integrity, and availability of REDN data, and to protect our computing and network infrastructure.

Introduction (ISP).

This policy describes the requirements for securing computing devices and protecting confidential data. It includes a baseline set of requirements for all computing devices that connect to REDN, and additional requirements for devices that store or access confidential property/ client data. The policy also provides best practices recommendations to guide users, administrators, and IT staff in further steps to protect REDN computing and network infrastructure and data.

Every computer user is responsible for securing and protecting the information technology resources and data over which he or she has control. In meeting this requirement, users may rely upon the expertise, advice, of IT Support and the IT Security. The Systems Director is also resources for implementation issues raised by this policy (ISP) and for security matters in general.

Purpose.

The purpose of the policy is to protect the confidentiality, integrity, and availability of REDN data, and to protect our computing and network infrastructure.

Risk of Non-compliance.

Threats to networks and to data stored or transmitted by those networks are on the rise and exist in many forms. Examples include lost or stolen laptops and thumb drives, hacks of servers and desktops, interception of data in transit, abuse of legitimate access by individuals, and mistakes by well-intentioned people who accidentally misroute or otherwise allow unauthorized access to data.

Keeping REDN networks and data secure depends on a multi-layered approach. One key aspect is that all members of REDN adhere to the security standards in this policy.

Non-compliance with this policy poses great risk to REDN and to individuals whose data REDN maintains. For REDN there may be regulatory fines, lawsuits, reputational damage, and the loss of trust. For individuals, a loss of privacy may result, together with possible identity theft, embarrassment, harassment, and other problems. Further, security incidents can threaten the confidentiality, integrity, and availability of REDN computing infrastructure and data.

Scope.

The policy applies to:

  1. All staff, contractors, and their respective agents.
  2. All devices connected to REDN, whether they are connected directly to REDN (i.e. using or associated with a REDN IP address), or indirectly through another device that is connected to an REDN demarcation point – this includes computers connected to REDN via a Virtual Private Network (VPN), but excludes computers connecting via remote desktop control software, e.g. Remote Desktop Protocol (RDP).
  3. All Portable Computing Devices, Storage Devices, and Media that store confidential data including REDN-owned and personally owned devices, devices used on and off site.
  4. All servers that store confidential or operational REDN data, including devices hosted on third-party networks by outside service providers.
  5. All email servers on REDN).

Statement of policy.

This policy forms the minimum requirements for all devices connecting to REDN, each computing device that connects must comply with these basic security requirements:

Passwords (internal).

Where effective technology is available, devices must be protected by strong passwords that are resistant to dictionary attacks. For strong password rules, see the Password Selection Rules below. Passwords must be encrypted in transit and in storage. Passwords are renewed every 6 months (Automated reminders).

Security Patches.

Security patches must be applied on a timely basis. Patches for security vulnerabilities that vendors designate critical must be applied on the following schedule:

Servers – immediately or as soon as reasonably practical.

Other devices – within two business day of availability or as soon as reasonably practical. In addition to computers, these devices include, but are not limited to, routers, printers, and special purpose devices connected to REDN.

Firewalls – If a device is network connected, and the operating system includes a software firewall, activating it is a minimum requirement in the absence of other mitigating security practices (e.g. disabling unneeded services, use of a hardware firewall).

Antivirus protection – for operating systems for which REDN supports or recommends antivirus software. It supports implement and manage a regular program of maintaining current virus signatures and real-time scanning, consistent with software vendor recommendations. For other operating systems or circumstances precluding real-time scanning, equivalent compensating controls are considered and delivered by IT Support.

Encryption of Stored Data.

Certain types of confidential and sensitive data stored on such devices must be protected using strong encryption, with a key recovery component. Such data includes data that by law, requires notifying individuals in the event of a breach – specifically, security numbers, credit or debit card numbers, bank account numbers, and any other personal data as required under the terms of services.

Management and IT Support.

REDN employ 6 full-time staff members with 3 IT position designation and they serve as the system administrator/s. The system administrator/s is to be identified to staff. The system administrator/s must have attended REDN security training or equivalent for the relevant operating system within the past three years.

The system administration can be delegated to a third party who doesn’t meet the foregoing criteria. In such situations, the client must designate a regular, employee to oversee their system administration. The appointed individual providing oversight shall be fully accountable for compliance with this policy.

Third parties or Client staff members we recommend have the necessary skills and training to protect systems and data; and

Third parties or designated Client staff members are clearly informed of their obligations to comply with this policy.

Encryption of Data in Transit.

The system administrator must configure servers and server backups to encrypt any confidential or sensitive data that is transmitted over networks whenever network data encryption is a readily available capability that does not impose undue burden. Where REDN relies on B2 or equivalent hosting services REDN IT Security shall publish technical interpretations of this requirement and provide such to staff and clients.

Registration and Compliance.

The system administrator must ensure that the server is properly registered and that the requirements of this policy are met.

Physical Security Servers.

REDN require our B2 or equivalent ‘host’ service providers to have their servers housed in a locked, physically secure area accessible only by those requiring access.

Scanning.

IT security will scan or examine servers at least quarterly for common security vulnerabilities. The system administrator must address, and if necessary, correct any serious vulnerabilities.

Servers if located behind hardware firewalls must be scanned from inside the firewall by the system administrator subject to IT Security providing and supporting security scanning.

Backups and Recoverability.

The system administrator implements a routine program of data backup and regular recovery testing for any servers storing data.

Disabling Accounts. The system administrator is responsible for ensuring that user accounts are promptly disabled when informed that users no longer require access.

Secure Data Deletion. When storage devices or media are to be retired, they must be securely wiped or destroyed first and the client under the agreed service terms and legal obligations (where applicable) are be notified.

Central Logging – System administrators:

We select our ‘host’s on the basis they provide log system events to a central solution selected and event notifications are logged and received at 2 or more IT Support locations.

Periodically review logs for anomalies, with automated real-time alerts configured wherever possible.

Periodically re-assess what events are being logged to ensure they continue to be consistent with current guidance.

Additional Requirements for Email Servers:

Virus protection plan. Email servers must have a documented plan to prevent viruses from being either accepted from, or delivered to, users of the email server.

Recommendations and Best Practices

  1. Confidential Data. Data should be maintained in the safest environment consistent with our services or operational needs. The proliferation of data on multiple devices, particularly mobile devices, creates additional risk.

Printers that typically are used to print confidential data should be in locations with restricted physical access.

Physical backups should be stored in locations with restricted physical access and our clients are advised accordingly to self-assess risk. REDN (ISP) program, provides a framework and support for inventorying confidential data, assessing risks to data, and identifying appropriate steps to remediate those risks.

  1. Secure Data Deletion. Data that is no longer required for operational needs (see client service agreement) and that the client advises no need to be retained REDN will within the time frame agreement in the service contract (Normally 2-7 working days) delete such data and provide confirmation to the client. Where by law or REDN are advised to delete or retain data and where applicable report such incidents to our clients as soon as practical. Such incidents are to be reported in the Incident Log and to Systems Director and Director immediately.
  2. Configuring New Computers. Most computer systems as shipped by the vendor are very insecure. Steps must be taken by the system administrator at the time of installation and connection to ensure that known vulnerabilities are eliminated and strong passwords required.
  3. Patch Management. The use of automated patch management tools and antivirus update software is strongly encouraged. For operating systems in wide use (e.g. Windows, Mac OS), it is a low risk to automatically download security patches from the operating system vendor. For servers, untested security patches pose a moderate risk. System administrators are encouraged to test security patches or check that others have done so before applying them.
  4. Unneeded Services. Remove or disable unneeded services to reduce the risk of break-in.
  5. Stored Passwords (external). Avoid storing unencrypted private keys and clear text passwords wherever possible. Some applications permit users to script or store their ID and password. Web browsers and other clients sometimes intercept logins and offer to auto-complete logins by filling in the username and password based on what was typed previously. Such features should be avoided since they expose passwords to theft. For scripted batch processes, special care should be taken to ensure that access to stored credentials is limited to the users and process (es) that need access.
  6. Authentication. Configure authenticated services to add a delay (back off) between failed authentication attempts, or consider locking an account after a set number of failed attempts.
  7. Scanning System. Administrators are encouraged to scan our systems for common security vulnerabilities, assuming they have obtained the necessary authorisation.
  8. Penetration testing: IT Support in conjunction with IT Security undertakes and manage a Pen – Test program.

REDN undertakes regular or as needed testing to exploit the vulnerabilities of our IT infrastructure and to evaluate our overall security. The vulnerabilities can exist anywhere, including operating systems, configurations, user behaviour, etc.

Some of the many benefits of penetration testing include the following:

  • Vulnerabilities are managed intelligently.
  • Network downtime cost is avoided.
  • Regulatory requirements are met.

By Pen – Testing we aim to keep our customer loyalty and corporate reputation intact. Comprehensive penetration testing replicates the intruder seeking an access to sensitive information by exploiting loopholes existing across the system.

In order to ensure a more consistent and secured REDN and IT network, penetration testing is performed on a 6 monthly basis. Penetration tests helps in identifying new threats and vulnerabilities however IT Support and It Security must run a Pen Test whenever:

  • New network infrastructure is added.
  • Any Upgrade and modification is applied to the network.
  • New office locations are established.
  • Security patches are added.
  • End user policies are changed.

System Administration:

REDN currently controls its standards and auditing controls internally (ISP). Our auditing policy, controls and check lists determine if appropriate and effective security controls are in place. Our procedures are created to provide pre-defined, standard benchmarks for controls related to the security, availability, processing integrity, confidentiality, or privacy of a system and its information.

Linode and security procedures:

Where we are concerned about risk our steps to mitigate are as follows when we turn to Linode services. Whether it’s a username and password, or approved customers abusing their entry privilege. The Linode Manager’s built-in security instruments assist. We have enabled two-factor authentication to guard our account with a bodily token, establishing an IP whitelist, after which configuring security occasion notifications in our Linode Manager account.

  1. IP Address Whitelisting. The IP Address Whitelist characteristic protects our Linode Manager account from unauthorised entry makes an attempt by accepting connections solely from the IP addresses we specify.
  2. Security Event Notifications. Linode Manager Security event features are applied to mitigate our risk. Linode Manager’s built-in security tools assist us by
  • Enabling two factor authentication to protect our account with a physical token, then set up an IP address whitelist, and then configure security event notifications our Linode/ Host Manager account.
  • Where applicable we recommend and apply Two-factor authentication increases the security of our accounts.
  1. Configuring User Accounts and Password Expiries.

Where we have a number of people accessing the identical Linode Manager account we create separate consumer accounts for every particular person. Once created the accounts, we assign permissions to limit entry to sure areas of the management panel. This is beneficial for teams that must grant workforce members entry to the Linode Manager. The Linode/ Host Manager and EVP is configured to alter their passwords each 6 months.

  1. Home Computers. REDN staff are advised to avoid using insecure home computers shared with other family members to gain remote access to confidential. Rather, use a properly secured computer that is not shared with others. If unsure contact IT support.
  2. Mobile Device Security. For mobile devices or where the ability to prevent theft of data is extremely important, we advise staff to use software that permits location of the device and secure deletion of the data remotely, should the device be lost or stolen.

I have read and understand confidential obligations of the ISP.

Part 5. Compliance and Incident Procedures (CIP).

REDN applies Chat Box forum to contact the relevant compliance officers. The IT Security, IT Support, Data Manager and System Director and Director shall be made aware of any incident notifications, remedy and system management recommendations from the data control officers See ICP policy.

REDN manages (where responsible) all data errors and omissions in accordance with this policy and the law applicable if the jurisdiction has no Privacy or Intellectual Property Laws then REDN will as a default have regard to GDPR requirements 

Incident:

Incident function:

Interval and protocols:

Reporting procedures:

Verification (Devices):

IT Support will use security scanners at least quarterly to scan all registered (non-host) servers and will periodically scan other devices for security vulnerabilities.

On-going.

Notification: Immediate.

Action: Register an incident report.

Remedy: Based on assessed security risk factor. Where immediate report and rectify accordingly.

Notification: IT support will report violations of this policy to the primary contact in the client Services Agreement, or to the appropriate Security Liaison.
Remedy: The remedy may be immediate removal of the device from the network, depending on the severity of the operational impact on REDN. IT Security shall report non-compliance to IT Support and Directors. System and Management:IT Security will offer immediate assistance in correcting security problems, after which the device/s may be reconnected to the network, and/or normal service restored. 

Verification (Third Party Host):

IT Support will use penetration tools (where applicable) at least quarterly to scan ‘host’ servers for vulnerabilities.

It Security and Director will be registered to receive security event notifications from the ‘host’.

On-going.

Notification: Immediate.

Action: Register an incident report.

Remedy: Based on assessed security risk factor. Where immediate report and rectify accordingly.

Notification: IT support will report violations of this policy to the primary contact in the client Services Agreement, or to the appropriate Security Liaison.
Remedy: The remedy may be immediate removal of the device from the network, depending on the severity of the operational impact on REDN. IT Security shall report non-compliance to IT Support and Directors. System and Management:IT Security will offer immediate assistance in correcting security problems, after which the device/s may be reconnected to the network, and/or normal service restored.

Verification (Data):

IT Manager and Directors will be responsible to monitor and where conflict is identified rectify any 3rdparty data.

Note data provided by the client is not subject to verification. However where we are notified of any data record corrections, errors or omissions we will act within the law relevant to the jurisdiction in which that data was obtained.

On-going.

Notification: Immediate.

Action: Register an incident report.

Remedy: Based on assessed security risk factor. Where immediate report and rectify accordingly.

REDN during the consolation process implements agreed client data protocols with the client/ primary contact and those protocols are then deemed to be client focused protocols. While we agree under service terms to manage the security of the client data the internal client focused protocols are the responsibility of the client not REDN.

Notification: IT Manager will report any errors or omissions that may have a financial impact on REDN. REDN will notify the party/s where an error or omission may have occurred to the primary contact in the Services Agreement, or to the appropriate Security Liaison.
Remedy: The remedy may be immediate by correcting or removal of the data from the network, depending on the severity of the operational impact on REDN. IT Security shall report non-compliance to IT Support and Directors.

System and Management: IT Manager and Systems Director will offer immediate assistance in correcting security problems, after which the data or data set may be deleted, corrected or made available if required by law.

Data Isolation:

Data that is reported as non-compliant or confidential.

The data or data set may need to be deleted, corrected or made available if required by law.

On-going.

Notification: Immediate.

Action: Register an incident report.

Remedy: Based on assessed security risk factor. Where immediate report and rectify accordingly.

REDN will based on remedy recommendation contact the REDN legal advisor to seek clear and written advice before proceeding. Information under this incident is to be referred to the Systems Director and Director.

Notification: REDN staff will report any non-compliant data, data with errors or omissions that may have any impact on REDN.

REDN will immediately isolated the data and commence an internal audit procedure to verify the source/s. Where the data maybe required at law REDN will comply with the law. This may or may not require any contact/ notification to the primary contact in the Services Agreement, or to the appropriate Security Liaison.
Remedy: The remedy may be immediate by isolation the data or removal of the data from the network, depending on the severity of the operational impact on REDN. System Director shall report to the Director non-compliance.

System and Management: IT Manager and Systems Director will offer immediate assistance in correcting, deleting or isolating the data or data set.  

CIP protocols:

REDN staff and directors will when dealing with an incident of data or security will have regard to the following protocols when arriving at a remedy and system management recommendation. IT Security and support are responsible to make encrypted services available when there is a reasonable expectation that the services provided by REDN are handling or may be used to handle confidential data. All staff are responsible to ensure they are handling confidential data in compliance with this policy. For all other devices, the individual owner or user of the device is responsible for compliance with this policy.

Financial Implications: REDN at all times must consider the cost/s implication related to ensuring compliance with this policy. They must also be aware of the costs of non-compliance and that non-compliance is a breach of this policy and our service commitment.
Responsibility: For servers; does the responsibility for compliance lie with the system administrator, or the individual appointed to oversee third party system administrators or the ‘‘host’’.

Data; does the responsibility for compliance lie with the system administrator, or the individual appointed to oversee third party data or the client.

REDN will need to refer the client to the recorded source/s of their data. REDN is simply a platform and the data is in near all instances entered by the client or REDN is instructed to enter the client data.
Time Frame: This policy shall be effective from 1st December 2017 and will be revised in 18 months. If staff or IT Support or Security or Directors believe that REDN cannot comply with this timeframe, he or she may petition for an early review or extension under Appeals.

Enforcement: Who is responsible for the enforcement following consultation?

IT Support and IT Security shall record in the Incident Report an outline of the client’s primary source/s and report where considered necessary any vulnerabilities. REDN has also incorporated an exception report for the client to assist them in identifying data that has limited or low data parameters and we encourage our clients to apply this tool. REDN does not guarantee sources.

Information, systems and Computing, compliance and privacy: A summary each quarter will be produced by the Compliance officers identifying any issues not in compliance with this policy based on available information. In addition, the Systems Director shall conduct periodic audits and such audits will be retained within REDN system tools.

Appeals: Requests for waiver from the requirements of this policy are decided by the System Director and Director. A waiver granted for the inability to meet one compliance requirement does not exempt the system owner from meeting all other requirements. All waiver, extension or review requests may be submitted to Systems Director.

Incident report:

Name of Person who discovered non-conformance

 

Date Discovered

 

Date of Incident

 

People Involved and their designation(s)

 

Details of non–conformance (to be filled in by person who discovered non-conformance)

 

Signature of person who discovered non-conformance

 

Requires reporting to REDN Director?

Yes / No

Signature of Data Control Officer

 

Details on why the non-conformance occurred

 

Corrective measures to be implemented

 

People tasked to implement measures and their designation(s)

 

Remarks (if any)



Date implementation is completed

 

Name and signature of person overseeing implementation of corrective measures

 

Date:

 

Name and signature of Data Control Officer

 

Date:

 

Name and signature of personnel who signed the Undertaking section of the audit checklist

 

Date:

 

Compliance officers (last updated 30.10.2018):

IT Security: Mr. Trinh Tran

IT Support: Mr. Thanh Nguyen, Mr. Toan Nguyen and Mr. Nhut Ha

Data Administrator: Ms. Trang Tran

Office and System Manager: Ms. Sandra My Luu

Data and Systems and Incident Director: Mr. Leon Cheneval

Incident Director and Director: Mr. David Jackson.

Password selection policy

Our IT support recommends the following when selecting or creating a password:

Passwords must be: At least 8 characters.

Password must NOT be:

  • All uppercase or all lowercase. (Examples: database, DATABASE, and abcde or 12345 are not valid passwords.)
  • Your username; your first, middle, or last name; or any variation thereof.
  • Based on a dictionary word.

“Dictionary” does not simply mean a Standard English language dictionary — it also includes foreign language dictionaries and all kinds of specialised dictionaries that hackers use to crack passwords. Embedding a number or case-shift within a word does not make a valid password. Systematic password guessing attacks are sophisticated and will routinely ‘crack’ such passwords. (Examples: time2go, big$deal, vinAcap, 2morrow, money$, and database are not valid passwords.

Composed of all numbers. Embedding decimal points, minus signs, or plus signs within a number does not make a valid password. (Example: 1-609-555-1212 is not a valid password.)

Selecting a Strong Password:

Think of a phrase that has special meaning only to you, or conversely that no one would suspect would have any meaning to you:

You can make an even stronger password by including the punctuation and “tweaking” it a little: LCH114t4D8! This is a pretty strong password, and not hard to remember if you keep the source phrase in mind.

There are many password checker websites around. They require you to not record real passwords but REDN does allow you to use them to test your skill in developing strong passwords. LCH114t4D8! Is considered a strong password. Toan14 is considered a week password.

Remember to NEVER share your password with anyone.

Laws and Decrees and resources

The following are various references to websites and material that will provide a more detailed understanding of various key topics, such as:

The following are various references to websites and material that will provide a more detailed understanding of various key topics, such as:

Intellectual property verification (Vietnam)

The following snippets refer to the process undertaken to verify when necessary ant intellectual property rights. :

Step 1 Access http://iplib.noip.gov.vn/WebUI/WSearch.php

Step 2. Insert details (in this example eValpro is the search criteria).

Step 3. Verification. 

Intellectual property verification (Singapore)

The following snippets refer to the process undertaken to verify when necessary ant intellectual property rights. :

Step 1 Access https://www.ip2.sg/RPS/RPSLogin/SPLogin.

Step 2. Insert details after establishing an account.