DreamCampaigns Information Security Policy
DreamCampaigns takes the security of customer data seriously. DreamCampaigns has implemented internal policies and controls to try to ensure that customer data is not lost, accidentally destroyed, misused or disclosed, and is only accessed by DreamCampaigns employees in the performance of their duties. Where DreamCampaigns engages third parties to process customer data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are required to implement appropriate technical and administrative measures to ensure the data is secure.
DreamCampaigns will maintain data security by protecting the confidentiality, integrity and availability of the customer data as follows:
- Confidentiality means that only people who are authorized to use the data can access it.
- Integrity means that data should be accurate and suitable for the purpose for which it is processed.
- Availability means that authorized users should be able to access and use the data if they need it for authorized purposes in a timely and reliable manner. Customer data should therefore be stored in approved data stores and made available to authorized users only.
How is data security managed
The security of DreamCampaigns is modelled on a ‘defense in depth’ approach on multiple levels, including Physical, Network, Host, Software, and User Account Security. DreamCampaigns maintains internal security policies and standards in support of its ongoing operations. Access to resources is granted only to those who reasonably require access, based on their responsibilities. Security processes include:
Physical Security
Physical access to DreamCampaigns hosting environment is restricted to specific individuals and uses multiple levels of security, including:
- DreamCampaigns servers and infrastructure are located in a physically secure data center. Access to the data center is limited to authorized personnel. Badge access or biometric authentication (hand scanners and fingerprint IDs) are required in order to access the facilities.
- DreamCampaigns servers are isolated and secured within the data center in areas dedicated to DreamCampaigns equipment only. These areas are not shared with third parties.
- Access to the data center and systems are regularly reviewed to ensure authorization.
- 7x24 Security guards perform random checks of the data center to ensure physical security controls have not been compromised.
Network Security
- Access to DreamCampaigns services is via standard HTTP and HTTPS connections.
- DreamCampaigns hosting environment is protected from the public Internet via multiple next generation firewalls, monitored with an intrusion prevention/detection system, including a strategically placed distributed denial of service mitigation system.
- All of your account, credit card, and subscriber information and content is encrypted via industry-standard Secure Sockets Layer (SSL) connections over HTTPS.
Host Security
- DreamCampaigns performs industry-standard security hardening efforts on all systems. In accordance with our security and change management policies, unused services are disabled and software updates are applied on a regular basis.
- DreamCampaigns regularly reviews information on current security vulnerabilities, including vendor announcements and other industry sources. If security updates are determined to be critical to the DreamCampaigns environment, they are thoroughly tested and deployed in a timely manner.
- All DreamCampaigns hosts and services are routinely monitored for integrity and availability. Operations staff review all alerts generated by monitoring systems and respond promptly.
- DreamCampaigns servers are monitored 24x7 for malicious activity.
- Administrative access to DreamCampaigns infrastructure is limited strictly to authorized users with multi factor authentication. Individual usernames and passwords are required for all machine and data access.
- Strong password guidelines are in place, including complexity and minimum length requirements. Passwords are expired and changed on a regular basis.
Software Security
- All internally developed code is subject to a strict Quality Assurance program, including extensive testing of functionality and business logic. Strong change control processes are in place to ensure that all code deployed to the production environment has been appropriately reviewed.
- We train our engineers in secure coding and architectural design patterns like the ones outlined in the OWASP Top 10, SANS critical security controls, and the NIST frameworks.
Incident Management
- DreamCampaigns has a documented Cybersecurity Incident Response Plan, a 24x7 Command Monitoring Center, a Cybersecurity Incident Commander and an industry leading incident response third party on retainer.
- The Plan undergoes annual table top testing and is updated as necessary.
- The Chief Privacy Officer / Data Protection Officer will be informed of any reasonably suspected Customer Data breach and will act as required by the GDPR and other laws as necessary.
Personnel Security
- DreamCampaigns employment offers are contingent upon successful completion of criminal background and reference checks where allowed by law.
- Upon commencing employment, all DreamCampaigns employees receive information security training and are contractually obligated to confidentiality clauses to ensure that they adhere to DreamCampaigns’s commitment to security and confidentiality.
- DreamCampaigns’s information security awareness and training program requires employees complete annual security refresher training.
Patch Management
- DreamCampaigns patch installation is prioritized based on the severity of the patch with respect to the impact on the hosting services.
- DreamCampaigns systems are routinely updated per vendor recommendations and industry standards.
- Patch levels on managed systems are monitored and enforced by third party software.
Virus/Malware Management
- DreamCampaigns uses up to date virus scanning software for detecting currently known malware.
- Malware definitions are updated daily and installed as required.
- vOperations teams monitor the DreamCampaigns hosting environment 24x7 for malware infections.