Digital Security Protocol
- All data collected is processed using a database. Data and services are hosted on cloud and dedicated servers based on operational needs.
- Data in transit is encrypted via SSL/TLS and data at rest is encrypted at the server.
- Management access and data transfers are done via SSH and SFTP.
- Backups of data are taken in real-time, or on an hourly, daily or monthly basis depending on operational needs.
- The development environment is separated from production: access to the development environment does not grant access to the production environment or user data.
Fourth Estate’s security team performs routine risk assessments including security auditing, penetration testing, vulnerability assessment, and account auditing. Based on the assessment, security recommendations are made to the relevant organizational unit, and security patches and software upgrades are performed. If vulnerabilities are discovered, security updates and/or software updates are performed immediately, and do not wait for the scheduled security assessment period. An investigation into any resulting breaches is immediately performed as per the Breach Policy below.
Restricted Access Control
- Remote access to servers is done through SSH protocols using SSH-keys version 2; public keys are provided to team members and contractors on a needs basis and with written approval of the Technology Director or Executive Director.
- Fourth Estate staff have manager access rights to the LMS and AMS, but the master account is restricted to the Technology Director or Executive Director only. Permissions for access requested by staff or contractors require demonstrated need and written approval.
Firewalls & Security Software
- Security groups and secure management ports are enabled on all of our instances.
- All staff and contractor devices have up-to-date anti-virus and anti-malware software.
Fourth Estate conducts routine reviews of all the privileged accounts in the technology stack. In coordination with the Operations Departments, terminated users and/or staff accounts are disabled and privileges are revoked immediately upon departure or end of contract.
All account changes are monitored and logged, and alerts are sent to notify users in case of changes in their account access credentials. Fourth Estate encourages all staff to change all their login credentials bi-annually and use multi-factor authentication whenever possible.
Third Party Access
All contractors who require access to the technology stack must sign Fourth Estate’s Non-Disclosure Agreement. Only contractors directly working on program implementation and support can request such access. No third party access to Fourth Estate’s technology stack or data is otherwise granted, including for commercial purposes.
- Fourth Estate provides in-house training to all staff about data security and protection, and all privacy policies and procedures are presented to incoming Fourth Estate staff and contractors.
- All staff and contractors who have access to user/member data must sign a Non-Disclosure Agreement.
- IT staff are additionally trained on complying with the organization’s security standards and making users aware of policies and procedures regarding appropriate use of networks, systems, and applications.