
Security Practices

Updated December 11, 2023

At Go Fish Digital, we pride ourselves on protecting our business, clients, partners, and our people by ensuring the information, data, and technology assets we oversee are handled with the utmost care. We take the security of all data seriously and consider this one of our primary responsibilities. This is in our DNA; therefore, we aim to be open and transparent about our security practices.

Please feel free to contact us at infosec@gofishdigital.com and a member of our cybersecurity practice will reach out to you ASAP. 

OUR MISSION

It is our policy that: 

The program objectives will be approved and regularly reviewed by executive leadership via Go Fish Digital’s Information Security Oversight Board. 

  • Go Fish Digital will always seek to protect our company and clients from information security threats to information, data, technology, and people. 
  • A formal information security program and Information Security Management System (ISMS) will be operated to ensure we effectively meet the cybersecurity needs of Go Fish Digital, our clients, and other interested parties. 
  • The program will be maintained by an Information Security Officer – a dedicated role – with accountability for its ongoing direction and purpose. 
  • The program and its objectives will be derived from business objectives prioritized and approved by executive leadership – these include Go Fish Digital’s overall business strategy, contractual and regulatory requirements, and responsible use of technology. 
  • The program will enable the governance, strategy, standards, principles, and technical and organizational measures (controls) necessary to secure the organization. 
  • Go Fish Digital will proactively invest in the program; it will be sufficiently resourced to collectively manage needs across compliance, risk, and security. 

ORGANIZATIONAL SECURITY

Go Fish Digital’s Information Security Program addresses the technical, organizational, administrative, and human aspects of security as a critical first step, ensuring these are well-established elements woven into the fabric of our business.

CONFIDENTIALITY

Go Fish Digital establishes confidentiality by ensuring only those employees who require access to client data are provided access, and that the level of access provided is consistent with their job function. Access to client data is assigned based on the level of data classification and minimum level of access required, i.e., “least privilege” access. 

The operation of Go Fish Digital services requires that some employees have access to the systems which store and process client data. For example, IT staff such as systems administrators may be able to access client data to effectively support a system or diagnose a problem. These employees have separate user accounts for administrative and non-administrative duties, and they are not authorized to view or access systems with client data unless it is required for their privileged job function, i.e., “role-based access.” Technical controls are in place to ensure such access is logged where feasible. 

The controls that support confidentiality are extended by Go Fish Digital to our vendors and suppliers and validated through our Third-Party Risk Management (TPRM) program. 

Go Fish Digital has invested in industry leading security technologies providing an elevated level of assurance and trust for our clients. Security controls are regularly reviewed and updated internally, and they are validated by external partners on an annual basis through audits and penetration testing. 

PERSONNEL PRACTICES

All Go Fish Digital employees, contractors, and suppliers must adhere to our information security policies regarding protection of client data. 

Candidates for employment undergo background checks and are required to sign confidentiality agreements before joining Go Fish Digital. All candidates are screened for competency for their role. Job responsibilities related to security within the organization are defined and communicated prior to employment. 

Upon hire, all employees are provided cybersecurity orientation training and are required to read and acknowledge their understanding of Go Fish Digital’s information security policies for data protection and acceptable use. Our training has been designed and created in-house so that it is tailored to our business and people for greatest effectiveness. 

Employee and third-party onboarding and offboarding processes have been developed to ensure accurate and effective controls are followed for provisioning and deprovisioning access. These processes are systematically employed and use automation wherever possible to minimize human error and provide timely execution and reporting. 

SECURITY AWARENESS TRAINING

In addition to orientation, all employees are provided security awareness training on a regular basis that reminds and reinforces Go Fish Digital’s policies. The training measures all employees’ sentiment, engagement, and knowledge of security best practices and concepts. The Go Fish Digital Infosec team uses this training to create additional focused training sessions that may include topics like emerging threats or regulatory requirements such as GDPR, CCPA, and HIPAA. 

OUR TEAM

Go Fish Digital employs experienced security professionals providing operational effectiveness of its Information Security Management System (ISMS). These individuals comprise diverse roles within Go Fish Digital’s Information Security Team and Incident Response Team. Dedicated roles include our Chief Information Security Officer (CISO), Compliance Officer, Risk and Compliance Analysts, and technical and operational security staff. Together these teams oversee the following aspects of Go Fish Digital’s ISMS and information security program: 

  • Security governance, strategy, and policy 
  • Security architecture 
  • Operational risk management 
  • Security engineering and operations 
  • Incident detection and response 
  • Vulnerability management 
  • User education and awareness 
  • Compliance and privacy 

An Information Security Oversight Board governs and authorizes security strategy. This is to align the Infosec Team’s mission with overall company goals and provides necessary resources and budget for execution of the strategy by the CISO and security teams. 

COMPLIANCE

To ensure the effectiveness of Go Fish Digital’s ISMS and related security controls, we have aligned our security practices to common industry standards and control frameworks including NIST, ISO 27001/27002, and SOC. 

Service Organization Controls (SOC): All Go Fish Digital services, whether internal or client-facing, are hosted and managed by major service providers that hold multiple security and data protection accreditations for their operations and data centers, including SOC. For information regarding their compliance, please visit the AWS Security website, AWS Compliance website, Google Security website, Google Compliance website, and Microsoft Service Trust website.

MANAGEMENT POLICIES AND STANDARDS

Go Fish Digital’s policies, standards, procedures, and guidelines provide overall governance and rules for security within the organization. Each of these exists and is documented within Go Fish Digital’s Information Security Management System (ISMS). This includes but is not limited to: 

  • Code of ethics and conduct 
  • Information technology acceptable use policy 
  • Go Fish Digital’s house rules for security 
  • Information security policy 
  • Information security exceptions policy 
  • Risk management policy and process 
  • Access control policy 
  • Asset management policy 
  • Information classification policy 
  • Data retention policy 
  • Change management policy 
  • Secure workplace (physical security, clear desk, and screen) policy 
  • Network and communications security policy
  • Compliance policy 
  • Encryption policy 
  • IT assets and services acquisition policy 
  • Cloud services policy 
  • Security roles and responsibilities policy 
  • Incident response policy and process 
  • Mobile device and remote working policy 
  • System development policy 
  • Open-source software policy 
  • Operations security policy 
  • Third-party and supplier relationships policy 
  • Ransomware response policy 
  • Vulnerability management policy 

These policies are living documents and are reviewed and updated on an annual basis. They are available to all employees via our company intranet. While these are internal-only documents, redacted copies can be requested by clients as needed by contacting infosec@gofishdigital.com.

AUDITS AND ASSESSMENTS

Go Fish Digital evaluates the design and operational effectiveness of its ISMS through internal assessment and self-validation and/or independent external audits. This ensures compliance with internal and external standards. On a periodic basis, Go Fish Digital engages qualified and credentialed third-party assessors to review our controls. The reports from these audits are shared with the Information Security Oversight Board and executive leadership. All findings are tracked to resolution. 

LEGAL AND PRIVACY COMPLIANCE

Go Fish Digital employs dedicated legal and compliance professionals with extensive expertise in data privacy and security. Along with the security team, these individuals are embedded in the development lifecycle for new services and technologies, and they review products and features for compliance with applicable legal and regulatory requirements. They work closely with development teams, IT, and security teams to ensure client, third-party, and regulatory requirements are met on an ongoing basis.

PENETRATION TESTING  

On a periodic basis Go Fish Digital engages a qualified and credentialed external security services provider to perform penetration testing of the network and systems that support Go Fish Digital’s corporate and client-facing technology services. Testing includes Go Fish Digital-managed infrastructure and systems underlying customer services. The requirement for testing is extended into our supply chain through Go Fish Digital’s Third Party Risk Management (TPRM) program. Findings from Go Fish Digital and third-party test reports are tracked to resolution.

DATA PROTECTION

ENCRYPTION IN TRANSIT AND AT REST

All information transmitted to or from Go Fish Digital over public networks uses industry standard encryption. This includes communications via e-mail where strong encryption protocols are supported by both parties. Go Fish Digital’s standard for encryption is TLS version 1.2 or later with AES-256 and SHA2.

Go Fish Digital classifies all client data as Confidential. Such data is always encrypted while at rest or in transit where technically and commercially feasible to do so.

User devices including laptops, smartphones, tablets, and other media are prohibited from transferring, storing, or processing Confidential data unless fully encrypted. These devices are encrypted at rest using IT-managed encryption technologies with AES-256. This includes removable media such as USB drives.

Data backups are encrypted both on-site and off-site.

Key management ensures keys for backups are stored separately from the systems they protect. Go Fish Digital hosts its services including backups with industry-leading data center providers in facilities that are ISO 27001, HIPAA / HITRUST, PCI, and SOC 2 Type 2 compliant. This ensures best-in-class protection for physical and virtual assets located within these centers. All providers encrypt all technology and data assets, including data in transit and at rest, for services used by Go Fish Digital.

LOGICAL ACCESS CONTROL

All electronic data stored by Go Fish Digital has strict access controls enforced through multiple layers of security. Go Fish Digital’s access control methodology adheres to the following core tenets of access management:

  • Role-based access: access is provided only to those who require it.
  • Separation of duties: employees with privileged access must have this access granted independently through a separate set of credentials from their non-privileged access.
  • Least privilege: the minimum amount of access required to perform one’s job function is granted.
  • Conditional access: access is dependent on certain conditions, for example time of day, location, or means of authentication.

To this end, Go Fish Digital employs the following measures:

  • All systems used at Go Fish Digital require users to authenticate using a unique set of credentials assigned to each user.
  • Multifactor authentication (MFA) is used for all systems and services that support it – this includes all Go Fish Digital corporate employee accounts.
  • System administrators have unique credentials for privileged and non-privileged accounts.
  • Access is logged, and suspicious logon attempts are systematically reviewed and alerted to the security team.
  • Access levels are regularly reviewed as part of Go Fish Digital’s internal risk assessment processes; this includes supplier access, privileged access, and inactive accounts.
  • IT administrator access is reviewed regularly to ensure the level of access granted is still appropriate for the employee’s current job function.

Go Fish Digital has implemented safeguards to protect secrets including the creation, storage, retrieval and destruction of service account credentials, access codes, and encryption keys. Secure password vaults are used within IT to store credentials and delegate access to staff as needed.

PHYSICAL ACCESS CONTROL

Go Fish Digital offices have access control mechanisms in place such as key cards and numeric keypads which are fitted to all ingress/egress points and secure internal locations.

Areas housing sensitive information or systems for the storage, transfer, or processing of data are restricted to ensure only authorized employees are permitted access.

Visitors to Go Fish Digital facilities must have an employee sponsor their visit and provide supervision while in any area that contains sensitive information.

NETWORK SECURITY

Go Fish Digital has adopted a “zero-trust” model for network security. This model requires that any worker, in any location, using any device must have access control and application sessions authorized by a network policy. Details of this model can be shared with clients as requested.

Connections to the internal Go Fish Digital network are strictly controlled and require authentication regardless of ingress point. Wireless network connections require two factors of authentication and are restricted to Go Fish Digital devices only.

All devices connected to the Go Fish Digital network must meet an initial security baseline; once connected, they receive regular patches and updates for vulnerabilities even if they are later disconnected from the network.

Networks are segregated physically and logically based on the security classification of systems and data made available on each segment. Network access controls on devices such as firewalls, routers, and servers ensure only traffic that is required for a given service is permitted within or between network segments.

Network monitoring is performed at the data center edge to detect anomalies and inbound network-based attacks. In keeping with the zero-trust model, monitoring is also performed on end-user devices.

AUTHENTICATION

Go Fish Digital has strong policies and controls for user authentication and password management. These policies reduce the overall number of accounts required across applications and services, thus reducing the risk of multiple accounts and password re-use.

Multi-factor authentication is mandated for all employees’ corporate IT user accounts, including third-party and administrative accounts. A company-wide password management tool is deployed to all employees and contractors for efficient and secure storage and sharing of credentials.

Where technically feasible and appropriate, Go Fish Digital uses encryption keys for authentication. For example, access may require an SSH key in addition to a Go Fish Digital username and password.

All user and administrative passwords are required to incorporate four factors of complexity and be created without references to common dictionary words or patterns.

Go Fish Digital conducts sophisticated real-time analysis of every corporate user logon attempt, and it alerts the security team when suspicious logon attempts or anomalies are detected.

DATA CLASSIFICATION AND LABELING

Go Fish Digital classifies all data we control or process, including client data, to ensure appropriate levels of protection and control. Client data is classified as Confidential and requires the following measures:

  • Role-based access
  • Sharing authorization by owner only (no transitory sharing)
  • Strict access controls (least privilege)
  • Encryption at rest and in transit
  • Logging of all access
  • Data Loss Prevention (DLP) and Information Rights Management (IRM), where appropriate and technically and commercially feasible
  • Daily backups
  • Defensible destruction

DEVICE AND WORKSTATION SECURITY

Go Fish Digital workstations run monitoring and configuration tools to enforce security baselines and to prevent suspicious activity or unsafe configurations. End-users are limited in the administrative actions that can be taken on a workstation.

Malware detection occurs in real time through inspection of code in storage and in memory as code is executed.

All workstations use full disk encryption to prevent data loss resulting from loss or theft of the device.

MOBILE DEVICE MANAGEMENT

All mobile devices used within Go Fish Digital are encrypted. Go Fish Digital uses a Mobile Device Management (MDM) platform to control configuration and policy for devices including laptops, smartphones, tablets, and removable media. MDM provides ability to lock or wipe data from devices remotely.

It is Go Fish Digital’s policy that mobile devices and removable media are not permitted for use for storage, transfer, or processing of any sensitive data.

DATA AND ASSET DISPOSAL

Client data is removed and deleted when no longer required. Go Fish Digital’s policies and standards require all physical assets and media to be properly destroyed (if no longer required for use) or sanitized (if being repurposed for use).

OPERATIONAL SECURITY

Go Fish Digital’s operational security practices include processes for service and change management which are aligned to the ITIL framework, centralized logging and monitoring, on-site and off-site data backups, technical vulnerability management, operational and security risk management, incident management, and asset management. Together these ensure a reliable and effective baseline from which to protect Go Fish Digital and client assets.

Go Fish Digital’s security team performs frequent scans on a continual basis for our network, systems, and application assets. Findings are documented, reported, and tracked to remediation. The team collects and stores network, system, and application logs for analysis. These logs are stored in a dedicated platform that is protected from modification by IT staff. Analysis of logs is automated to the extent feasible technically and commercially.

RISK MANAGEMENT

Go Fish Digital employs an internal risk assessment process to review its business units for technical, operational, and administrative threats and weaknesses. This process includes an audit of systems, data, and processes used within the business to ensure alignment with Go Fish Digital policy and control requirements. Where gaps or risks are discovered, these are documented, reported to accountable stakeholders, and tracked to resolution.

SECURITY DEVELOPMENT LIFECYCLE

For systems and applications developed by Go Fish Digital, we take a variety of measures to prevent the introduction of malicious or erroneous code to our environments and to protect data against unauthorized access, denial of access, modification, destruction, or disclosure. This includes:

  • Separation of production and non-production environments
  • Change management
  • Developer training
  • Secure code repositories and version control systems
  • Secure code analysis
  • Application vulnerability management, e.g., OWASP Top 10
  • Policies regarding open-source software
  • Security hardening of host systems and infrastructure

THIRD PARTY SUPPLIERS

Go Fish Digital follows a “Plan, Do, Check, Act” cycle for security and risk management. In support of this, an internal Compliance Assurance Program (CAP) has been enacted to help us address the most common threats and vulnerabilities cybercriminals use today. The CAP is an internally developed program that ensures we continuously check the effectiveness of our processes related to security controls so improvements can be made and so any erosion of these processes is readily identified.

At Go Fish Digital, we maintain steadfast awareness of our role as a service provider to our customers.

DATA PROTECTION

Go Fish Digital has established and maintains a third-party vendor and supplier risk assessment program (TPRM). New vendors in scope for our technology-based services, including the storage, processing, transfer, or analysis of data, are reviewed by Go Fish Digital’s security team. All third parties are assessed and tracked within a risk platform that captures key elements of each assessment and provides for effective risk processes and reporting. 

Third-party assessments are conducted during vendor or supplier onboarding through manual interrogation by Go Fish Digital’s information security team. This occurs prior to vendors participating in any live projects and periodically thereafter. 

A third-party assessment is a detailed process that requires vendors and suppliers to provide evidence of security controls no less effective than Go Fish Digital’s own controls and to demonstrate due care and diligence for sensitive assets and data. Any gaps are reported to management and are required to be remediated before the vendor or supplier is authorized for use by Go Fish Digital. 

DISASTER RECOVERY AND BUSINESS CONTINUITY

AVAILABILITY 

Go Fish Digital’s internal systems and those that house or support client-facing technology and data follow robust technical standards for resiliency to ensure maximum uptime. This technology includes: 

  • Redundancy and high availability by design, eliminating single points of failure 
  • Geographically segregated facilities/computing locations, including backups stored in different regions from primary data 
  • Service provider, network, and supplier diversity 
  • Strict use of technology platforms that are recognized as best-of-breed within their service areas, providing a high degree of availability, software updates and patches, and support 
  • Virtualization providing for rapid portability and provisioning of systems and data 
  • Remote working technologies 

DISASTER RECOVERY 

Go Fish Digital’s formal disaster recovery program is based on the ISO 27031 standard and defines a purposeful and relevant approach to ensure survivability of internal and client-facing systems during a disaster event. The program includes the technical, administrative, and procedural measures required for effective preparation and response, including: 

  • Required policies and standards 
  • The program leadership and teams 
  • Objectives for availability and recovery, including RTO and RPO 
  • Classification of systems and assets for recoverability 
  • Planned processes and standards for operations and execution, including communications, critical decision-making, change management, and security incident response 
  • Risk impact assessment aligned with Go Fish Digital’s security risk assessment processes 

Together these measures constitute Go Fish Digital’s disaster recovery planning. Plans are updated annually to ensure effectiveness. Go Fish Digital maintains backup copies of production data in remote locations from primary data. Recovery tests for data are performed on a periodic basis. 

PANDEMIC AND REMOTE WORKING 

In addition to our technology availability and continuity plans, Go Fish Digital maintains a pandemic and remote working plan. Through this plan, Go Fish Digital is capable of efficiently transitioning our core business operations to a 100% remote workforce while sustaining customer services.