
Neostore Security Insurance Plan (SIP)


Security Insurance Plan

Introduction

Versions

Revisions

Person | Comments | Date
Cyril DURAND - Neostore CTO | Initial document | 10/10/2022
Stéphane OVISTE - OPSession Consultant Cyber | Major review | 22/09/2023
Cyril DURAND - Neostore CTO | Minor review | 27/09/2023

Authors

Role | Name and Title | Date
Author | Stéphane OVISTE - OPSession Consultant Cyber | 22/09/2023
Reviewed by | Benoît AYNES - OPSession Consultant Senior Cyber | 26/09/2023
Reviewed by | Cyril DURAND - Neostore CTO | 27/09/2023
Authorized by | Davy Dauvergne - Neostore CEO | 27/09/2023

SIP Responsibilities

NEOSTORE is responsible for the drafting, evolution, and application of the Security Insurance Plan (SIP).

Procedure for the Evolution of the SIP

The Security Insurance Plan may change during the project at the request of the service provider or NEOSTORE. NEOSTORE is responsible for drafting the initial SIP and its evolutions to meet the service provider's security requirements throughout the duration of the contract.

In case of evolution of the system, its environment, or the scope of the outsourcing operation, NEOSTORE checks whether the SIP needs to be modified. If so, it proposes an amendment to the provider. If the amendment is accepted, the SIP is revised and submitted to the provider for formal validation.

Applicability of the SIP

In case of non-compliance with the SIP, NEOSTORE is required to inform the service provider, reporting the origin of the non-compliance, the compensating measures taken, and the time required to resolve it.

NEOSTORE must submit a request for evolution if, for reasons attributable to it, it is no longer able to comply with certain clauses of the SIP.

Document Classification

This document is public.

Sponsor

This document was written by Opsession SAS on behalf of NEOSTORE in 2023.

Company and Software Description

Presentation of the Company

NEOSTORE is a French startup specializing in the development of a SaaS solution that enriches the in-store customer experience through data capture and wallet technologies. The NEOSTORE team has more than 15 years of experience in retail and e-commerce. Since 2020, NEOSTORE has been developing the eponymous software.

Software Overview

The software turns the mobile wallet into a new central space of the customer experience: a modern engagement channel that bridges the gap between physical and digital for marketing, commerce, service, and loyalty, without requiring customers to download an app.

The main features of the software are:

  • The collection of customer data and consents to simplify the capture of customer data in-store via optimized registration forms, accessible by QR code.
  • The dematerialization of cards in Wallets to increase traffic and retention through effective mobile marketing campaigns (Apple Cards and Google Wallet).
  • Protection of personal data to meet GDPR/CCPA regulatory compliance requirements through a unique technology for collecting proof of consent.

Presentation of the Offer

NEOSTORE is made available under a SaaS model, subject to this Security Insurance Plan, as an annual right of use with support and maintenance included.

Security of the SaaS Customer Environment

NEOSTORE develops in C# and React and hosts its data in Azure Cosmos DB (database) and Azure Blob Storage (object storage). All data is siloed and accessible only to the organization that owns it.

The architecture of the SaaS model offered by NEOSTORE is based on a database and an application infrastructure shared between several entities or organizations.

Specific security measures are put in place to guarantee the confidentiality of the data entered by the organization:

  • Data access rights are managed per organization. Server-side checks are systematically performed to ensure that the data returned to a user belongs to the organization of the authenticated user (silo system).
  • Within each silo (organization), a narrower, funnel-style access model is also available, with access rights (management/read/write) assigned manually and individually for each user and each project in the organization.

Organization of Information Security

Overview

In order to address security in the services offered to its customers, NEOSTORE has set up an information security organization covering the following scope:

Development, hosting, support, and maintenance of its NEOSTORE software

Information system security protects the production data entrusted by NEOSTORE's customers, or processed by them through the eponymous software.

The objective of the information security organization is to define a precise framework for security management within NEOSTORE, in order to guarantee the availability, integrity, and confidentiality of the data entrusted and the software against the main risks, such as intrusion, data alteration, disclosure or loss of data and misuse of software.

The information security organization follows a logic of continuous improvement based on the Deming Wheel (Plan-Do-Check-Act):


To achieve the objectives set, NEOSTORE implements the following security governance:

  • Top-Down Strategy:
    • Intended for all NEOSTORE employees included within the scope of the organization.
    • To define and communicate what needs to be done, through Policies, Procedures, and Operating Procedures.
  • Bottom-Up Strategy:
    • To measure, evaluate, and improve what has been done by NEOSTORE employees.


Information Security Roles and Responsibilities

Managing Director

NEOSTORE is represented by its CEO, who is responsible for the technical, functional, and contractual aspects. The CEO's missions include:

  • Ensuring that overall security considerations are addressed.
  • Assisting the service provider's teams.
  • Deciding on actions based on audit results, incidents, or advice reported by the service provider.
  • Validating all actions related to project security management.
  • Handling information security (SSI) reporting between NEOSTORE and the service provider.

Technical Director

The Technical Director is responsible for the operational implementation of all technical security actions within the infrastructure and operation of the NEOSTORE software. The Technical Director assists the CEO of NEOSTORE in relationships with service providers on all technical subjects.

Data Protection Officer (DPO)

The outsourced DPO guarantees NEOSTORE’s compliance with regulations relating to the protection of personal data. The DPO ensures compliance with the General Data Protection Regulation (GDPR), defines and implements a processing management procedure, and ensures that it is considered within the company. The DPO is the point of contact for the service provider for all issues related to personal data processed by NEOSTORE.

For questions regarding documentation about personal data: privacy@neostore.cloud

Organizational Security Measures

Information Security Policies

NEOSTORE formalizes an information system security policy (ISSP) defining the security rules to be implemented in response to identified risks and applicable regulatory and contractual requirements. This ISSP is then operationally broken down into ancillary policies, operational procedures, or thematic operating procedures specifying the measures to be implemented. Documentation relating to information security is made available to all NEOSTORE staff according to each person’s needs. This documentation is regularly updated (at least annually) to consider changes related to the scope, regulations, or cyber context.

Information Security Duties and Responsibilities

NEOSTORE sets up an internal organization dedicated to the development, support, and maintenance of the NEOSTORE software. This organization is divided into two components:

  • An operational component, where the technical department carries out the actions and identifies blocking points to be arbitrated.
  • A management component, both operational and strategic, where NEOSTORE managers meet monthly to arbitrate blocking points and measure the achievement of objectives.

Contacts with Specific Interest Groups and Threat Intelligence

Given the nature of its business, NEOSTORE and the teams involved in the development, support, and maintenance of the software maintain close relationships with specialized information security working groups. NEOSTORE regularly consults the advisories of the CERTFR of the French National Agency for the Security of Information Systems (ANSSI) and monitors in particular topics relating to Microsoft Azure, CloudFlare, and Auth0.

Asset Responsibilities

Rules for the use of NEOSTORE's information assets are communicated to all employees within the scope. For each confidentiality level of the information handled, these rules stipulate the security practices to be applied. In addition, the media used for information processing and for the activities within the scope are protected against unavailability, alteration, and disclosure:

  • Data stored on workstations is backed up to an ISO 27001 certified host.
  • Hard drives are encrypted.
  • Anti-malware software is installed and regularly updated.
  • Operating systems and applications are updated automatically or by employees who have been made aware of the need.
  • System and application updates are monitored through dedicated tooling.

Access Control and Identity Management

Initial access to the NEOSTORE solution is initiated by the customer, who is responsible for creating an account on the system. NEOSTORE reviews this account and grants access to the appropriate resources. The customer can sign in using an SSO provider or a login/password with a password policy imposed by NEOSTORE.

The organization manager's account is managed by NEOSTORE through Auth0, an outsourced identity provider. Communication between Auth0 and the NEOSTORE infrastructure uses OAuth 2.0 to secure the exchange and to maintain the password policy.
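The two controls described above, the silo check performed server-side on every data access and the reliance on an external identity provider, meet at one point: the organization a user belongs to must come from the verified identity token, never from the request body. The block below is an added illustration written for this page; it is not NEOSTORE's code and is not tied to its C#/Cosmos DB stack. It assumes an HS256 token with a shared demo secret (a real Auth0 integration signs with RS256 and is verified against the tenant's JWKS), a hypothetical issuer and audience, and constructed records and per-project rights.

```python
"""Added illustration (not Neostore code): validate an IdP-issued bearer token,
then scope every data access to the organisation carried in the verified token.
Assumptions: HS256 with a shared demo secret stands in for Auth0's RS256/JWKS;
issuer, audience, records and rights below are all constructed for the demo."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://example-tenant.auth0.com/"   # assumed issuer URL
AUDIENCE = "https://api.example.invalid/"      # assumed API identifier
SECRET = b"constructed-demo-secret"            # constructed; real deployments verify RS256 via JWKS


class TokenError(Exception):
    """Raised for any token that must not be trusted."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT; stands in for the identity provider in this demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Check signature first, then issuer, audience and expiry; reject anything else."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise TokenError("unexpected alg")      # refuses alg=none and key-confusion tricks
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise TokenError("expired")
    return claims


# Constructed data: every record carries its owning organisation (the silo),
# and rights inside a silo are granted per user and per project.
RECORDS = {
    "rec-1": {"org_id": "org-A", "project": "p1", "body": "org-A customer list"},
    "rec-2": {"org_id": "org-B", "project": "p9", "body": "org-B customer list"},
}
PROJECT_RIGHTS = {("user-1", "p1"): "read"}   # (subject, project) -> management/read/write


def get_record_insecure(request: dict) -> dict:
    """Anti-pattern: the org_id used for the check is whatever the client sent."""
    rec = RECORDS[request["record_id"]]
    if rec["org_id"] != request["org_id"]:
        raise PermissionError("forbidden")
    return rec


def get_record(token: str, record_id: str, now=None) -> dict:
    """Hardened: org_id and subject come only from the verified token."""
    claims = verify_jwt(token, now=now)
    rec = RECORDS.get(record_id)
    # A record from another silo answers exactly like a missing one, so a caller
    # cannot enumerate other organisations' identifiers.
    if rec is None or rec["org_id"] != claims["org_id"]:
        raise LookupError("not found")
    if PROJECT_RIGHTS.get((claims["sub"], rec["project"])) not in ("management", "read", "write"):
        raise PermissionError("no right on this project")
    return rec


if __name__ == "__main__":
    now = 1_700_000_000
    tok = sign_jwt({"iss": ISSUER, "aud": AUDIENCE, "exp": now + 600,
                    "sub": "user-1", "org_id": "org-A"})
    print(get_record(tok, "rec-1", now=now)["body"])
    try:
        get_record(tok, "rec-2", now=now)
    except LookupError as e:
        print("cross-silo read refused:", e)
    # Same user, but the insecure variant lets the client name the silo.
    print(get_record_insecure({"record_id": "rec-2", "org_id": "org-B"})["body"])
```

The order of checks in verify_jwt matters: the signature is verified before any claim is read, so a forged payload never influences the issuer, audience or expiry decision, and the algorithm is pinned so a token declaring a different alg is rejected outright. In get_record a cross-tenant identifier is answered with the same "not found" as a nonexistent one, which keeps the silo boundary from leaking which identifiers exist in other organizations.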

Relationship with Suppliers

Each new supplier is subject to a security analysis to identify the risks inherent in the subcontracted services and the security requirements to be integrated into the contracts. Audits may be carried out by NEOSTORE with its subcontractors, for periodic inspection or in the event of an incident. Suppliers working within the perimeter must at least comply with NEOSTORE’s Information System Security Policy and the IT charter. An NDA (Non-Disclosure Agreement) is established with third parties, obligating them to maintain discretion and commit to preserving the confidentiality of information processed within NEOSTORE.

Information Security Incident Management

NEOSTORE implements a process for handling incidents related to information security:

  • Identifying alerts.
  • Formalization of the alert within an incident ticket and qualification of the incident (security or not).
  • Treatment of the security incident with the implementation of corrective actions by the personnel concerned.
  • Causal analysis of the incident.
  • Lessons learned from past incidents and implementation of a continuous improvement process.

Each security incident is subject to traceability and specific tracking.

Business Continuity

A business continuity plan for NEOSTORE’s strategic activities is defined by the General Management to compensate for any unavailability of staff or prolonged shutdown of sensitive systems and applications. This business continuity plan defines:

  • The SPOF (Single Point of Failure) of the NEOSTORE IT and the protective measures put in place to reduce their importance.
  • Potential major disasters that could trigger a crisis.
  • The means implemented and operational modalities to ensure the continuity of vital functions of NEOSTORE production following a crisis situation.
  • The roles and activities of each participant.
  • How to switch to degraded mode or fallbacks.

In accordance with the procedure for integrating security into the relationship with suppliers, any critical activity subcontracted to a third-party company (e.g., host) must be subject to a sensitivity assessment that identifies the need and possible consequences of a loss of availability. As a result, a contract is formalized with the expected service levels in accordance with the expressed needs.

Regarding access to the application, the following information is contractualized:

  • Availability rate: 99.5%

Compliance with Regulatory and Contractual Obligations and Protection of Privacy and Personal Data (PD)

An Outsourced Data Protection Officer (DPO) is appointed and is responsible for ensuring compliance with expected regulatory practices. In its GDPR compliance approach, NEOSTORE has documented a mapping of personal data processing to constitute its mandatory register. The following internal processes are in place:

  • Integration of GDPR obligations for the protection of personal data upstream of the design of an application (privacy by design).
  • Employee awareness.
  • Management of personal data breaches through the security incident management process.
  • Organization and processing of complaints and requests from data subjects exercising their rights.

The following external process is in place:

  • Contractualization of a Data Processing Agreement regarding protection of personal data as necessary with customers.

Compliance with Information Security Policies, Rules and Standards

The Executive Department of NEOSTORE is responsible for conducting a program of audits of compliance with the Information System Security Policy. The objective of this program is to verify the correct and compliant application of the policy by the various entities concerned. The controls carried out are specified within a three-year audit program defined by the CEO and concern:

  • Compliance audits with regard to the Information System Security Policy.
  • Technical audits to consider technical security rules and requirements.

Technical audits are carried out on the sensitive components identified within the risk analysis, in the form of penetration tests:

  • In “black box” mode: tests are carried out from the Internet without any prior knowledge. The auditor starts with no technical information about the platform tested and no credentials; only public information such as IP addresses or URLs is usually provided. This type of test requires the tools and methods an attacker would use to break into a remote system about which they have no information. The objective is to assess the system's resistance to attacks from the Internet.
  • In “grey box” mode: the auditor has limited, selected information in order to measure the risk in a realistic situation. For example, valid credentials may be provided to assess the extent of the risk if a privileged user is impersonated. This type of test verifies whether a user of the entity can elevate their privileges beyond their authorized scope of use, or retain access after their engagement with the entity has ended.

Each test carried out, whether organizational or technical, results in an audit report expressing the non-conformities found and the curative, corrective, and preventive actions to be implemented. These actions are analyzed and integrated into the monitoring of security actions managed by the CEO.

Security Measures Applicable to Persons

Staff Security

Recruitments carried out by NEOSTORE are conducted in accordance with local legislation and implement checks adapted to the missions envisaged. The signing of the employees’ employment contract entails a duty of reserve and a commitment of confidentiality on the information processed as part of NEOSTORE’s missions and the software.

Information Security Awareness and Training

NEOSTORE’s Executive Department is responsible for applying the security rules concerning its employees, trainees, and service providers. All employees are trained in security through their university education and professional experience. A presentation of the ISSP rules and of good information security practices is given.

Management of Staff Inputs, Exits and Movements

A process for managing arrivals, movements, and departures is set up to manage the staffing and physical and logical access of any person accessing or leaving the IS (employees, service providers, trainees).

Physical Security Measures

Clean Desk and Blank Screen

The technical and functional teams that develop, support, and maintain the NEOSTORE software work remotely. The IT charter is therefore formalized to meet the clean desk and blank screen rules and specifies the rules for managing removable storage media.

Technological Security Measures

Privileged Access Rights and Secure Authentication

All the resources composing the NEOSTORE IS (infrastructure, operation) require identification and authentication of the administrator:

  • Identification is nominative. No generic account is used for common tasks. Generic high-privilege accounts are used only as a last resort, and their access is subject to rigorous traceability and secure storage.
  • Authentication is strong: a login/password pair plus a second authentication factor, with a strong password policy following the recommendations of ANSSI (French National Agency for the Security of Information Systems).

Access to Source Codes

Access to source code is secured through practices designed to prevent the introduction of unauthorized functionality, prevent unintentional or malicious modifications, and maintain the confidentiality of important intellectual property.

Malware Protection

For Azure Cloud Services

The services are protected by Microsoft Defender for Cloud (formerly Azure Defender), whose signature database and application are continuously updated. Alerts are centralized and processed by NEOSTORE’s Technical Department.

For Workstations

The workstations of NEOSTORE employees are all equipped with constantly updated antivirus software (Microsoft Defender or Apple XProtect).

Technical Vulnerability Management

NEOSTORE’s services are covered by Dependabot and GitHub Advanced Security for Azure DevOps, which allow NEOSTORE’s management to identify vulnerable components and enforce the deployment of security patches on each asset. These tools cover the application's declared dependencies and source code; the patch level of the underlying Azure platform services is not within their scope.

Backup and Restore

For Azure Cloud Services

The backup strategy is as follows:

  • Continuous (real-time) incremental backup.
  • Retention of all incremental backups for a rolling 90 days.

Development, support, and maintenance data is backed up in real time, using the same process. Backups are processed in a manner that ensures confidentiality, integrity, and availability.

For Workstations

Employee data is backed up in real time through the use of a synchronization tool hosted in an ISO 27001 certified datacenter.

Logging and Monitoring

Each IS resource has a logging mechanism to record security events. These logs are time-stamped using approved time sources, protected, and retained for one year. Only authorized members of NEOSTORE’s Technical Department can access logged events, and only upon request from authorized personnel or in the event of a proven incident.

Network Security

Hardening Network Equipment Configurations

The security configuration of network infrastructure devices (firewall, proxy, …) is controlled.

Network Administration

Networks are administered and managed to protect information in systems and applications appropriately. The following minimum requirements must be met:

  • The same NEOSTORE application and data access control measures apply to access to network services.
  • Only users authorized by NEOSTORE can be authenticated in the network using strong authentication.

Network Silos

The NEOSTORE IS is segmented into several logical networks, each with a homogeneous level of security. Flow filtering is set up, kept up to date, and reviewed regularly. The following minimum requirements for network zoning must be met:

  • Systems and devices with different levels of trust are located in separate network zones.
    • Systems providing services to external networks (e.g., the Internet) are placed in dedicated zones (demilitarized zones).
  • Different types of systems and devices are located in separate security zones.
    • NEOSTORE employees’ computers are in different security zones than cloud services.
    • Development and test systems are located in different areas of production systems.
  • It is guaranteed that systems with strictly confidential or secret data can be placed in separate network zones.

Filtering Incoming and Outgoing Flows

Network entry and exit points are controlled, organized, and approved. The configuration of firewalls, and in particular the rules for opening protocols and flows, are subject to validation and regular monitoring by NEOSTORE’s Technical Department, which ensures the legitimacy of requests to open flows. New rules or changes to existing configurations for the network infrastructure are formally approved by the Technical Department.

Detection of Intrusion Attempts

Intrusion Detection Systems are implemented. Indicators of intrusion attempts are monitored to detect and prevent security incidents.

Securing Services Published on the Internet

All services exposed on the Internet are protected by a properly configured web application firewall. Each service publication must be validated by the Technical Department and configured in the web application firewall.

Cryptography

There is a process to manage the creation, renewal, and revocation of certificates purchased externally from certified entities such as Microsoft and CloudFlare PKIs.

Secure Development Lifecycle

Engineering and Architecture and Secure Systems

Secure application development rules meet the following minimum requirements:

  • Secure programming techniques are used both for developing new applications and for reusing and modifying existing code.
  • Application development considers best practices and development security standards for the programming language used.
  • When developing web applications, the principles of software development according to OWASP (Open Web Application Security Project) are applied.

Development Approach

The development approach is based on the Agile method:

  • Regular deployment of updates, making the production process more reliable.
  • Regular testing, as early as possible.
  • Testing performed in a production-like staging environment.
  • Continuous integration including continuous testing.
  • Short improvement loop considering user feedback and improvements.
  • Close monitoring of operation and production quality.

Security in Projects

Information security requirements are added to the requirements of new information systems or modified for existing information systems. They are based on applicable specifications, identified vulnerabilities, and threat scenarios, considering the required level of protection of the data and business processes involved.

For projects, a security study is appropriate and may take the form of a risk analysis (for very sensitive projects). The entire process of integrating security into projects is handled through change management at the NEOSTORE Steering Committee.

Secure Development Environment

Secure development environments are configured for development and systems integration projects. These cover the entire system development cycle and provide adequate protection. The following considerations are taken into account when setting up a secure development environment:

  • Sensitivity of the data to be processed, stored, and transmitted by the system.
  • The required segregation of development environments.
  • Control of access and data traffic to/from the development environment.
  • Monitoring changes to the environment and the code stored in it.
  • Storage of backups in secure external locations.

Security Requirements for Third-Party Developments

NEOSTORE reserves the right to call on external developers to strengthen its technical teams. Outsourced development activities are adequately supervised and controlled. The following aspects are considered:

  • Outsourced development is limited to the graphical (front-end) aspect of the NEOSTORE software.
  • Development activities are located in France.
  • Documentary evidence is submitted showing that sufficient reviews have been conducted to ensure that:
    • Upon delivery, no intentionally or unintentionally embedded malicious code is present.
    • The existence of known vulnerabilities can be excluded.
  • Escrow agreements are in place.
  • NEOSTORE has a contractual right to review the subcontractor’s development processes and control measures.

Change Management

For new information systems, evolutions, and new versions, acceptance test programs and associated criteria are defined before going into production. No release to production is authorized without the formal agreement of the NEOSTORE Steering Committee, after analysis of how security was considered in the tests carried out.

The change control process includes:

  • A reference to specifications, testing, quality control, approval, and implementation.
  • An analysis of the impact of changes and specification of the necessary security controls.
  • Adequate version control for all software updates.

Test Information

NEOSTORE generates fictitious test data in order not to use its customers’ production data.
