Security Policy

Goals and implementation program of the Masterplan.com Security Policy

Version 2.0 on 04.12.2022
Content of this page
  1. Information Security
  2. Personnel Security
  3. Information Protection Policy
  4. Access Control
  5. Security Principles for Network Communication
  6. Data Security
  7. Security Policy for end-user devices (stationary and mobile)
  8. Data Security: Physical and Environmental Controls
  9. Communication and Operations Management
  10. Masterplan.com supply chain security and assurance
  11. Data Protection @ Masterplan.com
  12. Response to incidents
  13. Risk Management Resilience Program

Objectives

The security policy adopted by the management of Masterplan.com is implemented as part of a program. Its purpose is to ensure the protection goals of information security, namely the confidentiality, availability and integrity of data, IT systems and their infrastructure.
Corporate values of Masterplan.com that require a high level of protection are:
  1. The eLearning platform
  2. Masterplan.com source code and other sensitive data
  3. Personal and other sensitive information that Masterplan.com collects in the course of its operations, including customer, partner, supplier and employee data processed in Masterplan.com's internal IT systems
Masterplan.com's aim is to ensure that Masterplan.com's products, and the components and systems necessary for their operation, are protected to the fullest extent possible against, for example, theft of information, willful or malicious modification of software, inappropriate use and external threats.
The developers of the Masterplan.com platform take into account the principle of secure design at every stage of the product development and software life cycle.
This applies to the phases of specification, development, testing and maintenance of products.

Industry Standards and Certifications

Masterplan.com's security policies cover security management for both Masterplan.com's internal organization and for services Masterplan.com provides to its clients.
The security policies apply to all Masterplan.com personnel, as well as external employees, service providers and contractors. They are aligned with ISO/IEC 27002:2013, ISO/IEC 27001:2013 and TISAX standards and are authoritative for all defined security areas within Masterplan.com.

Organization of Information Security Management

Information security management is the responsibility of the CISO (Chief Information Security Officer) appointed by the Executive Board. This position is established as a staff position at Masterplan.com and reports directly to the Executive Board.
Tasks include strategic planning and development of concepts, standards and guidelines for information security; technical implementation of IT security; and management and coordination of security measures in compliance with standards (Information Security Process Management, ISO 27001 and TISAX).
In addition, the CISO is responsible for coordinating and training the security coordinators of the business units; incident and configuration management; and the continuous analysis and optimization of IT security strategies in line with business processes.
Furthermore, this person organizes the analysis and assessment of risks to the security of information (across divisions and locations); the planning and implementation of security concepts in close cooperation with the specialist departments and IT; as well as the execution and support/supervision of audits.
This person is responsible for organizing and coordinating awareness-raising and training measures on the subject of information security.
The Chief Information Security Officer (CISO) leads the department directly responsible for identifying and implementing security measures at Masterplan.com. This department drives the company's security program, defines the company's security policies, assesses compliance and provides operational oversight of the multi-dimensional aspects of Masterplan.com's security policies and practices:
  1. Information Security
  2. Physical Security
  3. Security Structure

Information Security

Overview
At Masterplan.com, information security means security oversight, compliance and enforcement and conducting information security assessments.
This forms the basis for developing an information security policy and strategy as well as training and raising awareness among staff.
The entity responsible for information security serves as the primary point of contact for security incident response and provides overall direction for incident prevention, identification, investigation and resolution.
The Information Security Program is dedicated to maintaining the confidentiality, integrity and availability of Masterplan.com information resources. This includes the focus areas of:
  1. The definition of technical corporate standards to ensure security, privacy and compliance

Information Security Manager

The Information Security Manager (ISM) manages the information security implementation program. The Information Security Manager serves as the business unit security officer to increase awareness of and compliance with security policies, processes, standards and initiatives within Masterplan.com.

Physical Security

Overview
Physical security at Masterplan.com means defining, developing, implementing and managing all aspects of physical security to protect Masterplan.com's employees, company facilities and assets.
Risk Based Approach
Masterplan.com uses a risk-based approach to continuously assess risks and improve physical and environmental security. The goal is to effectively balance prevention, detection, protection and response while maintaining a constructive work environment that fosters innovation and collaboration among Masterplan.com employees, partners and customers.
Masterplan.com conducts regular risk assessments to ensure that proper and effective risk mitigation measures are used and maintained.

Supervision of the Security Structure

Overview
The Masterplan.com Security Architect (SAC) assists the organization in defining the technical and organizational direction of information security and in developing and deploying information security and identity management solutions.
The Security Architect collaborates with Information Security and Software Development, communicating and implementing enterprise security architecture roadmaps.
The Enterprise Security Architecture manages a variety of programs and utilizes various methods of collaboration with leadership and security teams responsible for operations, services, cloud and all other Masterplan.com business units.
  1. Pre-assessment: Risk management teams in each business unit must perform a pre-assessment of each project based on the approved template
  2. The security architecture team reviews the submitted plans and performs a technical security design review
  3. Security assessment review: Based on the level of risk, systems and applications undergo a security review prior to production deployment

Personnel Security

Overview
Masterplan.com sets high standards for employees for ethical business conduct at all levels of the company. These include Masterplan.com employees as well as contractors and customers. They cover legal and regulatory compliance as well as business conduct and relationships. Masterplan.com trains its employees in ethics and business conduct every two years.
Security Focus
The company continuously implements initiatives that help minimize risks associated with human error, theft, fraud and misuse of facilities. These measures ensure that only trusted and well-trained personnel, acting with appropriate privacy and information security awareness, work for Masterplan.com.
Confidentiality
Masterplan.com employees are required to maintain the confidentiality of customer information. Employees agree to maintain confidentiality on all business transactions upon joining the company and to comply with company policies protecting sensitive information as part of their initial terms of employment. Subcontractors and relevant service providers are regularly audited by Masterplan.com for compliance with Masterplan.com policies.
Training and further development of security awareness
Masterplan.com promotes security awareness and trains its employees on a regular basis.
Each employee agrees to complete information security awareness training upon hire and every two years thereafter. This training educates employees on compliance with Masterplan.com's privacy and security policies and principles.
Implementation
Security reviews and audits are conducted periodically to ensure compliance with Masterplan.com's information security policies, procedures and practices.

Masterplan.com Information Protection Policy

Overview
Masterplan.com's Information Protection Policy applies to all information and data generated in Masterplan.com's operations and addresses how employees and business partners should use and apply information classification schemes.
Masterplan.com categorizes information and data into four classes - public, internal, confidential, and highly confidential - with each classification requiring appropriate security measures, such as encryption requirements for data classified as confidential or highly confidential.
Training and Awareness
During Masterplan.com's mandatory training, employees are informed about the company's privacy policy. Employees must complete this training when they join Masterplan.com and repeat it periodically thereafter.
System Inventory
Developing and maintaining an accurate system inventory is a necessary element for effective overall information system management and operational reliability. Masterplan.com's Information Systems Inventory Policy requires that an accurate and up-to-date inventory be maintained for all information systems that contain critical and highly critical information assets in Masterplan.com infrastructures.

Masterplan.com Access Control

Introduction
Access controls refer to the policies, procedures, and tools that govern the access to and use of resources. Examples of resources include a physical server, a file, a directory, a service running on an operating system, a table in a database or a network protocol.
  1. Least Privilege is a system-oriented approach in which user privileges and system functionality are carefully evaluated and access is limited to the resources that users or systems need to perform their tasks
  2. Default deny is a network-oriented approach that implicitly denies the transmission of all traffic and then specifically allows only the required traffic based on protocol, port, source and destination
Masterplan.com's Access Control Policies and Practices
Masterplan.com's Logical Access Control Policy applies to access control decisions for all Masterplan.com employees and all information processing facilities for which Masterplan.com has administrative authority. This policy does not apply to publicly accessible, Internet-facing Masterplan.com systems or end users.
Privilege Administration
Authorization depends on successful authentication, because controlling access to a resource first requires establishing the identity of the requesting entity or person. All Masterplan.com authorization decisions for granting, approving, and verifying access are based on the following principles:
  1. Need to know: Does the user need this access for their job function?
  2. Separation of duties: Does the access create a conflict of interest?
  3. Least Privilege: Is access limited to only those resources and information necessary for a legitimate business purpose?
User Password Management
Masterplan.com enforces strong password policies for the Masterplan.com network, operating system and database accounts to reduce the chances of intruders gaining access to systems or environments by exploiting user accounts and associated passwords.
Periodic Review of Access Rights
Masterplan.com regularly reviews network and operating system accounts with respect to appropriate employee access levels. In the event of employee termination, death or resignation, Masterplan.com will take appropriate action to immediately terminate network, telephony and physical access.
Password Guideline
The use of passwords is covered in the Masterplan.com Password Policy. Masterplan.com employees are required to follow rules regarding the length and complexity of passwords and to keep their passwords confidential and secure at all times. Passwords may not be disclosed to unauthorized persons. Under certain circumstances, authorized Masterplan.com employees may share passwords for the purpose of providing support services.
Network Access Measures
Masterplan.com has implemented and maintains strong network measures to ensure the protection and control of customer data as it moves from one end system to another. Masterplan.com's Network Service Usage Policy states that endpoints connected to the Masterplan.com network must meet well-established standards for security, configuration, and access method.

Security Principles for Network Communication

Overview
To manage network security and network management devices, Masterplan.com requires IT staff to use secure protocols with authentication, authorization, and strong encryption. Network devices must be in an environment that is protected and defined by physical access controls and other standards for physical security measures.
Communications to and from the Masterplan.com corporate network must be routed through network security devices at the perimeter of the Masterplan.com internal corporate network.
Vendor and third party access to the Masterplan.com corporate network is subject to restrictions and prior approval by Masterplan.com's Third Party Network Access Policy.
Asset Management
Network devices must be registered in a Masterplan.com approved information system inventory in accordance with Masterplan.com policy. This policy requires inventory and documented ownership of all information systems that process critical and highly critical information assets throughout their lifecycle using an approved inventory system.
Wireless Networks
The Masterplan.com Wireless LAN Policy governs the deployment and use of wireless networks and connectivity to access the Masterplan.com corporate network. Masterplan.com manages wireless networks and monitors unauthorized wireless networks.

Data Security

Introduction
Masterplan.com's Information Asset Classification determines the company's data security requirements for Masterplan.com-managed systems. Masterplan.com policies and standards provide guidance on appropriate measures to protect the confidentiality, integrity and availability of enterprise data in accordance with the data classification. The required mechanisms are designed to be consistent with the type of enterprise data being protected. For example, security requirements are higher for sensitive or valuable data such as cloud systems, source codes and employment records.
Masterplan.com's enterprise security measures fall into three categories: Administrative, physical and technical measures.
  1. Administrative measures, including logical access control and personnel processes
  2. Physical measures intended to prevent unauthorized physical access to servers and data processing environments
  3. Technical measures, including secure configurations and encryption of data at rest and data in transit
In addition, Masterplan.com has formal programs in place to guide the development of the platform. This covers every phase of the product development lifecycle and is Masterplan.com's methodology for building security into the design, build, testing and maintenance of its platform.

Masterplan.com Security Policy for End Devices (Stationary and Mobile)

Introduction
Masterplan.com policy mandates the use of antivirus, IPS, and firewall software on endpoints - to the extent possible. In addition, automated security updates and virus signature updates must be enabled on all end devices. Any endpoints that process Masterplan.com or customer data will be encrypted with approved software.
Protection against malicious code
Masterplan.com employees must follow Masterplan.com's email instructions and are responsible for promptly reporting to the Masterplan.com employee help desk any virus or suspected virus infection that cannot be remedied by antivirus software.
Employees are prohibited from modifying, disabling or removing antivirus software and the Security Update Service from any computer. Any Masterplan.com employee who violates this standard may be subject to disciplinary action which may include termination of employment.
End Device Encryption
To protect sensitive Masterplan.com information, Masterplan.com employees must install Masterplan.com-approved encryption software on their endpoints.
Mobility Management for Enterprises
Masterplan.com deploys a mobile device management solution to protect employee-operated mobile device data. These solutions support all major mobile device operating systems and platforms. Masterplan.com's IT and security organizations regularly promote mobile device security awareness and best practices.

Data Security: Physical and Environmental Controls

Risk Based Approach
Global Physical Security uses a risk-based approach to physical and environmental security. The goal is to balance prevention, detection, protection and response while maintaining a positive work environment that fosters innovation and collaboration among Masterplan.com employees and partners. Masterplan.com conducts regular risk assessments to confirm that the correct and effective mitigation measures are in place and being maintained.

Preventive Measures: Protection of Masterplan.com Assets and Employees

Masterplan.com has implemented the following protocols:
  1. Physical access to the facilities is limited to Masterplan.com employees, contractors and authorized visitors.
  2. Visitors are required to be escorted and/or observed when on Masterplan.com premises and/or bound by the terms of a confidentiality agreement with Masterplan.com
  3. Masterplan.com monitors possession of keys/access cards and ability to access facilities. Employees who leave employment with Masterplan.com must return keys/cards, and keys/cards will be deactivated upon termination
Data Center Security
Masterplan.com's platform runs in data centers that help protect the security and availability of customer data. This approach begins with Masterplan.com's site selection process. Data centers meet ANSI/TIA-942-A Tier 3 or Tier 4 standards set by the Uptime Institute and Telecommunications Industry Association (TIA). Data centers hosting the Masterplan.com platform use redundant power sources and maintain generator backups in the event of a widespread power outage. They are closely monitored for air temperature and humidity, and fire suppression systems are in place. Data center staff are trained in incident response and escalation procedures to respond to potential security and availability events.

Masterplan.com Communication and Operations Management

Introduction
Masterplan.com's security programs are designed to protect the confidentiality, integrity and availability of both Masterplan.com and customer data. Masterplan.com continually works to strengthen and improve the Company's security measures and practices for its internal operations and services.
Acceptable Use and Masterplan.com Employees
Masterplan.com has formal requirements for the use of the Masterplan.com corporate network, computer systems, telephony systems, messaging technologies, Internet access and other corporate resources available to Masterplan.com employees and contractors.
Separation of Duties and Awareness of the Principles
Masterplan.com enforces clearly defined roles that enable segregation of duties among operations personnel. Operations are organized into functional groups, with each function performed by a separate group of employees. Examples of functional groups include database administrators, system administrators and network engineers. See the Masterplan.com Access Control section above for details.
Monitoring and Protecting Audit Log Information
Masterplan.com logs certain security-related activities on operating systems, applications, databases and network devices. Systems are configured to provide a record of access to Masterplan.com programs, as well as system alerts, console messages and system errors. Masterplan.com implements controls to protect against operational problems, failure to record events, and log overwriting.
Masterplan.com reviews logs for forensic purposes and incidents and identifies anomalous activity that feeds into the security incident management process. Access to security logs is granted on a need-to-know and least-privilege basis. Where possible, log files are protected by strong cryptography in addition to other security controls, and access to them is monitored. Logs generated by systems that are accessible via the Internet are moved to systems that are not accessible via the Internet.
Asset Management
Masterplan.com's inventory management for information systems requires an accurate inventory of all information systems and devices that contain critical and highly critical information assets throughout their lifecycle via a Masterplan.com inventory system. This policy defines the required identification attributes to be recorded for server hardware, software, data held on information systems and information needed for disaster recovery and business continuity purposes.
Communication Technology
Masterplan.com manages enterprise solutions for collaboration and communication within Masterplan.com and with external parties. Masterplan.com's policies require that employees use these approved corporate tools when handling confidential information.
Masterplan.com has defined standards for secure information sharing with suppliers and other third parties.

Masterplan.com Supply Chain Security and Assurance

Introduction
Masterplan.com customers around the world rely on the Masterplan.com platform to protect their data. As a global company, Masterplan.com takes great care in the development and distribution of its platform.
Masterplan.com has formal policies and procedures in place to ensure the security of its supply chain. These policies and procedures explain how Masterplan.com selects the third-party vendors whose components are embedded in the Masterplan.com platform.
Masterplan.com also has formal requirements for its suppliers and partners to certify that they will protect Masterplan.com and third-party data and assets entrusted to them. The Supplier Information and Physical Security Standards describe the security measures that Masterplan.com's suppliers and partners must adhere to:
  1. Access to Masterplan.com and Masterplan.com customers' facilities, networks, and/or information systems.
  2. Handling Masterplan.com confidential information and Masterplan.com hardware assets in possession
In addition, Masterplan.com suppliers are required to adhere to the Masterplan.com Code of Conduct, which provides guidelines regarding the security of confidential information and intellectual property of Masterplan.com and third parties.
Overview
Masterplan.com's supply chain risk management practices focus on quality, availability, continuity of supply and resilience in Masterplan.com's direct supply chain, as well as authenticity and security of the Masterplan.com platform and services.
Other security processes focus on safety and product protection during transportation, shipping, and storage.

Data Protection at Masterplan.com

Our privacy policy can be viewed at https://masterplan.com/en/privacy-policy
Overview
Following recommended practices in common security standards issued by the International Organization for Standardization (ISO) and other industry sources, Masterplan.com has implemented a variety of preventive, detective and corrective security measures with the goal of protecting information assets.
Network Protection
Masterplan.com's network protections include solutions to ensure service continuity and defend against denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks.
Events are analyzed using signature detection, which matches environment settings and user activity against a database of known attack patterns. Masterplan.com updates the signature database frequently.
Monitoring and Incident Alerts
Alerts are sent to Masterplan.com's security team for review and response to potential threats. These alerts are monitored 24x7x365.

Response to Incidents

Masterplan.com evaluates and responds to incidents that raise suspicion of unauthorized access to or handling of customer data, whether the data resides on Masterplan.com hardware assets or on the personal hardware assets of Masterplan.com employees. Masterplan.com's Information Security Incident Reporting and Response Policy defines incident reporting and response requirements. This policy authorizes the security organization to act as the primary point of contact for security incident response and to provide overall direction for incident prevention, identification, investigation, and resolution.
Corporate requirements for incident response programs and response teams are defined per incident type:
  1. Validation that an incident has occurred
  2. Communication with relevant parties and notifications
  3. Preservation of evidence
  4. Documentation of the incident itself and the associated response activities
  5. Containment of an incident
  6. Elimination of an incident
  7. Escalation of an incident
Upon discovery of an incident, Masterplan.com defines an incident response plan for rapid and effective incident investigation, response and recovery. A root cause analysis is performed to identify appropriate actions to improve the security posture and to work out mitigations in detail. Formal procedures and centralized systems are used to gather information and maintain a chain of custody during the investigation of an incident. Masterplan.com is able to support legally permissible forensic data collection as needed.
Notifications
In the event that Masterplan.com determines that a security incident has occurred, Masterplan.com will immediately notify all affected customers or other third parties in accordance with its contractual and legal obligations. Information about malicious attempts or suspected incidents is confidential to Masterplan.com and will not be disclosed to outside parties. Incident history is likewise Masterplan.com Confidential and will not be shared externally.
Security Vulnerabilities
To report a security weakness to Masterplan.com, please use the following e-mail address: informationssicherheit@masterplan.com

Risk Management Resilience Program (RMRP)

Masterplan.com Risk Management Resilience Policy
Masterplan.com's Risk Management Resilience policy defines requirements and standards for business interruption events. It also establishes the functional roles and responsibilities required to establish, maintain, test and evaluate the business continuity capability for Masterplan.com across business units and locations. It defines responsibilities for monitoring compliance with the program. The policy mandates an annual operating cycle for planning, assessment, training, validation and executive approvals for critical business operations.
Risk Management Resilience Program
The objective is to provide a business resiliency framework to enable efficient response to business disruption events that impact Masterplan.com operations.
The RMRP approach consists of several sub-programs: Initial Emergency Response to Unplanned and Urgent Events, Serious Incident Crisis Management, IT Disaster Recovery, and Business Continuity Management. The goal of the program is to minimize negative impacts to Masterplan.com and maintain critical business processes until regular operating conditions are restored.
Each of these sub-programs is a distinct discipline in its own right. However, by consolidating emergency response, crisis management, business continuity, and disaster recovery, they become a robust, collaborative and communicative system.
Masterplan.com's RMRP is designed to incorporate multiple aspects of emergency management and business continuity from the onset of an event and leverage them as the situation requires.