Commit 48667ce

Merge pull request 0xPolygon#353 from jabraham-polygon/security
Security - add ISO detail; non-material edits/formatting
2 parents a8ac782 + 64dfdca commit 48667ce

File tree

8 files changed

+24
-23
lines changed

docs/security/contact.md

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -1,3 +1,3 @@
11
# Contact us
2-
Polygon Labs Security Organization is happy to talk to you. Feel free to reach us out at:
2+
Polygon Labs Security organization is happy to talk to you. Feel free to reach out to us at:
33
security@polygon.technology
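Review bot: the contact page still gives only a plain email address and no confidential channel; since this is where reporters arrive with vulnerability details, consider listing a PGP key or fingerprint (or linking the disclosure policy) next to `security@polygon.technology` so sensitive reports are not sent in cleartext. The rewording of line 2 itself reads correctly now.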

docs/security/governance.md

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
Polygon Labs' security program is designed and implemented following the ISO/IEC 27001 standards, an internationally recognized framework for managing and securing sensitive information assets. By adhering to these standards, Polygon Labs demonstrates a strong commitment to the protection of its clients' and employees' data, ensuring that confidentiality, integrity, and availability are maintained at all times.
22

3-
The ISO27001-based security program at Polygon Labs involves the establishment of an Information Security Management System (ISMS), which is a systematic approach to managing sensitive information and minimizing risk. This includes conducting regular risk assessments to identify, analyze, and evaluate potential threats and vulnerabilities, as well as implementing appropriate security controls and measures to mitigate those risks.
3+
The ISO 27001-based security program at Polygon Labs involves the establishment of an Information Security Management System (ISMS), which is a systematic approach to managing sensitive information and minimizing risk. This includes conducting regular risk assessments to identify, analyze, and evaluate potential threats and vulnerabilities, as well as implementing appropriate security controls and measures to mitigate those risks.
44

55
In addition to risk assessments, Polygon Labs' ISMS incorporates a comprehensive set of policies, procedures, and guidelines that cover various aspects of information security, such as access control, incident management, and business continuity planning. Employee training and awareness programs are also an integral part of the security program, ensuring that staff members understand their roles and responsibilities in safeguarding the organization's information assets.
66

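Review bot: line 3 now reads "ISO 27001" while line 1 of the same file uses "ISO/IEC 27001" and reports.md in this PR uses "ISO/IEC 27001:2022"; pick one form (the full "ISO/IEC 27001:2022" on first mention is the usual convention) and apply it across the security docs. Separately, the statement on line 1 that confidentiality, integrity and availability are "maintained at all times" overstates what an ISMS provides; "are protected" or "are managed" is more defensible wording.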
docs/security/hr.md

Lines changed: 2 additions & 2 deletions
@@ -6,10 +6,10 @@ When an employee exits the company, HR changes their status in our HRIS system,a
66

77
### Security Awareness Training
88

9-
Polygon utilizes a SaaS platform to provide an integrated approach to email and security awareness training for all of our employees. All employees are required to pass the training during their first weeks of employment. The key features of the platform are::
9+
Polygon utilizes a SaaS platform to provide an integrated approach to email and security awareness training for all of our employees. All employees are required to pass the training during their first weeks of employment. The key features of the platform are:
1010

1111
- **Industry-specific modules** - Reinforce critical concepts mapped to key industry standards and security frameworks, including ISO, NIST, PCI DSS, GDPR, and HIPAA
1212
- **Real-world assessment** - Safely test employees on real-world threats with de-weaponized phishing attacks
1313
- **Comprehensive reporting** - Track primary indicators of risk across the awareness training platform and take remedial action with easily discernible user risk scores
1414
- **Integrated risk insight** - Leverage real-world click behavior to identify high risk users
15-
- **Effortless administration**- 12-month programs with rapid deployment.
15+
- **Effortless administration** - 12-month programs with rapid deployment
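Review bot: the hunk header's context line shows "HRIS system,a" with a missing space after the comma on line 6 of this file; since this PR is a formatting pass, fix that too. The trailing-period removal on line 15 makes the bullet list consistent, and "are::" on line 9 is correctly reduced to "are:".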

docs/security/infrastructure.md

Lines changed: 4 additions & 4 deletions
@@ -10,14 +10,14 @@ The monitoring infrastructure was developed both in-house and by vendors as need
1010

1111
### Multisig Security
1212

13-
Specific requirements are followed by any Polygon Labs employee that is a signer on a corporate multisig contract. Multisig contacts are corporately owned and control treasury assets or smart contract deployments. They consist of Safes (previously Gnosis Safes) and other smart contract multisig implementations. Hardware wallets are hardware-based cold storage such as Trezor or Ledger devices that store private keys and enable signing multisig transactions offline. Signer multisig requirement include:
13+
Specific requirements are followed by any Polygon Labs employee that is a signer on a corporate multisig contract. Multisig contacts are corporate-owned and control treasury assets or smart contract deployments. They consist of Safes (previously Gnosis Safes) and other smart contract multisig implementations. Hardware wallets are hardware-based cold storage such as Trezor or Ledger devices that store private keys and enable signing multisig transactions offline. Signer multisig requirement include:
1414

15-
- **Hardware Wallet:** Polygon requires Cold storage from an accepted vendor dedicated for company official use only and secured by a PIN
15+
- **Hardware Wallet:** Polygon requires cold storage from an accepted vendor dedicated for company official use only and secured by a PIN
1616
- **Hot Wallets:** Hot wallets are not allowed for use on Polygon multisigs
17-
- **Corporate Workstation:** Signing must be performed from a company system managed by our enterprise mobile device management (MDM) platform complete with anti-virus (AV) and endpoint detection and device (EDR).
17+
- **Corporate Workstation:** Signing must be performed from a company system managed by our enterprise mobile device management (MDM) platform complete with anti-virus (AV) and endpoint detection and device (EDR)
1818
- **Clean Key:** All signers are required to create a clean key that has never been exposed to a hot wallet
1919
- **Mnemonic Storage:** Polygon mandates safe storage of mnemonic passphrases and provides guidance to its employees
20-
- **Secure Communication:** All multisig signing events are coordinated using Polygon’s accepted communication protocols for multisigs.
20+
- **Secure Communication:** All multisig signing events are coordinated using Polygon’s accepted communication protocols for multisigs
2121

2222
**All corporate multisigs are monitored 24/7 by the Polygon security team.**
2323

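Review bot: three typos survive on the lines this hunk already touches: on line 13 "Multisig contacts" should be "Multisig contracts" and "Signer multisig requirement include" should be "requirements include", and on line 17 "endpoint detection and device (EDR)" should be "endpoint detection and response (EDR)". Suggest fixing them in this PR rather than leaving them for another pass.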
docs/security/operations.md

Lines changed: 9 additions & 1 deletion
@@ -19,4 +19,12 @@ When an incident is identified the security operations team performs triage and
1919

2020
Polygon Labs carefully considers when, how and who to communicate with during incident response. Impacted stakeholders are sent notifications in a timely manner to ensure they can take reasonable steps to protect their information if necessary. Polygon Labs also makes every effort to work with law enforcement to the degree required by the laws of the jurisdictions that we operate in, which may be different depending on the nature of the cyber security incident.
2121

22-
In order to ensure the incident response process remains relevant, we conduct regular incident response exercises if no real security incident has occurred after a given period.
22+
In order to ensure the incident response process remains relevant, we conduct regular incident response exercises if no real security incident has occurred after a given period.
23+
24+
**Authentication & Access Control**
25+
26+
Polygon Labs establishes standards for authentication & access control in its information security policy and information security standards documents.
27+
28+
To ensure the security of our corporate systems, all employees must adhere to strict password requirements. Passwords should be changed regularly according to our guidelines and two-factor authentication is mandatory for accessing sensitive systems. Default, shared, or easily guessable passwords are strictly prohibited.
29+
30+
Polygon Labs performs entitlement reviews for sensitive systems on a yearly basis. Where applicable and available, systems are accessed via single sign-on (SSO).
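Review bot: the new section on line 24 is introduced with bold text (`**Authentication & Access Control**`) while the other docs in this PR use markdown headings (e.g. `### Security Awareness Training` in hr.md); use `###` so the section appears in the page outline. Also, line 22 is shown as removed and re-added with identical text, which points to a trailing-whitespace or line-ending change; worth confirming it is intentional.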

docs/security/overview.md

Lines changed: 1 addition & 3 deletions
@@ -1,6 +1,4 @@
1-
The purpose of this document is to provide an overview of the security measures and capabilities of Polygon Labs.
2-
3-
At Polygon Labs, ensuring the security of our information systems and safeguarding the sensitive data of our clients and employees is of paramount importance. We prioritize security throughout every facet of our operations, from implementing robust security policies and guidelines to adopting industry best practices, such as ISO27001 as a baseline for our security program and adhering to the OWASP recommendations for secure software development. We invest heavily in continuous security training for our employees, keeping them informed of emerging threats and equipping them with the necessary skills to protect our digital assets. In addition, we embrace a proactive approach by incorporating security by design principles and utilizing state-of-the-art security tools to detect and mitigate vulnerabilities at every stage of the development lifecycle.
1+
At Polygon Labs, ensuring the security of our information systems and safeguarding the sensitive data of our clients and employees is of paramount importance. We prioritize security throughout every facet of our operations, from implementing robust security policies and guidelines to adopting industry best practices, such as ISO 27001 as a baseline for our security program and adhering to the OWASP recommendations for secure software development. We invest heavily in continuous security training for our employees, keeping them informed of emerging threats and equipping them with the necessary skills to protect our digital assets. In addition, we embrace a proactive approach by incorporating security by design principles and utilizing state-of-the-art security tools to detect and mitigate vulnerabilities at every stage of the development lifecycle.
42

53
## Commitment to security
64

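Review bot: dropping line 1 removes the only sentence stating what the page is for; if the rendered page has no title of its own, keep a one-line purpose statement above the opening paragraph. The "ISO 27001" spacing fix on line 3 is fine.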
docs/security/reports.md

Lines changed: 6 additions & 4 deletions
@@ -1,10 +1,12 @@
1-
Polygon Labs periodically assesses the security its products and applications through extensive internal testing and external (public & private) engagements, such as code reviews, security audits and penetration testing. All products and applications have been assessed multiple times to date. Security assessments continue as the ecosystem matures.
1+
Polygon Labs periodically assesses the security of its products and applications through extensive internal testing and external (public & private) engagements, such as code reviews, security audits, red team assessments and penetration testing. All products and applications have been assessed multiple times to date. Security assessments continue as the ecosystem matures.
22

3-
Following information relates to the latest available (and public) external assessments:
3+
Following information relates to the latest available (and public) external assessments and certifications:
44

5-
## ISO27001
5+
## ISO/IEC 27001:2022 Certification
66

7-
- ISO27001 certificate: https://www.schellman.com/certificate-directory (search for Polygon Labs)
7+
- Polygon Labs was awarded ISO 27001 certification in March of 2024
8+
- **Certificate:** https://www.schellman.com/certificate-directory (search for "Polygon Labs")
9+
- **Scope:** `The scope of the ISO/IEC 27001:2022 certification is limited to the information security management system (ISMS) supporting the Polygon Labs' business of developing blockchain scaling solutions, which includes personnel, policies, procedures, standards, systems, endpoint devices, applications, data, and controls, and in accordance with the statement of applicability, version 1.2, dated October 11, 2023.`
810

911
## Portal
1012

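Review bot: line 3 still reads "Following information relates..."; it should be "The following information relates...". On line 9 the certification scope is wrapped in inline code backticks, which renders as one unbroken code span and will not wrap on narrow screens; a `>` blockquote is the usual way to quote certificate text verbatim.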
docs/security/vulnerability.md

Lines changed: 0 additions & 7 deletions
@@ -5,10 +5,3 @@ Vulnerabilities are sent to a centralized issue and findings tracker ensuring th
55
Polygon Labs maintains open communication channels with vendors and security researchers, enabling us to stay informed of newly discovered vulnerabilities, patches, and updates. This collaboration significantly contributes to maintaining a secure environment by ensuring that systems and applications are up-to-date and protected against known threats.
66

77
All these activities, and others, are part of our robust vulnerability management lifecycle, which effectively reduces the risks associated with security vulnerabilities, strengthens the overall security posture, and maintains the trust and confidence of our clients, partners, and employees.
8-
Authentication & Access Control
9-
10-
Polygon Labs establishes standards for authentication & access control in its information security policy and information security standards documents.
11-
12-
To ensure the security of our corporate systems, all employees must adhere to strict password guidelines. Passwords must be a minimum of 12 characters in length and contain at least one uppercase letter, one lowercase letter, one numeral, and one special character. Passwords should be changed every 90 days and two-factor authentication is mandatory for accessing sensitive systems. Default, shared, or easily guessable passwords are strictly prohibited.
13-
14-
Polygon Labs performs entitlement reviews for sensitive systems on a yearly basis. Where applicable and available, systems are accessed via single sign-n (SSO).
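Review bot: the removed line 12 carried the concrete password requirements (12-character minimum, required character classes, 90-day rotation); the replacement text added to operations.md in this PR refers only to "our guidelines", so the public docs no longer state any minimum length. Confirm this is intentional, since the commit message describes the edits as non-material; if the specifics are meant to live only in the internal standards document, say so in the new section. The move also fixes the "single sign-n" typo on line 14.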
