Our Revenue Lab (RevLab)
Security & Technology Policies
RevLab has established an information security management program (ISMP) that outlines the principles and rules governing our Trust & Security programs. We accomplish this by continually evaluating risks to our operations and improving the security, confidentiality, integrity, and availability of our RevLab environment. We regularly review and update security policies, perform application and network security testing of our environment, and monitor compliance with security policies.
​
Below is a list and short description of our major Security & Technology policies that RevLab has put in place for our internal & cloud environments across our AI services.
Access Management
This policy establishes the principles and guidelines for managing access to RevLab’s systems and data, ensuring security, accountability, and compliance. The following principles guide our approach to access management:
- Access Control Policy: RevLab will maintain a comprehensive Access Control policy that defines how access to systems and data is managed, monitored, and enforced.
- User Accounts: Access to systems will be managed through individual user accounts, ensuring accountability and traceability for all actions.
- User Responsibility: All users are responsible for safeguarding access to their accounts and systems, including adhering to security best practices.
- System Logging and Monitoring: Systems will be logged and monitored to detect and respond to potential unauthorized or inappropriate access.
- Multi-Factor Authentication (MFA): Remote access to systems will require robust multi-factor authentication (MFA) to protect against unauthorized access. MFA will be enforced for all users, including administrators, and will include strong authentication methods such as app-based authenticators or hardware tokens to mitigate risks associated with phishing and credential theft.
- Conditional Access Policies: Conditional access policies will be implemented to enforce MFA dynamically based on risk factors, such as user location, device type, or behavior anomalies.
- Segregation of Duties: Duties will be segregated where appropriate to minimize the risk of unauthorized access or misuse of privileges.
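The MFA and Conditional Access principles above describe a decision made at every sign-in: the baseline (MFA for remote sessions and for administrators) is combined with risk signals (location, device posture, behaviour anomalies) to decide whether to allow, step up, or block. The following evaluator is an added illustration of that logic and is not RevLab's own code or configuration; the thresholds, the trusted-country set, the anomaly score feed and the sample sign-ins are all assumptions constructed for the example. One caveat a practitioner would want on the page's own wording: of the "strong" methods it names, only FIDO2/WebAuthn hardware tokens are phishing-resistant, since an app-based TOTP code can still be relayed by a proxy phishing kit, so the example escalates to FIDO2 when risk signals fire.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"        # session proceeds
    REQUIRE_MFA = "mfa"    # step up with an acceptable second factor first
    BLOCK = "block"        # refuse the sign-in and raise an alert


@dataclass(frozen=True)
class SignIn:
    user: str
    is_admin: bool
    remote: bool               # originates outside the corporate network
    country: str               # ISO country code derived from the source address
    device_managed: bool       # device passed enrollment / posture check
    mfa_method: Optional[str]  # factor already satisfied this session, or None
    anomaly_score: float       # 0.0 .. 1.0 from behaviour analytics (assumed feed)


# Illustrative parameters (assumptions); a real tenant sources these from its IdP and SIEM.
TRUSTED_COUNTRIES = {"US", "CA"}
STRONG_METHODS = {"fido2", "totp"}   # hardware token or app-based authenticator
PHISHING_RESISTANT = {"fido2"}       # only FIDO2/WebAuthn binds the factor to the origin
BLOCK_THRESHOLD = 0.9
STEP_UP_THRESHOLD = 0.5


def evaluate(s: SignIn) -> tuple[Decision, list[str]]:
    """Return the access decision and the list of rules that fired."""
    reasons: list[str] = []

    # Hard stop: anomalous enough that no second factor should rescue the session.
    if s.anomaly_score >= BLOCK_THRESHOLD:
        return Decision.BLOCK, [f"anomaly_score {s.anomaly_score:.2f} >= {BLOCK_THRESHOLD}"]

    # Baseline from the policy: MFA for every remote session and for every administrator.
    need_mfa = False
    if s.remote:
        need_mfa = True
        reasons.append("remote access")
    if s.is_admin:
        need_mfa = True
        reasons.append("administrator account")

    # Risk signals: require MFA and escalate to a phishing-resistant factor.
    require_resistant = False
    if not s.device_managed:
        need_mfa = require_resistant = True
        reasons.append("unmanaged device")
    if s.country not in TRUSTED_COUNTRIES:
        need_mfa = require_resistant = True
        reasons.append(f"unfamiliar location {s.country}")
    if s.anomaly_score >= STEP_UP_THRESHOLD:
        need_mfa = require_resistant = True
        reasons.append(f"anomaly_score {s.anomaly_score:.2f} >= {STEP_UP_THRESHOLD}")

    if not need_mfa:
        return Decision.ALLOW, ["on-network, managed device, no risk signals"]

    acceptable = PHISHING_RESISTANT if require_resistant else STRONG_METHODS
    if s.mfa_method in acceptable:
        reasons.append(f"satisfied by {s.mfa_method}")
        return Decision.ALLOW, reasons
    reasons.append(f"need one of {sorted(acceptable)}, have {s.mfa_method}")
    return Decision.REQUIRE_MFA, reasons


# Constructed sample sign-ins (not real telemetry).
SAMPLES = {
    "office_user": SignIn("alice", False, False, "US", True, None, 0.05),
    "remote_totp": SignIn("bob", False, True, "US", True, "totp", 0.10),
    "remote_sms": SignIn("carol", False, True, "US", True, "sms", 0.10),
    "admin_onprem": SignIn("dave", True, False, "US", True, None, 0.05),
    "unmanaged_totp": SignIn("erin", False, True, "US", False, "totp", 0.10),
    "unmanaged_fido2": SignIn("erin", False, True, "US", False, "fido2", 0.10),
    "travel_anomaly": SignIn("frank", False, True, "RO", True, "fido2", 0.95),
}


def evaluate_samples() -> dict[str, str]:
    """Decision per sample, keyed by sample name."""
    return {name: evaluate(s)[0].value for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, s in SAMPLES.items():
        decision, why = evaluate(s)
        print(f"{name:16s} -> {decision.value:6s} {'; '.join(why)}")
```

Two design points worth noting. The decision returns the rules that fired alongside the verdict, which is what the "System Logging and Monitoring" principle needs: a sign-in log that records why a step-up or block happened is far more useful to an analyst than the verdict alone. And SMS is deliberately absent from the acceptable set, so a session that already "did MFA" over SMS is still stepped up; whether an IdP treats a weak factor as satisfying a strong-authentication requirement is exactly the setting to check when implementing the policy.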
​
Asset Management
This policy sets out the general principles and guidelines for the management of RevLab's IT assets and how those assets should be handled. The basic principles (tl;dr) of asset management at RevLab include:
- RevLab will maintain an inventory of assets;
- Assets maintained in an asset management database will have identified owners;
- Acceptable use of assets will be identified, documented, and implemented;
- Assets will be returned to RevLab if employment is terminated.
​
Business Continuity & Disaster Recovery
This policy sets out the general principles that establish our approach toward resilience, availability and continuity of processes, systems and services at RevLab. It defines requirements around business continuity, disaster recovery and crisis management processes. The basic principles include:
- Owners of mission-critical systems, processes or services must ensure proper Business Continuity and/or Disaster Recovery planning that is in line with the tolerance for disruption in case of disaster.
- Continuity plans must include an appropriate "last stand" environment that provides core functionality (at a minimum), and a plan to fail over to that environment. Considerations for resumption of business as usual must also be included.
- No mission-critical system, process or function may be deployed in production without an appropriate continuity plan.
- Plans must be tested quarterly, and issues identified must be addressed.
- The maximum time for recovery (RTO) is measured from event detection until core functionality is operational. Services are grouped into Tiers that define the maximum RTO and RPO.
​
Communications Security
This policy sets out the general principles and guidelines for managing the security of our communications and our networks. The basic principles include:
- Network access should be controlled
- Network access is provided subject to the Policy - Electronic System and Communications, with which all users should be familiar
- Networks should be segregated based on criticality
​
Cryptography & Encryption
This policy sets out the general principles to ensure that RevLab implements appropriate encryption & cryptography to ensure confidentiality and integrity of critical data. RevLab deploys cryptographic mechanisms to mitigate the risks involved in storing sensitive information and transmitting it over networks, including those that are publicly accessible (such as the internet).
Facilitating the use of encryption technologies that are reliable, secure and proven to work effectively is a key objective of this standard in order to mitigate the risk of unauthorised access to and/or modification of sensitive company information. The basic principles include:
- Sensitive data is encrypted appropriately;
- Strength of selected encryption corresponds with information classification;
- Cryptographic keys will be securely managed;
- Only approved cryptographic algorithms and software modules will be used.
​
Data Security, Classification & Lifecycle Management
RevLab ensures data is classified, secured, and managed throughout its lifecycle to protect sensitive information and comply with legal requirements. This policy establishes clear guidelines for handling data based on its sensitivity, value, and criticality.
- Data Classification: Data is classified based on legal, business, and security requirements to ensure appropriate handling.
- Data Flow Mapping: Data is identified, labeled, and documented in a data flow map to maintain accuracy and proper management.
- System Logging: Systems log key events (e.g., access, modifications) to ensure accountability, with logs reviewed regularly for anomalies.
- Secure Disposal: Media containing sensitive data is securely deleted or destroyed in compliance with legal requirements.
- Data Transport: Data is encrypted and protected during transport to prevent unauthorized access or misuse.
These measures ensure data security, compliance, and operational integrity across RevLab’s systems.
​
Mobile & Bring Your Own Device (BYOD)
This policy sets out the general principles and guidelines for the use of personal devices with RevLab networks and systems. The basic principles include:
- The philosophy behind this Bring Your Own Device Policy (referred to here as the BYOD Policy or the Policy) is to be as unobtrusive and flexible as possible with regard to BYOD usage to maintain the autonomy of RevLab whilst ensuring we have the ability to protect our customer and corporate data.
- As such, the focus will be on configuration / posture checking and monitoring of compliance of devices, with the least restrictive principles that reasonably achieve the required security objectives, rather than enforcement of restrictions. Where restrictions do need to be applied, this will be done selectively depending on the data that can be accessed.
- This Policy covers both our current and our anticipated future needs. Some of the capabilities outlined may not be implemented immediately.
​
Operations
This policy sets out the general principles and guidelines for technology operational practices at RevLab. The basic principles include:
- Procedures should be documented for operational activities
- Backups should be taken regularly and the backups tested
- Changes should be managed and evaluated by multiple people
- Capacity should be evaluated and planned for
- Software installation should be limited and unnecessary software should be restricted
- Logs should be configured and forwarded to the centralized logging platform
- Any operational incidents should be managed according to our standard HOT process
​
Personnel Security
This policy sets out the general principles and guidelines for personnel security at RevLab.
The basic principles include:
- Security responsibilities will be outlined in job definitions
- All employees and users will regularly complete security awareness training
- All employees and contractors have a duty to report security incidents or weaknesses
- Upon employee termination, revocation of access and return of assets will occur within a reasonable time frame
​
Physical & Environmental Security
This policy sets out the general principles and guidelines for securing any of our buildings, offices and securing our equipment. The basic principles include:
- Provide for secure areas to work
- Secure our IT equipment wherever it may be
- Restrict access to our buildings and offices
​
Controls
Access to customer information is restricted to authorized individuals based on their roles and responsibilities, in alignment with the principle of least privilege. The following measures are enforced to safeguard access:
- Authentication and Authorization: Only authorized users are permitted to access systems and data. Strong authentication mechanisms, such as multi-factor authentication (MFA), are required to verify user identities.
- Principle of Least Privilege: Access to customer information is limited to the minimum necessary for users to perform their specific duties and functions. No individual is granted unnecessary or excessive access.
- Customer Access Restrictions: Customers are only permitted to access their own information, ensuring that no unauthorized access to other customer data occurs.
- Physical Access Controls: Physical safeguards, such as secure file rooms, locked cabinets, and restricted access to data centers, are implemented to prevent unauthorized access to customer files and information.
- Regular Access Reviews: Access rights are reviewed on a regular basis to verify that users still have a legitimate business need for their assigned permissions. Access is revoked or adjusted as necessary.
​
These controls are designed to protect customer information, maintain compliance with regulatory requirements, and uphold RevLab’s commitment to data security.
​
Privacy
This policy sets out principles to ensure that RevLab implements appropriate security measures that help protect data privacy. RevLab recognizes that while encryption and other Privacy Enhancing Technologies (PETs) are powerful tools, thoughtful consideration is required during technology selection and implementation. RevLab takes a risk-based approach to privacy that considers the nature, scope, context, and purposes of data processing as well as the likelihood and severity of risks for the rights and freedoms of natural persons. The basic principles include:
- PETs should be chosen according to a risk-based approach
- PETs must not prevent RevLab from meeting regulatory requirements regarding privacy rights
- PETs should not impair the security of systems and services that process data
- PETs should not impair the ability to restore private data access and availability in the event of a breach
- PETs should allow for regular testing, assessing, and evaluation of effectiveness
​
Security Incident Management
This policy sets out the general principles and guidelines to ensure that RevLab reacts appropriately to any actual or suspected security incidents. RevLab has a responsibility to monitor for incidents that occur within the organisation that may breach confidentiality, integrity or availability of information or information systems.
All suspected incidents must be reported and evaluated. The policy has been implemented so that RevLab Security can limit the duration and adverse impact of incidents on RevLab and its customers, as well as learn from them. The basic principles include:
- Anticipate security incidents and prepare for incident response
- Contain, eradicate and recover from incidents
- Invest in our people, processes and technologies to ensure we have the capability to detect and analyze a security incident when it occurs
- Make protection of personal data and customer data the top priority during security incidents
- Regularly exercise the security incident response process
- Learn from and improve the security incident management function
- Communicate critical security incidents to the RevLab Leadership Group
​
Service Provider Management
This policy sets out the general principles and guidelines to select, engage, monitor and off-board suppliers. The basic principles include:
- RevLab will be purposeful in managing our vendor selection process
- All suppliers must be onboarded and managed in accordance with RevLab service provider risk assessment and due diligence processes
- The business owner requesting the vendor relationship is responsible for utilizing standard RevLab contracts
- RevLab will perform oversight of the relationship to ensure it meets our RevLab standards
- RevLab reserves the right to terminate the contract with any vendor when the service is no longer required
​
System Acquisition, Development, and Maintenance
This policy sets out the general principles and guidelines for development of applications, both internally and customer-facing, as well as creating limitations on how to manage pre-production environments and incorporating open source software into any of our Products and Services. The basic principles include:
- Security requirements will be included and incorporated into any environment or application development or acquisition;
- Product development will follow our internal quality assurance process, which includes integration of security checks;
- Production data that is Restricted according to the Data Security Information Lifecycle Management Policy will be anonymized or masked when being used in pre-production environments; and
- Integration of any open source frameworks or libraries will follow our internal Standard - Using Third Party Code in a RevLab Product
​
Application Assessments
We adopt secure development practices for in-house applications and implement rigorous evaluation procedures for externally developed applications. These assessments help us identify and mitigate vulnerabilities, ensuring our systems remain resilient against evolving threats.
- Secure Development Practices: All in-house applications used to transmit, access, or store customer information are developed following secure coding standards and best practices, such as those outlined in frameworks like NIST SP 800-218.
- External Application Assessments: Externally developed applications are thoroughly evaluated, assessed, and tested for security vulnerabilities before being integrated into our environment.
- Regular Security Testing: Applications undergo regular security testing, including vulnerability scans, penetration testing, and code reviews, to identify and address potential risks.
- Continuous Monitoring: We continuously monitor applications for new vulnerabilities and apply patches or updates as necessary to maintain security.
- Compliance with Standards: All application security practices align with industry standards and regulatory requirements to ensure the confidentiality, integrity, and availability of customer information.
​
By embedding security into every stage of the application lifecycle, RevLab ensures that our systems remain secure and trustworthy for our customers.
​
Threat & Vulnerability Management
This policy sets out the general principles and guidelines for managing security threats and vulnerabilities both in our environment and in our products.
The basic principles include:
- Manage security vulnerabilities in our products and services, including issuing updates, patches or advisories
- Manage security threats and vulnerabilities throughout our environment, both internal and hosted environments
- Manage the threat of malware in the environment
​
Audit & Compliance Management
This policy sets out the general principles for managing and auditing control compliance at RevLab. The basic principles include:
- We implement controls to properly manage risk and ensure compliance with relevant policies, regulations and external industry standards
- We use audits as a way to verify the appropriateness and operational effectiveness of our controls
- Audits are coordinated and delivered as appropriate to achieve a high level of confidence in our control environment, as well as to achieve internal or external certification
- RevLab seeks external validation of controls
- RevLab maintains a consolidated view of all its relevant control objectives, control activities and tests