Cybersecurity Policies

eCourtDate’s information security program is based on the ISO 27001:2013 guidance for an Information Security Management System. It provides us a way to identify threats and vulnerabilities, and to take proactive measures to prevent these from being realized. The goal of the information security program is to preserve value for eCourtDate by ensuring the security of information and information systems.

Risk-Driven Information Security

The information eCourtDate handles is inherently valuable, and is therefore at risk from losses or failures in confidentiality, integrity, and availability. The foundation of our information security program rests on a thorough assessment of the risks present to our information systems and the data they store, process, and transmit.

These risks may be identified by an internal risk management efforts, or mandated by external bodies including governmental and industry regulatory groups. Once identified, these risks are proactively treated and managed with security controls and safeguards.

eCourtDate may participate in Information Sharing and Analysis Centers (ISAC) appropriate to eCourtDate’s industry, to facilitate risk and threat information sharing.

Risk Monitoring

eCourtDate remains diligent for both new risks as well as changes to the existing risk environment. Ongoing monitoring efforts should include routine activities such as vulnerability scans and penetration tests, as well as monitoring appropriate external channels such as vendor publications, Information Sharing and Analysis Centers (ISAC), and threat intelligence.

Risks identified outside of the Risk Assessment process should be dealt with in the same manner, i.e. they should have a risk score and action plans identified. Senior management may also choose to designate certain accepted risks for additional ongoing monitoring as needed. As an example, Distributed Denial of Service (DDoS) attacks have risen in both frequency and magnitude; existing controls/safeguards which mitigate DDoS attacks may be designated for additional oversight to ensure they continue to be adequate to the current risk presented by DDoS attacks.

Third-Party Vendors

eCourtDate must routinely assess the security posture of any third parties with which it does business, and incorporate such assessments into the annual risk assessment. Third parties with a weak security posture present additional risk to eCourtDate, and decisions about continued business with such third parties must consider that risk.

Continuous Improvement

All security efforts at eCourtDate should be placed into a cycle of continuous improvement where design deficiencies are identified and corrected. Identification may be through proactive review, such as annual risk assessment, routine vulnerability scans, etc., or as part of lessons learned when incidents occur.

Training and Awareness

Security is everyone’s responsibility at eCourtDate. We provide training on basic security to all employees; ongoing education and certification is required for employees with more advanced information security roles.

Incident Response

This policy details the preparations eCourtDate has taken to prepare for security incidents, the approved responses, and provides guidance on creating a plan of action.

Key Steps

1. An Incident Response (IR)Team, headed by an IR Coordinator, is responsible for documenting and executing procedures for incident response.

2. Proactive steps should be taken to prepare eCourtDate for likely incidents, rather than relying on decisions made during a crisis.

3. The selected response for any incident should prioritize the following elements in this order: data confidentiality, data integrity, and availability of data/systems.

4. Incidents involving eCourtDate customer data require notification of the affected parties, and may require coordination with law enforcement/external agencies.

Overview, Purpose, and Scope

Effective security is a team effort, which means everybody at eCourtDate has a crucial role to play. Sometimes things will go wrong, and we need to be ready for such security incidents. This policy details the preparations eCourtDate has taken to prepare for security incidents, the approved responses, and provides guidance on creating a plan of action.

This Incident Response Policy applies to everyone who works for eCourtDate, including our employees, contractors, and third parties who have access to any eCourtDate data.

Incident Prioritization

• P0 Critical The highest priority. P0 incidents are likely to have a catastrophic effect on eCourtDate, and therefore require the most attention and resources.
• P1 High P1 incidents have a major effect on eCourtDate operations, which are disrupted until the incident is resolved.
• P2 Moderate P2 incidents have a noticeable effect on eCourtDate operations, but the business is able to continue as long as the incident is resolved quickly.
• P3 Low These incidents have no noticeable effect on operations, but elevate the potential for risks to eCourtDate operations. They should be addressed in accordance with sound risk management processes.