Who is this article for?

Incydr, yes.

CrashPlan for Enterprise, no.

Code42 for Enterprise, no.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.


Implement Incydr: Resources

Overview

This article contains resources you can use when implementing Incydr at your company.

Considerations

The Code42 Security Success Team (SST) can provide you with additional resources for Incydr. Contact your Customer Success Manager (CSM) to engage the Security Success Team.

Critical assets questionnaire for data owners

Every owner of critical data assets at your company should answer the following questions. Use them to develop other questions specific to your organization. Note that each question may have several answers.

Question: What is the critical file or intellectual property?
Example: Software code for new product X

Question: What is the file format?
Example: .js

Question: Where is it located?
Example: Developer local repositories under X directory structure, or in a more restrictive environment, GitHub and only on the segmented development jump box host or virtual desktop infrastructure (VDI) platform.

Question: What are our guidelines for handling this kind of asset?
Example: All source code is expected to be resident only in GitHub. Transmission of source code to USB devices or other locations is not allowed.

Question: What will be the financial impact resulting from loss?
Example: $5,000,000 to develop

Question: What will be the compliance impact resulting from loss?
Example: None

Question: What will be the contractual impact resulting from loss?
Example: We have a contract with customer X, who takes protection of its data very seriously.

Data classification matrix

Create a matrix for classifying data at your company. Following is an example.

Public
  Description: Information freely available and communicated to the general public with a low likelihood of exposing unnecessary risk.

Internal
  Description: Information generally available to employees and approved non-employees. Confidentiality of the information is preferred, but it may be subject to open records disclosure.

Examples (Public and Internal)
  • Approved advertising and sales materials
  • Public-facing website materials
  • Approved press releases
  • Approved annual reports
  • Customer support materials
  • Employee distribution or contact lists
  • Policy documents
  • HR handbook
  • Wiki pages
  • Employee training materials
  • Guidelines

Confidential
  Description: Information received from third parties pursuant to non-disclosure agreements or equivalent confidentiality provisions, and information whose disclosure has the potential to negatively influence operations, cause financial losses, provide advantages to competitors, cause a drop in consumer confidence, expose employee privacy, or expose you to legal action. Also information whose integrity and accessibility must be maintained for operational effectiveness.
  Examples:
  • Employee personnel files
  • Employee personally identifiable information (PII)
  • Intellectual property
    • Source code
    • Code in development
  • Standards and procedures documents
  • Audit findings
  • QA findings
  • Customer contracts
  • Company CMS Certification Number (CCN)
  • Configuration files
  • Corporate structure
  • Corporate organization charts
  • Customer personally identifiable information (PII), unless contractually obligated to provide greater protection (seek legal review)

Restricted
  Description: Information critical to company operation, entrusted assets, or otherwise subject to industry, contractual, or legal regulations, or generally under the purview of the legal department. Disclosure, alteration, or destruction of this data represents a significant risk.
  Examples:
  Business or insider information
  • Financials
  • Mergers and acquisitions
  • IPO
  • Future product plans
  • Sensitive contracts
  Regulated data
  • Customer archives
  • Customer personally identifiable information (PII) (when obligated by contract; seek legal review)
  • Cryptographic keys
  • Cardholder data
  • Protected health information (PHI)
  • Infrastructure data
    • Password or authentication configurations

Data handling matrix

Create a matrix of acceptable data handling at your company. Following is an example. Each row lists whether a channel may be used for each classification (Public, Internal, Confidential, Restricted).

Portable device (USB)
  Public: No | Internal: No | Confidential: No | Restricted: No

Collaboration platforms (e.g. Slack, SharePoint)
  Public: Yes | Internal: Yes | Confidential: Yes | Restricted: None to public channels

Internal corporate email to internal corporate email
  Public: Yes | Internal: Yes | Confidential: Yes | Restricted: None to distribution lists

Internal corporate email to external email
  Public: Yes | Internal: Yes | Confidential: Yes | Restricted: Yes if encrypted

Corporate sanctioned cloud storage (e.g. GDrive)
  Public: Yes | Internal: Yes | Confidential: Yes, but no public links | Restricted: Yes, but no public links

Corporate sanctioned apps or SaaS (e.g. GitHub, Jira)
  Public: Yes | Internal: Yes | Confidential: Yes, but no public links | Restricted: Yes, but no public links

Customer required cloud storage
  Public: Yes | Internal: Yes | Confidential: Yes, but no public links | Restricted: Yes, but no public links

Contractor, third party, or service provider required cloud storage
  Public: Yes | Internal: Yes | Confidential: Yes, but no public links | Restricted: Yes, but no public links

File transfer services (e.g. FTP, SCP)
  Public: Yes | Internal: Yes | Confidential: No | Restricted: No

Printers
  Public: Yes | Internal: Yes | Confidential: Yes | Restricted: Yes

Unauthorized data transfer and deletion attestation template

Following is an example template you can modify to give your employees in the event they are implicated in a data incident.

Consult with your legal counsel
Code42 is not providing legal advice. Instead, this template is provided as an example for general informational purposes only. Consult with your legal counsel before using this template.

You signed an Employee Agreement with X Software, Inc. (“X”) and agreed to abide by the Corporate Security Policy. Both your Employee Agreement and Corporate Security Policy require you to protect the confidentiality of data belonging to X (“X Data”). You may only use X Data as required to perform your job duties and only on X approved devices and systems.

We observed a transfer of X Data in violation of your Employee Agreement and the Corporate Security Policy, as described on Exhibit A (“Transfer”).

Due to the seriousness of this matter, we require that you agree and acknowledge that:

  • You have permanently deleted all X Data involved in the Transfer (including any copies, duplicates, subsets, extracts, derivatives and related materials) from all unauthorized devices and systems.
  • You have not transferred any other X Data to unauthorized devices or systems.
  • You have not provided access to X Data to an unauthorized third party.
  • You have reviewed and acknowledged X’s Corporate Security Policy and understand your responsibilities with regard to X Data.

(Any other transfers of X Data, or attempts to transfer X Data, to an unauthorized device or system may result in disciplinary action, including termination.)

If you have any questions regarding this matter or whether a device or system is approved for X Data, please contact security@X.com.

 

By signing below, I confirm that I understand and agree to the above statements.

By: ________________________________________

Name: ______________________________________

Date: _______________________________________

 

EXHIBIT A

[Attach documentation of unauthorized transfer]
