Security measures taken by Yandex 360
- Organization of information security
- Human resources security
- Asset management
- Access management
- Physical security and environmental safety
- Data security and information lifecycle management
- Incident management
- Development and maintenance of information systems
- Continuous operation and emergency recovery
- Information security review
This page describes the technical and organizational measures that Yandex implements to protect the data of Yandex 360 for Business customers.
Organization of information security
Information security management system
- Yandex maintains an information security management system and adopts and applies internal policies and procedures to minimize the risk of information security breaches and protect customer data.
Responsible security
- Yandex has a team responsible for implementing and monitoring security procedures.
Risk management
- Yandex has a risk management program that includes regular risk assessment and implementation of risk treatment plans.
Human resources security
Training
- Yandex requires employees and contractors to apply information security measures in accordance with the company's rules and procedures.
- Yandex trains its staff how to appropriately handle customer data.
Termination or change of employment
- Yandex informs and educates its employees and contractors about the information security responsibilities that remain in force after termination or change of employment, and ensures that those responsibilities are fulfilled.
Asset management
Acceptable use
- Yandex documents and complies with the rules for acceptable use of information and assets related to information and information processing tools.
Asset recovery
- Yandex employees are required to return the organizational assets in their possession when their employment contract ends.
Classification of information
- Yandex classifies information based on legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification.
Asset management
- Yandex develops and implements asset management procedures in accordance with the adopted information classification scheme.
Access management
Customer data access policy
- Yandex 360 regulations restrict employees from accessing customer data unless otherwise provided by the contract or law.
Access control policy
- Yandex has a policy prescribing that only authorized personnel have access to facilities, secure areas, computing and network resources.
Access to networks and systems
- Access to Yandex networks and systems requires prior authorization.
- Yandex managers approve employees' access to facilities, secure areas, computing and network resources.
- Yandex limits the set of user access permissions to the minimum that's necessary to perform their work, and these permissions don't last longer than they need to.
- Yandex places hardware management interfaces in segregated networks with limited access for authorized personnel.
- Yandex provides access to the source code to authorized personnel in accordance with the security policy.
User access reviews
- Yandex annually reviews all employee access permissions.
Revocation or change of access permissions
- Yandex revokes permissions to access information and systems for employees who leave the company and edits these permissions if their responsibilities in the company change.
Password strength
- Yandex ensures password strength in internal password management systems. Passwords are checked against minimum length, number of character classes, and maximum expiration time.
Physical security and environmental safety
Physical access control
- Yandex has proper physical access control measures in place to ensure that only authorized personnel have access to offices and data centers.
Safe disposal or reuse of equipment
- Confidential data on information carriers is deleted or securely overwritten before the carriers are reused. If the carriers can no longer be used, Yandex disposes of them following formal procedures.
Data security and information lifecycle management
Data transmission security
- Yandex uses the TLS protocol to protect customer information when it's transmitted over public networks and within the internal company network.
Incident management
Incident response. Reporting
- Yandex has a formal process for monitoring, reporting, and responding to security threats in order to identify, record, and appropriately respond to known or suspected incidents.
- Yandex has procedures for notifying customers of data leaks without undue delay.
Development and maintenance of information systems
Systems development life cycle
- Yandex has a systems development life cycle that regulates the development and deployment of systems and applications.
Information security requirements
- Yandex applies information security requirements to its new as well as existing information systems.
Secure development
- Yandex constantly improves key components of its Security Development Lifecycle (SDLC) framework.
- Yandex controls changes in systems within the development lifecycle using formal change control procedures. They include security architecture reviews and product security audits.
- Yandex creates and properly protects environments for the development and integration of systems throughout the entire systems development lifecycle.
- Yandex separates development, testing, and production environments.
- Yandex has procedures in place to ensure that production data is never replicated in development or testing environments.
Vulnerability management
- Yandex regularly conducts penetration tests of its cloud platform and scans it for vulnerabilities in order to detect, mitigate, and resolve security issues.
- Yandex fixes the detected vulnerabilities before the systems go into production.
- Yandex has a patch management policy. It regulates the maximum time from the moment a critical security patch is delivered to the moment it is applied.
- Yandex has a bug bounty program that incentivizes white hat hackers to find vulnerabilities in products and report them to the company for a reward.
Cryptographic standards
- Yandex has a policy that sets minimum cryptographic standards. All applications as well as network and computing resources must comply with them.
Continuous operation and emergency recovery
Redundancy
- Yandex uses backup mechanisms for all critical services.
- Yandex operates in several geographically distributed data centers designed for continuous 24/7 operation and protected from environmental threats.
- Yandex uses redundant data storage to ensure the preservation of customer data in the event of equipment failure.
Tests
- Yandex regularly tests its continuous operation and emergency recovery plans.
Information security review
Self-assessment
- Yandex regularly checks its information systems for compliance with the company's information security policy and standards.
- Yandex evaluates and revises its approach to managing and implementing information security on a scheduled regular basis as well as ad hoc, if there's a significant change.