Version: 1.5 Last change: Aug 15, 2024

KLERQ – Cyber Security Policy

Section 1: Introduction and Purpose

1.1. Organization Name: KLERQ (a trade name of BlueKnows B.V.)

1.2. Date of Policy Creation: May 23, 2023

1.3. Policy Version: Version 1.5 (last changed Aug 15, 2024)

1.4. Policy Owner: The technology department of KLERQ

1.5. Primary Purpose of the Cybersecurity Policy:

The KLERQ Cybersecurity Policy, herein referred to as “the Policy,” is established to safeguard our organization’s information assets, protect sensitive data, and mitigate cybersecurity risks. As a trade name of BlueKnows B.V., KLERQ operates within the legal industry, where the confidentiality, integrity, and availability of data are of utmost importance.

1.6. Importance of Cybersecurity:

In today’s digital age, cybersecurity is paramount. The legal industry, in particular, demands the highest standards of data protection and confidentiality. Cybersecurity breaches can have severe consequences, not only jeopardizing the trust of our valued clients, which include law firms, but also potentially leading to legal and regulatory repercussions.

1.7. Relationship Between Cybersecurity and Incident Management:

Incident management is an integral part of our cybersecurity strategy. It ensures that we respond effectively and swiftly to any security incidents that may arise, thereby minimizing their impact and safeguarding our clients’ sensitive information.

1.8. Commitment to Security:

At KLERQ, we are deeply committed to maintaining a secure environment for our clients and partners. We recognize the immense responsibility that comes with handling sensitive legal data. Our dedication to security is unwavering, and we continuously strive to uphold the highest standards of data protection.

1.9. Audience:

This Policy applies to all employees, contractors, and individuals who engage with KLERQ’s systems and data. Compliance with this Policy is mandatory to ensure the security and confidentiality of our operations.

Section 2: Scope and Applicability

2.1. Covered Systems and Data:

This cybersecurity policy applies to all information systems, data, and technology resources owned, operated, or managed by KLERQ, including but not limited to:

KLERQ’s Software as a Service (SaaS) platform, which includes information pertaining to law firms.
Hosting services provided by Microsoft Azure, where KLERQ’s SaaS platform is hosted.
The policy encompasses various categories of data, including but not limited to:

• Matter information
• Referees (contact details)
• Personal information about lawyers (name, phone numbers, email addresses, photos)
• Commercial text related to practices, focus industries and the firm in general
• Publications
• Quotes
• Information about pitches
• Information for submissions documents

2.2. Personnel:

This policy is applicable to all divisions and departments within KLERQ, including but not limited to:

• Technology
• Sales
• Marketing
• Support
• Customer Success

Additionally, this policy extends to law firms and external entities with whom KLERQ collaborates, including:

• Microsoft Azure (as the cloud provider)
• External development agency Stijlbreuk

All employees, contractors, temporary workers, and third-party vendors within these divisions and entities who have access to KLERQ’s systems and data are required to comply with this policy.

2.3. Policy Review and Updates:

This cybersecurity policy will undergo regular reviews, at a minimum, once every half a year. Additional reviews will be conducted in the event of major changes to the software, the engagement of new sub-vendors, or significant shifts in technology or regulations. Updates to the policy will be made to address emerging threats, ensure compliance, and maintain the highest standards of data security.

Section 3: Roles and responsibilities

3.1 Key Personnel and Roles:

KLERQ (Internal)
• Technology Department: Manages day-to-day technology operations, including system security, access control, and incident response.
o Contact: Tim Strijbosch (Head of Technology)
• Sales and Marketing Team: Ensures that client interactions align with security policies and guidelines.
o Contact: Stijn van Oirschot (Head of Sales and Marketing)
• Management Team: Provides executive oversight and guidance for cybersecurity practices.
o Contact: Jorn Vermeulen (Director)
• Support Team: Assists clients with security-related inquiries and reports incidents as necessary.
• Administration Team: Supports cybersecurity efforts through policy enforcement and employee training.
• Customer Success Team: Collaborates with clients to address security concerns and promote cybersecurity awareness.

External:
• Microsoft Azure (External Cloud Provider)
o Azure Security Team: Manages the security of the cloud infrastructure and ensures physical and network security within Azure data centers.
o Azure Support Team: Provides assistance in addressing security-related concerns within the Azure environment.
• Stijlbreuk (External Development Agency)
o Development Team: Collaborates with KLERQ on software development, ensuring that security best practices are followed and vulnerabilities are promptly addressed.
o Incident Response Contact: Designated point of contact at Stijlbreuk for reporting and addressing security incidents related to software development.

3.2 Reporting Structure:

The main points of contact for cybersecurity and incident management within KLERQ are:

• Tim Strijbosch (Head of Tech)
• Stijn van Oirschot (Head of Sales and Marketing)
• Jorn Vermeulen (Director)

They can be reached via the dedicated email address: security@klerq.io . This email address serves as the primary channel for reporting security incidents and related concerns within KLERQ.

3.3 Policy Review and Updates:

To ensure the effectiveness of this cybersecurity policy, it will be reviewed at least once every half a year. Additionally, reviews will occur in response to significant changes to the software, engagement of new sub-vendors, or substantial shifts in technology or regulations. Updates to the policy will be made to address emerging threats, ensure compliance, and maintain the highest standards of data security.

Section 4: Information Classification

4.1. Categories of Information:

KLERQ handles various categories of information, including but not limited to:

• Personal Information: Data related to individuals, including clients and employees.
• Company Information: Information about organizations and businesses.
• Commercial Information: Data related to commercial practices, focus industries, and client interactions.

4.2. Data Classification Labels:

By default, all customer information is classified as “Confidential.” This classification applies to all information concerning clients, whether within or outside KLERQ’s tooling, and includes information shared during customer support interactions.

Within the KLERQ tooling, clients have the option to label specific information as “Confidential” or “Publishable.” However, these labels do not alter the overall classification or handling of the information.

4.3. Handling and Protection:

• Encryption in transit: All information exchanged with the KLERQ system, including data received for implementations (e.g., submissions, pitches, referee lists), is encrypted in transit using TLS (Transport Layer Security, the successor to the deprecated SSL protocol) throughout the entire platform. TLS protects data while it moves between clients, the platform and KLERQ; encryption of stored backups is described in Section 9.6.
• Need-to-Know Basis: Access to information is granted based on the principle of “need-to-know.” Only authorized individuals within specific roles are granted access to information as required for their responsibilities.
• Access Control: Access to customer information is controlled and limited to the following roles:
o Technology: Access to implementation documentation received from clients, strictly for the required period, governed by NDAs.
o Customer Success: Access for onboarding purposes, limited to the information necessary for their tasks.
o Support: Access is enabled by the client and is only provided in response to client inquiries.
o Sales: Access to client data for demonstration purposes, as specified by the client.
o Other Categories: No default access to customer information.

4.4. Data Labeling:

Data within the KLERQ system is labeled as “Confidential” by default, with the option for clients to label specific information as “Confidential” or “Publishable” within the tooling.

4.5. Data Handling Procedures:

• Support Data: Support data is retained for a maximum of 30 days after the ticket is successfully resolved.
• Customer Success Data: Customer Success works in conjunction with the Technology Department for implementation and retains information for 30 days after successful implementation. During this period, data is stored in an extra-protected Microsoft cloud environment, accessible only to the implementation and tech teams. Information may also be securely transmitted to KLERQ via protected environments.

Section 5: Access Control

5.1. Roles and Departments:
Access control is defined based on specific roles and departments within KLERQ. The following roles and departments have access to various categories of information:

• Technology: Responsible for system management.
• Sales: Engages with client data on request.
• Customer Success: Manages client relationships and implementations.
• Support: Assists clients with technical inquiries.

5.2. Data Access Permissions:

Access permissions for each role are as follows:

• Technology: View, delete, and transfer client data.
• Sales: View client data (access granted upon client request).
• Customer Success: View, edit, delete, and transfer client data (access granted upon client request).
• Support: View and edit client data (access granted upon client request).

5.3. Conditions for Access:

Access is granted based on the specific responsibilities and requirements of each role. For Sales, Customer Success, and Support, access is granted upon client request, ensuring that clients have control over their data access.

5.4. Access Revocation:

Access is regularly reviewed and checked by the Technology team on a monthly basis. An access control scheme is maintained to track who has access to which client data and for what period. Access is revoked as part of the offboarding process when it is no longer required.

5.5. Monitoring and Auditing:

Access to information is continuously monitored and audited to ensure compliance with this policy. Audit logs are maintained to track access activities.

5.6. Reporting and Accountability:

Incidents or breaches related to access control should be reported through the established incident management process. Accountability for proper access management lies with the respective roles and departments responsible for data access.

5.7. Security Checks:

KLERQ undergoes annual penetration testing to assess and enhance its security posture. Regular security checks are conducted in collaboration with the external development team. Access to an external security advisor is maintained to ensure ongoing security vigilance and best practices.

Section 6: Incident Management

6.1. Incident Response Team:

The incident response team at KLERQ consists of the following key personnel:

• Director: Jorn Vermeulen
• Head of Sales and Marketing: Stijn van Oirschot
• Head of Technology: Tim Strijbosch

6.2. Incident Categories:

Cybersecurity incidents at KLERQ are categorized into the following types, among others:

• Data breaches
• Malware infections
• Unauthorized access
• Denial of service attacks
• Other incidents impacting data security

6.3. Incident Reporting:

Employees, clients, or other stakeholders should promptly report cybersecurity incidents to the designated incident response team via the following channels:
Email: security@klerq.io
Phone: +31 85 060 60 24 (during business hours)

6.4. Incident Assessment:

Upon receiving a report of a cybersecurity incident, the incident response team, in conjunction with the client and KLERQ’s external technology partner, will assess and categorize the incident’s severity based on predefined criteria.

6.5. Response Procedures:

The incident response procedures include the following steps:

• Containment: Isolate affected systems to prevent further damage.
• Eradication: Remove the threat and vulnerabilities causing the incident.
• Recovery: Restore affected systems and services to normal operation.
• Lessons Learned: Review the incident to identify areas for improvement.

6.6. Communication:

Incident information will be communicated as follows:

• Internally: The incident response team will coordinate internal communication.
• Externally: Clients will be informed within 24 hours for major incidents and within 5 business days for minor incidents. Minor incidents are those with no significant impact.

6.7. Documentation:

All cybersecurity incidents will be documented, and the incident report will include the following structure:

• Incident details and description
• Incident category and severity
• Actions taken during incident response
• Impact assessment
• Recommendations for prevention

6.8. Review and Improvement:

Incidents will be reviewed after resolution to identify areas for improvement in incident response procedures and overall cybersecurity. This review process includes annual security meetings with clients to discuss relevant topics.

Section 7: Training and Awareness

7.1. Training Requirements:

• All employees receive comprehensive data security training during their onboarding process.
• Data security is a recurring topic in monthly company meetings.
• Quarterly security updates and training sessions are conducted, led by external specialists and/or the Head of Technology. These sessions may include participation from the external development agency.

7.2. Training Delivery:

Whenever possible, cybersecurity training is conducted in person to facilitate effective learning and engagement.

7.3. Awareness Programs:

• Employees are encouraged to support each other in maintaining a culture of cybersecurity awareness.
• Specific topics, such as password protection and secure data handling and storage, are addressed through internal one-pagers.
• Periodic checks are conducted to assess and reinforce cybersecurity practices.

7.4. Roles and Responsibilities:

• Head of Technology: Oversees all internal security processes and serves as the main point of contact for internal security matters.
• Head of Sales: Responsible for all customer-related communications regarding security.
• Director: Holds overall responsibility for the cybersecurity process.

7.5. Reporting and Compliance:

• Cybersecurity training and awareness compliance are monitored and reported.

7.6. Documentation:

Training documentation is utilized during the onboarding process and is centrally accessible to all employees for ongoing reference and improvement. Information is reviewed and updated quarterly to ensure relevance and effectiveness.

Section 8: Access Control

8.1. Access Control Policy:

KLERQ’s access control policy is founded on the principle of granting individuals access only to the resources they need to perform their roles effectively and securely. The policy aims to maintain the confidentiality, integrity, and availability of data and systems.

8.2. Access Rights:

Access rights are assigned based on the principle of least privilege. Employees and authorized individuals receive access rights customized to their roles and specific needs within the organization. Criteria for determining access include job responsibilities and tasks.

8.3. Access Control Mechanisms:

Authentication: Access control is enforced through authentication: a username and password at minimum, strengthened with multi-factor authentication (MFA) where it is available (see 8.5). A password alone is not considered strong authentication.

Role-Based Access Control (RBAC): Customized roles are created to ensure that individuals have access only to the functions and data necessary for their roles.

Password Manager: A password manager is used to generate and securely store passwords that meet the complexity and expiration requirements of 8.4.

8.4. Password Policies:

Password Complexity: Passwords must meet complexity requirements, including length, character types, and regular updates.

Password Manager: A password manager is recommended to generate, store, and manage complex passwords securely.

8.5. Multi-Factor Authentication (MFA):

MFA is implemented and available upon request for clients using Microsoft Azure services, enhancing the security of user authentication.

8.6. User Account Management:

User accounts are created, modified, and deactivated by administrators based on the needs of employees and the organization. Terminated employees’ access rights are promptly revoked.

8.7. Remote Access:

Secure Connections: Remote access is secured through the use of Virtual Private Network (VPN) connections, ensuring encrypted data transmission.
Authentication: Strong authentication methods are employed for remote access.

8.8. Access Review and Auditing:

Access rights are subject to periodic review to ensure alignment with job roles and responsibilities.

Auditing of user access and changes to access rights is conducted regularly to detect and respond to unauthorized access.

8.9. Incident Response:

Access control is integrated into the incident response process to promptly address unauthorized access or security breaches. Measures are in place to investigate, contain, and mitigate any incidents related to access control.

Section 9: Backup and Recovery

9.1. Backup Policy:

KLERQ’s backup and recovery policy aims to ensure the availability and integrity of data. Key objectives include data protection, minimizing data loss, and rapid recovery in the event of data loss or system disruptions.

9.2. Data Backup Procedures:

Data is backed up every hour using Microsoft Azure services.
Primary backup copies are stored in The Netherlands, ensuring data redundancy and availability.

Additional fallback backup copies are securely maintained in another EEA (European Economic Area) country to further safeguard against data loss.

9.3. Retention Period:

Backup data is retained for a period of 30 days, providing a comprehensive data recovery window.

9.4. Data Recovery Procedures:

Data recovery procedures are managed jointly by the Technology department and our external development partner.

In the event of data loss or system disruptions, the responsible teams initiate the recovery process promptly to minimize downtime.

Data recovery is designed to be efficient, ensuring that data can be restored quickly.

9.5. Testing and Verification:

Backups are regularly tested and verified to ensure their integrity and reliability. This includes conducting test restores to confirm data recoverability.

9.6. Backup Encryption:

Azure Backup automatically encrypts all backed-up data using 256-bit AES encryption while storing it in the Azure cloud. This encryption ensures the security and compliance of stored data.

9.7. Off-Site Storage:

Primary and fallback backup copies are securely maintained, providing redundancy and disaster recovery capabilities. Off-site storage in an EEA country enhances data protection and availability.

9.8. Incident Response:

Backup and recovery procedures are integrated into the incident response process to address data loss or system disruptions promptly. Refer to Section 6 for details on the incident response process.

9.9. Business Continuity and Disaster Recovery (BCDR):

Azure Site Recovery (ASR) is utilized to implement a robust business continuity and disaster recovery (BCDR) strategy. ASR helps secure data, applications, and workloads during planned or unplanned outages, ensuring business continuity.

Section 10: Security Monitoring and Logging

10.1. Monitoring and Logging Policy:

KLERQ’s security monitoring and logging policy is designed to proactively identify and respond to security threats, ensuring the confidentiality, integrity, and availability of our systems and data. The key objectives include early threat detection, incident response readiness, and continuous security improvement.

10.2. Monitoring Systems:

While we do not utilize a dedicated Security Information and Event Management (SIEM) system, we rely on regular log checks of our systems and leverage Azure logs to monitor our network, systems, and applications for potential security threats.

10.3. Event and Log Collection:

Security events and logs are collected from various systems, including servers, network devices, and cloud services, to provide comprehensive visibility into our environment.

10.4. Log Retention:

Security logs are retained for a minimum period of 90 days to support incident investigations and compliance requirements. Longer retention periods may be applied based on legal or regulatory obligations.

10.5. Log Analysis:

Our security team regularly analyzes security logs to identify anomalies, potential security incidents, and emerging threats. Automated and manual analysis techniques are employed to ensure thorough scrutiny.

10.6. Alerting and Notification:

Real-time alerts and notifications are generated when security incidents or anomalies are detected.

Alerts are delivered to designated security personnel, including the Director and Head of Technology, for immediate response.
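The "regular log checks" of 10.2, the anomaly analysis of 10.5 and the alerting of 10.6 can be done without a SIEM by running a small script over an exported sign-in log. The following is an added example written for this page, not KLERQ's own tooling. It reads records shaped like the Microsoft Graph `signIn` resource (`createdDateTime`, `userPrincipalName`, `ipAddress`, `status.errorCode`, `location.countryOrRegion`); the sample export, the expected-country list and the failure thresholds are constructed assumptions, not values from the policy.

```python
"""Added example (not KLERQ's code): triage of exported Azure AD sign-in
records without a SIEM, as described in Section 10. Field names follow the
Microsoft Graph signIn resource; thresholds and sample data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

EXPECTED_COUNTRIES = {"NL"}           # assumption: where staff normally sign in from
FAILURE_THRESHOLD = 3                 # assumption: failures per source IP before alerting
FAILURE_WINDOW = timedelta(minutes=10)

# Constructed sample export: three failures then a success from one address
# (spray-then-login), plus one successful sign-in from an unexpected country.
SAMPLE_EXPORT = json.dumps([
    {"createdDateTime": "2024-08-15T08:00:05Z", "userPrincipalName": "a.user@klerq.example",
     "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}, "location": {"countryOrRegion": "NL"}},
    {"createdDateTime": "2024-08-15T08:00:40Z", "userPrincipalName": "b.user@klerq.example",
     "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}, "location": {"countryOrRegion": "NL"}},
    {"createdDateTime": "2024-08-15T08:01:12Z", "userPrincipalName": "c.user@klerq.example",
     "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}, "location": {"countryOrRegion": "NL"}},
    {"createdDateTime": "2024-08-15T08:02:30Z", "userPrincipalName": "c.user@klerq.example",
     "ipAddress": "203.0.113.7", "status": {"errorCode": 0}, "location": {"countryOrRegion": "NL"}},
    {"createdDateTime": "2024-08-15T09:15:00Z", "userPrincipalName": "d.user@klerq.example",
     "ipAddress": "198.51.100.23", "status": {"errorCode": 0}, "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2024-08-15T09:20:00Z", "userPrincipalName": "e.user@klerq.example",
     "ipAddress": "192.0.2.44", "status": {"errorCode": 0}, "location": {"countryOrRegion": "NL"}},
])


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_sign_ins(export_text):
    """Parse the export and order records by time so window checks are sequential."""
    return sorted(json.loads(export_text), key=lambda r: parse_time(r["createdDateTime"]))


def detect_failure_burst(records, threshold=FAILURE_THRESHOLD, window=FAILURE_WINDOW):
    """Flag a source IP that accumulates `threshold` failures inside `window` and then
    succeeds. errorCode 0 is a successful sign-in; anything else is a failure."""
    recent_failures = defaultdict(list)   # ip -> failure timestamps still inside the window
    alerts = []
    for rec in records:
        ip, ts = rec["ipAddress"], parse_time(rec["createdDateTime"])
        failures = [t for t in recent_failures[ip] if ts - t <= window]
        if rec["status"]["errorCode"] != 0:
            failures.append(ts)
        elif len(failures) >= threshold:
            alerts.append({"rule": "failure-burst-then-success", "ip": ip,
                           "user": rec["userPrincipalName"], "failures": len(failures)})
            failures = []                 # one alert per burst
        recent_failures[ip] = failures
    return alerts


def detect_unexpected_country(records, expected=EXPECTED_COUNTRIES):
    """Flag successful sign-ins from outside the expected countries."""
    return [{"rule": "unexpected-country", "ip": r["ipAddress"],
             "user": r["userPrincipalName"], "country": r["location"]["countryOrRegion"]}
            for r in records
            if r["status"]["errorCode"] == 0 and r["location"]["countryOrRegion"] not in expected]


def triage(export_text):
    """Run every rule over one export; the returned list is what gets sent to the
    Director and Head of Technology (Section 10.6)."""
    records = load_sign_ins(export_text)
    return detect_failure_burst(records) + detect_unexpected_country(records)


if __name__ == "__main__":
    for alert in triage(SAMPLE_EXPORT):
        print(alert)
```

On the constructed export this raises two alerts: the burst from 203.0.113.7 that ends in a successful sign-in for c.user, and d.user's sign-in from the US. The window-based rule is what distinguishes a user mistyping a password from a spray, and the per-IP reset keeps one attack from producing an alert on every later success.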

10.7. Incident Response Integration:

Security monitoring and logging are tightly integrated into our incident response process (see Section 6). When security incidents are identified, incident response procedures are promptly initiated to contain and mitigate potential threats.

10.8. Regular Review and Reporting:

Security logs are subject to regular review to identify trends, potential weaknesses, and areas for improvement. Reports summarizing the results of log analysis are presented to the management team during security meetings.

Section 11: Change Management Process

To ensure the continued integrity, availability, and confidentiality of our information systems, all changes to the organization’s technology infrastructure, applications, and services must follow a formal Change Management Process. This process helps to mitigate the risks associated with implementing changes.

11.1 Scope: This process applies to all changes to systems, applications, network configurations, and other critical IT infrastructure components that could impact cybersecurity.

11.2 Procedures:

a. Request for Change (RFC):

    • All changes must begin with a documented Request for Change (RFC). This document must include the purpose, scope, impact analysis, and rollback procedures.
    • The RFC must be submitted to the Change Advisory Board (CAB) for review.

b. Impact Assessment:

    • An impact analysis must be performed to understand the potential effects of the change on security, compliance, and business operations.
    • Risk assessments should be conducted to identify any new vulnerabilities introduced by the change.

c. Approval Process:

    • The CAB, composed of representatives from IT, security, and relevant business units, will review the RFC.
    • Changes are approved only after a full assessment. Low-risk changes may be approved as submitted; high-risk changes require additional controls or mitigation measures before approval.

d. Implementation:

    • Approved changes should be implemented following the documented plan, including any necessary security controls.
    • All changes must be logged, and sufficient documentation must be maintained.

e. Post-Implementation Review:

    • A review must be conducted after the change is implemented to ensure it has been successful and has not introduced any unexpected issues.
    • Lessons learned should be documented to improve future change management practices.

11.3 Documentation:

    • All related documentation, including RFCs, impact assessments, and approvals, must be stored securely and be accessible for audit and review purposes.

Section 12: User Access Rights Review Procedure

Managing user access to systems and data is a critical aspect of our cybersecurity strategy. To ensure that access rights are appropriate and secure, a formal User Access Rights Review Procedure has been established.

12.1 Scope: This procedure applies to all employees, contractors, and third parties with access to the organization’s systems and data.

12.2 Procedures:

  1. Initial Access Provisioning:

    • Access rights must be granted based on the principle of least privilege, ensuring users only have access to the data and systems necessary for their role.
    • All access provisioning must be documented, including the justification for access and approval by the appropriate authority.
  2. Regular Access Reviews:

    • User access rights must be reviewed on a quarterly basis to ensure they remain appropriate to the user’s role.
    • Reviews should include an audit of current access levels and verification with department heads to confirm the necessity of each access.
  3. Access Revocation:

    • Access rights must be immediately revoked or adjusted when an employee changes roles, leaves the company, or no longer requires certain access.
    • This process must be documented, and confirmation of revocation should be logged.
  4. Reporting and Documentation:

    • All access review activities, including findings and actions taken, must be documented.
    • Reports should be maintained for audit purposes and reviewed by the IT security team to ensure compliance with access management policies.

Section 13: Visitor Log and Identification Procedure

To maintain the security of our physical premises and protect sensitive information, a formal procedure for logging and identifying all visitors has been implemented. This procedure ensures that only authorized individuals gain access to our facilities and that their presence is recorded.

13.1 Scope: This procedure applies to all visitors entering the premises, including contractors, delivery personnel, and guests.

13.2 Procedures:

  1. Visitor Logging:

    • All visitors must sign in at the reception desk upon arrival. The log must include the visitor’s name, the purpose of their visit, the time of entry, and the person they are visiting.
    • Visitors must sign out when leaving, with the time of departure recorded.
  2. Visitor Identification:

    • Visitors are required to present official identification upon arrival. This ID will be checked against the visitor log to ensure accuracy.
    • Visitors will be issued a temporary visitor badge, which must be worn visibly at all times while on the premises.
  3. Access Control:

    • Visitors must be escorted by an employee at all times while within secure areas of the building.
    • Access to restricted areas is not permitted unless expressly authorized and accompanied by a security staff member or relevant department head.
  4. Monitoring and Review:

    • The visitor log will be reviewed regularly to ensure compliance with the procedure.
    • Any discrepancies or security incidents involving visitors must be reported immediately to the security team.
  5. Retention of Logs:

    • Visitor logs will be retained for a minimum of six months and will be available for review by the security team or management upon request.

Section 14: Review and Revision

14.1. Policy Review Frequency:

This cybersecurity policy will be subject to regular review and updates to ensure its ongoing effectiveness. The policy will be reviewed at least once every six months by the security team and management to align with evolving cybersecurity threats, regulatory changes, and organizational needs.

14.2. Incident Management Testing:

Incident management procedures will be rigorously tested and evaluated on an annual basis or as needed in response to significant changes in the organization’s technology environment, threat landscape, or incident response capabilities. Testing and revision will ensure that the incident management procedures remain effective and in sync with emerging threats.

Section 15: Conclusion

15.1. Commitment to Cybersecurity:

At KLERQ, we are unwavering in our commitment to safeguarding the confidentiality, integrity, and availability of data. This cybersecurity policy serves as a foundational framework to protect our organization, our clients, and the sensitive information we handle. It reflects our dedication to maintaining the highest standards of cybersecurity and our continuous efforts to adapt to the ever-evolving threat landscape.

15.2. Employee Awareness:

We encourage all employees to familiarize themselves with this cybersecurity policy and the related incident management procedures. By understanding and adhering to these guidelines, each member of our organization plays a crucial role in upholding our cybersecurity practices and contributing to the protection of our data and our clients’ data.