1.1. Organization Name: KLERQ (a trade name of BlueKnows B.V.)
1.2. Date of Policy Creation: May 23, 2023
1.3. Policy Version: Version 1.2
1.4. Policy Owner: The technology department of KLERQ
1.5. Primary Purpose of the Cybersecurity Policy:
The KLERQ Cybersecurity Policy, herein referred to as “the Policy,” is established to safeguard our organization’s information assets, protect sensitive data, and mitigate cybersecurity risks. As a trade name of BlueKnows B.V., KLERQ operates within the legal industry, where the confidentiality, integrity, and availability of data are of utmost importance.
1.6. Importance of Cybersecurity:
In today’s digital age, cybersecurity is paramount. The legal industry, in particular, demands the highest standards of data protection and confidentiality. Cybersecurity breaches can have severe consequences, not only jeopardizing the trust of our valued clients, which include law firms, but also potentially leading to legal and regulatory repercussions.
1.7. Relationship Between Cybersecurity and Incident Management:
Incident management is an integral part of our cybersecurity strategy. It ensures that we respond effectively and swiftly to any security incidents that may arise, thereby minimizing their impact and safeguarding our clients’ sensitive information.
1.8. Commitment to Security:
At KLERQ, we are deeply committed to maintaining a secure environment for our clients and partners. We recognize the immense responsibility that comes with handling sensitive legal data. Our dedication to security is unwavering, and we continuously strive to uphold the highest standards of data protection.
1.9. Audience:
This Policy applies to all employees, contractors, and individuals who engage with KLERQ’s systems and data. Compliance with this Policy is mandatory to ensure the security and confidentiality of our operations.
2.1. Covered Systems and Data:
This cybersecurity policy applies to all information systems, data, and technology resources owned, operated, or managed by KLERQ, including but not limited to:
KLERQ’s Software as a Service (SaaS) platform, which includes information pertaining to law firms.
Hosting services provided by Microsoft Azure, where KLERQ’s SaaS platform is hosted.
The policy encompasses various categories of data, including but not limited to:
• Matter information
• Referees (contact details)
• Personal information about lawyers (name phone numbers, email addresses, photos)
• Commercial text related to practices, focus industries and the firm in general
• Publications
• Quotes
• Information about pitches
• Information for submissions documents
2.2. Personnel:
This policy is applicable to all divisions and departments within KLERQ, including but not limited to:
• Technology
• Sales
• Marketing
• Support
• Customer Success
Additionally, this policy extends to law firms and external entities with whom KLERQ collaborates, including:
• Microsoft Azure (as the cloud provider)
• External development agency Stijlbreuk
• All employees, contractors, temporary workers, and third-party vendors within these divisions and entities who have access to KLERQ’s systems and data are required to comply with this policy.
2.3. Policy Review and Updates:
This cybersecurity policy will undergo regular reviews, at a minimum, once every half a year. Additional reviews will be conducted in the event of major changes to the software, the engagement of new sub-vendors, or significant shifts in technology or regulations. Updates to the policy will be made to address emerging threats, ensure compliance, and maintain the highest standards of data security.
3.1 Key Personnel and Roles:
KLERQ (Internal)
• Technology Department: Manages day-to-day technology operations, including system security, access control, and incident response.
o Contact: Tim Strijbosch (Head of Technology)
• Sales and Marketing Team: Ensures that client interactions align with security policies and guidelines.
o Contact: Stijn van Oirschot (Head of Sales and Marketing)
• Management Team: Provides executive oversight and guidance for cybersecurity practices.
o Contact: Jorn Vermeulen (Director)
• Support Team: Assists clients with security-related inquiries and reports incidents as necessary.
• Administration Team: Supports cybersecurity efforts through policy enforcement and employee training.
• Customer Success Team: Collaborates with clients to address security concerns and promote cybersecurity awareness.
External:
• Microsoft Azure (External Cloud Provider)
o Azure Security Team: Manages the security of the cloud infrastructure and ensures physical and network security within Azure data centers.
o Azure Support Team: Provides assistance in addressing security-related concerns within the Azure environment.
• Stijlbreuk (External Development Agency)
o Development Team: Collaborates with KLERQ on software development, ensuring that security best practices are followed and vulnerabilities are promptly addressed.
o Incident Response Contact: Designated point of contact at Stijlbreuk for reporting and addressing security incidents related to software development.
3.2 Reporting Structure:
The main points of contact for cybersecurity and incident management within KLERQ are:
• Tim Strijbosch (Head of Tech)
• Stijn van Oirschot (Head of Sales and Marketing)
• Jorn Vermeulen (Director)
They can be reached via the dedicated email address: security@klerq.io . This email address serves as the primary channel for reporting security incidents and related concerns within KLERQ.
3.3 Policy Review and Updates:
To ensure the effectiveness of this cybersecurity policy, it will be reviewed at least once every half a year. Additionally, reviews will occur in response to significant changes to the software, engagement of new sub-vendors, or substantial shifts in technology or regulations. Updates to the policy will be made to address emerging threats, ensure compliance, and maintain the highest standards of data security.
4.1. Categories of Information:
KLERQ handles various categories of information, including but not limited to:
• Personal Information: Data related to individuals, including clients and employees.
• Company Information: Information about organizations and businesses.
• Commercial Information: Data related to commercial practices, focus industries, and client interactions.
4.2. Data Classification Labels:
By default, all customer information is classified as “Confidential.” This classification applies to all information concerning clients, whether within or outside KLERQ’s tooling, and includes information shared during customer support interactions.
Within the KLERQ tooling, clients have the option to label specific information as “Confidential” or “Publishable.” However, these labels do not alter the overall classification or handling of the information.
4.3. Handling and Protection:
• Encryption: All information within the KLERQ system, including data received for implementations (e.g., submissions, pitches, referee lists), is encrypted using SSL (Secure Sockets Layer) throughout the entire platform.
• Need-to-Know Basis: Access to information is granted based on the principle of “need-to-know.” Only authorized individuals within specific roles are granted access to information as required for their responsibilities.
• Access Control: Access to customer information is controlled and limited to the following roles:
o Technology: Access to implementation documentation received from clients, strictly for the required period, governed by NDAs.
o Customer Success: Access for onboarding purposes, limited to the information necessary for their tasks.
o Support: Access is enabled by the client and is only provided in response to client inquiries.
o Sales: Access to client data for demonstration purposes, as specified by the client.
o Other Categories: No default access to customer information.
4.4. Data Labeling:
Data within the KLERQ system is labeled as “Confidential” by default, with the option for clients to label specific information as “Confidential” or “Publishable” within the tooling.
4.5. Data Handling Procedures:
• Support Data: Support data is retained for a maximum of 30 days after the ticket is successfully resolved.
• Customer Success Data: Customer Success works in conjunction with the Technology Department for implementation and retains information for 30 days after successful implementation. During this period, data is stored in an extra-protected Microsoft cloud environment, accessible only to the implementation and tech teams. Information may also be securely transmitted to KLERQ via protected environments.
5.1. Roles and Departments:
Access control is defined based on specific roles and departments within KLERQ. The following roles and departments have access to various categories of information:
• Technology: Responsible for system management.
• Sales: Engages with client data on request.
• Customer Success: Manages client relationships and implementations.
• Support: Assists clients with technical inquiries.
5.2. Data Access Permissions:
Access permissions for each role are as follows:
• Technology: View, delete, and transfer client data.
• Sales: View client data (access granted upon client request).
• Customer Success: View, edit, delete, and transfer client data (access granted upon client request).
• Support: View and edit client data (access granted upon client request).
5.3. Conditions for Access:
Access is granted based on the specific responsibilities and requirements of each role. For Sales, Customer Success, and Support, access is granted upon client request, ensuring that clients have control over their data access.
5.4. Access Revocation:
Access is regularly reviewed and checked by the Technology team on a monthly basis. An access control scheme is maintained to track who has access to which client data and for what period. Access is revoked as part of the offboarding process when it is no longer required.
5.5. Monitoring and Auditing:
Access to information is continuously monitored and audited to ensure compliance with this policy. Audit logs are maintained to track access activities.
5.6. Reporting and Accountability:
Incidents or breaches related to access control should be reported through the established incident management process. Accountability for proper access management lies with the respective roles and departments responsible for data access.
5.7. Security Checks:
KLERQ undergoes annual penetration testing to assess and enhance its security posture. Regular security checks are conducted in collaboration with the external development team. Access to an external security advisor is maintained to ensure ongoing security vigilance and best practices.
6.1. Incident Response Team:
The incident response team at KLERQ consists of the following key personnel:
• Director: Jorn Vermeulen
• Head of Sales and Marketing: Stijn van Oirschot
• Head of Technology: Tim Strijbosch
6.2. Incident Categories:
Cybersecurity incidents at KLERQ are categorized into the following types, among others:
• Data breaches
• Malware infections
• Unauthorized access
• Denial of service attacks
• Other incidents impacting data security
6.3. Incident Reporting:
Employees, clients, or other stakeholders should promptly report cybersecurity incidents to the designated incident response team via the following channels:
Email: security@klerq.io
Phone: +31 085 060 60 24 (During business hours)
6.4. Incident Assessment:
Upon receiving a report of a cybersecurity incident, the incident response team, in conjunction with the client and KLERQ’s external technology partner, will assess and categorize the incident’s severity based on predefined criteria.
6.5. Response Procedures:
The incident response procedures include the following steps:
• Containment: Isolate affected systems to prevent further damage.
• Eradication: Remove the threat and vulnerabilities causing the incident.
• Recovery: Restore affected systems and services to normal operation.
• Lessons Learned: Review the incident to identify areas for improvement.
6.6. Communication:
Incident information will be communicated as follows:
• Internally: The incident response team will coordinate internal communication.
• Externally: Clients will be informed within 24 hours for major incidents and within 5 business days for minor incidents. Minor incidents are those with no significant impact.
6.7. Documentation:
All cybersecurity incidents will be documented, and the incident report will include the following structure:
• Incident details and description
• Incident category and severity
• Actions taken during incident response
• Impact assessment
• Recommendations for prevention
6.8. Review and Improvement:
Incidents will be reviewed after resolution to identify areas for improvement in incident response procedures and overall cybersecurity. This review process includes annual security meetings with clients to discuss relevant topics.
7.1. Training Requirements:
• All employees receive comprehensive data security training during their onboarding process.
• Data security is a recurring topic in monthly company meetings.
• Quarterly security updates and training sessions are conducted, led by external specialists and/or the Head of Technology. These sessions may include participation from the external development agency.
7.2. Training Delivery:
Whenever possible, cybersecurity training is conducted in person to facilitate effective learning and engagement.
7.3. Awareness Programs:
• Employees are encouraged to support each other in maintaining a culture of cybersecurity awareness.
• Specific topics, such as password protection and secure data handling and storage, are addressed through internal one-pagers.
• Periodic checks are conducted to assess and reinforce cybersecurity practices.
7.4. Roles and Responsibilities:
• Head of Technology: Oversees all internal security processes and serves as the main point of contact for internal security matters.
• Head of Sales: Responsible for all customer-related communications regarding security.
• Director: Holds overall responsibility for the cybersecurity process.
7.5. Reporting and Compliance:
• Cybersecurity training and awareness compliance are monitored and reported.
7.6. Documentation:
Training documentation is utilized during the onboarding process and is centrally accessible to all employees for ongoing reference and improvement. Information is reviewed and updated quarterly to ensure relevance and effectiveness.
8.1. Access Control Policy:
KLERQ’s access control policy is founded on the principle of granting individuals access only to the resources they need to perform their roles effectively and securely. The policy aims to maintain the confidentiality, integrity, and availability of data and systems.
8.2. Access Rights:
Access rights are assigned based on the principle of least privilege. Employees and authorized individuals receive access rights customized to their roles and specific needs within the organization. Criteria for determining access include job responsibilities and tasks.
8.3. Access Control Mechanisms:
Authentication: Access control is enforced through strong authentication methods, including username and password or multi-factor authentication (MFA).
Role-Based Access Control (RBAC): Customized roles are created to ensure that individuals have access only to the functions and data necessary for their roles.
Password Manager: A strong password manager is utilized to ensure password complexity, expiration, and secure storage.
8.4. Password Policies:
Password Complexity: Passwords must meet complexity requirements, including length, character types, and regular updates.
Password Manager: A password manager is recommended to generate, store, and manage complex passwords securely.
8.5. Multi-Factor Authentication (MFA):
MFA is implemented and available upon request for clients using Microsoft Azure services, enhancing the security of user authentication.
8.6. User Account Management:
User accounts are created, modified, and deactivated by administrators based on the needs of employees and the organization. Terminated employees’ access rights are promptly revoked.
8.7. Remote Access:
Secure Connections: Remote access is secured through the use of Virtual Private Network (VPN) connections, ensuring encrypted data transmission.
Authentication: Strong authentication methods are employed for remote access.
8.8. Access Review and Auditing:
Access rights are subject to periodic review to ensure alignment with job roles and responsibilities.
Auditing of user access and changes to access rights is conducted regularly to detect and respond to unauthorized access.
8.9. Incident Response:
Access control is integrated into the incident response process to promptly address unauthorized access or security breaches. Measures are in place to investigate, contain, and mitigate any incidents related to access control.
9.1. Backup Policy:
KLERQ’s backup and recovery policy aim to ensure the availability and integrity of data. Key objectives include data protection, minimizing data loss, and rapid recovery in the event of data loss or system disruptions.
9.2. Data Backup Procedures:
Data is backed up every hour using Microsoft Azure services.
Primary backup copies are stored in The Netherlands, ensuring data redundancy and availability.
Additional fallback backup copies are securely maintained in an EER (European Economic Area) country to further safeguard against data loss.
9.3. Retention Period:
Backup data is retained for a period of 30 days, providing a comprehensive data recovery window.
9.4. Data Recovery Procedures:
Data recovery procedures are managed jointly by the Technology department and our external development partner.
In the event of data loss or system disruptions, the responsible teams initiate the recovery process promptly to minimize downtime.
Data recovery is designed to be efficient, ensuring that data can be restored quickly.
9.5. Testing and Verification:
Backups are regularly tested and verified to ensure their integrity and reliability. This includes conducting test restores to confirm data recoverability.
9.6. Backup Encryption:
Azure Backup automatically encrypts all backed-up data using 256-bit AES encryption while storing it in the Azure cloud. This encryption ensures the security and compliance of stored data.
9.7. Off-Site Storage:
Primary and fallback backup copies are securely maintained, providing redundancy and disaster recovery capabilities. Off-site storage in an EER country enhances data protection and availability.
9.8. Incident Response:
Backup and recovery procedures are integrated into the incident response process to address data loss or system disruptions promptly. Refer to Section 6 for details on the incident response process.
9.9. Business Continuity and Disaster Recovery (BCDR):
Azure Site Recovery (ASR) is utilized to implement a robust business continuity and disaster recovery (BCDR) strategy. ASR helps secure data, applications, and workloads during planned or unplanned outages, ensuring business continuity.
10.1. Monitoring and Logging Policy:
KLERQ’s security monitoring and logging policy are designed to proactively identify and respond to security threats, ensuring the confidentiality, integrity, and availability of our systems and data. The key objectives include early threat detection, incident response readiness, and continuous security improvement.
10.2. Monitoring Systems:
While we do not utilize a dedicated Security Information and Event Management (SIEM) system, we rely on regular log checks of our systems and leverage Azure logs to monitor our network, systems, and applications for potential security threats.
10.3. Event and Log Collection:
Security events and logs are collected from various systems, including servers, network devices, and cloud services, to provide comprehensive visibility into our environment.
10.4. Log Retention:
Security logs are retained for a minimum period of 90 days to support incident investigations and compliance requirements. Longer retention periods may be applied based on legal or regulatory obligations.
10.5. Log Analysis:
Our security team regularly analyzes security logs to identify anomalies, potential security incidents, and emerging threats. Automated and manual analysis techniques are employed to ensure thorough scrutiny.
10.6. Alerting and Notification:
Real-time alerts and notifications are generated when security incidents or anomalies are detected.
Alerts are delivered to designated security personnel, including the Director and Head of Technology, for immediate response.
10.7. Incident Response Integration:
Security monitoring and logging are tightly integrated into our incident response process (see Section 6). When security incidents are identified, incident response procedures are promptly initiated to contain and mitigate potential threats.
10.8. Regular Review and Reporting:
Security logs are subject to regular review to identify trends, potential weaknesses, and areas for improvement. Reports summarizing the results of log analysis are presented to the management team during security meetings.
To ensure the continued integrity, availability, and confidentiality of our information systems, all changes to the organization’s technology infrastructure, applications, and services must follow a formal Change Management Process. This process helps to mitigate the risks associated with implementing changes.
11. 1 Scope: This process applies to all changes to systems, applications, network configurations, and other critical IT infrastructure components that could impact cybersecurity.
11. 2 Procedures:
a. Request for Change (RFC):
b. Impact Assessment:
c. Approval Process:
d. Implementation:
e. Post-Implementation Review:
11. 3 Documentation:
Managing user access to systems and data is a critical aspect of our cybersecurity strategy. To ensure that access rights are appropriate and secure, a formal User Access Rights Review Procedure has been established.
12. 1 Scope: This procedure applies to all employees, contractors, and third parties with access to the organization’s systems and data.
12.2 Procedures:
Initial Access Provisioning:
Regular Access Reviews:
Access Revocation:
Reporting and Documentation:
To maintain the security of our physical premises and protect sensitive information, a formal procedure for logging and identifying all visitors has been implemented. This procedure ensures that only authorized individuals gain access to our facilities and that their presence is recorded.
13.1 Scope: This procedure applies to all visitors entering the premises, including contractors, delivery personnel, and guests.
13.2 Procedures:
Visitor Logging:
Visitor Identification:
Access Control:
Monitoring and Review:
Retention of Logs:
14.1. Policy Review Frequency:
This cybersecurity policy will be subject to regular review and updates to ensure its ongoing effectiveness. The policy will be reviewed at least once every six months by the security team and management to align with evolving cybersecurity threats, regulatory changes, and organizational needs.
14.2. Incident Management Testing:
Incident management procedures will be rigorously tested and evaluated on an annual basis or as needed in response to significant changes in the organization’s technology environment, threat landscape, or incident response capabilities. Testing and revision will ensure that the incident management procedures remain effective and in sync with emerging threats.
15.1. Commitment to Cybersecurity:
At KLERQ, we are unwavering in our commitment to safeguarding the confidentiality, integrity, and availability of data. This cybersecurity policy serves as a foundational framework to protect our organization, our clients, and the sensitive information we handle. It reflects our dedication to maintaining the highest standards of cybersecurity and our continuous efforts to adapt to the ever-evolving threat landscape.
15.2. Employee Awareness:
We encourage all employees to familiarize themselves with this cybersecurity policy and the related incident management procedures. By understanding and adhering to these guidelines, each member of our organization plays a crucial role in upholding our cybersecurity practices and contributing to the protection of our data and our clients’ data.