1.2 Scope
This document applies to any person, group, or entity that meets the following conditions:
- The person is an employee, contractor, partner/partner's business contact, or other party that has access to Yammer systems or data.
- The person requires access to data owned by Yammer or customer data stored within Yammer systems that is not released to the general public and is/would be classified as non-public data.
Role - Responsibility
Yammer General Manager - The Microsoft executive responsible for directing engineering efforts for Yammer. The General Manager is a high-level escalation point for all engineering issues, including security.
Director of Security - Engineering executive responsible for directing the security program and protecting the confidentiality, integrity, and availability of the Yammer application and customer data. The Director of Security is the escalation point for all security issues.
Security Engineer - Security representative tasked with implementing policies and controls to protect the Yammer application and customer data.
Director of Infrastructure - An engineering executive responsible for the provisioning, upkeep, and resiliency of Yammer's core production infrastructure and services.
Yammer
Information Security Policy
Data Owner
Data Custodian
2 Information Security
Policy Objective: To provide documented management direction and support for the consistent
implementation of information security and privacy for Yammer. To assess risks to Yammer,
develop mitigating strategies, and monitor existing policies and effectiveness of safeguards.
The Policy must be made available to all new and existing Yammer Staff for review. All Yammer
Staff are required to represent that they have reviewed, and agree to adhere to, all policies
within the Yammer Security Policy documents.
All Yammer Contingent Staff must agree to adhere to the relevant policies within the Policy in
accordance with the process in Section 7.1.
Effective Date
This policy takes effect for all Services upon its approval by management. All Services must be in
compliance with the policy guidelines herein no later than the release date of the next major
service version, unless earlier compliance is specified by the Yammer Security team.
For the purpose of auditing, the compliance date for this version is July 31, 2013.
This document supersedes all previously approved versions upon its approval, regardless of the
service version currently in use for a particular customer offering. If the contents of this policy
conflict with any other Microsoft policy, the stricter of the two policies will be enforced.
Exceptions to the Policy must be authorized by both Yammer Security management and the
affected asset owner.
[Figure: policy hierarchy - CIA, Principles, Policy, Requirements, SOPs]
This is adapted literally from NIST Special Publication 800-27 Engineering Principles for
Information Technology Security (A Baseline for Achieving Security), page 14, Principle 20.
The intent of this passage is to combine with the previous Principle to highlight the
importance of the three As: authentication, authorization, and audit.
3 Organizational Security
Policy Objective: The management of information security within the organization.
and requirements for the security, confidentiality, integrity and availability of the information
assets involved. Appropriate security standards should be addressed in the agreement, to
provide a level of protection against identified risks equivalent to that provided by the Yammer
Security Policy. Pre-existing third party contracts should be amended to include appropriate
language upon renewal.
*Third Party: Non-FTE vendors and consultants who work on or provide products or services to Yammer or in Yammer/Microsoft Data Centers. Access to Yammer/Microsoft Assets must be controlled on the basis of justifiable business needs and class of 3rd party (ref. 2.8, 9.1). Third parties can include: 1) Information Security vendors, including vendors and consultants providing 24x7 services in critical environments; 2) vendors providing services on a frequent, but not continuous basis, such as circuit technicians or vendors handling backup storage; 3) vendors supporting equipment or applications, such as vendors engaged by product groups to supply, install and troubleshoot hardware; 4) on-demand vendors such as plumbers, janitors, handymen and electricians requiring access to the data center production or pre-production environment; and 5) visitors to a Microsoft facility, including potential customers and vendors.
5 Personnel Security
Policy Objective: To reduce the risks of human error, theft, fraud or misuse of facilities.
detailed responsibilities for the protection of specific assets or the execution of specific
security processes or procedures. These security roles and responsibilities should be
formally assigned to an individual or team. An individual with formally assigned security
responsibilities may delegate security tasks to others; however this individual will remain
responsible and must confirm that any delegated tasks have been correctly performed.
Such roles and responsibilities include, but are not limited to:
- Establish, document, and distribute security policies and procedures
- Clearly identify and define the assets and security processes associated with each particular system
- Identify security events related to each particular system and monitor for their occurrence
- Establish, document, and distribute security incident response and escalation procedures
- Administer user account and authentication management
- Monitor and control all access to logical assets (data, code, documentation) and physical assets (hardware, hardcopy documentation, storage media)
6 Operations Management
Policy Objective: To ensure the correct and secure operation of information processing
facilities.
- The handling and processing of information assets classified according to the Yammer Data Classification Policy and Procedure
- Error and incident response procedures
- System maintenance, backup, and shutdown/reboot procedures
- 24x7 Yammer support contact information
All information gathered during incident and malfunction remediation activities is to be treated
as Microsoft Confidential Information.
The disciplinary process for dealing with Yammer Staff found to be in violation of the security
policies or procedures must follow appropriate Microsoft Human Resource guidelines, or be
subject to the terms and conditions of the third party contract.
8 Compliance
Policy Objective: To assess Yammer compliance with the Yammer Security Policy document.
9 Communications Security
Policy Objective: To protect important information against loss, modification, misuse, or
unauthorized disclosure while in transit across networks and to protect the supporting
Yammer.
9.1
All information systems supporting Yammer must be protected from malicious software through
the use of preventative and detective controls. All software in use must be approved for the
Yammer environment. Users must be made aware of the dangers of downloading files from
unknown or untrusted sources.
Automated monitoring and reporting tools must be available and used to assess the security
posture of Yammer.
9.8.2 Proactive Vulnerability Scanning and Penetration Testing
Yammer must proactively monitor the information system servers for possible exposures. This
must include a regularly scheduled scanning of known system vulnerabilities and penetration
testing from outside as well as inside the Yammer environment.
Proactive monitoring must be scheduled pursuant to operational change control procedures,
performed by authorized Yammer Staff or others authorized by Yammer Security and conducted
in such a fashion so as to minimize impact to the production environment.
9.11 Tele-working
Suitable protection must be afforded to remote sites where Yammer Staff or Yammer
Contingent Staff remotely access Yammer systems. Physical as well as logical controls must be
put in place to ensure the security of the remote site is comparable to that at primary work
facilities. Yammer Staff and Yammer Contingent Staff connecting remotely from home must
adhere to corporate remote access policies for gaining access to Microsoft Networks.
tested during the development phases. Critical security review and approval checkpoints must
be included during the system development life cycle for products that have a foreseeable
security impact.
or a manned reception desk. The construction of the barrier should be physically sound and
extend to the real floor and ceiling of a space if necessary.
Additional physical barriers, such as locked cabinets erected internal to facility perimeters,
may also be required for certain assets according to the Yammer Data Classification Policy and
Procedure.
11.4 Surveillance
Subject to existing laws and corporate privacy policies, surveillance measures must be put in
place for monitoring of Yammer facilities and Data Centers. Such measures include security
patrols as well as video surveillance equipment.
12 Document Control
12.1 About this Document
Author: Matthew Sutkus
Effective Date: August 1, 2013
Email: msutkus@yammer-inc.com
12.2 Revisions
Revision  Date        Author          Comments
0.1       8/6/13      Matthew Sutkus  Initial Draft
0.2       11/14/13    Matthew Sutkus  Correct some typos
0.3       11/29/2013  Matthew Sutkus  Remove some bad links
0.4       12/2/2013   Matthew Sutkus  Add LCA as third party vendor management
12.3
12.4 Approvals
Name           Role                    Version  Approval
Josha Bronson  Director of Security    0.4      Yammer Approval 1 (12/3/13)
Adam Pisoni    Yammer General Manager  0.4      Yammer Approval 1 (12/3/13)
12.5 Glossary
Access Control - The implementation of rules and security mechanisms with the purpose of limiting or preventing unauthorized use of information, resources, and facilities. Reference: ISO/IEC 27002:2005
Account - A set of credentials that corresponds to exactly one person, used for access to systems or applications.
Adjustment - The process of revising the Yammer Risk Management Program and supporting policies and procedures based upon the results from an evaluation process.
Administrative Safeguards - The formulation of policies and procedures for the management of Yammer that help ensure the consistent implementation of controls in the Yammer environment. Reference: Department of Treasury, Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Year 2000 Standards for Safety and Soundness; Final Rule, 12 CFR Part 30, et al.
Asset - Any item used to support the delivery or operation of Yammer, including information, software, physical, and service assets. A major Asset is one considered essential to the function of Yammer at the discretion of the Asset Owner.
Asset Owner - The creator, generator, originator, or primary possessor of an Asset, or agent(s) to which the Asset Owner has given consent to act as a fiduciary with regard to specific assets, according to a documented agreement.
Assurance - Grounds for confidence that an information system meets its security objectives. Reference: The CISSP Prep Guide, Ronald L. Krutz and Russell Dean Vines, Wiley Computer Publishing, 2001.
Attack - A malicious act to compromise Yammer.
Audit - Synonym for Security Audit.
Authentication - The process of determining that a person or information system attempting to access an asset is really the entity they say they are. Reference: The Information Systems Audit and Control Association and Foundation (ISACA).
Authorization - The act of granting access to an asset on the basis of authenticated identification. Reference: International Telecommunication Union (ITU) T Security Definitions, March 2002.
Availability - The process of ensuring that authorized users have access to information and associated assets when required. Reference: ISO/IEC 27002:2005
Service Continuity Management (SCM) - Documented processes and procedures for ensuring that essential business functions can continue to operate during and after an unforeseen circumstance such as a natural or man-made disaster. Reference: ISO/IEC 27002:2005
CISSP - Acronym for Certified Information Systems Security Professional, a current industry standard certification offered by the ISC2 organization. Reference: www.isc2.org
Classification - The act of categorizing assets into defined groups according to the asset's sensitivity.
Critical Risk - Threats that pose critical impact to the security of the analyzed entity. Yammer must take action to mitigate immediately.
Cryptography - The discipline that embodies principles, means, and methods for the transformation of data in order to hide its information content, prevent its undetected modification and/or prevent its unauthorized use. Reference: International Telecommunication Union (ITU) T Security Definitions, March 2002.
Denial-of-Service - The prevention of authorized access to resources or the delaying of time-critical operations. In a shared network, this threat can be recognized as a fabrication of extra traffic that floods the network, preventing others from using the network by delaying the traffic of others. Reference: International Telecommunication Union (ITU) T Security Definitions, March 2002.
Disaster Recovery Plan (DRP) - Procedures that define the appropriate actions to be taken in emergency situations that affect environmental and computing resources.
Domain - A set of items that fall under one logical categorization for ease of reference and management.
Encryption - A method used to translate information from plaintext into a secure form that is near impossible to unscramble and interpret during transmission and storage. Reference: ITSecurity.com Dictionary
End-User - Synonym for Consumer.
Environment - The physical and logical surroundings in which Yammer is delivered or operated.
Evaluation - Assessment of the sufficiency of the Yammer Risk Management Program and supporting policies and procedures in meeting the program's mission and objectives.
Exploit - The methodology for enacting an attack against Yammer using exposures.
Exposure - Direct or indirect risks to Yammer that could result from the absence of mitigating controls.
Guideline - A recommendation for the implementation of a control or safeguard to meet the Yammer Security Policy.
High Risk - Threats that pose significant impact to the security of the analyzed entity. Yammer must take action to mitigate, but on a timeline based on business priorities.
Identity Management - A business strategy for the unified control of user online identities, authentication information, and access profiles across the organization using a combination of technologies and processes.
Information Acquisition - The collection or receipt of data by Yammer.
Information Disposal - The permanent destruction of data to prevent recovery.
Information Processing - Transactions on data by an information system or an individual.
Information Security - The preservation of confidentiality, integrity and availability of information. Reference: ISO/IEC 27002:2005
Information Sharing - The disclosure of data to an outside party not associated with the delivery or operation of Yammer.
Information Storage - The persistence of data in physical or logical format.
Information System - A combination of hardware, software, and supporting infrastructure that receives, processes, or transmits data in support of the delivery and operation of Yammer.
Information Transmission - The transfer of data across communication networks or across physical distances. Transmission can originate from or terminate at Yammer.
Infrastructure - All personnel, services, information, systems, and assets that operate together with the purpose of providing Yammer.
Integrity - Safeguarding the accuracy and completeness of information and processing methods. Reference: ISO/IEC 27002:2005
Intrusions - Attacks that yield unauthorized access.
ISO 27002 - An information technology code of practice, prepared based upon the British Standards Institution (BS 7799 standard), and adopted by a Joint Technical Committee in parallel with its approval by the national bodies of the International Standards Organization and International Electrotechnical Commission. Reference: ISO/IEC 27002:2005
Least-Privilege - The principle that users and processes should operate with no more privileges than are absolutely necessary to perform the duties of their current role or function. Reference: ITSecurity.com Dictionary
Low Risk - Threats that pose minimal impact to the security of the analyzed entity. Yammer may take action to mitigate based on business priorities.
Medium Risk - Threats that pose moderate impact to the security of the analyzed entity. Yammer must take action to mitigate, but on a timeline based on business priorities.
Microsoft Confidential Information - Nonpublic information that Microsoft designates as being confidential. Microsoft Confidential Information includes, without limitation, information in tangible or intangible form relating to and/or including released or unreleased Microsoft software or hardware products, the marketing or promotion of any Microsoft product, Microsoft's business policies and practices, and information Microsoft received from others that Microsoft is obligated to treat as confidential. Reference: Microsoft Corporation Non-Disclosure Agreement, Microsoft Law and Corporate Affairs, 04/09/2002
Maturity - A level of review and refinement associated with an organizational process supporting security development.
Mitigating Control - Synonym for Control.
Need-to-Know - A principle by which information is only provided to those with a legitimate need for that information. Reference: ITSecurity.com Dictionary
Non-Production - Environments utilized for development and testing of online services, commonly known by names such as development, sandbox, testing, staging/pre-production, etc. No claims to safeguard end-user or partner submitted data must be made.
Operations - The execution of processes and procedures supporting the delivery of Yammer. Responsible for performing system administration, engineering and service management support, including functions such as order management, inventory management, provisioning and activation of new systems, maintenance of existing systems, network topology management and maintenance, and stability/performance diagnostics of online services, supporting infrastructure services and networks, facility management, and client management. Operations also drives optimization of the online services and associated environments, including automation of manual operations of the network, delivery services, and support, making these areas more efficient, cost-effective and error-free.
Operations Management - The oversight of processes and procedures supporting the delivery and functioning of Yammer. Reference: ISO/IEC 27002:2005
Organizational Security - The structure through which individuals and groups cooperate systematically in the implementation of the Yammer Risk Management program. This structure includes the allocation of roles and responsibilities to individuals and groups as well as rules guiding the interactions between these individuals and groups. Reference: ISO/IEC 27002:2005
Risk Assessment - The analysis of threats to, impacts on, and vulnerabilities of Yammer assets and the likelihood of an occurrence of loss, modification, misuse, or unauthorized disclosure. Reference: ISO/IEC 27002:2005
Risk Management - The process of identifying, controlling and minimizing or eliminating risks that may affect Yammer. Reference: ISO/IEC 27002:2005
Risk Rating - A qualitative metric assigned to a risk to reflect the likelihood of an occurrence of loss, modification, misuse, or unauthorized disclosure and the impact of that occurrence.
Safeguard - Synonym for Control.
Security Audit - An independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, to detect breaches in security, and to recommend any indicated changes in control, policy and procedures. Reference: International Telecommunication Union (ITU) T Security Definitions, March 2002.
Security Policy - A non-technical collection of rules that defines Yammer's approach to information security. These rules have been agreed upon and endorsed by Yammer executive management, and are required to be implemented in order to achieve the Yammer Risk Management Program mission and objectives.
Security Violations - Any action or process which breaks the agreed upon policies or procedures set forth by Yammer executive management.
Standards - Mandatory prerequisites for all of Yammer. Standards are subordinate to Policy statements, and are designed to provide more explicit definition of Policy intent. Standards statements are typically published in a consolidated Standards document (for example, Yammer Security Standards). Applicability to Yammer shall be clearly declared in the opening Scope section of a given Standards document. Compliance with a given Standard must be documented in a team-specific SOP.
Standard Operating Procedure (SOP) - A document that describes how to implement a configuration or execute a process that is considered mandatory for a specific Yammer workload. SOPs serve as the documented record of a given team's compliance with relevant Policy and/or Requirement statements. For example, an SOP authored by the Networking team could describe the team-specific process for configuring network equipment according to the Network Access Control section of the Yammer Security Policy.
System - Synonym for Information System.
System Development and Maintenance - The utilization of a repeatable methodology for the planning, development, testing, deployment, operation, and modification of an information system. Reference: ISO/IEC 27002:2005
System Failures - Unavailability of whole or significant parts of Yammer due to natural or man-made causes.
Technical Safeguards - The formulation of policies and procedures regarding the implementation of security technologies that help ensure the consistent implementation of controls in the Yammer environment. Reference: Department of Treasury, Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Year 2000 Standards for Safety and Soundness; Final Rule, 12 CFR Part 30, et al.
Third Party - Non-FTE vendors and consultants who work on or provide products or services to Yammer or in Microsoft Data Centers. Access to Microsoft Assets must be controlled on the basis of justifiable business needs and class of 3rd party (ref. 2.8, 9.1). Third parties can include: 1) Information Security vendors, including vendors and consultants providing 24x7 services in critical environments; 2) vendors providing services on a frequent, but not continuous basis, such as circuit technicians or vendors handling backup storage; 3) vendors supporting equipment or applications, such as vendors engaged by product groups to supply, install and troubleshoot hardware; 4) on-demand vendors such as plumbers, janitors, handymen and electricians requiring access to the data center production or pre-production environment; and 5) visitors to a Microsoft facility, including potential customers and vendors.
User Profile - A collection of information about a particular person or information system, usually stored in a central repository.
User Awareness - The ongoing process of receiving up-to-date information and education concerning policies, procedures, and best practices for the secure delivery and operation of Yammer.
Yammer Application - Enterprise social networking product offered by Microsoft and accessed or consumed by connecting via the Internet on a computer or mobile device/tablet.
Yammer Service - Any application or service hosted in a data center managed by Yammer Staff, or any application or service supported by Yammer Staff regardless of hosting location.
Yammer Staff - Microsoft employees involved in the development, marketing, sales, support or operation of a Microsoft Online Service.
Yammer Contingent Staff - Any vendors, agents or contractors on assignment to or engaged by Microsoft who are allowed to access, manage, or process information assets of Yammer, or to introduce new applications or services into Yammer facilities.
Yammer Executive Management - The executives responsible for Yammer and certain key direct reports to these executives.
12.6 Revisions
Revision  Date      Author          Comments
0.1       7/1/13    Matthew Sutkus  Initial Draft
0.2       11/26/13  Matthew Sutkus  Align more closely with SOA