Security Policy

1. Purpose

Frontier Web's information systems are fundamental to our daily operations and future success. We shall implement procedures and controls at all levels to protect the confidentiality and integrity of information stored and processed on our systems, and to ensure that the systems and information are available to authorized persons when required.

2. Scope

This Security Policy applies to all system owners/managers, information owners/stewards, system maintainers, system developers, operators, and administrators, including contractors and third parties, of Frontier Web's information systems, facilities, communications networks, and information. This policy applies to all information collected or maintained by Frontier Web and all information systems used or operated by Frontier Web.

3. Policy

All information in Frontier Web's systems shall be protected from unauthorized access, use, disclosure, duplication, modification, diversion, or destruction - whether accidental or intentional - in order to maintain confidentiality, integrity, and availability. Authorized user access shall be limited to only information necessary for the performance of required tasks.

4. Roles and Responsibilities

a. Administrator - the responsibilities of the Administrator include, but are not limited to: (i) exercising primary responsibility and authority for management of Frontier Web's information security program; (ii) controlling access for all other roles described in this section; (iii) ensuring that persons filling all other roles are adequately trained on the principles and practices of this Security Policy, and sufficiently skilled to carry out their duties in accordance with it (iv) coordinating system and data security requirements; (v) developing a strategy for continuous monitoring of security control effectiveness; (vi) ensuring that sensitive information is protected from unauthorized access in all forms at rest or in transit; (vii) ensuring that information security and privacy considerations are integrated into the planning, budgeting, programming, and deployment of any Frontier Web product; (viii) purchasing, installing, and upgrading Frontier Web's SSL certificates, and those of any of its clients. b. System Developers and Maintainers - the responsibilities of System Developers and Maintainers include, but are not limited to: (i) understanding the need to plan security into information systems, especially from the beginning; (ii) understanding the relationship between planned information security safeguards and the features installed on any server or system under Frontier Web's control; (iii) participating in the development and maintenance of Frontier Web's "live" information systems. c. Contractors and Third Parties - the responsibilities of Contractors and Third Parties include, but are not limited to: (i) participating in the development and maintenance of Frontier Web's information system without access to any of Frontier Web's "live" systems or databases.

5. Procedures

a. Access by Authorized Users: (i) only authorized users will access Frontier Web's information systems; (ii) access to any of Frontier Web's systems must be granted by the Administrator; (iii) the Administrator may monitor access and/or revoke access at any time for any or no reason; (iv) Authorized Users are only able to access Frontier Web's information systems over Secure Shell (SSH) with key-based authentication; (v) Frontier Web maintains an internal listing of public keys which have been granted access to Frontier Web's information systems; (vi) Frontier Web reserves the right to revoke access to any SSH key at any time, for any or no reason; (vii) all unsecured connections are automatically refused by Frontier Web's firewall. b. Access by Clients: (i) Frontier Web's Clients are given limited, browser-based access to specific information systems; (ii) Frontier Web has carefully-implemented programmatic controls to ensure that Clients are only able to access intended information systems; (iii) the Administrator will monitor Client access to ensure that Clients are not attempting to circumvent programmatic controls; (iv) the Administrator may revoke Client access in the event that a Client does attempt to circumvent programmatic controls; (v) Clients are only able to access Frontier Web's information systems over an encrypted browser session; (vi) all unencrypted browser sessions are automatically refused by Frontier Web's web server. c. Storage of Passwords: (i) Frontier Web stores passwords in its databases, including the passwords of its Clients' accounts and in some cases the passwords of users of Clients' websites; (ii) Frontier Web stores all passwords using industry standard salting and SHA1 hashing procedures; (iii) Frontier Web does not at any point store any passwords in plaintext format; (iv) in the event of a full breach of Frontier Web's information systems, an attacker would not gain access to any passwords. d. Website Encryption: (i) Frontier Web encrypts all browser connections to its own website -; (ii) Frontier Web also encrypts connections on behalf of many of its clients; (iii) Frontier Web will ensure that any website under its control will be encrypted if Personal Data of any form is collected or displayed on that website; (iv) any encrypted website under Frontier Web's control will be configured to refuse any and all unencrypted connections; (v) only the Administrator has access to Frontier Web's SSL certificates; (vi) all SSL certificates are purchased from and signed by GoDaddy Inc.; (vii) Frontier Web uses industry best practices in the maintaining and ordering of its cypher suite. e. Email Dispatching: (i) Frontier Web contracts with third parties such as Google and Microsoft for the dispatching of emails on its own behalf and on behalf of its Clients; (ii) Frontier Web will only contract with a third party that implements the Simple Mail Transport Protocol (SMTP) over Transport Layer Security (TLS), an encrypted protocol; (iii) Frontier Web will enforce the use of TLS in the dispatching of all emails; (iv) Frontier Web will set up appropriate Domain Name Server (DNS) records to ensure that only designated third parties are authorized to send mail on behalf of Frontier Web and/or any of its Clients.

If you have any questions about this Security Policy, please feel free to contact us. Last updated: 24 October 2017