Comprehensive Information Security Policy
Organization: mokrank.com
Version: 2.0
Effective Date: May 4, 2026
Document Owner: Chief Information Security Officer (CISO)
1. Purpose and Scope
The purpose of this Comprehensive Information Security Policy (CISP) is to establish the overarching framework for safeguarding mokrank.com’s information assets, user data, and technology infrastructure.
Scope: This policy applies to all employees, contractors, consultants, temporary workers, and third-party vendors associated with mokrank.com. It covers all systems, networks, applications, and physical facilities owned or leased by mokrank.com.
2. Information Security Governance & Compliance
Security at mokrank.com is driven from the top down, ensuring that risk management aligns with our business objectives.
2.1 Roles and Responsibilities
Board of Directors: Maintains ultimate oversight of cyber risk.
Chief Information Security Officer (CISO): Responsible for the strategic direction, implementation, and continuous monitoring of the security program.
Security Steering Committee: Cross-functional team meeting monthly to review security postures, incident trends, and compliance metrics.
All Personnel: Responsible for acknowledging and adhering to all security policies and participating in annual security awareness training.
2.2 Regulatory Alignment
mokrank.com strictly adheres to the following frameworks and regulations:
SOC 2 Type II: Continuous compliance for Security, Availability, and Confidentiality trust service criteria.
ISO/IEC 27001:2022: Certified Information Security Management System (ISMS).
GDPR & CCPA/CPRA: Strict adherence to international and state-level data privacy mandates, ensuring data sovereignty and the "Right to be Forgotten."
3. Identity and Access Management (IAM)
Access to mokrank.com systems is governed by the principles of Zero Trust Architecture (ZTA) and Least Privilege.
3.1 Authentication Requirements
Multi-Factor Authentication (MFA): Mandatory for all user, employee, and administrative accounts. Administrative access requires FIDO2-compliant hardware security keys (e.g., YubiKey).
Single Sign-On (SSO): All internal applications are integrated behind a centralized SAML/OIDC-based Identity Provider (IdP) equipped with adaptive, risk-based authentication (e.g., geofencing, impossible travel detection).
3.2 Authorization and Lifecycle
Role-Based Access Control (RBAC): Permissions are tied strictly to job functions, not individual users.
Provisioning/Deprovisioning: Access is automatically revoked within 15 minutes of employee termination via automated HR-to-IT integrations.
Access Reviews: Quarterly user access reviews (UAR) are conducted for standard systems, and monthly reviews are conducted for high-privilege administrative access.
3.3 Session Management
Internal administrative sessions time out after 15 minutes of inactivity.
Customer session tokens are cryptographically signed, bound to device fingerprints, and automatically expire after 24 hours.
4. Data Protection and Cryptography
mokrank.com treats data as its most critical asset. All data is classified and protected according to its sensitivity level.
4.1 Data in Transit
All communications between clients and mokrank.com servers, as well as internal microservice-to-microservice traffic, are encrypted using TLS 1.3 with Perfect Forward Secrecy (PFS). Non-secure protocols (e.g., HTTP, FTP, Telnet) are strictly blocked.
4.2 Data at Rest
All persistent storage (databases, object storage, block volumes, and backups) is encrypted using AES-256-GCM.
Cryptographic Key Management: Keys are managed via a dedicated Hardware Security Module (HSM) or managed Cloud KMS. Cryptographic keys are rotated automatically every 90 days.
4.3 Data Lifecycle and Masking
Personally Identifiable Information (PII) is tokenized or masked in non-production environments.
Data retention limits are strictly enforced. Data slated for deletion is cryptographically wiped (crypto-shredding) and removed from backups within 30 days.
5. Infrastructure and Network Security
Our infrastructure is fully defined as code (IaC) and inherently secure by design.
5.1 Cloud Architecture
Virtual Private Clouds (VPC): Infrastructure is segregated into isolated subnets. Databases reside in private subnets with no direct ingress from the public internet.
Microsegmentation: Workloads are isolated; lateral movement is prevented via strict host-based firewalls and namespace isolation.
5.2 Perimeter Defense
Web Application Firewall (WAF): Actively mitigates OWASP Top 10 vulnerabilities (SQLi, XSS, SSRF) and blocks malicious bot traffic.
DDoS Protection: Network infrastructure is distributed via a global CDN with automated layer 3/4 and layer 7 DDoS mitigation.
6. Secure Software Development Lifecycle (SSDLC)
Security is "shifted left," heavily integrated into the software engineering process.
6.1 Code and Vulnerability Analysis
Static Application Security Testing (SAST) & Software Composition Analysis (SCA): Automated scans run on every pull request. PRs containing critical or high-severity vulnerabilities cannot be merged.
Dynamic Application Security Testing (DAST): Automated runtime scanning occurs in the staging environment before any production deployment.
6.2 External Validation
Penetration Testing: Independent, CREST-certified third parties conduct gray-box penetration tests bi-annually.
Vulnerability Disclosure Program (VDP): mokrank.com operates a private Bug Bounty program, incentivizing security researchers to responsibly report vulnerabilities.
7. Incident Response and Business Continuity
We maintain a state of readiness to detect, respond to, and recover from security events rapidly.
7.1 Security Operations Center (SOC)
SIEM and Logging: All system, application, and network logs are centralized in an immutable Security Information and Event Management (SIEM) platform.
Monitoring: The SOC operates 24/7/365, utilizing AI-driven heuristics to detect anomalous behavior.
7.2 Incident Response (IR) Phases
Following the NIST SP 800-61 framework:
Preparation: Bi-annual tabletop exercises simulate ransomware and data breach scenarios.
Detection & Analysis: Alerts with high confidence trigger page-outs to the on-call IR team.
Containment: Automated playbooks isolate compromised instances from the network within minutes.
Eradication & Recovery: Systems are rebuilt from known-good, secure IaC templates.
Post-Incident Activity: A blameless root cause analysis (RCA) is conducted within 48 hours to update defenses.
7.3 Disaster Recovery
Backups: Encrypted backups are captured continuously. A daily snapshot is stored in an isolated, geo-redundant, air-gapped "vault" account.
Metrics: We target a Recovery Point Objective (RPO) of 1 hour and a Recovery Time Objective (RTO) of 4 hours for Tier-1 services.
8. Endpoint and Third-Party Risk
8.1 Endpoint Security
All company-issued devices are managed via Mobile Device Management (MDM).
Endpoints utilize Next-Generation Antivirus (NGAV) and Endpoint Detection and Response (EDR) agents. Full-disk encryption (FileVault/BitLocker) is mandatory.
8.2 Third-Party Risk Management (TPRM)
Vendors and third-party APIs must undergo a rigorous security assessment prior to onboarding.
Vendors handling sensitive mokrank.com data must provide an active SOC 2 Type II report and are subject to continuous risk monitoring.