Keep Software Up to Date Policy

In today's rapidly evolving digital landscape, the security and functionality of our devices are of vital importance. I would like to emphasize the important role that keeping software up to date plays in protecting your personal information and the security of Hiip's digital environment.

Security: Updates often include patches for known vulnerabilities that could be exploited by malicious actors. By neglecting updates, you may be leaving your devices and data at risk.
Data Protection: Updates frequently enhance the security features of your devices and software, helping to protect your personal and academic data from potential breaches.
Performance: New updates can optimize the performance of your devices, ensuring that they run smoothly and efficiently, allowing you to focus on your studies without disruptions.
Compatibility: Updates often include improvements in compatibility with various software and devices. Ensuring that you have the latest versions can prevent compatibility issues that could affect your coursework.
New Features: Updates may introduce new and valuable features that can enhance your user experience and productivity.

Therefore, we will check regularly: manually check for updates every 15 days. This includes web browsers and mobile apps (iOS & Android).

Keeping Software Up to Date for the backend environment:
- Hiip will conduct periodic checks every 6 or 8 months to identify patches in third-party software that resolve security vulnerabilities.

Based on the severity of the update, we divide updates into the following levels:
1. Serious: needs to be updated immediately
2. Danger: update immediately after the Serious items (1) have been processed
3. Medium: lower priority; process later or in the next test cycle
4. Low: lower priority; process later or in the next test cycle

How to keep it up to date
* About devices:
If you manage the configuration of your computer yourself, for example if it's your own computer or is not one of the University's desktop configurations, you have to take responsibility to keep it up to date yourself.
Windows PCs
Go via the Windows button into the Settings menu, then the Update menu; you can find the options listed under Security.
Apple Macs
These normally will tell you whenever an update is available. To check manually, select the [Apple menu] then [Software Update ...].
Linux
There are lots of types of Linux in use. We suggest you do an internet search of "how to update" and add your variant of Linux to the search. Choose the method that you find works best for you.
Smartphones
Make sure you know how to update the system software. Most devices provide user-friendly methods for this. Make "ease of update" one of your selection criteria when choosing such devices.

* Monitor for Updates and Vulnerabilities for the Hiip mobile app (iOS & Android):
Dependencies and Libraries: Regularly check for updates to third-party libraries and frameworks your app relies on (every 6 to 8 months). Hiip uses the tool Snyk to help automate this process.
Platform Updates: Stay informed about updates and security advisories from mobile platforms (iOS and Android). This includes changes in APIs, security vulnerabilities, and new guidelines.
Security Vulnerabilities: Subscribe to security bulletins and advisories related to mobile app development to stay ahead of potential vulnerabilities.
Plan and Prioritize:
Assess Impact: Evaluate the impact of each patch on your app's functionality, performance, and user experience.
Prioritize: Prioritize patches based on severity (e.g., critical security vulnerabilities vs. minor performance improvements) and their impact on your users.
Testing:
Develop and Test Locally: Apply patches in a development environment first. Thoroughly test the app to ensure that the patch resolves the issue without introducing new bugs.
Automated Testing: Use automated testing tools to run regression tests and ensure that existing functionalities are not broken by the new patch.
Beta Testing: Deploy the patched version to a beta group of users to gather feedback and identify any issues that might not have been caught during internal testing.
Deployment:
Staged Rollout: If possible, use a staged rollout to gradually release the patched version to users. This helps in identifying and addressing any issues on a smaller scale before a full deployment.
Monitor Feedback: After deployment, closely monitor user feedback and app performance to ensure that the patch has resolved the issue and hasn’t caused new problems.
Documentation:
Change Logs: Maintain detailed change logs for each patch, including what was fixed or updated and any impact on the app.
Release Notes: Communicate changes to users through release notes or in-app messages, especially if the patch includes significant updates or improvements.
Maintenance and Iteration:
Regular Reviews: Regularly review the app’s performance and user feedback to identify areas that may need further attention or new patches.
Continuous Improvement: Adopt a continuous improvement mindset, using insights from user interactions and performance data to guide future updates and patches.

Log Management Policy

- All systems within the organization must record and maintain audit log information that includes:
i. The activities performed on the system.
ii. The user or entity (i.e., system account) that performed the activity, including the system from which the activity was performed.
iii. The file, application, or other object on which the activity was performed.
iv. The time the activity occurred.
v. The tool with which the activity was performed.
vi. The outcome (e.g., success or failure) of the activity.
- Specific activities to be logged must include the event type, date and time, a success or failure indicator, and the Meta user ID (if the user needs to access your Facebook account):
i. Information (including authentication information such as usernames or passwords) is created, read, updated, or deleted.
ii. User authentication and authorization to systems.
iii. Granting, modification, or revocation of access rights.
iv. Application process abort, failure, or abnormal end.
- Application event audit logs are reviewed at least every 7 days.
- Determining and escalating whether a security event is valid or invalid involves a series of steps to analyze and verify the nature of the event. Here's a structured approach to assess and validate security events:
+ Define the Event Criteria
Identify what constitutes a security event: Understand the baseline for what is considered a security event in your context (e.g., unauthorized access attempts, malware detection, etc.).
Determine the severity levels: Categorize events based on their potential impact (e.g., critical, high, medium, low).
+ Collect and Review Event Data
Gather information: Obtain all relevant logs and data related to the event. This might include system logs, firewall logs, intrusion detection system (IDS) alerts, and more.
Verify the source: Ensure the data source is reliable and the logs are from trusted systems.
+ Correlate with Known Threats
Check against threat intelligence: Compare the event details with known threat indicators, signatures, or patterns from threat intelligence sources.
Analyze patterns: Look for known attack patterns or anomalies that match common security threats.
+ Assess Context and Impact
Evaluate the context: Consider the context in which the event occurred. For example, an event might be normal behavior in one scenario but indicative of a problem in another.
Determine the impact: Assess the potential impact of the event on the organization’s assets, data, and operations.
+ Verify Event Authenticity
Cross-check with other sources: Verify the event with other security tools and logs to ensure consistency and accuracy.
Investigate potential false positives: Determine if the event could be a false positive by evaluating the normal operation and behavior of the systems involved.
+ Validate Against Policies and Procedures
Check compliance: Ensure the event aligns with organizational security policies and procedures.
Review incident response procedures: Confirm that the event is handled according to established incident response protocols.
+ Document Findings
Record details: Document the event’s details, analysis process, and conclusions.
Update records: Ensure that findings are recorded in incident management systems and that any lessons learned are incorporated into security practices.
+ Take Appropriate Actions
Respond as needed: If the event is valid, take appropriate remediation and mitigation steps based on the severity and impact.
Review and improve: Use the findings to refine detection mechanisms, update policies, and enhance overall security posture.
By following these steps, you can systematically determine the validity of security events and take appropriate actions to protect your organization.
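As an added illustration (not part of Hiip's policy or tooling), the Python below checks constructed sample records against the seven required audit attributes listed above and produces the kind of summary a 7-day log review starts from; the JSON field names and the three-failure threshold are assumptions.

```python
import json
from collections import Counter
from datetime import datetime

# The seven attributes every audit record must carry under this policy.
REQUIRED_FIELDS = ("activity", "actor", "source", "object", "time", "tool", "outcome")

# Constructed sample log (not real Hiip data): one JSON record per line.
SAMPLE_LOG = """\
{"time":"2024-05-01T08:00:00Z","activity":"login","actor":"alice","source":"10.0.0.5","object":"admin-portal","tool":"browser","outcome":"success"}
{"time":"2024-05-01T08:01:10Z","activity":"login","actor":"bob","source":"10.0.0.9","object":"admin-portal","tool":"browser","outcome":"failure"}
{"time":"2024-05-01T08:01:15Z","activity":"login","actor":"bob","source":"10.0.0.9","object":"admin-portal","tool":"browser","outcome":"failure"}
{"time":"2024-05-01T08:01:20Z","activity":"login","actor":"bob","source":"10.0.0.9","object":"admin-portal","tool":"browser","outcome":"failure"}
{"time":"2024-05-01T09:30:00Z","activity":"grant_access","actor":"alice","source":"10.0.0.5","object":"repo:billing","tool":"admin-cli","outcome":"success"}
{"time":"2024-05-01T10:00:00Z","activity":"read","actor":"carol","object":"customer-db","outcome":"success"}
"""

def parse_audit_log(text):
    """Split a log into (valid_records, problems); a record missing any required field is rejected."""
    valid, problems = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            problems.append((lineno, "malformed JSON"))
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            problems.append((lineno, "missing " + ", ".join(missing)))
            continue
        try:  # the policy requires the time; an unparseable one is as bad as a missing one
            rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            problems.append((lineno, "unparseable time"))
            continue
        valid.append(rec)
    return valid, problems

def weekly_review(records, failure_threshold=3):
    """Summary for the 7-day review: repeated authentication failures and access-right changes."""
    failures = Counter(r["actor"] for r in records
                       if r["activity"] == "login" and r["outcome"] == "failure")
    return {
        "repeated_auth_failures": {a: n for a, n in failures.items() if n >= failure_threshold},
        "access_right_changes": [(r["actor"], r["object"]) for r in records
                                 if r["activity"] in ("grant_access", "modify_access", "revoke_access")],
    }

if __name__ == "__main__":
    records, problems = parse_audit_log(SAMPLE_LOG)
    print("rejected:", problems)
    print("review:", weekly_review(records))
```

Records rejected by the validator are themselves a finding for the review: a system that emits them is not meeting the logging rule.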

Data in Transit Policy

Purpose: The purpose of this policy is to define how Hiip data is transmitted electronically.
Scope: This IT policy, and all policies referenced herein, shall apply to all members of Hiip, including Admins, Brands, and Influencers (the "User(s)" or "you") who use, access, or otherwise employ, locally or remotely, the Hiip IT Resources or the networks Hiip controls.
Rules for transmitting:
- Secure, authenticated connections or secure protocols must be used for transmission of protected data via:
+ Hyper Text Transfer Protocol Secure (HTTPS)
+ Secure File Transfer Protocol (SFTP) server
+ Transport Layer Security (TLS). Use TLS 1.2 or above, and disable SSL v2/v3.
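An added Python example, not code from Hiip: a checker that audits a client ssl.SSLContext against the TLS rule above, shown with a context that breaks it beside one that satisfies it. The finding texts are my own wording.

```python
import ssl

# The floor the Data in Transit Policy sets: TLS 1.2 or above.
POLICY_FLOOR = ssl.TLSVersion.TLSv1_2

def audit_context(ctx):
    """Return the policy violations found in an SSLContext (an empty list means compliant)."""
    findings = []
    # TLSVersion is an IntEnum; MINIMUM_SUPPORTED (-2) means "whatever the library allows",
    # which does not enforce the TLS 1.2 floor and may let SSL v3 / TLS 1.0 / 1.1 be negotiated.
    if ctx.minimum_version < POLICY_FLOOR:
        findings.append("minimum protocol version below TLS 1.2")
    # A "secure, authenticated connection" also needs the peer certificate verified...
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required: encrypted but not authenticated")
    # ...and bound to the host being contacted.
    if not ctx.check_hostname:
        findings.append("hostname checking disabled: any valid certificate is accepted")
    return findings

def weak_context():
    """The kind of context the policy forbids: no version floor, no certificate checks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_context():
    """Client context that satisfies the rule: TLS 1.2+, certificate and hostname verified."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CA store
    ctx.minimum_version = POLICY_FLOOR  # refuses SSL v2/v3, TLS 1.0 and TLS 1.1
    return ctx

if __name__ == "__main__":
    print("weak:", audit_context(weak_context()))
    print("hardened:", audit_context(hardened_context()))
```

The same three checks apply to any context handed to an HTTPS client or SFTP library; run them on the context an application actually builds, not on a fresh default one.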

Data Security Policy

Purpose: Hiip must restrict access to confidential and sensitive data to protect it from being lost or compromised, since any incident could adversely impact our customers and result in penalties for non-compliance and damage to our reputation. At the same time, we must ensure that users can access data as required for them to work effectively.
Scope: This data security policy applies to all customer data, personal data and other company data defined as sensitive by the company's data classification policy. Therefore, it applies to every server, database and IT system that handles such data, including any device regularly used for email, web access or other work-related tasks. Every user interacting with company IT services is also subject to this policy.
Rules:
- All data we collect is encrypted.
- Access to company IT resources and services will be given through a unique user account and complex password. Accounts are provided by the IT department based on HR records.
Multi-Factor Authentication (MFA): The purpose of this policy is to establish guidelines for implementing and managing Multi-Factor Authentication (MFA) to strengthen access controls and safeguard sensitive and critical information systems.
Scope: This policy applies to all employees, contractors, and third parties who access the organization's systems, applications, or data that require authentication.
Definitions:
Multi-Factor Authentication (MFA): A security mechanism that requires users to provide two or more forms of verification (factors) to gain access to systems or data.
Factors of Authentication: Includes something you know (password), something you have (security token), and something you are (biometric verification).
MFA Requirements:
Mandatory MFA: MFA is required for access to all critical systems, applications, and sensitive data, including but not limited to:
Administrative accounts
Remote access systems (e.g., VPNs)
Cloud-based applications and services
Financial systems and sensitive data repositories
Access to Specific Tools:
- Collaboration and Communication Tools
+ User Accounts: Accounts must be unique to each user. Shared accounts are prohibited.
+ Monitoring: Access and usage of collaboration tools will be monitored to ensure compliance with organizational policies.
- Code Repositories
+ Repository Access: Access to code repositories will be restricted based on role and need. Developers will only have access to repositories relevant to their projects.
+ Code Reviews: All code changes should be reviewed by a peer before being merged.
- Software Deployment Tools
+ Deployment Permissions: Access to deployment tools must be restricted to authorized personnel. Automated deployment processes should be used where possible.
+ Audit Trails: Deployment activities must be logged and auditable.
- Backend Administrative Tools
+ Administrative Access: Only system administrators and designated IT staff will have administrative access. Access to backend tools must be controlled and monitored.
+ Change Management: Changes to backend systems must follow a formal change management process.
- Remote Access (e.g., SSH)
+ Access Control: Remote access must be controlled through secure methods, such as VPNs or SSH keys.
+ Key Management: SSH keys must be managed securely, with periodic reviews and rotations.
+ Logging: Remote access activities must be logged and reviewed regularly.

Vulnerability Management Policy

Purpose: The purpose of the Hiip Vulnerability Management Policy is to establish the rules for the review, evaluation, application, and verification of system updates to mitigate vulnerabilities in the IT environment and the risks associated with them.
Rules:
- The Hiip Vulnerability Management Policy applies to individuals who are responsible for Information Resource management.
- Vulnerability Testing Methods: Approximately every 8 to 12 months we will conduct vulnerability testing through a third party: The Vietnamese Security Network (VSEC).
- The severity of vulnerabilities is divided into four levels:
+ Serious: security vulnerabilities that can lead to complete system or application takeover; security vulnerabilities that are easily exploited without requiring authentication or user interaction.
+ Danger: complex vulnerabilities that require a lot of knowledge and time to exploit; security vulnerabilities used to escalate privileges; security vulnerabilities that lead to partial data loss or to system downtime.
+ Medium: vulnerabilities that require user interaction to exploit (via social engineering); vulnerabilities that result in denial of service but are difficult to carry out; vulnerabilities that can only be exploited on the internal network; vulnerabilities that allow limited access to data; vulnerabilities that require special access rights to exploit.
+ Low: conditions that do not result in immediate or indirect information disclosure but provide information that can be used in conjunction with other vulnerabilities for exploitation; security vulnerabilities that require physical access to exploit.

Policy for Remediation of High-Severity Vulnerabilities
The purpose of this policy is to outline the process for identifying, assessing, and remediating high-severity vulnerabilities that could potentially lead to unauthorized access to platform data.
Scope: This policy applies to all systems, applications, and network components within the platform that process, store, or transmit sensitive or critical data.
Definitions:
High-Severity Vulnerability: A security flaw that, if exploited, could result in unauthorized access to sensitive data, significant disruption of services, or compromise of system integrity.
Remediation: The process of addressing and fixing vulnerabilities to eliminate or mitigate associated risks.
Vulnerability Identification and Assessment
Continuous Monitoring: Implement automated tools and manual assessments to continuously monitor for vulnerabilities.
Vulnerability Scanning: Regularly perform vulnerability scans and assessments to identify potential high-severity vulnerabilities.
External Sources: Stay informed of vulnerabilities and patches through security advisories, threat intelligence feeds, and industry reports.

Account Management Policy

- Account: Any combination of a User ID (sometimes referred to as a username) and a password that grants an authorized user access to a computer, an application, the network, or any other information or technology resource.
- Security Administrator: The person charged with monitoring and implementing security controls and procedures for a system. Whereas Hiip has one Information Security Officer, technical management may designate a number of security administrators.
- System Administrator: The person responsible for the effective operation and maintenance of information systems, including implementation of standard procedures and controls to enforce an organization's security policy.
- Purpose: The purpose of this policy is to establish a standard for the creation, administration, use, and removal of accounts that facilitate access to information and technology resources at Hiip.
Rules:
+ Information system user accounts are to be constructed so that they enforce the most restrictive set of rights/privileges or accesses required for the performance of tasks associated with an individual’s account. Further, to eliminate conflicts of interest, accounts shall be created so that no one user can authorize, perform, review, and audit a single transaction.
+ All information system accounts will be actively managed. Active management includes the acts of establishing, activating, modifying, disabling, and removing accounts from information systems.
+ Access controls will be determined by following established procedures for new employees, employee changes, employee terminations, and leave of absence.
+ All account modifications must have a documented process to modify a user account to accommodate situations such as name changes and permission changes.
+ Information system accounts are to be reviewed monthly to identify inactive accounts. If an employee or third party account is found to be inactive for 30 days, the owners (of the account) and their manager will be notified of pending disablement. If the account continues to remain inactive for 15 days, it will be manually disabled.
+ A list of accounts, for the systems they administer, must be provided when requested by authorized Hiip management.
+ An independent audit review may be performed to ensure the accounts are properly managed.
+ Review all access grants every 12 months and revoke access when it is no longer required or no longer being used.
+ Revoke access promptly when a person departs the organization.
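The inactivity rule above (notify the owner and manager at 30 idle days, disable if the account stays idle for a further 15 days) as an added Python example that is not Hiip's own tooling; the record layout and the sample accounts are constructed assumptions.

```python
from datetime import date, timedelta

INACTIVITY_NOTICE = timedelta(days=30)   # idle this long -> owner and manager notified
GRACE_AFTER_NOTICE = timedelta(days=15)  # still idle this long after the notice -> disabled

def review_account(acc, today):
    """Apply the inactivity rules to one account record and return the action taken.

    acc is a dict with keys last_activity (date), notified_on (date or None) and disabled (bool);
    it is updated in place so the next monthly review sees when the notice went out.
    """
    if acc["disabled"]:
        return "already-disabled"
    # Any activity after the notice was sent cancels the pending disablement.
    if acc["notified_on"] and acc["last_activity"] > acc["notified_on"]:
        acc["notified_on"] = None
    idle = today - acc["last_activity"]
    if acc["notified_on"] is None:
        if idle >= INACTIVITY_NOTICE:
            acc["notified_on"] = today
            return "notify"
        return "active"
    if today - acc["notified_on"] >= GRACE_AFTER_NOTICE:
        acc["disabled"] = True
        return "disable"
    return "pending"   # notified, but the 15-day window has not run out yet

def run_review(accounts, today):
    """Review every account and return {name: action} for the monthly report."""
    return {name: review_account(acc, today) for name, acc in accounts.items()}

def sample_accounts():
    """Constructed sample records (not real Hiip accounts)."""
    return {
        "alice":   {"last_activity": date(2024, 5, 28), "notified_on": None, "disabled": False},
        "bob":     {"last_activity": date(2024, 4, 20), "notified_on": None, "disabled": False},
        "vendor1": {"last_activity": date(2024, 4, 1), "notified_on": date(2024, 5, 10), "disabled": False},
        "carol":   {"last_activity": date(2024, 5, 15), "notified_on": date(2024, 5, 1), "disabled": False},
    }

if __name__ == "__main__":
    accts = sample_accounts()
    print(run_review(accts, date(2024, 6, 1)))   # bob notified, vendor1 disabled, carol's notice cleared
```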