Information Security Policy

Revision History Log:

Version

Approved Date

Description of Changes

Revised By

Approved By

1.0

Initial Draft

2.0

12.1.2022

Added Password policy, updated links

Nan Jiang

Matthew Saeed

2.1

12.1.2023

Accepted minor changes to punctuation and password complexity requirements to align with updated NIST guidance

Nan Jiang

Matthew Saeed

1. INTRODUCTION

This Information Security Policy is a formal set of rules by which those personnel who are given access to company technology and information assets must abide.

The Information Security Policy serves several purposes. The main purpose is to inform company users: employees, contractors and other authorized users of their obligatory requirements for protecting the technology and information assets of the company. The Information Security Policy describes the technology and information assets that we must protect and identifies many of the threats to those assets.

The Information Security Policy also describes the user’s responsibilities and privileges. What is considered acceptable use? What are the rules regarding Internet access? The policy answers these questions, describes user limitations and informs users there will be penalties for violation of the policy. This document also contains procedures for responding to incidents that threaten the security of the company computer systems and network. This document is reviewed at minimum every 12 months, or when there is a major change.

2. DEFINITIONS

Company. The use of the term “company” or “the company” is in reverence to the following organization: JAND, Inc. and its affiliates d/b/a Warby Parker.

Security Officer. A member of the senior management who is entitled to make decisions that could have a significant effect on the business will be designated as a Security Officer. This can be the Director of the Department of Information Technology or the Chief Technology Officer.

Security Administrator. A member of the Information Security (“InfoSec”)Team will operate as Security Administrator for the company.

Externally accessible to the public. The system may be accessed via the Internet by persons outside of the company without a logon id or password. For example, www.warbyparker.com website.

Non-Public, Externally accessible. Users of the system must have a valid logon id and password. The system must have at least one level of firewall protection between its network and the Internet. The system may be accessed via the Internet by specific whitelisted IPs or using Cloudflare Access. An SFTP server used to exchange files with business partners is an example of this type of system, as well as our Jira server hosted by Atlassian.

Internally accessible only. Users of the system must have a valid logon id and password. The system must have at least two levels of firewall protection between its network and the Internet. The system is not visible to Internet users and can be accessed via the DMVPN network or the OpenVPN server. For example, Retail / POE.

3. WHAT ARE WE PROTECTING

It is the obligation of all users of the company systems to protect the technology and information assets of the company, including customer PHI and PII. This information must be protected from unauthorized access, theft and destruction.

The technology and information assets of the company are made up of the following components:

The entirety of our AWS cloud infrastructure, including the RDS instance of WarbyParker production database and S3 buckets that contain customer PHI and PII.
The entirety of our Google cloud infrastructure, including BigQuery and Looker.
The entirety of our Azure infrastructure, including AD clone.
Variety of hosted services, including GitHub that holds our production code, GSuite and Slack Chat that contain company documents and employee communications, Atlassian Jira and Wiki that store company documentation, DrChrono that houses EHR, DataDog and Sentry that aggregate our application logs, etc.
Network stacks at the New York and Nashville offices, Sloatsburg Lab, and retail stores, as well as any computer hardware, iPads, credit card swipers, printers, cameras, and other devices found on the company premises and / or used by the company employees for company business.
Software, including our proprietary helios application code, commercial software packages used by various departments within the company, operating systems and operating systems management software, network device software, DMVPN configuration information, etc.

The full list of the company systems can be found here: Warby Parker Systems List

3.1 Classification of Information

Information found in company files and databases shall be classified as either confidential or non-confidential. The Security Administrator is required to review and approve the classification of the information and determine the appropriate level of security to best protect it. Furthermore, the Security Administrator shall classify information controlled by units not managed by the Security Administrator.

3.2 Computer System Classifications

Security Level

Description

Example

RED

(Confidential Data and / or Mission Critical system)

This system contains confidential information that cannot be revealed to personnel outside of the company. Even within the company, access to this information is provided on a “need to know” (POLP) basis.

AND / OR

The system provides mission-critical services vital to the operation of the business. Failure of this system may have an adverse financial impact on the business of the company.

Production database that contains customer PHI and PII.

S3 bucket that contains company secrets.

Network routers and firewalls that contain DMVPN initialization keys.

GREEN

(Controlled access to Red Systems)

This system does not contain confidential information or perform critical services, but it provides the ability to access RED systems (ideally, in a controlled and auditable manner.)

Management workstations used by Production Services Team members.
WarbyParker WiFi network that grants access to the company LAN.
User PCs that are used to access company applications, such as Drchrono.
Retail iPads used to access Admin and POE.

WHITE

(Non-Public, internal, isolated, not critical, nor confidential)

This system is not externally accessible. It is on an isolated LAN segment, unable to access RED or GREEN systems. It does not contain sensitive information or perform critical services.

The dev environment, which is isolated in its own AWS account and consists of AdHocs that use sanitized customer data for testing.
Independent Doctor Network.

BLACK

(Non-Public, externally accessible, isolated, not critical, nor confidential)

This system is externally accessible. It is isolated from RED or GREEN systems. While it performs important services, it does not contain confidential information.

Retail vendor DMZ network, that allows RetailNext SSH access to their systems; isolated from breaking out into the rest of the WP network.

3.3 Local Area Network (LAN) Classifications

A LAN will be classified by the systems directly connected to it. For example, if a LAN contains just one RED system and all network users will be subject to the same restrictions as RED systems users. A LAN will assume the Security Classification of the highest level systems attached to it.

3.4 Classification Application

All of the company data, computer systems, and networks are subject to the above classification, which must be applied during the initial onboarding of the asset and audited annually for changes by the Security Administrator.

3.5 Minimum Required Protection based on the Classification Level

Security Level

Internally Hosted Application

Outside Vendor Integration

RED

(Confidential Data and / or Mission Critical system)

Encryption at rest
Encryption in transit
PKI or PSK authentication with MFA
Access and error logs
Security Monitoring

Must be reviewed by the InfoSec Team
Encryption at rest
Encryption in transit
PKI or PSK authentication with MFA
Access and error logs
Vendor is HIPAA compliant and has executed a BAA with Warby Parker.

GREEN

(Controlled access to Red Systems)

Encryption at rest
Encryption in transit
PKI or PSK authentication, MFA strongly encouraged
Access and error logs
Security Monitoring

Must be reviewed by the SecOps Team
Encryption at rest
Encryption in transit
PKI or PSK authentication, MFA strongly encouraged
Vendor has basic security controls, agrees to full disclosure in case of a breach and has executed a BAA with Warby Parker.

WHITE

(Non-Public, internal, isolated, not critical, nor confidential)

PKI or PSK authentication
Access and error logs

PKI or PSK authentication
Access and error logs

BLACK

(Non-Public, externally accessible, isolated, not critical, nor confidential)

PKI or PSK authentication, MFA strongly encouraged
Access and error logs
Security Monitoring

PKI or PSK authentication, MFA strongly encouraged
Access and error logs

Any non-public data must be reviewed by the InfoSec team in the case that the data will be shared outside of the company. Any system that contains non-public data must be reviewed by the InfoSec team if it is to be assessed by an external entity. This includes all vendors, partners, and third party services.

4. THREATS TO SECURITY

Information Security threats can originate from inside or outside of the company network. They can come in using software like Viruses, Worms, Trojan Horses etc. or manipulate unsuspecting insiders via social networking. They can lead to theft of identity or intellectual property, theft of equipment or information, sabotage or information extortion.

The groups that represent the most threat are outlined below:

4.1 Insider Threat

Whether they’re rogue employees acting with ill intent or employees or contractors making mistakes, they often have access to key applications, storage systems, networks and more. You have to layer your security to compensate for that.

The possibility of insider threat is extremely high. Some of the risk factors enabling the insider threat vulnerability include excessive access privileges for users, mistakes due to information technology complexity, and negligence due to the lack of security awareness / education.
Insider attacks can be difficult to detect because internal personnel are usually trusted by the company, and it can look like they are just doing daily work and have access to cover their attacks.
The most common type of vulnerability from an insider attack is exposed confidential business information. For example, an unaware employee could email customer PII and PHI to or from a personal account or download sensitive files to a personal computer or an unmarked flash drive.

4.2 Black Hat Hackers

These are criminal hackers and saboteurs. They are out there, often acting alone or in small numbers, trying to exploit cybersecurity vulnerabilities through online robbery and extortion or by stealing credentials in data breaches. They may be acting on their own behalf, but these can also be hackers-for-hire, with an emphasis on customer service and reliability, as long as the price is right.

The probability of this type of attack is low, but not entirely unlikely given the publicity that Warby Parker has experienced.
The skill of these attackers is medium to high as they are likely to be trained in the use of the latest hacker tools.
The attacks are usually well planned and are based on weaknesses discovered from outside the company network, using techniques like spear phishing, DNS enumeration, network and vulnerability scanning, etc.

4.3 Script Kiddies

These people are the most common type of attackers on the Internet. These amateur hackers are scanning the Internet and looking for well known security holes that have not been plugged. Web servers and electronic mail are their favorite targets. Once they find a weakness they will exploit it to plant viruses, Trojan horses, or use the resources of your system for their own means. If they do not find an obvious weakness they are likely to move on to an easier target.

The probability of attack is high and there is also likely to be a large number of attacks.
The skill of these attackers is low.
These are usually crimes of opportunity. If the attackers do not find an obvious weakness they are likely to move on to an easier target.

4.4 Organized Crime

The mob has a whole new look. Today, there are highly motivated groups of criminals looking to exploit cyber technology and digital information. While many would expect organized online criminals to go for the money, targeting financial companies, there are many other potential targets that could help them carry out their nefarious deeds.

The probability of attack is extremely high. Warby Parker is on the target list and we have seen many of these attacks come at as with a varying success rate.
The skill of these attackers is supplemented with large financial resources.
Favored attack methods include spear fishing and whaling, ransomware, credential stuffing, fake account creation for spam purposes, and other large scale automated bot attacks.

4.5 Hacktivists

In the past few years ‘hacktivism’ has seen a dramatic rise. You may know them by their more popular names like Anonymous or WikiLeaks, whose members use their computer skills to access networks with a political or social agenda in mind.

The probability of this type of attack is low, but not entirely unlikely given the publicity that Warby Parker has experienced.
The skill level of these attackers varies.
These data breaches are more personal and pointed. These ideological bad actors are typically targeting state and local governments, leaking insider information to the press, or seeking to interfere with processes they disagree with (the cyber equivalent of a street protest or sit-in).

5. USER RESPONSIBILITIES

This section establishes usage policy for the computer systems, networks and information resources of the office. It pertains to all employees and contractors who use the computer systems, networks, and information resources as business partners, and individuals who are granted access to the network for the business purposes of the company.

5.1 User Classification

All users are expected to have knowledge of these security policies and are required to report violations to the SecOps Team. See How to Report a Security Incident for more info.

The company operates on The Principle of Least Privilege (POLP): the concept of granting the least amount of privilege possible for our users to perform their work. This should also apply to our systems and applications—roles and access should be granted with the least amount of access possible in order to function.

The company has established the following user groups and defined the access privileges and responsibilities:

User Category

Privileges & Responsibilities

Department Users (Employees)

Access to resources, applications, and databases as required for job function (RED and/or GREEN cleared.)

System Owners / Administrators

Access to computer systems, AWS accounts, and other infrastructure technology required for the job function. Access to confidential information on a “need to know” basis only.

Security Administrators

Highest level of security clearance. Allowed access to all computer systems, databases, firewalls, and network devices as required for the job function.

Systems Analyst / Developer

Contractors / Consultants

Access to resources, applications, and databases as required for the specific job function. Access to computer systems, AWS accounts, and other infrastructure technology required for the job function. Access to routers and firewalls only if required for job function. Knowledge of security policies. Access to company information and systems must be approved in writing by the company director/CEO.

Other Agencies and Business Partners

Access allowed to selected applications only when contract or inter-agency access agreement is in place or required by applicable laws.

General Public

Access is limited to applications designated as public, such as the company website and Guest Network. The general public will not be allowed to access confidential information.

5.2 Acceptable Use

User accounts on company computer systems are to be used only for business of the company and not to be used for personal activities. Unauthorized use of the system may be in violation of the law, constitutes theft and can be punishable by law.

All users must conform to the Acceptable Use Policy set forth by the company.

5.3 Use of the Internet

The company will provide Internet access to employees and contractors who are connected to the Warby Parker network and who have a business need for this access. Employees and contractors must obtain permission from their supervisor and file a request with the Technical Services Team.

Any BYOD (Bring Your Own Device) is to be used with the Guest network only. This includes cell phones, tablets, personal laptops, etc.

The Internet service may not be used for transmitting, retrieving or storing any communications of a discriminatory or harassing nature or which are derogatory to any individual or group, obscene or pornographic, or defamatory or threatening in nature for “chain letters” or any other purpose which is illegal or for personal gain.

5.4 Password Policy

Warby Parker employees must follow the guidance below for any work-related authentication systems. Warby Parker password requirements are derived from industry best practice guidelines published in the National Institute of Standards and Technology (NIST) Special Publication 800-63B, Rev 3. Failure to use sufficiently complex passwords may pose a risk to the organization and therefore is considered a violation of company policy. Policy violations may result in a verbal warning, written notice, and or termination for repeated offenses.

Password Complexity Requirements:

17 Character Minimum
Do NOT share your password
Do NOT write down your password or save in plain text
The use of a password management solution (such as the corporate issued solution) is strongly recommended

An exception to the aforementioned password requirements applies to off-the-shelf systems where Warby Parker is unable to modify the password requirements enforced by the software vendor.

In the event that there are conflicts in requirements with other Company policies, Warby Parker follows the specific and/or additional regulatory requirements in precedence over this policy.

5.5 Employee Training and Awareness Program

The company provides Cyber Security Training session as part of the New Employee Orientation as well as part of the mandatory annual training that covers the following topics:

5.5.1 Password Security:

Users must use long unique passwords for every site and online account that they have.
Users should consider Password Manager to generate and retrieve complex passwords. Users must turn on MultiFactor Authentication (MFA) whenever possible. Company provides physical hardware keys. For virtual options preferred methods are Duo or Google Authenticator.
Users must never share accounts to access systems, e.g. users must not use shared service accounts for regular non-machine access to systems.
Users must never share individual login information with co-workers, e.g. no post-it notes on the monitor, no logging somebody in so they can use a tablet or a workstation, etc.
Users must watch out for shoulder surfing when viewing confidential information. Upon request, the company provides privacy screens for laptops and monitors. Check the self-service station or submit a Freshdesk ticket to the Tech Services team to get privacy screens for your devices.

5.5.2 Phishing:

Users should be suspicious of any email with urgent requests for personal financial information. Phishers typically include upsetting or exciting (but false) statements in their emails to get people to react immediately. They typically ask for information such as usernames, passwords, credit card numbers, social security numbers, etc. Phisher emails are typically NOT personalized, while valid messages from the banks or e-commerce companies generally are.
The users should not use the links in an email to get to any web page, especially if they suspect the message might not be authentic. Instead, they should call the company on the telephone, or log onto the website directly by typing in the Web address in the browser.
Users should avoid filling out forms in email messages that ask for personal financial information. They should know to only communicate information such as credit card numbers or account information via a secure website or the telephone.
Users should be able to tell a secure website from an unsecure one and be vigilant to always use a secure website when submitting credit card or other sensitive information via the browser.

5.5.3 Incident Reporting:

Users should be familiar with Section 1 of the CSIRP (CyberSecurity Incident Response Plan), which Includes confidentiality statement, incident definitions and initial reporting process.
See How to Report a Security Incident for more info.

5.5.4 Retail Operations / PCI DSS:

This section applies to retail personnel that handle card-present transactions (that is, card swipe or dip).
Users should be aware of their existence and be able to update the inventory list of card-reading devices used in card-present transactions at the point of sale. The inventory list must include the following: make / model of device, location of device (for example, the address of the site or facility where the device is located), device serial number or other method of unique identification, last date of update. It must be updated when devices are added, relocated, decommissioned, etc.
Users should periodically inspect card-reading devices to look for signs of tampering or substitution. Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into the device, missing or changed security labels, broken or differently colored casing, or changes to the serial number or other external markings.
Users should verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
Users should not install, replace, or return devices without verification.
Users should be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
Users should know to report suspicious behavior and indications of device tampering or substitution as a security incident.

5.6 Monitoring the Use of Computer Systems

The company has the right and capability to monitor electronic information created and/or communicated by persons using company computer systems and networks, including e-mail messages and usage of the Internet. It is not the company policy or intent to continuously monitor all computer usage by employees or other users of the company computer systems and network. However, users of the systems should be aware that the company may monitor usage, including, but not limited to, patterns of usage of the Internet (e.g. site accessed, on-line length, time of day access), and employees’ electronic files and messages to the extent necessary to ensure that the Internet and other electronic communications are being used in compliance with the law and with company policy.

5.7 Penalty for a Security Violation

The company takes the issue of security seriously. Those people who use the technology and information resources of the company must be aware that they can be disciplined if they violate this policy. Upon violation of this policy, an employee of the company may be subject to discipline up to and including discharge. The specific discipline imposed will be determined by a case-by-case basis, taking into consideration the nature and severity of the violation of the Information Security Policy, prior violations of the policy committed by the individual, state and federal laws and all other relevant information. Discipline which may be taken against an employee shall be administered in accordance with any appropriate rules or policies and the company Policy Manual.

Regardless of whether the violator is or is not an employee of the company the matter shall be submitted to the Security Administrator or the Security Officer, who may refer the information to law enforcement agencies and/or prosecutors for consideration as to whether criminal charges should be filed against the alleged violator(s).

6. AUTHENTICATION

Authentication is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity.

Authentication ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual.

6.1 Active Directory

The company Active Directory is an internal service used to authenticate to the following:

Access to employee workstations and laptops
OpenVPN
Atlassian Confluence
Self Service Portal
Solarwinds
Springfield a.k.a. Retail (POE) and Admin applications
Retail Next

See Wiki article for more details.

6.2 GSuite Email, Drive, SAML, and SSO

Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials (e.g., email and password) to access multiple applications.

For external vendors and/or business partners, Single sign-on (SSO) solution is required for Red and Green systems and is strongly recommended for White and Black systems. If the external vendors and/or business partners do not have SSO capabilities, exceptions need to be determined upon review on a case by case basis.

6.3 AWS IAM

Access to AWS is controlled via AWS IAM (Identity Access Manager). Human users are provisioned with username and password credentials under warbyparker (wp-primary) AWS account. They are required to set up MFA upon first login.

Further human access is based solely on Groups and Roles. Users are assigned to Groups based on their job function as reported by their Engineering Manager. Users must assume Roles to elevate privileges and / or access other WP AWS accounts.

Programmatic access for human users is allowed using AWS Access Key / Secret Key pairs. Key rotation is required every 90 days. IAM password should be rotated at least once per year. (Can access Key rotation be automated?)

See IAM RFC for more details.

6.4 Multi-Factor Authentication (MFA)

Two factor authentication strengthens access security by requiring two methods (also referred to as factors) to verify your identity. These factors can include something you know - like a username and password, plus something you have - like a smartphone app to approve authentication requests.

Duo is a user-centric access security platform that was chosen as a two-factor authentication provider for the company resources, including WARP bastion host and Active Directory.

6.5 Local Users

Any system that requires Local Authentication must be vetted by the SecOps team.

Any systems that use Local Authentication should be placed on the Risk Register and audited annually by the System owner and the SecOps team.

7. ACCESS CONTROL

Access Control is a set of permissions that are assigned to individuals or systems and authorize them to access specific resources. Physical access control limits access to campuses, buildings, rooms and physical IT assets. Logical access control limits connections to computer networks, system files and data.

7.1 Role-based Access Control (RBAC)

7.1.1 Definition

Role-based access control (RBAC) is a method of restricting network access based on the roles of individual human users within an enterprise. Roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members of staff (or third-parties) are assigned particular roles, and through those role assignments acquire the permissions needed to perform particular system functions. Since human users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the user's account; this simplifies common operations, such as adding a user, or changing a user's department.

7.1.2 Three primary rules are defined for RBAC:

Role assignment: A subject can exercise a permission only if the subject has selected or been assigned a role.
Role authorization: A subject's active role must be authorized for the subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized.
Permission authorization: A subject can exercise a permission only if the permission is authorized for the subject's active role. With rules 1 and 2, this rule ensures that users can exercise only permissions for which they are authorized.

7.1.3 Implementation

All users will be required to have a unique login ID and password to access the systems. The user’s password should be kept confidential and MUST NOT be shared with management & supervisory personnel and/or any other employee whatsoever. All users must comply with the Warby Parker Password Policy (section 5.4) that outlines the rules regarding the creation and maintenance of passwords.

Employee Login IDs and passwords will be deactivated as soon as possible if the employee or a contractor is terminated, fired, suspended, placed on leave, or otherwise leaves the employment of the company office.

The Talent team is responsible for communicating the changes in employee status that requires terminating or modifying employee login access privileges to the Technical Services and SecOps teams. Corporate, Lab, and Customer Experience accounts are removed manually, while the Retail offboarding process follows the procedure outlined in RFC-W110 - User Lifecycle Management: Automated Account Deprovisioning.

Access will be granted as per the rules of RBAC. The employees will be assigned roles and added to groups appropriate for the business function. Such assignments will need to be approved by their direct supervisor in a written auditable form, such as an email or a Jira ticket.

Employees will be responsible for all transactions occurring during Logon sessions initiated by use of the employee’s password and ID with their knowledge. Employees shall not login to a computer and then allow another individual to use the computer or otherwise share access to the computer systems.

System Administrators, network administrators, and security administrators will have Administrative level access to host systems, routers, hubs, and firewalls as required to fulfill the duties of their job.

7.2 Connecting to Third-Party Networks

This policy is established to ensure a secure method of connectivity provided between the company and all third-party companies and other entities required to electronically exchange information with the company.

“Third-party” refers to vendors, consultants, and business partners doing business with the company, and other partners that have a need to exchange information with the company. Third-party network connections are to be used only by those duly authorized to conduct specific business purposes of the company. The third-party company will ensure that only authorized users will be allowed to access information on the company network. The third-party will be required to encrypt company data in transit and at rest (if stored on their systems).

Any third-party integration that facilitates an exchange of company data, including but not limited to customer PHI or PII, must go through the Security Review Process.

7.3 Connecting Devices to the Network

Only authorized devices may be connected to the private company network. Authorized devices include laptops and workstations owned by the company that comply with the configuration guidelines of the company. Other authorized devices include network infrastructure devices used for network management and monitoring.

Users shall not attach to the network: non-company computers that are not authorized, owned and/or controlled by the company, any device that would alter the topology characteristics of the company network, any unauthorized storage devices, etc.

7.4 Remote Access

Only authorized persons may remotely access the company network. Remote access is provided to those employees, contractors and business partners of the company that have a legitimate business need to exchange information and / or access computer applications. Authorized connection can be remote PC to the network or a remote network to company network connection. Any new network to network connection has to go through the Security Review Process.

7.4.1 OpenVPN

Company OpenVPN server is used by technology team members while working remotely to access internal resources, such as ssh to ad-hoc instances and production servers. Access is granted via Active Directory.

7.4.2 Cloudflare Access

Cloudflare Access has been adopted by the company as an OpenVPN alternative, providing secure, public access to internal resources. It is part of our Zero-Trust initiative. It is integrated with GSuite for authentication. Cloudflare Access can put an authentication layer in front of web applications, requiring GSuite authentication before a user can load the application. Access can also be used for remote ssh access via a secure tunnel.

7.5 Unauthorized Remote Access

Users may not install personal software designed to provide remote control of the PC or workstation without explicit permission from the Technical Services or SecOps teams. This type of remote access bypasses the authorized highly secure methods of remote access and poses a threat to the security of the entire network.

8. ADDITIONAL SECURITY CONTROLS

8.1 Security Baselines

Warby Parker maintains security baselines across our various systems—workstations and server configuration, AWS infrastructure, and our retail and corporate networks. See here for a full breakdown.

8.2 Physical Security

Physical security tools include:

Key badges that allow or keep people from entering a sensitive area, such as a network closet or a computer equipment storage room.
Cameras for monitoring sensitive areas, common areas, and means of ingress to company office spaces.

8.3 Asset Management

An asset is any resource owned by the company. It includes physical and intellectual property, physical and virtual computer systems, networks, accounts, etc.

8.3.1 Asset Lifecycle

Security must be incorporated into the IT asset lifecycle at every stage, which includes doing a Security Review during procurement, implementing access controls and asset tagging during deployment, monitoring and licensing while in operation, secure archiving, decommission, and disposal after retirement.

8.3.2 Inventory and Asset Ownership

Inventories of all physical production systems are documented and maintained for tracking and reporting purposes. An audit of physical hardware inventory is performed periodically. For a comprehensive list of our assets and inventory, please refer to:

Routers, Switches, Battery Backups - Solarwinds
Wireless Access Points - Extreme Networks Management Portal
iOS and macOS devices - Jamf Pro
User-Assigned Windows devices - Airwatch
ChromeOS devices - G-Suite Admin Panel
Security Cameras - Meraki and RetailNext Admin Panels

Production systems are tagged and assigned a role within the inventory system to document the use and purpose of each device. Each asset has a designated team that owns and maintains the system. This includes all physical and virtual assets, such as EC2 instances, AMIs, S3 buckets, etc. Refer to RFC for tagging S3 buckets as an example.

8.3.3 Patch Management

Company software and hardware systems must be patched on a regular basis.

8.3.4 Time Synchronization

Clocks for information processing systems are synchronized with publicly available NTP pool servers. Clocks are synchronized at least hourly for audit and log consistency as well as proper application operation.

8.4 Payment safety and PCI compliance

The company uses Stripe and their product Stripe Elements for online payment processing.

Stripe Elements makes collecting payment details more secure and helps prevent malicious actors from stealing any sensitive information. Stripe generates a secure iframe and isolates sensitive information from our site, eliminating entire classes of attacks, because no sensitive data hits our servers. With Stripe Elements we qualify for the easiest form of PCI compliance (SAQ-A and SAQ-C).
It is vital to verify that company retail employees and developers adding new features to the payment system do not violate the main PCI compliance restrictions, including writing down or otherwise capturing customer CC information outside of the prescribed methods that use Stripe Elements.
Stripe Terminal allows Warby Parker to make use of EMV Level 1, 2, 3 pre-certified Stripe card readers,and qualify for SAQ-A and SAQ-C while accepting payments in our stores.

8.5 Risk Register

The company maintains a Risk Register outlining the threats identified by Security Audits, Penetration testing, Vulnerability Scanning, and normal business operations. See Risk Register Process for more details.

8.6 Firewalls, Routers, etc.

Use Access Control Lists and / or Firewall rules to filter incoming and outgoing traffic from the internet.
Set up automated Intrusion Detection and / or Intrusion Prevention Systems (IDS / IPS).
Add second layer protection by putting publicly available web servers and API gateways behind WAF or CDN firewall.
Cloudflare Access and Bot mitigation.

8.7 Endpoint Protection

Internal storage for all macOS, Windows and ChromeOS devices have Full-Disk Encryption Enabled.
macOS: Internal storage is encrypted using FileVault 2 enforced via Jamf Policy.
Keys are escrowed in Jamf Pro.
Windows: Internal storage is encrypted using Bitlocker enforced via Airwatch Policy.
Keys are escrowed in Bitlocker Key Escrow.
ChromeOS: By default, internal storage has Full-Disk Encryption with no way of disabling.
CarbonBlack IDS is installed and running on macOS and Windows devices. All logs are sent to Warby Parker’s SOC where suspicious or anomalous behavior is reported back to Warby Parker’s Security Operations team.
Ancillary security-related policies such as locking the screen after idle and enabling firewalls enforced through Mobile Device Managers.
ChromeOS: G-Suite Admin Panel
macOS: Jamf Pro
Windows: Airwatch
The use of external storage devices is permitted only when necessary or as part of a required workflow including, but not limited to:
Receiving private institutional data from a partner.
Teams responsible for large media files (images and videos).

8.8 Secure SDLC

A secure SDLC process ensures that security assurance activities such as security testing, static code analysis, and code review are an integral part of the development effort.

8.8.1 The primary advantages of pursuing a secure SDLC approach

More secure software as security is a continuous concern
Awareness of security considerations by stakeholders
Early detection of flaws in the system
Cost reduction as a result of early detection and resolution of issues
Overall reduction of intrinsic business risks for the organization

8.8.2 Code Security

The SecOps team provides review and guidance for the security of our code hosting service accounts, including GitHub and AWS Code Commit. See Warby Parker Github Policy for more info.
The Product teams own their code repositories and code dependencies. It is the responsibility of the Product Team Engineering Managers to prioritize patching of any vulnerabilities and to keep the dependencies up to date.
The developers are responsible for the quality and security of the code they write. Each developer should be familiar with the OWASP Application Security Verification Standard requirements.

8.8.3 Security Reviews for new vendors, applications, and services

SecOps team provides Security Checklists for vendors, apps, and services in order to integrate security best practices into SDLC and new feature on-boarding.
SecOps team performs manual Security Reviews upon request.
See Security Reviews Confluence Page for more info.

8.9 Security Auditing

A security audit is a systematic evaluation of the security of a company's information system by measuring how well it conforms to a set of established criteria. It is implemented at the company in the following ways:

8.9.1 Third-party Security Assessments / Risk Assessments

Warby Parker conducts an annual risk assessment to identify, manage, and respond to risks to the organization. The assessment process is based on the HIPAA Regulation and NIST CSF Framework where threats and vulnerabilities are mapped to different asset classes within the organization.

8.9.2 Penetration Testing

A simulated cyberattack against company websites, applications, computer systems, and / or retail locations is performed annually to evaluate the effectiveness of existing security controls.

8.9.3 Vulnerability Scanning

Vulnerability scanning of the warbyparker.com and myvisiondirectory.com is performed on a monthly basis using Rapid7 Insight AppSec.

8.9.4 Network Scanning

Network Scanning is performed using Rapid7 InsightVM.

8.10 Logs, Monitoring, and SIEM

The platform is monitored for security breaches, system performance, and other key performance indicators. Service teams have configured production servers, databases, and network devices to report their logs into a Security Information and Event Management (SIEM) system. The production systems are configured to capture log events including: logon events, account management events, privilege functions, and other system events. The SIEM is configured to monitor and alert when certain thresholds and activities are performed.

Alert notifications are monitored by the Production Services team, which includes SecOps and SRE. Alerts are acknowledged and corrective action is taken as needed. Documented procedures are followed to address security breaches, incidents, and service disruptions. Automated monitoring systems are supplemented with manual reviews of system logs and physical access logs.

See WP Security Monitoring and Alerting Wiki Page for more info.

8.11 Internal Bug bounty Program

The internal bug bounty program was designed to foster collaboration within the team to help protect our systems and our client information from malicious activities.

There exists a mechanism to report the findings to the SecOps team, as well as a set of regulations to protect the company from harm.

Refer to the Internal bug bounty Program Wiki Page for more details.

8.12 Proactive Security Program

Effective cybersecurity means being proactive, getting ahead of the problem and addressing the issue at its core rather than operating in a reactive fashion, constantly fixing the symptoms.

8.12.1 Threat Hunting

Threat Hunting is the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.

Threat hunting activities performed by the SecOps team include:

Reviewing our systems against OWASP top 10 threats, as well as top Retail industry threats on semi-annual basis. See the Top Security Threats doc for more information.
Monitoring the news for emerging vulnerabilities, putting in patches and controls to detect and / or prevent the exploitation by a bad actor.

8.12.2 Threat Modeling

Threat modeling is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified, enumerated, and mitigations can be prioritized. The purpose of threat modeling is to provide defenders with a systematic analysis of what controls or defenses need to be included, given the nature of the system, the probable attacker's profile, the most likely attack vectors, and the assets most desired by an attacker. Threat modeling answers questions like “Where am I most vulnerable to attack?”, “What are the most relevant threats?”, and “What do I need to do to safeguard against these threats?”.

9. INCIDENT RESPONSE PROCEDURES

The term “security incident” is defined as any irregular or adverse event that threatens the security, integrity, or availability of the information resources on any part of the company network. Employees who believe their terminal or computer systems have been subjected to a security incident, or has otherwise been improperly accessed or used, should report the situation to the SecOps team. See How to Report a Security Incident for more info. The employee should not turn off the computer or delete suspicious files. Leaving the computer in the condition it was in when the security incident was discovered will assist in identifying the source of the problem and in determining the steps that should be taken to remedy the problem.

Once reported, the incident will be investigated by the SecOps team, who will follow the established CSIRP (CyberSecurity Incident Response Plan) to confirm the threat, assign a Severity rating and inform a cross-functional group known as the CSIRT (CyberSecurity Incident Response Team) on the next steps.

Refer to the Incident Response Wiki Page for more info.