Flaw Remediation and Vulnerability Policy

Product Security Flaw, Vulnerability, and Remediation

When managing any issue in which an iStorage product may be implicated by a Flaw, Vulnerability, or any other logical condition which may affect the security objectives of assured CIA+A (Confidentiality, Integrity, and Availability), iStorage are committed to following a robust set of processes, and to our mission statement of applying countermeasures and mitigations to secure our products.

Mission Statement

iStorage follow a proactive operational set of practices with the firm objective of maintaining a secure and robust profile of our products, by discovering, and applying prioritised flaw and vulnerability remediation processes to prevent the manifestation of security exposures, instability, or conditions which may be manipulated directly, or indirectly to compromise a system, asset or iStorage product.

In the first instance, this is achieved by applying a set of operational objectives under an established iStorage SDLC (Secure Development Lifecycle) at all levels of development and, where required, by managing a robust process of flaw and vulnerability remediation and management to mitigate issues and to underpin a secure product range, including:

  • Identification of any Flaws or Vulnerabilities which may have impact on products
  • Evaluation of all detected or reported Flaws, Vulnerabilities, or other observations
  • Verification of all detected or reported Flaws, Vulnerabilities, or potential adverse conditions
  • Remediation and response to mitigate any potential adverse impact on any iStorage product
  • Management processes which follow code, and security best practices
  • Mitigation to deliver timely communication and response to secure the implicated product

Risk: Flaw and Vulnerability management has become an increasingly important factor for all organisations over the last decade, driven by the high number of high-profile global targeted cyber-attacks, system compromises, and associated loss of sensitive data assets, implicating Confidentiality, Integrity, and Availability (CIA). Therefore, iStorage see Flaw and Vulnerability Management as high-priority when it comes to their products, and apply and follow robust practices and procedures to assure that any actual or suspected flaw, vulnerability, or security exposure is addressed as soon as it is discovered or reported. This assures that all iStorage products in operational use are secured and protected from any form of cyber-attack or compromise which could expose clients' data assets, or otherwise cause a denial of service to an iStorage product. Internal to iStorage this is managed by following strict guidelines to accommodate the following security objectives:

  • Design: In this phase, iStorage apply best industry security practices as part of their developed in-house SDLC (Secure Development Lifecycle) concerned with the creation of source code, run-time code, and all applicable manufacturing practices in support of developing secure and stable code, and robust products
  • Development: Again, the aspect of Development follows the same practices as those inherent to the Design Phase and the direction of the SDLC. However, in this phase the Development Team Security Operating Procedure (SyOp) is also applied to direct the team's approach by underpinning it with a set of mandated operational instructions and control objectives based on ISO/IEC 27001 and many other industry Best Security Practices
  • Deployment: Under the iStorage SDLC, the Deployment phase requires that complete verification and process is applied to ensure that all products are operating as expected, and are supportive of the objective to deliver secure, robust and stable products into the delivery chain of iStorage for business users and clients alike
  • Distribution: iStorage ensure that their products are distributed to their end clients in a form which supports the Integrity of their products (CIA). For this reason, and to mitigate the potential of tampering, all products are sealed in secure packaging along with the application of tamper proof seals
  • Upgrade: As part of the SDLC, on the rare occasion where a flaw or vulnerability is discovered which directly, or indirectly affects the security, stability, or operability of any iStorage product, immediate remediation action is taken to investigate, evaluate and to mitigate the discovery as appropriate
  • Maintenance: The iStorage Development Team carry out regular maintenance against all source code and products to ensure they are current with any newly published security alerts, notifications or vendor updates applicable to their product base, or to that of any other associated party who supports iStorage, to ensure they are always up to date with the latest vulnerability notifications

Flaw and Vulnerability Remediation and Reporting

The iStorage Technical Support Team (TS) is responsible for maintaining secure products by ensuring that any discovered or reported flaws, vulnerabilities, or other technical issues which may have impact on their product range are dealt with as a matter of priority as soon as they become known. This is underpinned by the many robust processes which iStorage deploy into their product and manufacturer SDLC as shown above.

Response: iStorage have developed a set of processes and protocols which they apply to respond to any adverse reports which implicate their product range. This is achieved by dedicated iStorage technical support teams who manage the receipt of any such notifications, which are then followed up with internal evaluation of the observation. The process will then follow a conjoined set of high-level processes, applied by technical support teams to Manage, Coordinate, Evaluate, Verify, Prioritise, and Remediate, as shown at Fig 1 below:

Fig 1 – High-Level Flaw/Vulnerability Reaction Life-cycle

This process is in place to assure that all products which could be exposed in a way that allows an unauthorised actor to compromise their Confidentiality, Integrity or Availability are reacted to as a matter of high-priority by iStorage technical support teams, who will quickly:

  • Verify the discovery
  • Evaluate the Exposure
  • Apply Prioritisation in accordance with the verified Severity Rating
  • Coordinate their internal Flaw and Vulnerability Remediation process
  • Issue a patch, update, or take other action as required to robustly address the issue
  • Issue notification as appropriate to the Flaw, Vulnerability, or exposure

Reporting or Obtaining Support for a Suspected Flaw, Vulnerability or Security Exposure

Any user or organisation who suspects that any iStorage product may have a flaw, vulnerability, security exposure, or some other condition which may implicate its stable operability should contact the iStorage Technical Support team as soon as possible.

Under this same process, iStorage also welcome reports from independent researchers, security consultants, industry organisations, vendors, customers, and other sources concerned with product security or stability. Submitting a report takes minimal effort, and may be done by contacting iStorage either by email or on one of their contact telephone numbers, as shown below:

Telephone Contact:

  • +44 (0) 20 8991 6260
  • +44 (0) 20 8991 6283
  • +44 (0) 20 8991 6265

Email: support@istorage-uk.com

Response to Notifications

iStorage take all reports very seriously, and upon receipt of any notification relating to a Flaw, Vulnerability, or any other observation relating to product security, stability, or operability, we will follow the high-level process as shown in Fig 2 below:

Fig 2 – Flaw and Vulnerability Reporting Process

Our Security Commitment

iStorage is committed to responding to all received reports and notifications as a matter of urgency, and where required will take direct action to mitigate the flaw, vulnerability, or observation as a matter of high-priority to ensure all our products are always secure.

 

Released Firmware Version and Known Flaws

| Device             | Firmware Version | Security Flaw           |
|--------------------|------------------|-------------------------|
| datAshur           | v1.2             | No flaws found/reported |
| datAshur PRO       | v1.9             | No flaws found/reported |
| datAshur PRO       | v1.11            | No flaws found/reported |
| datAshur Personal  | v2.1             | No flaws found/reported |
| datAshur Personal2 | v1.9             | No flaws found/reported |
| diskAshur2         | v1.2             | No flaws found/reported |
| diskAshur PRO2     | v1.2             | No flaws found/reported |
| diskAshur DT2      | v1.2             | No flaws found/reported |

PS: This table will be updated within 7 days of a new firmware release or of any flaw being found.