YAHOO TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
Yahoo will implement and maintain the following technical and organisational security measures, in particular:
Yahoo Information Security Overview
Yahoo takes information security seriously. This information security overview applies to Yahoo’s corporate controls for safeguarding personal data which is processed in connection with delivery of our services. Yahoo’s information security program enables the workforce to understand their responsibilities. Some customer solutions may have alternate safeguards outlined in the statement of work as agreed with each customer.
Security Practices
Yahoo has established a comprehensive information and cyber security program based on an industry-standard security governance framework. Yahoo’s Information Security organisation is responsible for implementing controls and ensuring adherence to security policies and standards, taking into account evolving business requirements, compliance guidance and the emerging threat landscape. Information Security risks are managed in accordance with ISO 27001/ISO 27005 and aligned with the NIST CSF. Yahoo’s Information Security Policy defines the fundamentals of Information Security (IS) management and the core principles of IS risk management. Yahoo’s core IS documents are reviewed annually.
Organisational Security
It is the responsibility of individuals across the organisation to comply with these practices and standards. To facilitate corporate adherence to them, the Information Security function provides:
- Strategy and governance: compliance with policies, standards and regulations; awareness and education; risk assessment and management; management of contractual security requirements; application and infrastructure security consulting; assurance testing; and setting the security direction of the company.
- Security engineering: security testing, and the design and implementation of security solutions that enable the adoption of security controls across the environment.
- Security operations: operation of the implemented security solutions, monitoring of the environment and its assets, and management of incident response.
Asset Classification and Control
Yahoo’s practice is to track and manage physical and logical assets. Examples of the assets that Yahoo IT might track include:
- Information Assets, such as identified databases, network resiliency and redundancy architecture, data classification, archived information.
- Software Assets, such as identified applications and system software.
- Physical Assets, such as identified servers, desktops/laptops, backup/archival tapes, printers and communications equipment.
The assets are classified based on business criticality to determine confidentiality requirements. Technical, organisational and physical safeguards may include controls such as access management, encryption and monitoring.
Personnel Security and Training
As part of the employment process, employees undergo a screening process as permitted by applicable regional law. Employees are bound to follow Yahoo’s policies and procedures; breaking or not following them results in disciplinary action up to and including termination, subject to local law. Yahoo’s annual compliance training requires employees to complete an online course and pass an assessment covering information security and data privacy. The security awareness program may also provide materials specific to certain job functions.
Additionally, Yahoo service providers with access to data or systems undergo a screening process as permitted by applicable regional law and are contractually bound to adhere to the same policies and procedures as full-time employees.
Physical and Environmental Security
Yahoo uses a number of technological and operational approaches to risk mitigation in its physical security program. Yahoo’s security team works closely with each site to ensure that appropriate measures are in place and continually monitors changes to the physical infrastructure, the business and known threats. Yahoo balances its approach to physical security by considering elements of control that include architecture, operations, systems, performance, compatibility and interoperability.
Operations Management
The IT organisation manages changes to the corporate infrastructure, systems and applications through a centralised change management program, which may include testing, business impact analysis and management approval where appropriate.
To protect against malicious use of assets and malicious software, additional controls may be implemented based on risk. Common controls may include, but are not limited to, additional information security policies and standards, restricted access, designated development and test environments, virus detection on endpoints, email attachment scanning, system compliance scans, information handling options for the data exporter based on data type, network security, and system and application vulnerability scanning.
Encryption
Industry-standard hashing algorithms are used throughout the environment. Yahoo requires that all TLS stacks support, offer and prefer TLS version 1.2 or higher. Any deployment that does not comply with this standard must be reviewed and approved by the security department and supported by additional compensating security controls.
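The TLS floor stated above is a configuration requirement that can be expressed and audited in code. The following is an added example, not Yahoo’s own configuration or code: it uses Python’s standard ssl module to build a client context that enforces the TLS 1.2 floor beside one that leaves the protocol minimum at whatever the linked OpenSSL build allows, and an audit function that reports any context whose negotiable version range falls below the floor. The function names, the FLOOR constant and the finding messages are the editor’s own.

```python
import ssl

FLOOR = ssl.TLSVersion.TLSv1_2  # policy floor: TLS 1.2 or higher


def compliant_client_context() -> ssl.SSLContext:
    """Client context that refuses to negotiate anything below TLS 1.2.

    create_default_context() also loads the system trust store and enables
    hostname verification; setting the floor explicitly makes the policy
    independent of the Python/OpenSSL version's own default minimum.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = FLOOR
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """Weak setting for comparison: no explicit floor, so the lowest
    protocol version the linked OpenSSL build supports may be negotiated.
    (Constructed for illustration; not a configuration from the page.)"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_tls_floor(ctx: ssl.SSLContext,
                    floor: ssl.TLSVersion = FLOOR) -> list[str]:
    """Return policy findings for a context; an empty list means compliant.

    Checks the negotiable version range rather than individual ciphers:
    - minimum_version must be an explicit version >= floor
      (MINIMUM_SUPPORTED means "whatever the library allows", i.e. no floor)
    - maximum_version, if pinned, must not sit below the floor either,
      otherwise the context cannot speak TLS 1.2+ at all
    """
    findings = []
    lo = ctx.minimum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED or lo < floor:
        findings.append(
            f"minimum_version is {lo.name}; policy requires {floor.name} or higher"
        )
    hi = ctx.maximum_version
    if hi != ssl.TLSVersion.MAXIMUM_SUPPORTED and hi < floor:
        findings.append(
            f"maximum_version is {hi.name}, below the {floor.name} floor"
        )
    return findings


if __name__ == "__main__":
    for name, ctx in (("compliant", compliant_client_context()),
                      ("legacy", legacy_client_context())):
        result = audit_tls_floor(ctx) or ["OK"]
        print(f"{name}: " + "; ".join(result))
```

The audit inspects the context’s negotiable range, which is what a policy floor actually constrains; it deliberately does not rely on the deprecated per-version OP_NO_TLSv1_x option flags. The same check can be run against any SSLContext an application constructs, which is the point at which a non-compliant deployment would need the review and compensating controls the policy calls for.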
Incident Response
Yahoo maintains a security operations center which monitors and reports on potential security-related events. Yahoo utilises multiple scanning, investigation and protection technologies across the enterprise to identify, track, block and remediate vulnerabilities and potential breaches. Additionally, there is an established policy and process for incident response, as well as mandated annual security training for all employees and an internal web page with instructions for easy reference.
Additionally, Yahoo has dedicated personnel to investigate new and emerging attack intelligence. Security-related incidents are logged and tracked, including validation of the supporting documentation in accordance with internal standards and procedures.
Access Controls
Access to corporate systems is restricted, based on procedures to ensure appropriate approvals. In addition, remote access and wireless computing capabilities are restricted and require that both user and system safeguards are in place.
System Development and Maintenance
Publicly released third party vulnerabilities are reviewed for applicability in the Yahoo environment. Based on risk to Yahoo’s business and customers, there are predetermined time frames for remediation. In addition, vulnerability scanning and assessments are performed on new and key applications and the infrastructure based on risk. Code reviews are used in the development environment prior to production. These processes enable proactive identification of vulnerabilities as well as compliance. Additionally, a public bug bounty program is available and supplements the research performed by internal security.
Compliance
The information security, legal, privacy and compliance departments work together to identify the regional laws and regulations applicable to Yahoo. Mechanisms such as the information security program, the Privacy Council, internal and external reviews and assessments, consultation with internal and external legal counsel, internal controls assessment, internal penetration testing and vulnerability assessments, contract management, security awareness, security consulting, policy exception reviews and risk management combine to drive compliance with these requirements.
Last updated on December 5, 2022