Information Security Policy

Last updated: March 02, 2024

1. Introduction

This policy establishes the security requirements for BlackNodes' information systems, with a focus on protecting our validator infrastructure and cryptographic assets.

2. Key Management

2.1 Key Hierarchy

• Root Keys: Stored in air-gapped hardware security modules (HSMs) with multi-signature requirements
• Validator Keys: Derived from root keys and stored in dedicated HSMs
• Operational Keys: Limited-privilege keys for day-to-day operations

2.2 Key Generation

• All keys must be generated in secure environments using approved cryptographic algorithms
• Key generation ceremonies require at least three authorized personnel
• All ceremonies must be recorded and documented

2.3 Key Storage and Backup

• All private keys must be stored in HSMs or equivalent hardware devices
• Backup keys must be stored in geographically distributed secure locations
• No keys shall be stored in plaintext format on any system

2.4 Key Rotation

• Operational keys must be rotated quarterly
• Validator keys must be reviewed bi-annually for rotation needs
• All rotations must follow documented procedures

3. Access Control

3.1 Access Hierarchy

• Level 1: Root Key Custodians (Executive level only)
• Level 2: Validator Operations (Senior engineers)
• Level 3: Monitoring & Alerts (Operations team)
• Level 4: Support & Maintenance (Support staff)

3.2 Authentication Requirements

• Multi-factor authentication mandatory for all systems
• Biometric verification required for physical access to HSMs
• Session timeouts enforced on all systems

3.3 Least Privilege Principle

• Access granted only to resources necessary for job functions
• All access requests require formal approval
• Access rights audited quarterly

4. Network Security

4.1 Network Architecture

• Validator infrastructure must operate on isolated networks
• All critical systems must implement defense-in-depth strategy
• Network traffic must be monitored 24/7

4.2 Firewall and Endpoint Protection

• All endpoints must run approved security software
• Firewall rules must be reviewed monthly
• Changes to security configuration require approval

5. Incident Response

5.1 Detection and Reporting

• All security incidents must be reported immediately to the CISO
• Automated monitoring systems must be in place to detect anomalies
• Regular tests of detection systems must be conducted

5.2 Response Procedures

• Defined playbooks for common incident types must be maintained
• Key compromise requires immediate key rotation
• Significant incidents require post-mortem analysis

6. Employee Security

6.1 Personnel Requirements

• Background checks required for all employees
• Security training mandatory upon hiring and quarterly thereafter
• Confidentiality agreements required for all staff

6.2 Offboarding Procedures

• Immediate revocation of all access upon termination
• Hardware collection and account deactivation checklist
• Reminder of ongoing confidentiality obligations

7. Compliance and Audit

7.1 Internal Audits

• Quarterly review of key management processes
• Bi-annual penetration testing of all systems
• Annual comprehensive security assessment

7.2 Documentation

• All security procedures must be documented
• Documentation must be reviewed and updated quarterly
• Changes to procedures require formal approval

8. Policy Enforcement

Violation of this policy may result in disciplinary action up to and including termination of employment. BlackNodes reserves the right to notify appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity.

Contact Us

If you have any questions about this Information Security Policy, You can contact us:

• By email: contact@blacknodes.net