Security Requirements

This document sets out the minimum security requirements in force at Pandion Ltd.

Basic Principles

Security First

  • Security is not bolted on afterwards
  • Consider security from the design stage (threat model before building)
  • When security and cost conflict, security takes priority

Multi-layered Defense (Defense in Depth)

  • Do not rely on a single control
  • Combine multiple, independent security controls
  • Ensure security at each layer (network, host, application, data) so that the failure of one control does not compromise the whole

Authentication and Authorization

Password Policy

  • Minimum Length: 12 characters or more
  • Complexity: At least one uppercase letter, one lowercase letter, one digit and one symbol
  • Change Frequency: Every 90 days; change immediately on any suspected leak or compromise (note that NIST SP 800-63B no longer recommends scheduled rotation on its own, so the compromise-triggered change is the more important rule)
  • History: The last 5 passwords cannot be reused (compare the candidate against stored password hashes, never against plaintext)
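As an added example (not part of the original policy document), the following Python checks a candidate password against the four rules above. The hashing parameters, the `build_history` helper and the sample password history are assumptions for illustration: history entries are stored as PBKDF2-HMAC-SHA256 salt/digest pairs, so the reuse check never needs the old plaintext.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

MIN_LENGTH = 12               # policy: 12 characters or more
HISTORY_SIZE = 5              # policy: cannot reuse the last 5 passwords
PBKDF2_ITERATIONS = 600_000   # assumed parameter (OWASP guidance for PBKDF2-HMAC-SHA256)

HistoryEntry = Tuple[bytes, bytes]   # (salt, digest) as it would be stored


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Derive a salted PBKDF2-HMAC-SHA256 digest; a fresh random salt is used unless one is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches_entry(password: str, entry: HistoryEntry) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt, digest = entry
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def build_history(previous_passwords: List[str]) -> List[HistoryEntry]:
    """Turn old plaintext passwords into stored salt/digest pairs (only ever done at change time)."""
    return [hash_password(p) for p in previous_passwords]


def check_password(candidate: str, history: List[HistoryEntry]) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # string.punctuation covers ASCII symbols only; extend if Unicode symbols should count.
    classes = {
        "uppercase": any(c.isupper() for c in candidate),
        "lowercase": any(c.islower() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "symbol": any(c in string.punctuation for c in candidate),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))

    # Only the most recent HISTORY_SIZE entries count; each comparison is a full PBKDF2 derivation.
    for entry in history[-HISTORY_SIZE:]:
        if matches_entry(candidate, entry):
            problems.append(f"reuses one of the last {HISTORY_SIZE} passwords")
            break

    return problems


if __name__ == "__main__":
    # Constructed sample history for the demonstration.
    old = build_history(["Winter2023!Desk", "Spring2024!Desk"])
    for pw in ["Spring2024!Desk", "short1!A", "Autumn2024!Desk"]:
        print(repr(pw), "->", check_password(pw, old) or "OK")
```

The history check deliberately re-derives the candidate with each stored salt rather than comparing plaintext, which is also why a site should keep the history short: every entry costs one full key derivation per login-time check.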

Multi-Factor Authentication (MFA)

  • Required Services: Email, cloud services, VPN
  • Recommended Method: Authenticator apps (Google Authenticator, etc.), which are preferred over SMS codes
  • Backup: Store recovery codes securely (for example in a password manager), never in email or plain text files

Account Management

  • Principle of Least Privilege: Grant only the minimum permissions necessary for the role
  • Regular Review: Review all permissions quarterly and remove those no longer needed
  • Delete Unnecessary Accounts: Disable accounts immediately when a person leaves, and remove accounts that are no longer needed

Data Protection

Classification of Confidential Information

  • Public: May be disclosed publicly
  • Internal: May be shared only within the company
  • Confidential: Access limited to those who need it for their work
  • Top Secret: Highest level of protection

Encryption

  • At Rest: Encrypt confidential data wherever it is stored (disks, databases, object storage)
  • In Transit: Use HTTPS (TLS), VPN or encrypted email; never send confidential data over plaintext protocols
  • Backup: Encrypt backups and protect the backup keys separately from the backup data

Data Handling

  • Minimization: Collect only the minimum data necessary
  • Prohibition of Use Beyond Purpose: Do not use data for any purpose other than the one it was collected for
  • Retention Period: Keep data only as long as it is needed and delete it when the retention period expires

Network Security

Firewall

  • Basic Settings: Deny by default and open only the ports that are needed
  • Application Level: Control traffic per application, not only per port
  • Regular Review: Review firewall rules regularly and remove rules that are no longer needed

VPN

  • Remote Work: VPN is required for access to internal systems from outside the office
  • Encryption: Use strong, current protocols (for example WireGuard or IPsec/IKEv2) and disable obsolete ones such as PPTP
  • Access Control: Grant VPN users only the minimum network access they need

Network Monitoring

  • Log Recording: Record access logs and retain them for a defined period
  • Anomaly Detection: Monitor for suspicious access and alert on it
  • Regular Audit: Regularly check the network configuration against the intended design

Software Security

Vulnerability Management

  • Regular Scanning: Run vulnerability scans at least monthly
  • Patch Application: Apply security patches promptly, prioritised by severity and exposure
  • Dependency Management: Monitor third-party libraries for known vulnerabilities (for example with a software composition analysis tool such as pip-audit, npm audit or Dependabot) and update them

Secure Coding

  • Input Validation: Validate all input values on the server side, preferably against an allowlist of what is expected (type, length, format); never rely on client-side checks alone
  • Output Encoding: Encode data for the context it is written into (HTML body, attribute, JavaScript, URL) to prevent cross-site scripting (XSS)
  • Error Handling: Handle errors so that stack traces, internal hostnames and configuration details are never returned to the user; log the detail internally and return a generic message with a correlation reference

Code Review

  • Security Perspective: Review every change for security vulnerabilities, not only for functionality
  • Automation: Run static analysis (SAST) tools in the pipeline so that reviewers can focus on logic flaws the tools miss
  • Knowledge Sharing: Share security findings and lessons from reviews with the whole team
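The three secure coding rules above, shown together in one request handler. This is an added example, not code from the original document or from Pandion's systems: the `handle_request` handler, the `lookup_profile` backend call (which raises for one constructed username to simulate an internal failure) and the sample requests are assumptions for illustration. The deliberately vulnerable `render_comment_unsafe` is included only for contrast with the encoded version.

```python
import html
import logging
import re
import uuid
from typing import Dict, Tuple

log = logging.getLogger("pandion.example")

# Input validation: allowlist what a username may look like instead of blocklisting bad characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")
MAX_COMMENT_LENGTH = 500


class ValidationError(ValueError):
    """Raised for input that fails validation; its message is written by us and safe to show."""


def validate_username(raw: str) -> str:
    if not USERNAME_RE.fullmatch(raw):
        raise ValidationError("username must be 3-32 characters from A-Z, a-z, 0-9, '_', '.', '-'")
    return raw


def validate_comment(raw: str) -> str:
    # Free text cannot be strictly allowlisted, so bound its length here and rely on output encoding below.
    if len(raw) > MAX_COMMENT_LENGTH:
        raise ValidationError(f"comment longer than {MAX_COMMENT_LENGTH} characters")
    return raw


def lookup_profile(username: str) -> Dict[str, str]:
    """Hypothetical backend call (assumption); raises for one constructed username to simulate an internal failure."""
    if username == "dbfail":
        raise RuntimeError("connection to db-internal-01.corp.example:5432 refused")
    return {"username": username}


def render_comment_unsafe(username: str, comment: str) -> str:
    # VULNERABLE (for contrast only): raw input goes straight into HTML, so <script>...</script> executes.
    return f"<p><b>{username}</b>: {comment}</p>"


def render_comment(username: str, comment: str) -> str:
    # Output encoding for the HTML element context; quote=True also makes the result safe inside attributes.
    return f"<p><b>{html.escape(username, quote=True)}</b>: {html.escape(comment, quote=True)}</p>"


def handle_request(params: Dict[str, str]) -> Tuple[int, str]:
    """Return (status, body) the way a web handler would."""
    try:
        username = validate_username(params.get("username", ""))
        comment = validate_comment(params.get("comment", ""))
        profile = lookup_profile(username)
        return 200, render_comment(profile["username"], comment)
    except ValidationError as exc:
        # Our own message, but it is still encoded before being placed in HTML.
        return 400, f"<p>Invalid request: {html.escape(str(exc))}</p>"
    except Exception:
        # Error handling: the traceback (with the internal hostname) goes to the log; the user sees only a reference.
        ref = uuid.uuid4().hex[:8]
        log.exception("unhandled error ref=%s", ref)
        return 500, f"<p>Something went wrong. Reference: {ref}</p>"


if __name__ == "__main__":
    # Constructed sample requests.
    evil = {"username": "alice", "comment": "<script>alert(document.cookie)</script>"}
    print(render_comment_unsafe(evil["username"], evil["comment"]))   # script tag survives
    print(handle_request(evil))                                         # script tag is encoded
    print(handle_request({"username": "../etc/passwd", "comment": "hi"}))
    print(handle_request({"username": "dbfail", "comment": "hi"}))
```

The reference id returned on a 500 is what support staff use to find the full traceback in the log, so the user-facing page never needs to carry internal detail.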

Physical Security

Device Management

  • Screen Lock: Enable automatic screen lock after a short idle period
  • Device Encryption: Full disk encryption on all laptops and mobile devices
  • Loss/Theft Countermeasures: Enrol devices in a remote wipe capability and report losses immediately

Office Environment

  • Physical Access Control: Restrict physical access to the minimum necessary
  • Document Management: Store confidential documents appropriately (locked away when unattended)
  • Disposal: Dispose of confidential information securely (shredding for paper, wiping or destruction for storage media)

Incident Response

Preparation

  • Response Plan: Maintain an incident response plan
  • Contacts: Keep an up-to-date list of emergency contacts
  • Escalation: Define clear escalation procedures, including who is authorised to make decisions

Response Procedures

  1. Detection: Detect incidents as early as possible and record when they were detected
  2. Containment: Identify the scope of impact and contain it (isolate affected systems, revoke exposed credentials)
  3. Eradication: Remove the threat (malware, attacker access, the weakness that was exploited)
  4. Recovery: Restore systems to normal operation and verify they are clean
  5. Recurrence Prevention: Implement countermeasures and improvements so the same incident cannot recur

Recording and Reporting

  • Incident Records: Keep detailed records throughout the incident (timeline, actions taken, evidence)
  • Analysis: Analyse the root cause and assess the impact
  • Improvement: Implement the recurrence prevention measures identified in the analysis

Compliance

  • Personal Information Protection Law: Handle personal information as the law requires
  • Industry Regulations: Meet the industry-specific regulations that apply to the business
  • International Standards: Comply with standards such as ISO/IEC 27001

Audit

  • Internal Audit: Conduct regular internal audits
  • External Audit: Engage external auditors as needed
  • Improvement: Act on audit findings with improvement activities

Education and Training

Security Education

  • New Employees: Security education on joining
  • Regular Training: Security training at least annually
  • Latest Information: Share information about current threats

Awareness Raising

  • Phishing Training: Run phishing simulations regularly
  • Incident Sharing: Share incident case studies
  • Best Practices: Share security best practices

Continuous Improvement

Evaluation and Review

  • Regular Evaluation: Quarterly security evaluation
  • Threat Changes: Respond to new threats as they emerge
  • Technology Advancement: Adopt new security technologies where they add value

Improvement Activities

  • Security Enhancement: Continuously strengthen security controls
  • Process Improvement: Improve security processes
  • Tool Introduction: Introduce new security tools where they are justified