
Processes and Procedures

This page contains details on security-related processes and procedures for both employees and contractors.

Table of contents

  1. Accounts and Passwords :closed_lock_with_key:
    1. External Accounts
    2. Passwords
    3. Multi-Factor Authentication :iphone:
  2. Secure Browsing :computer:
    1. Extensions
    2. Form autofill :memo:
  3. Email :email:
  4. Security Awareness :eyes:
  5. Contacting Security

Accounts and Passwords :closed_lock_with_key:

External Accounts

Do not sign up for a new service on behalf of Parallel without first receiving permission from security@parallelmarkets.com.

This includes signing into web pages and web apps using your @parallelmarkets.com Google sign-in.

Passwords

Use a password manager! A password manager lets you memorize one strong password, and then it generates and manages strong, unique passwords for every site for which you have a login. Employees can install LastPass via the Self Service App that is installed on your company device.

  1. Make sure you use a separate password for every service (for instance, your Gmail password should be different than your Slack password).
  2. Use the password autogeneration capabilities of your password manager to generate secure passwords. Passwords should:
    • have a minimum length of 12 characters
    • never be reused, whether across services or on the same service
    • not be the same as the username
    • not be predictable (for instance, follow a pattern across services)
  3. Don’t share passwords (with co-workers, friends, strangers, or any other people, living or dead :ghost:). Every person should have their own account on every service.
  4. Don’t write any passwords down.
  5. Password “hints” are not to be used. If a password is forgotten, a mechanism must be in place to replace a password/passphrase with sufficient controls to verify the identity of the requester of the password reset.
  6. If an account or password is suspected to have been compromised, contact the Security Team immediately.

Multi-Factor Authentication :iphone:

You must use multi-factor authentication (aka two-factor authentication, aka 2FA) for every service that supports it, including all third-party tools and company applications. This second-factor requirement helps prevent unauthorized users from accessing accounts if one piece of evidence (such as a password) is compromised. Note that 2FA is mandatory for most Parallel services.

The following 2FA methods are acceptable:

  1. Use of an app like Google Authenticator or Authy to provide time-based one-time passwords (a number that changes every 30 seconds).
  2. Some services support external authentication devices like Yubikeys; these are acceptable forms of 2FA as well (though not all services support them).
  3. Some services allow you to download “backup codes” that you can use instead of a time-based code in case you lose your phone (or access to your time-based password generator). Make sure you store these somewhere safe!

Note: SMS (text message) and phone call based 2FA are both vulnerable to an attack known as a SIM swap. These methods should not be used for 2FA unless there is no other 2FA option available for a specific service.

Secure Browsing :computer:

Extensions

While browser extensions are easy to install and test out, make sure you only install extensions from sources you trust. Here are a few extensions we do recommend:

  • HTTPS Everywhere - ensures you connect to sites over HTTPS (encrypted HTTP) wherever they support it
  • Privacy Badger - a tool from the EFF that automatically learns to block invisible trackers
  • uBlock Origin - blocks ads and the data they collect

Form autofill :memo:

Form autofill is known to be dangerous because it can submit more information than you intended without your consent. We recommend turning form autofill off in your browser.

Email :email:

Here are some general guidelines for email:

  1. If you get an email that looks suspicious, forward the email to security@parallelmarkets.com.
  2. An email can be suspicious, even if it’s from someone you know, if there’s an unexpected link :link: or attachment :file_folder:.
  3. Don’t be afraid to reach out to anyone directly to ask if they sent something you weren’t expecting (for instance, reach out on Slack).
  4. Follow the guidelines for identifying phishing emails provided in this guide.
    • The Security Team will, from time to time, simulate phishing attacks to our company email addresses to ensure everyone is aware of the threat.
    • If you receive a suspicious email, forward it to security@parallelmarkets.com for analysis before clicking any links or downloading any attachments.
  5. When in doubt, reach out to security@parallelmarkets.com or #security in Slack.

Security Awareness :eyes:

  1. Never sign in to any Parallel Markets related account using public computers, such as library or hotel kiosks.
  2. If you receive a security report of any kind (issue, customer ticket, etc.) never dismiss it as invalid. Please contact the Security Team.
  3. Be familiar with the general approaches used in social engineering, and know that you could be targeted based on your access to highly sensitive personal information. You should understand the vectors used:
    • Vishing :phone: - Someone may call you asking for information. Never share sensitive data over the phone.
    • Phishing :fishing_pole_and_fish: - You may get an email that looks valid at first glance but contains an attachment with malware or a link to a site that will install malware.
    • Smishing :iphone: - Be aware of suspicious texts, and don’t click links that look suspicious or weren’t expected.

Contacting Security

Feel free to reach out to the Security Team at any point with questions, concerns, or suspicious emails for analysis at security@parallelmarkets.com. You can also ask for help in the #security room in Slack at any time.