Information Systems, Application Development, and Maintenance Policy

This document describes how eXpress badging® manages the development, security, and maintenance of its business information systems, including the Veonics® Portal.

🛠️ It consolidates policies for Scoped Data handling, secure development practices, patching, encryption, and incident management.

Our goal is to align with NIST CSF 2.0 and ISO 27001 principles, while balancing transparency for customers with protection of internal IP and trade secrets.


📊 Business Information Systems & Scoped Data

Are business information systems used to transmit, process, or store Scoped Data?
✅ Yes — Scoped Data is primarily managed in the Veonics® Portal (AWS-hosted). On rare occasions, customer-provided data is staged locally before migration.

Are security requirements documented?
✅ Yes — Covered in the above-linked security policies.


🧑‍💻 Application Development

Is application development performed?
✅ Yes — eXpress badging® and contracted development partners maintain and enhance the Veonics® software ecosystem.

Is there a formal Software Development Life Cycle (SDLC)?
✅ Yes — We maintain an SDLC process using Jira (Atlassian) and a custom dev management tool.

  • Training is required for authorized staff.

  • Processes and accountabilities are published internally.

  • Note: These are not customer-facing but can be demonstrated via secure remote screen share for vetting purposes.

Are systems and applications patched?
✅ Yes — Systems and applications are patched as part of continuous maintenance.

  • Note: Patch deployment processes are not published externally to avoid disclosing IP and system details.

  • Customers may review evidence via secure screen share upon request.

Supporting Documentation (available under NDA/screen share):

  • A. Runbooks/checklists for hardening & patching

  • B. SCCM/configuration screenshots

  • C. Latest patch deployment screenshots


🌐 Veonics® Portal Web Application

Is a web site supported, hosted, or maintained that has access to Scoped Data?
✅ Yes — The Veonics® Portal is a secure, cloud-hosted front-end application that provides authorized customers access to their Scoped Data, including badge records and photos.

Are penetration tests executed against web apps?
✅ Yes — Covered in: Vulnerability Management & Remediation Process

Are annual vulnerability tests performed on applications?
✅ Yes — Performed with Fortra VM, covering both internal and external applications.

Supporting Documentation (available under NDA):

  • A. Vulnerability Assessment Policy/Process

  • B. VAPT results/reports


🔒 Encryption Management

Are encryption tools managed for Scoped Data?
✅ Yes — Encryption is enforced across laptops/desktops, servers, backups, and network communications.

Is there an encryption policy?
✅ Yes — Documented policies define where encryption is applied and at what strength.

Is data encrypted at rest?
✅ Yes — AWS-native encryption for the Veonics® Portal; Datto encrypted storage for backups; laptop full-disk encryption.

Supporting Documentation (available under NDA/screen share):

  • A. Runbooks/policies showing encryption strength (AES-256 at rest, TLS in transit)

  • B. Screenshots of backup encryption settings

  • C. Screenshots of laptop/desktop full disk encryption


🚨 Incident Management

Is there an Incident Management program?
✅ Yes — Managed through Jira (development/security events) and HubSpot (customer-facing incidents).

Supporting Documentation Required:

  • A. Incident Management Policy — latest version maintained in Jira/HubSpot footer (live environment).

  • B. Requirements docs govern incident response escalation.

Is there a documented policy approved by management with assigned owner?
✅ Yes — Covered in: Cybersecurity Incident & Breach Response Process

Does the Incident Response Plan include reporting?
✅ Yes — Reporting and escalation procedures are documented and tested as part of the response process.


🧭 NIST CSF 2.0 Alignment

Function Example Practices in this Policy
Identify (ID) Asset inventory, Scoped Data definition, risk identification
Protect (PR) SDLC, patching, encryption at rest/in transit
Detect (DE) VAPT, monitoring, SOC oversight
Respond (RS) Incident management via Jira/HubSpot, customer notifications
Recover (RC) Patching, encrypted backups, DevOps issue resolution
Govern (GV) Management-approved policies, assigned owners, review cadence

✅ Key Takeaways for Customers & Auditors

  • Yes, business systems are used — primarily AWS-hosted Veonics® Portal.

  • Yes, security requirements are documented — referenced in KB articles.

  • Yes, application development follows a formal SDLC — Jira-based with internal accountabilities.

  • Yes, patching is continuous — evidence available under NDA/screen share.

  • Yes, Veonics® Portal is a web app — protected, tested, and penetration-tested.

  • Yes, vulnerabilities are assessed annually — reports available under NDA.

  • Yes, encryption is implemented — at rest, in transit, and full disk.

  • Yes, incident management program exists — Jira + HubSpot based, with formal response plan.

 

✅ Runbooks Overview Screenshot

Runbook screenshot