Data Assets Classification
OpenWeather has established a formal policy that defines the requirements for classifying and handling public and confidential information. The policy categorizes information into three distinct classes: public, internal, and restricted. Each class requires a corresponding set of security controls, including encryption for non-public data.
- Public information, such as weather forecasts and observation history, is deemed non-sensitive and therefore does not require confidentiality protection by OpenWeather.
- Internal information must be maintained as confidential with necessary access control policies applied.
- Restricted information, which may include any type of sensitive customer data (such as email addresses and billing addresses), must also be kept confidential, with tight access controls and encryption of stored data applied.
OpenWeather maintains an asset inventory system covering both hosted and cloud resources. The inventory identifies which file storage locations and databases hold assets of each classification, so that the appropriate policies can be applied to them. It also records the software stack of each component, allowing components that need updating to be identified rapidly when a software vulnerability is discovered.
Security Controls
OpenWeather's security controls are divided into three categories: administrative controls, physical controls, and technical controls.
- Administrative controls include logical access control and the human resource processes that are implemented to manage user access.
- Physical controls are designed to prevent unauthorized physical access to servers and data processing environments. Physical access control mechanisms are implemented to ensure that only authorized personnel have access to restricted areas.
- Technical controls include secure configurations and encryption for data at rest and in transit. These controls help to ensure that data is protected from unauthorized access or disclosure, and that the confidentiality, integrity, and availability of the data are maintained.