Corporate Security

Data Assets Classification

OpenWeather has established a formal policies to delineate the requirements for the classification and handling of public and confidential information. The policy categorizes information into three distinct classes - public, internal, and restricted - each of which requires a corresponding set of security controls, including encryption measures for non-public data.

1. Public information such as weather forecasts and observation history is deemed non-sensitive and, as such, does not require confidentiality from OpenWeather.
2. Internal information must be maintained as confidential with necessary access control policies applied.
3. Restricted information which may include any types of customer sensitive data (i.e. emails and billing addresses) must also be kept confidential with tight access controls and data storage encryption applied.

OpenWeather maintains an assets inventory system including both hosted and cloud resources which allows it to identify which file storages and databases contain assets of specific types, so appropriate policies could be applied to them. In addition it contains software stack details for each of components which allow rapid identification of need to update for software vulnerabilities discovered.

Security Controls

OpenWeather's security controls are divided into three categories: administrative controls, physical controls, and technical controls.

• Administrative controls include logical access control and human resource processes that are implemented to manage user access.
• Physical controls are designed to prevent unauthorized physical access to servers and data processing environments. Physical access control mechanisms are implemented to ensure that only authorized personnel have access to restricted areas.
• Technical controls include secure configurations and encryption for data at rest and in transit. These controls help to ensure that data is protected from unauthorized access or disclosure, and that the confidentiality, integrity, and availability of the data are maintained.

Access control refers to the policies, procedures, and tools used to manage access to and utilization of resources such as a cloud service, physical server, file, application, data in a database, and network device.

There are two distinct approaches to access control: the first approach is Least Privilege, which is system-oriented and involves a careful evaluation of user permissions and system functionality to ensure that access is restricted to only the resources necessary for users or systems to perform their designated functions. The second approach is Default-Deny, which is a network-oriented configuration method that initially denies the transmission of all traffic and then permits only the essential traffic based on protocol, port, source network address, and destination network address.

User Access Management

OpenWeather employs an account-provisioning system for provisioning user access. Access privileges are assigned based on specific job roles and are subject to approval from management. This approach ensures that user access is granted only when necessary for job duties and is authorized by appropriate management personnelh3.

Password Management

OpenWeather's policies outline guidelines for password usage. To minimize the risk of intruders exploiting user accounts and associated passwords to gain access to systems or environments, it enforces strict policies, including requirements for password length and complexity for all types of accounts. Additionally, system-generated and assigned passwords must be changed immediately upon receipt.

OpenWeather employees are required to adhere to the established password rules, maintain the confidentiality and security of their passwords. Employees are prohibited from sharing their individual account passwords with others. Also OpenWeather system or application passwords are not permitted to be used for non-OpenWeather applications or systems by employees.

Access Rights Review

In accordance with its policies, OpenWeather regularly evaluates network and operating system accounts to ensure that employees have the appropriate level of access. If an employee leaves the company due to any reason, OpenWeather promptly takes the necessary steps to terminate their network, email, applications, cloud services, databases and physical access.

In the event of suspected mishandling or unauthorized access of customer data, OpenWeather will respond and evaluate the situation as per OpenWeather policies. The policies outline requirements for incident reporting and response. Incident-response programs and operational teams have defined requirements based on the type of incident. Upon discovery of an incident, OpenWeather develops a response plan for quick and effective investigation, response, and recovery. Root-cause analysis is performed to identify opportunities for security improvement. Formal procedures and systems are used to collect information and maintain a chain of custody for evidence during incident investigation.

As part of our commitment to ensuring the protection of our clients' privacy, we have developed a comprehensive Privacy Policy that outlines our data collection practices. We do not collect any personal client data, as we recognize the sensitivity and importance of this information. Our Privacy Policy is a reflection of our dedication to safeguarding the confidentiality of our clients' personal information, and we strictly adhere to the principles outlined in this policy to maintain the trust and confidence of our valued customers.