Tikshop Info — Information Security Policy

Purpose. This policy sets the standards for protecting Tikshop Info’s data, systems, and users from cyber threats. We implement preventive, detective, and responsive controls aligned with industry best practices.

1) Scope

Applies to all Tikshop Info assets: server/hosting infrastructure, web applications, domains and DNS, admin/editor accounts, analytics tools, organizational email, and user data (personal and non-personal).

2) Security Principles

• Confidentiality — Role-Based Access Control (RBAC), least-privilege access.

• Integrity — Change control and file integrity protections.

• Availability — Redundancy, routine backups, and recovery planning.

3) Data Protection

• Encryption in transit: HTTPS/TLS 1.2+; HSTS enabled.

• Encryption at rest: Disk/database encryption on supported storage services.

• Data minimization: Collect only what is necessary; retention follows business needs.

• Pseudonymization/Anonymization: Applied to analytics whenever feasible.

4) Application Security

• Secure development: Code reviews, linting, and dependency scanning.

• Vulnerability testing: Scans aligned to OWASP Top 10 (XSS, SQLi, CSRF, SSRF, etc.).

• Security headers: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.

• Input protection: Server- and client-side validation/sanitization; upload size limits.

• Secrets management: API keys and credentials stored in a secrets manager, not in repositories.

• Rate limiting & CAPTCHA: Enforced on sensitive endpoints (login, comments, forms).

5) Access & Identity

• MFA mandatory for admin, hosting, DNS, CDN, email, and analytics accounts.

• RBAC: Access restricted by role (admin, editor, contributor).

• Strong passwords: Minimum 12 characters; no reuse; hashed with bcrypt/Argon2.

• Access audits: Quarterly reviews; immediate revocation for inactive accounts.

6) Infrastructure & Network

• WAF/CDN for DDoS mitigation and traffic filtering.

• Firewalls: Only essential ports open; SSH via public keys.

• Routine patching: OS, web server, runtimes, CMS/plugins.

• Monitoring: App/access/error logs sent to centralized logging with at least 90-day retention.

7) Backup & Recovery

• Automatic daily backups (databases & critical files).

• Retention: Daily (7), weekly (4), monthly (3).

• Restore testing: At least twice per year.

• RTO/RPO: Defined by service tier (e.g., RTO 4 hours / RPO 1 hour for critical content).

8) Vulnerability Management

• Regular scanning (weekly or upon major change).

• Risk-based SLAs:

  • Critical: patch ≤ 24 hours

  • High: ≤ 7 days

  • Medium: ≤ 30 days

  • Low: prioritized as appropriate

• Component inventory (SBOM) and CVE monitoring.

9) Incident Response (IR)

• Response team: Incident lead, communications, forensics/logs, operations.

• Workflow: Detection → Triage → Containment → Remediation → Recovery → Post-mortem.

• Notifications: In case of personal data breach, affected users and relevant authorities are notified per applicable regulations.

• Incident logbook retained for a minimum of 1 year.

10) Third-Party Security

• Vendor due diligence (hosting, CDN, payments, analytics).

• DPA (Data Processing Agreement) where personal data is processed.

• Least access and service-isolated API keys for each provider.

11) Training & Awareness

• Annual security training for staff (phishing, password hygiene, data classification).

• Periodic phishing simulations; easy internal channel for incident reporting.

12) Compliance

• Adherence to relevant Indonesian data protection rules and international best practices.

• Privacy by design for new features, with DPIA (Data Protection Impact Assessment) where needed.

13) Policy Updates

This policy is reviewed at least every 12 months or whenever there are significant changes in risk/technology.

🕓 Last updated: November 3, 2025

14) Security Contact

Report security issues to: security@tikshop.info