Security Policy

1. Introduction

At Sensei Project Solutions, security is fundamental to our values and the trust our clients place in us. This Security Policy outlines our internal practices, systems, responsibilities, and protective measures for managing information systems that support Sensei IQ—our modern project and portfolio management solution built on the Microsoft Power Platform. This policy provides governance for securing our systems, data, and development operations, while reinforcing our commitment to ethical behavior, legal compliance, and continuous improvement. All Sensei personnel are expected to understand and adhere to this policy.

2. Purpose

The purpose of this policy is to define and document the principles and controls we apply to safeguard the security, availability, and integrity of Sensei IQ. These efforts are designed to:

  • Protect our internal assets and development environments.
  • Ensure the confidentiality and privacy of sensitive business information.
  • Prevent unauthorized access to systems and services.
  • Maintain a high standard of trust with our clients, partners, and employees.

Sensei complies with all applicable laws and regulations and expects every team member, contractor, and representative to uphold the same standard.

3. Scope

This policy applies to all systems, applications, services, infrastructure, and information assets used by Sensei Project Solutions in the development and support of Sensei IQ. It applies to all employees, contractors, and authorized users.

4. Data and Asset Classification

Sensei applies role-based access control and layered protections to all internal data and systems. While we do not manage or store client data directly, internal assets such as source code, credentials, product secrets, and system configurations are treated as confidential and protected accordingly. We apply strong encryption, enforce MFA, limit access by business need, and ensure proper disposal of sensitive data and devices.

5. Client Data

Client data is entirely managed within the client’s Microsoft 365 tenant. Sensei does not store, move, or manage client data within our systems. Our role is to configure, extend, and support solutions that operate securely within that tenant. The client remains the sole controller of their data, including identity, access, and lifecycle of all associated records.

6. Asset Management

Sensei maintains an inventory of all company-issued devices and associated users. All assets are:

  • Enforced to receive automatic OS and antivirus updates.
  • Configured to auto-lock after 5 minutes of inactivity.
  • Subject to full drive wipe and secure disposal upon decommission.

In addition:

  • Employees must secure their home networks with WPA2 encryption or better.
  • Router firmware must be updated regularly.
  • Remote management features must be disabled.

VPN use is required on public or untrusted networks.

7. Password Policy

All passwords used to access Sensei systems must:

  • Be at least 8 characters in length.
  • Include a mix of uppercase, lowercase, numbers, and special characters when allowed.
  • Avoid personal identifiers, common phrases, or reused credentials.
  • Never be stored in plain text, emailed, or written down.
  • Not be stored in unmanaged tools like digital notes or word processors.

Multi-factor authentication (MFA) is required across all core systems. Employees are strongly encouraged to use a secure password manager to generate, store, and organize their credentials.

8. Background Checks and Character Assurance

To ensure the integrity of personnel accessing client environments or sensitive systems, Sensei performs background checks on all team members at the time of hire. A log of check completions and dates is maintained by HR. Results are not shared externally, but records are kept to provide confidence in our internal risk posture.

9. Access Control

Access to systems is governed by the principles of least privilege and need-to-know:

  • All access must be explicitly approved and assigned based on role.
  • Administrative access is granted only with documented justification.
  • Shared accounts are prohibited for systems handling sensitive data.
  • Temporary access is revoked once no longer needed.
  • Access logs are reviewed and dormant or excessive permissions removed.

All access requests are tracked, logged, and auditable.

10. Vulnerability Management

Sensei is responsible for identifying, tracking, and resolving security vulnerabilities in our products and infrastructure. As we do not manage client data directly, client systems are not at risk in the event of an internal vulnerability. Nevertheless, we take all risks seriously and:

  • Monitor for vulnerability advisories and patch affected systems promptly.
  • Track remediation efforts in our development backlog.
  • Maintain audit logs of mitigation efforts and retesting.

We continuously look for opportunities to harden our posture and reduce attack surfaces.

11. Change Management

All changes to systems, applications, and infrastructure supporting Sensei IQ follow formal change management procedures:

  1. Creation of a tracked work item in Azure DevOps.
  2. Team review and approval of the proposed change.
  3. Peer-reviewed code changes via pull request.
  4. Testing in non-production environments.
  5. Staged deployment using CI/CD pipelines.
  6. Post-release monitoring using Azure Application Insights and alerts.

Rollback strategies and notifications are prepared as needed.

12. Secure Coding Practices and Processes for Sensei IQ

In today’s fast-evolving cybersecurity landscape, secure coding is essential for developing applications that are resilient against a wide range of vulnerabilities. At Sensei Project Solutions, our development team adheres to a comprehensive set of secure coding practices to ensure the integrity, confidentiality, and availability of our application, Sensei IQ, which is built within the Microsoft Power Apps environment. This document outlines the principles, frameworks, and processes that guide our efforts to integrate security at every stage of the software development lifecycle (SDLC).

12.1 Secure Development Policy

Secure coding involves writing software in a way that prevents common vulnerabilities and protects against threats such as data breaches, unauthorized access, and malicious activity. By embedding security considerations into every phase of the development process, we effectively mitigate risk and protect user data and system resources.

12.1.1 Microsoft Security Development Lifecycle (SDL)

The Microsoft Security Development Lifecycle (SDL) provides a comprehensive framework for integrating security throughout the software development lifecycle. Our development team follows SDL practices from the earliest design phases through to deployment. These practices include:

  • Threat modeling.
  • Applying secure design principles.
  • Conducting security-focused code reviews.
  • Executing secure deployment practices.

We follow Microsoft's SDL guidelines to proactively address security considerations in all Sensei IQ development.

12.1.2 Key Secure Coding Standards and Frameworks

Our team applies industry-recognized standards to ensure consistency and security. These include:

  • OWASP Top Ten: We use the Open Web Application Security Project Top Ten list as a guide to recognize and eliminate the most critical web application security risks such as SQL Injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF).
  • Microsoft Secure Coding Guidelines: We apply Microsoft's coding recommendations for input validation, authentication, encryption, and secure exception handling.

Sensei follows commonly used coding standards and frameworks, and as necessary, revises and refactors legacy code to better align with secure coding practices.

12.2 Secure Development Practices at Sensei Project Solutions

We have integrated secure development practices throughout the SDLC to ensure Sensei IQ meets high standards for security and resilience.

12.2.1 Feature Requirement Verification

Each code review confirms that the implemented feature meets defined business and user requirements. This includes:

  • Ensuring that the code satisfies the intended user functionality.
  • Identifying and implementing any missing or incomplete functionality.
  • Considering additional enhancements that align with the feature's purpose.

This approach ensures that every implementation is effective, secure, and aligned to user needs.

12.2.2 Readability Assessment

We ensure that all code is structured, readable, and easy to maintain. Reviews include:

  • Verifying that code structure and logic are easy to follow.
  • Ensuring compatibility with standard screen resolutions (14-inch and 22–24-inch displays).
  • Keeping code clear, concise, and free of obfuscation.
  • Using descriptive names for functions and variables.
  • Improving naming and adding in-line comments where needed.

Readable code facilitates easier debugging, maintenance, and future development.

12.2.3 Maintainability Testing

Our team places high priority on code maintainability. During reviews, we:

  • Confirm that code can be easily tested and debugged.
  • Ensure configuration values can be easily updated for testing.
  • Avoid dependencies on outdated or unsupported technologies.

This process ensures our codebase remains scalable, reliable, and adaptable.

12.2.4 Security Vulnerability Check

We implement proactive measures to detect and prevent security flaws by:

  • Ensuring all libraries and tools are up to date and free of known vulnerabilities.
  • Enforcing strong authentication protocols, including OAuth with MFA via Microsoft Entra ID.
  • Validating and sanitizing all inputs to defend against injection attacks, XSS, and similar threats.
  • Implementing and enhancing data validation, especially for API requests.
  • Encrypting sensitive data, particularly personally identifiable information (PII) and GDPR-protected content.

Our team continuously seeks opportunities to enhance data security at all levels.

12.2.5 Performance and Efficiency Considerations

We optimize code performance to maintain a scalable and responsive system. During reviews, we:

  • Eliminate inefficient operations such as excessive string concatenation or memory misuse.
  • Remove redundant or duplicate code.
  • Identify and refactor common logic into reusable components in the shared repository.

As part of our roadmap, we continue to refactor older implementations and consolidate shared logic into reusable assets for use across Power Apps, Dynamics, and Teams.

12.2.6 Documentation Quality

Proper documentation enables developers to understand and extend the codebase. We ensure that:

  • Code documentation clearly describes purpose, usage, and dependencies.
  • Documentation is concise, complete, and current.
  • New features and changes are accompanied by examples and usage instructions.

We are enhancing documentation across various components, including PCF Controls, Plugins, Workflows, and WebResources. Existing inline comments, particularly in plugins, already follow best practices by including purpose, ticket references, and update history.

12.2.7 Naming Conventions Inspection

Consistent naming improves code clarity and maintainability. Our practices include:

  • Adhering to naming conventions for variables, functions, and classes.
  • Refactoring names to better reflect purpose and improve readability.
  • Documenting standards for current and future developers.

We continue to evolve our naming conventions and refactor older code as necessary, establishing clarity across the codebase.

12.3 Security Tools Integrated with Azure DevOps

To automate and enforce secure development, we integrate the Microsoft Security DevOps Extension with Azure DevOps. This includes tools such as:

  • GitHub Advanced Security: Identifies credentials checked into source code.
  • BinSkim: Performs static analysis on binaries.
  • TSLint and ESLint: Enforces TypeScript and JavaScript coding standards.
  • StyleCop: Enforces C# style and formatting rules.

These tools ensure consistency, detect vulnerabilities early, and reduce risk throughout the pipeline.

12.4 Dependency Management and Security

We follow best practices for secure dependency management:

  • Keep libraries and packages updated to stable versions.
  • Monitor security advisories for any known vulnerabilities.
  • Use lock files such as package-lock.json and yarn.lock to enforce consistent versions.
  • Regularly audit and remove unused dependencies using tools like depcheck.

These practices are now routine within the team, with growing familiarity and application of tools like DepCheck and React-specific techniques for managing dependencies.

12.5 Incident Response Plan

If a security breach occurs within our Microsoft 365 tenant, we follow a well-defined response plan. In the unlikely event of a security incident or data breach affecting internal systems:

  1. Detect: Identify the breach through monitoring and alerting systems.
  2. Contain: Limit exposure and control access.
  3. Escalate: Notify department leads and the CEO.
  4. Assess: Evaluate impact and identify affected data.
  5. Take Action: Implement containment and recovery measures.
  6. Notify: Inform affected individuals as required.
  7. Review: Conduct a post-incident review and update policies or training accordingly.

This structured process ensures quick action, legal compliance, and improved future resilience. Incidents are documented and reviewed by technical, legal, and leadership personnel.

12.6 Ongoing Education and Training

To stay current with evolving threats and best practices, our team actively pursues:

  • Training: Internal workshops and curated online training on secure coding and OWASP.
  • Security Culture: Integration of DevSecOps and continuous improvement of security posture.
  • Knowledge Sharing: Internal portals for guidelines, resources, and shared learning.
  • Framework Adoption: Implementation of Microsoft SDL and secure development frameworks.
  • Certifications: Encouragement to obtain DevSecOps credentials.

By adhering to secure coding best practices, leveraging Microsoft's security frameworks, and maintaining a culture of vigilance and education, Sensei Project Solutions ensures that Sensei IQ is developed to meet modern cybersecurity demands.

13. Security Awareness Policy

All Sensei employees are required to complete mandatory security awareness training at onboarding, followed by annual refresher training. Training includes:

  • Password best practices.
  • Safe handling of confidential and internal data.
  • Recognizing phishing attempts and malicious links.
  • Appropriate use of devices, networks, and email.

Compliance is auditable and monitored by the HR and IT leads.

14. Continuous Improvement

Sensei regularly reviews and updates this policy in alignment with best practices and evolving threats. We maintain:

  • Quarterly policy checkpoints.
  • Annual comprehensive reviews.
  • Stakeholder involvement from Product, Leadership, and Customer Success.

Security is a shared responsibility, and every team member plays a role in maintaining the integrity of Sensei IQ. This document serves as a reference for all development activities and a foundation for continuous improvement in secure software engineering at Sensei.

For questions or clarifications, contact us at: info@senseiprojectsolutions.com