MetricStream Cloud Frequently Asked Questions


Contents
1.0 Architecture & Environment
2.0 Service Level Agreement
3.0 High Availability & Scalability
4.0 Backup & Disaster Recovery
Data Security
Network Security
Physical Security & Infrastructure*
Operational Security
Security / Audit Logs

1.0 Architecture & Environment

1.1 Does MetricStream operate its own hosting center?
MetricStream partners with multiple SSAE 16 Type II audited Tier IV data centers with co-location facilities currently located in California, New Jersey, Missouri and London. MetricStream is also in the process of partnering with data centers in countries such as the UAE and Canada in order to expand its hosting locations.

1.2 Does MetricStream offer shared or dedicated server environments?
MetricStream does not multi-tenant. To eliminate the potential for co-mingling of data, each customer is provided dedicated servers, helping ensure MetricStream meets the compliance and regulatory requirements of industries such as banking, finance, insurance, life sciences, healthcare, energy and utilities.

1.3 What is the minimum and maximum duration for contracting Cloud services?
Typically, MetricStream requires a three (3) year contract commitment for our hosted services and term licenses, and we are open to discussing maximum terms of five and seven years.

1.4 Describe MetricStream's compliance with various laws, codes and regulations relating to security, privacy and data protection.
The MetricStream Cloud solution and services include robust capabilities for security, access controls, identity management, audit trails, electronic signatures, encryption, authorization and authentication. These cloud capabilities ensure compliance with various international, national and regional regulations on record keeping, privacy, and protection of the quality and integrity of data (such as HIPAA, PCI and 21 CFR Part 11). MetricStream partners with SSAE 16 Type II audited Tier IV data centers with state-of-the-art infrastructure and services for serving our clients in North and South America, Europe, Asia and Africa. Beyond being widely adopted by small and medium enterprises, even some of the world's largest companies are using the MetricStream Cloud after rigorously testing the security and reliability of our infrastructure. In addition, MetricStream is SSAE 16 SOC 2 Type I compliant for its internal processes and hosting operations.

1.5 What is MetricStream's HIPAA compliance statement?
MetricStream offers its GRC solutions on a hosted or cloud basis. When we provide our GRC solutions from the cloud, each customer is assigned dedicated hardware for all of their tiers, and each customer's environment is physically separated from other customers. Our data centers are SSAE 16 Type II compliant. MetricStream understands and appreciates that our customers who are covered entities must enter into business associate agreements with companies that perform functions or activities or provide certain services that involve access to protected health information.

In accordance with 45 CFR : (a) such functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing; and (b) such services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. MetricStream does not perform such functions and activities or provide such services when a customer opts to use our GRC hosted solutions. MetricStream does not access or use any protected health information that the customer may upload to the MetricStream Cloud. The customer is in control of all protected health information. MetricStream does not perform any of the listed functions and activities (and is not engaged in providing any of such services) on behalf of our customers. We provide the software and infrastructure to enable our customers to perform their own functions and activities, such as data analysis, in an environment dedicated solely to their use.

1.6 Describe the physical controls in place for delivering a secured environment, network, and data center.
MetricStream's partner facilities are secured by four layers of physical security:
- Entry to the data centers is limited to authorized personnel (carrying identification badges) and requires a PIN for access.
- Biometric hand scanners govern access to the offices and data center.
- The computer data center takes a separate electronic key fob to enter, and servers can be configured in an optional locking rack cabinet.
- Customer personnel have access to their servers 24x7, but must be escorted at all times unless a co-location suite with separate security precautions is established. All visits are logged.
Video surveillance of all ingress and egress, as well as rack activity, is conducted 24x7. All logs are reviewed periodically.

1.7 Describe the power redundancy setup to support the cloud infrastructure.
Data center environmental security includes redundant cooling, power, and fire suppression systems. The data centers are covered by a redundant UPS system and power distribution grid that includes UPS batteries and a gas-powered generator farm that has a 3-day supply of gas and can be refueled during operations. The facilities will never lose power. Air handling systems for the facilities are augmented by N+2 air-conditioning systems to keep over 1000 servers on the floor cool. The data centers are regularly cleaned and maintained to ensure a safe and dust-free environment.

1.8 Has the data center ever had any major power failures and how did the emergency systems perform?
MetricStream's data center partners have never reported any major power failures. All emergency systems are periodically tested.

1.9 Describe the network controls in place to maximize system uptime.
MetricStream's partner data centers maintain multi-homed internet access to reduce single points of failure. They have rich fiber connections to all major carriers, with scalable bandwidth capacity from OC3 to OC192.

1.10 What is the average or expected up time for the system in %?
MetricStream can support 99.5% system availability.

1.11 Who (employees or contractors of the site) has physical and/or login access to the servers and applications that hold customer data?
MetricStream does not employ contractors. While MetricStream employees manage the Cloud environment, application data cannot be altered, deleted, or retrieved by anyone other than users with appropriate privileges.

1.12 What industry standards has MetricStream adopted for securing application(s) and infrastructure (e.g. OWASP, NIST, ISO, etc.)?
MetricStream applies its software security assurance process as part of its Software Development Life Cycle (SDLC) to design and develop applications. The SDLC helps to ensure that communication and collaboration services are highly secure, even at the foundation level. MetricStream has adopted the OWASP standard for web applications.

1.13 Please describe MetricStream's vulnerability assessment process.
AppSec Consulting, Inc., an independent information security firm, is periodically engaged to conduct extensive penetration testing of the application based on PCI standards. The penetration tests are conducted with the following primary objectives:
- Identify and assess the controls in place to protect against both external and internal threats
- Identify web application and server configuration vulnerabilities that put sensitive information at risk and impact PCI compliance
- Test the application from the standpoint of unauthorized users attempting to gain access as well as authorized users trying to escalate access
- Provide a detailed risk analysis and remediation advice for each vulnerability identified
- Detect any vulnerability remaining after MetricStream has performed remediation
In addition, in-house penetration testing is also conducted for every major release of the Platform using the Burp Suite (an integrated platform for performing security testing of web applications). During MetricStream's scans, the following key areas are covered:
- Cross-site scripting
- SQL injection
- Session cookie management
- Reliance on client-side input validation
- Excessive privileges for the database account
- Unsafe attachments that may be uploaded
- Complete stack trace error provided to the user

1.14 How does MetricStream update security against emerging cyber security threats?
At MetricStream, security is considered an important aspect throughout the SDLC. The following measures are currently part of the development lifecycle:
- Regular design/architecture review meetings to identify vulnerabilities around user permissions, logins, data privacy and unauthorized access
- Multi-level code reviews: peer code review, lead code review and a review by the technical architect (if required)
- Detailed documentation/tech notes are maintained on any findings
- On every major release MetricStream ensures that it carries out a security upgrade of all third-party systems and the OS
For every major release of the platform, penetration tests are performed using the Burp tool and any vulnerability found is addressed in the subsequent release. The findings checked for include:
- SQL injection
- Cross-site scripting (XSS)
- Path traversal
- HTTP response splitting
- Password returned in later response
- Open redirection
- Cleartext submission of password
- Cookie without HttpOnly flag set
- TRACE method is enabled
- Directory listing
- Email addresses disclosed
- Private IP addresses disclosed
- Credit card numbers disclosed
- HTML does not specify charset
- Content type incorrectly stated
- Request impersonalization

1.15 Does MetricStream track and report on attempts (both successful and unsuccessful) to access hosted systems?
The MetricStream application tracks the number of attempts at accessing a user account. If desired, a configurable option allows for disabling an account after X number of unsuccessful login attempts.

1.16 What access controls are in place to prevent improper use (such as deleting data, altering data)?
System Administrators can configure access controls as follows:
- Feature access controls: features such as digital dashboards, reports, and input forms have access controls and rights that are allocated based on the user.
- Application access controls: the application modules (for example, Audits, Document Control, CAPA, Non-Conformance Management) have access controls and rights that are allocated based on the user.
- Data access controls: these include row-level security and column-level security.
Additionally, the MetricStream solution maintains a complete track record of changes, version history, and a detailed audit trail of all activities and changes. The MetricStream solution records all data modifications within the system, including user and system data: any data field change results in an auditable record of who, when, the old value and the new value.

Data is never deleted from the database, so a full and complete audit trail/history is always available. Since this feature is a part of the MetricStream Platform, the system ensures that all data changes at the application level are recorded and available for audit purposes. Reports can then be generated to display this audit history data in the appropriate views. The system provides accurate time-stamped audit trails with what, who, when and why information for task creation, editing, modification and deletion.

1.17 Can MetricStream restrict user access (data and services) to certain IP addresses?
MetricStream can implement a rule in the firewall to only allow traffic from a pre-defined set of IP address subnets (thereby limiting access to only those users from the customer's internal networks), although this would prevent legitimate users from accessing the services from the internet.

1.18 How is the authentication process controlled and protected?
The MetricStream platform provides multi-layered authentication capabilities such as electronic signatures, passwords, system access via defined IP network ranges, automatic logging off after a period of inactivity, and disabling of user accounts after repeated failures to log in. All MetricStream applications have configurable rules for passwords, password complexity and expiry, as well as authentication and sign-offs at major transactional steps of business process workflows. At a minimum, passwords are stored or transmitted in a one-way hashed format. When integrated with an LDAP server, the MetricStream platform authenticates user identity against the LDAP server and does not keep a copy of user passwords in its repository. All user profile information is maintained only on the LDAP server. That way, users do not need to remember multiple passwords and e-signatures. Authorization information can also be imported from the LDAP server, if required.
The platform supports integration with Single Sign-On (SSO) infrastructure. For instance, for SAML 2.0 (Security Assertion Markup Language) based infrastructure in Oracle's Identity Federation System, users can authenticate against a Single Sign-On infrastructure. The password entered by the end user is authenticated on the customer's Active Directory server or other LDAP servers/user repositories (depending on the SSO implementation and standard), and the user gains access to all systems without being prompted to log in again at each of them. Organizations can also implement Active Directory Federation Services (ADFS) to use Single Sign-On (SSO) infrastructure that enables users to authenticate to multiple web applications across multiple organizations or domains over a single online session. Thus, users can use a single password to log in to MetricStream applications as well as other corporate applications.

1.19 What audit trails and logs are created?
MetricStream's platform records all data modifications within the system, including user and system data. Any data field change results in an auditable record of user, timestamp, the old value and the new value. Data is never deleted from the database, so a full and complete audit trail/history is always available. Since this feature is a part of the MetricStream platform, the system ensures that all data changes at the application level are recorded and available for audit purposes. Reports can then be generated to display this audit history data in the appropriate views.
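The login controls described in 1.15 and 1.18 (attempt tracking, lockout after a configurable number of failures, one-way hashed passwords, access restricted to defined IP ranges, automatic log-off after inactivity) fit together in a small authentication module. The code below is an added illustration written for this page; it is not MetricStream's code and says nothing about how their platform implements these controls. The hash construction (salted PBKDF2-SHA256 with 100,000 rounds), the policy class and all names are assumptions made here; the FAQ only says "one-way hashed" and "X number of unsuccessful login attempts".

```python
"""Login controls of the kind the FAQ describes (an added illustration, not
MetricStream code): a salted one-way password hash, an allowed-network list,
lockout after a configurable number of failures, and session expiry after
inactivity. Every attempt, successful or not, is recorded."""
from __future__ import annotations

import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass, field
from typing import Optional

PBKDF2_ROUNDS = 100_000  # assumption: the FAQ says only "one-way hashed"


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Return (salt, digest); the plaintext password is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    disabled: bool = False


@dataclass
class AuthPolicy:
    max_failures: int = 5                                       # the FAQ's configurable "X"
    allowed_networks: list[str] = field(default_factory=list)  # CIDR strings; empty = no restriction
    inactivity_timeout_s: int = 900


class Authenticator:
    def __init__(self, policy: AuthPolicy) -> None:
        self.policy = policy
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, dict] = {}                 # session id -> {"user", "last_seen"}
        self.attempt_log: list[tuple[str, str, str]] = []   # (user, source ip, outcome)

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest)

    def _ip_allowed(self, source_ip: str) -> bool:
        if not self.policy.allowed_networks:
            return True
        addr = ipaddress.ip_address(source_ip)
        return any(addr in ipaddress.ip_network(n) for n in self.policy.allowed_networks)

    def login(self, username: str, password: str, source_ip: str, now: float) -> Optional[str]:
        """Return a session id on success, None otherwise; every attempt is logged."""
        if not self._ip_allowed(source_ip):
            self.attempt_log.append((username, source_ip, "denied-ip"))
            return None
        acct = self.accounts.get(username)
        if acct is None or acct.disabled:
            hash_password(password, b"\x00" * 16)  # equalise timing so usernames are not enumerable
            self.attempt_log.append((username, source_ip, "denied"))
            return None
        _, digest = hash_password(password, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            acct.failed_attempts += 1
            if acct.failed_attempts >= self.policy.max_failures:
                acct.disabled = True   # stays disabled until an administrator re-enables it
                self.attempt_log.append((username, source_ip, "locked"))
            else:
                self.attempt_log.append((username, source_ip, "failed"))
            return None
        acct.failed_attempts = 0
        sid = os.urandom(16).hex()
        self.sessions[sid] = {"user": username, "last_seen": now}
        self.attempt_log.append((username, source_ip, "success"))
        return sid

    def touch(self, sid: str, now: float) -> bool:
        """Validate a session on each request; drop it once idle past the timeout."""
        s = self.sessions.get(sid)
        if s is None:
            return False
        if now - s["last_seen"] > self.policy.inactivity_timeout_s:
            del self.sessions[sid]
            return False
        s["last_seen"] = now
        return True
```

The attempt log is what makes the "both successful and unsuccessful" reporting of 1.15 possible; a denied-ip or locked entry is the event a reviewer would want surfaced, and the lockout is deliberately sticky (an administrator re-enables the account) rather than time-based.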
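Sections 1.16 and 1.19 both describe the same audit-trail design: every field change produces a record of who, when, the old value and the new value, and data is never deleted, so history is always available. The store below is an added example written for this page to show how such an append-only trail behaves, including the "why" and the point-in-time reconstruction that 1.16 mentions; it is not MetricStream's code, and the soft-delete marker, ISO-string timestamps and class names are assumptions made here.

```python
"""Append-only audit trail of the kind the FAQ describes (an added illustration,
not MetricStream code): every field change yields a record of who, when, the old
value and the new value; deleting a record is itself a recorded state change, so
nothing is ever removed and any past state can be reconstructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Optional


@dataclass(frozen=True)
class AuditRecord:
    record_id: str
    field: str
    old_value: Any
    new_value: Any
    user: str
    timestamp: str   # ISO 8601 UTC string, so records compare chronologically
    reason: str


class AuditedStore:
    DELETED = "__deleted__"   # pseudo-field used to record soft deletes (assumption)

    def __init__(self) -> None:
        self._rows: dict[str, dict[str, Any]] = {}
        self._deleted: set[str] = set()
        self._trail: list[AuditRecord] = []   # only ever appended to

    def _log(self, record_id, field, old, new, user, when, reason) -> None:
        self._trail.append(AuditRecord(record_id, field, old, new, user, when, reason))

    def set_field(self, record_id: str, field: str, value: Any,
                  user: str, when: str, reason: str = "") -> bool:
        """Apply a change and audit it; returns False when nothing actually changed."""
        if record_id in self._deleted:
            raise ValueError(f"{record_id} is deleted; restore it before editing")
        row = self._rows.setdefault(record_id, {})
        old = row.get(field)
        if old == value:
            return False
        row[field] = value
        self._log(record_id, field, old, value, user, when, reason)
        return True

    def delete(self, record_id: str, user: str, when: str, reason: str = "") -> bool:
        """Soft delete: the row and its history stay; only its state changes."""
        if record_id not in self._rows or record_id in self._deleted:
            return False
        self._deleted.add(record_id)
        self._log(record_id, self.DELETED, False, True, user, when, reason)
        return True

    def get(self, record_id: str) -> Optional[dict[str, Any]]:
        """Current view: deleted rows are hidden, not gone."""
        if record_id in self._deleted or record_id not in self._rows:
            return None
        return dict(self._rows[record_id])

    def history(self, record_id: str) -> list[AuditRecord]:
        """The who/when/old/new/why report for one record, oldest first."""
        return [r for r in self._trail if r.record_id == record_id]

    def as_of(self, record_id: str, when: str) -> Optional[dict[str, Any]]:
        """Reconstruct a record at a point in time by replaying its trail."""
        state: dict[str, Any] = {}
        seen = deleted = False
        for r in self._trail:
            if r.record_id != record_id or r.timestamp > when:
                continue
            seen = True
            if r.field == self.DELETED:
                deleted = r.new_value
            else:
                state[r.field] = r.new_value
        return state if seen and not deleted else None
```

The property worth checking in any real implementation is the one the test exercises: after a delete, the current view hides the record but its full history and every earlier state remain recoverable.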

1.20 Can a customer start with the SaaS solution and migrate to on-premise at a later date?
The MetricStream Cloud is the industry's most robust offering. The solution enables companies to get their operations up and running quickly, without requiring extensive internal IT resources. With MetricStream, the transition from on-demand to in-house deployment and vice versa is uniquely seamless, virtually eliminating risk in the solution acquisition process. The entire migration can be completed over a weekend when planned with appropriate systems and software at the two end points.

1.21 What practices are followed to keep the applications safe?
The following are some of the software tools in place for prevention against malicious code:
- OSSEC: host-based intrusion detection system which generates alerts based on events in the servers
- Nessus: vulnerability scanner
- Alertbot: URL monitoring system
- Cacti: network monitoring tool
- Symantec Endpoint Protection: anti-malware
- Cyberoam: firewall and network security
Penetration tests are performed on every major release of the MetricStream platform, using industry-standard tools such as Burp. The platform is tested for a wide range of security attacks, including:
- Common web application vulnerabilities such as SQL injection, cross-site scripting, path traversal, HTTP response splitting, request impersonalization and password returned in later response
- Brute force attacks against authentication schemes
- Parameter manipulation
- Trawling for hidden content and functionality
- Session token sequencing and session hijacking
- Data mining
- Concurrency attacks and application-layer denial-of-service attacks
Apart from that, MetricStream performs a third-party application penetration testing and vulnerability assessment test annually.

2.0 Service Level Agreement

2.1 Does MetricStream monitor the entire solution 24x7x365?
MetricStream works closely with its data center partners to provide 24x7x365 support and monitoring services. Typically, automated monitoring tools poll the system on a periodic basis (usually every 5 minutes) and test such connections as the web server, the J2EE server, the Oracle database, and various parts of the application layer as well. HTTP requests are sent to various parts of the application and the response is monitored. If one of these connections fails, an automated alert message is sent over email and/or pager to the data center's help desk and/or the MetricStream help desk.

2.2 Describe the service level agreement around response time and problem resolution time.
MetricStream provides a Service Level Agreement (SLA) around uptime and problem resolution time, and it can include response time of the system (although there will be some dependencies on the customer's network that have to be factored into the contract).

2.3 Does MetricStream provide complete and regular reports on the interaction with the customer, including types of calls, status of issues, and resolution times?
MetricStream offers a web-based customer support portal that is powered by the MetricStream GRC Platform, where customers can log issues, view the status of their open issues, and the current resolution status of those issues. All issues, whether reported via phone or the customer support portal, are logged to the same TAR (Technical Action Request) system and are viewable online via customer-specific reports and dashboards. MetricStream can also provide these reports manually via preset customer meetings, as well as have these reports automatically emailed to selected users if desired.

2.4 What is the average response and resolution time for problems encountered with the infrastructure: network, operating systems, or data center?
The MetricStream Cloud SLA includes a response time of less than two (2) hours for critical and severe errors. For critical errors, MetricStream will use commercially reasonable efforts, on a twenty-four (24) hour, seven (7) days per week basis, to provide a workaround or error correction for such critical error. For other types of issues, MetricStream generally resolves within four (4) hours.

2.5 Describe how technical issues are resolved.
MetricStream proposes three levels of support. Level 1 is typically provided by the customer. MetricStream's technical staff on its help desk provides Level 2 support. If the help desk is unable to resolve an issue quickly, it is escalated to Level 3 (the development staff and/or the original professional services staff that worked on the solution), based on the type of issue. If further escalation is required, our CTO is the next path of escalation. If a data center issue is determined to be the cause of the problem, the help desk will contact the data center's help desk, which is 24x7 as well and has a similar escalation process.

2.6 Describe MetricStream's escalation procedure. Are there tiered response layers? What happens at each stage?
MetricStream has a defined escalation procedure. In addition to escalating based on the type of issue, the help desk will escalate issues if a problem remains unresolved for a specific duration. This duration differs based on the severity of the issue, which is classified as critical, severe, moderate or minor. For additional information on our support policies and procedures, please contact us for our support policies and procedures manual.

2.7 Does the MetricStream SLA include provisions for a disaster recovery plan?
MetricStream has included provisions in our SLA for a disaster recovery plan and timeframe. The specifics around the disaster recovery plan are created as part of the SLA contract and are dependent on customer requirements such as standard backups and recovery, hot backup systems, redundant systems, etc.

2.8 Does MetricStream have documented change management procedures in place?
MetricStream's quality process includes a change management procedure that minimizes the impact to a customer system while ensuring that the customer is aware of any changes being made to the system. As part of the change management procedure, MetricStream can optionally offer and implement a staging system that emulates the production system. This allows MetricStream's support and QA staff as well as our customers to test and verify the software change before any change is applied to the production environment. As part of the SLA contract, scheduled maintenance windows are also defined. MetricStream works with its customers to define the maintenance window to match each customer's downtime window for the other systems they use.

2.9 How often are MetricStream customers scheduled down for routine maintenance? For how long?
Typically, maintenance of the system such as patches/upgrades and backups is performed in less than a couple of hours.

2.10 How often are customers down for unscheduled maintenance? For what period of time?
MetricStream strives to minimize downtime as much as possible. Patches can often be applied in a hot-fix mode supported by our architecture. If the system has been down outside the scheduled maintenance window, the system is usually restored within 5 minutes on average after the call is reported to MetricStream's help desk. Our standard SLA provides for credit if the downtime exceeds 4 hours in a month. Note: MetricStream has never encountered a downtime of this duration.

2.11 How does the customer retain access to its data and systems should MetricStream cease to operate?
To provide assurance to customers that they will still be able to use their system and access their data should MetricStream cease to operate, contracts can be created between all parties involved specifically stating that the customer owns the data. If desired, backups of the data and system files can also be provided to the customer on a periodic basis. In addition, the source code for our software can be provided in an escrow account at the customer's cost so that our customers would have access to the complete system and software should MetricStream cease to operate.

2.12 What are the procedures for creating user accounts?
The MetricStream Solution includes an administrative interface that provides the customer, and any other party it may designate, the capability to add and delete user accounts and associated passwords, as well as define roles, permissions and access rules for each such user account. Such roles, permissions, and access rules may be assigned to individual user accounts or to a customer-defined group of user accounts. The customer can issue and administer Authorized User access and passwords, including additions, deletions and changes in access levels of Authorized Users.

2.13 How are upgrades, patches, releases handled? What is the frequency?
Typically, a release is targeted for every six months, with a major release targeted every 18 months. Service patches may be released on an as-needed basis depending on the severity of any reported issues.
Major release (X.0)
- Significant new functionality, data model changes, app impact
- Potential upgrade impact
- One major release every year
Stabilization minor release (X.1)
- Few significant new features based on X.0 customers' needs
- Minor upgrade impact
- Six months after major release
Intermediate minor release (X.5)
- Some new features for analyst visibility, customer needs and differentiators
- Minor upgrade impact
- Six months after the X.1 minor release
Upgrades are provided at no additional cost beyond the annual support charge, although professional services may be required to implement the upgrade in the customer environment. Changes in a new release are made at the Platform level, and configuration changes made by the customer to their application are usually preserved across releases and/or migration scripts are provided. While the upgrade time may vary based on the particular release and the particular solution implementation, MetricStream typically estimates 1-2 weeks to perform the major upgrades, with the majority of the time spent testing the application to ensure that nothing broke during the upgrade process. All releases and patches come with comprehensive documentation describing the change(s), its impact, the steps to apply it, and detailed test cases for the issues addressed in the release or patch. The MetricStream Platform consists of several JAR files as well as platform metadata. The MetricStream application consists of resource files (templates, properties files etc.) and application metadata. Upgrading the MetricStream Platform does not affect the application resource files and application metadata, thus preserving all customizations. Upgrades of the application are performed using the IUP (Install Upgrade Patch) tool, which migrates resource files as well as application metadata.

The steps involved in upgrading and promoting the application into production include:
- Installation and/or upgrade of the new MetricStream Platform in the test instance
- Installation and/or upgrade of the application module in the test instance
- Installation of any patches specifically required
- User Acceptance Testing and validation (if required) of the application module on the test instance
- Transition from the test/staging instance to the production instance using the IUP

2.14 How does the customer participate in the upgrade/enhancement process?
As part of any upgrade/enhancement process, the customer usually participates at a minimum by performing the User Acceptance Testing (UAT). This is usually conducted on a separate staging system that emulates the production system and allows our support and QA staff as well as our customers to test and verify the software change before any change is applied to the production environment. Upgrades and enhancements are applied to the production environment only after the UAT has been completed and approved by the customer. When an upgrade/enhancement is targeted, the customer is involved in the installation planning: what will be accomplished, the potential impact to any areas of the software, and what will be required from the customer.

3.0 High Availability & Scalability

3.1 Does MetricStream provide high-availability systems?
MetricStream's solution is a web-based, J2EE n-tier application, using a database, application and web server architecture. Our solutions can run on any hardware and operating system. High-availability deployment architecture is supported by MetricStream and can be used to provide fail-over capabilities:
- At the presentation and application server layers, MetricStream can be configured in a redundant manner with a hot standby that automatically wakes up and starts accepting requests if the primary servers go down.
- At the database layer, MetricStream recommends that it be configured using approaches outlined by Oracle for high availability.

3.2 Does the application support load balancing?
Load balancing mechanisms (static and dynamic, hardware and software) are supported by MetricStream. The solution provides both horizontal scalability and vertical scalability to meet growth in the number of concurrent users and queries as well as to support growth in the volume of data, record and document processing. The exact configuration and setup is jointly determined by the customer's IT department and MetricStream Solution Architects. The MetricStream solution can be configured to run in a clustered load-balanced configuration for scalability and high availability. Multiple application instances can be run on a single server to provide both application isolation and redundancy. Multiple web servers can also be configured with a load balancer. A typical load-balanced architecture is illustrated in the figure below.
[Figure: Load Balanced / High Availability Architecture]

3.3 Describe how website availability is monitored.
Website availability is monitored as follows:
- The hosting provider pings for hardware availability.
- MetricStream uses the third-party Alertbot service to monitor application availability. The report from Alertbot provides the uptime, response time, and cause of any failure.
- MetricStream can also set up a manual process to email a periodic report to the customer.

3.4 Describe any contingency plans should the primary host become unavailable.
All data on the MetricStream Cloud is backed up daily and weekly. All backups are encrypted on a per-customer basis. Additionally, MetricStream also maintains a DR site. If primary servers become unavailable due to a hardware fault, MetricStream has SLAs in place to ensure components are replaced within 4 hours, after which the application can be restored. The hard drives are RAID 5 or better, and such drive failures do not cause an application outage. When a complete new server needs to be recreated (application or database), the downtime can be up to two business days. In such cases the RPO is < 24 hours. If the data center is struck by a natural disaster, then MetricStream will restore the application from its DR backup. MetricStream's DR SLA is as follows:
- Recovery Time Objective (RTO): < 1 day
- Recovery Point Objective (RPO): < 6 hours
The MetricStream Cloud can support mission-critical applications with RTO and RPO of 0 hours, if required.

4.0 Backup & Disaster Recovery

4.1 Are all the data and documents stored at the hosting facility or through a third-party storage area network?
Under our default hosting SLA, the data and documents are stored at the hosting facility on the primary database and application servers, as well as the backup file servers (duplicate copies). In addition, tapes may be periodically made of the backup file servers and stored offsite.

4.2 Is MetricStream capable of archiving historical data that is no longer necessary for day-to-day operations?
MetricStream Cloud has comprehensive data archive and restore capabilities. The MetricStream Cloud supports usage of database functions for archiving and retention of all records and data. It supports auto-archiving and manual archiving options. Using a rules engine, users can set up rules/conditions to specify when, whose, which and what type of artifacts/data (full system, partial system, specified system data or file areas) should be archived. IT administrators can specify what type of compressed file formats should be used and the storage location as well. Archiving and purging can be scheduled at the desired frequency and time intervals. In addition, customers can archive data such as attachments but leave a subset of the data on the system permanently so that it can be used for analysis purposes. Typically, MetricStream's customers store between 5-7 years' worth of data on the server at a minimum before archiving the data, and they have not reported any performance degradation so far. Reports can also be set up to analyze the archived data in a separate repository if that is desired.

4.3 What are MetricStream's data retention and destruction policies?
MetricStream ensures full weekly and daily incremental backups of the database and file systems are made to a dedicated backup file server. Additional backup options include backing up to a duplicate backup file server at a second backup data center, hot backup servers for the database and application servers, redundant failover servers for instant recovery, and redundant systems at different data centers. Backup data can also be stored to tape on a frequency as often as every day and stored at an offsite storage center such as Iron Mountain. All of these options are additional services that can be offered by MetricStream. On discontinuing the hosting contract with MetricStream, no data is retained on our infrastructure. MetricStream can shred to meet specs ranging from a simple one pass to DoD M to the Gutmann algorithm with 35 passes.

4.4 Does MetricStream have a Disaster Recovery plan and facility?
Our Disaster Recovery plan depends on the customer's choice of hosting architecture. Broadly, DR sites range from storage on the AWS Cloud for the basic offering, to a dedicated offsite data center for the premium and enterprise offerings.

4.5 Describe MetricStream's backup and recovery procedures.
This can vary based on specific customer requirements and selected options. By default, full weekly and daily incremental backups of the database and file systems are written to a dedicated backup file server. Periodically, a copy of this backup file server is recorded to tape and stored at an off-site location. If a MetricStream system crashes, the hardware is typically replaced within two hours. The operating system, databases and applications are then reloaded and the database is restored to recover the system; hardware replacement and data restoration together are expected to take six hours. If desired, Oracle transaction (archived redo) logs can also be enabled as an optional service, allowing up-to-the-minute recovery of the system after a failure. Additional backup options include a duplicate backup file server at a second backup data center, hot backup servers for the database and application servers, redundant failover servers for instant recovery, and redundant systems at different data centers. Backup data can also be written to tape; delivery to an offsite storage center such as Iron Mountain can be as frequent as daily. All of these options are additional services offered by MetricStream.

4.6 Can MetricStream roll back the entire database (or specific data) to a prior save point?
MetricStream schedules daily backups. A restore can be whole or partial. Without the transaction-log option in 4.5, the granularity of a roll-back is the daily backup.

4.7 Does MetricStream have separate backup and disaster recovery locations? How frequently are the recovery procedures tested?
MetricStream maintains multiple co-location providers for backup hosting and disaster recovery. By default, MetricStream tests the disaster recovery plan once a quarter to confirm that the backup policies are followed and that the data is being properly backed up.

4.8 Are backup tapes stored offsite in a secure facility?
Offsite tape backup is offered optionally. If this option is chosen, the tapes would likely be stored by Iron Mountain, a leading provider of tape storage facilities.

4.9 Are backup tapes encrypted?
Backup tapes can be provided and encrypted at additional cost. Without that option, tapes shipped offsite carry customer data in the clear.

4.10 Is the fail-over active/passive or active/active?
This depends on the type of cloud architecture implemented. For the Enterprise OnDemand offering, fail-over is active/passive.

4.11 How is the fail-over implemented?
MetricStream implements a manual fail-over to the DR site.
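A way to turn the schedule in 4.5 and the quarterly restore test in 4.7 into a check against the recovery point objective quoted in 4.12. This is an added example in Go, not MetricStream code; the backup catalog, the week of dates and the hourly log interval are constructed for the demonstration. It models the two dependencies a restore actually has: an incremental is only usable if every backup since the last good full is usable, and archived transaction logs only roll the database forward while the log sequence is unbroken.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"time"
)

// Kind distinguishes the artifacts described in 4.5.
type Kind int

const (
	Full        Kind = iota // weekly full backup
	Incremental             // daily incremental; depends on the previous backup
	ArchiveLog              // Oracle archived transaction log (the optional service)
)

// Backup is one catalog entry. Verified means a restore test, of the kind 4.7
// describes running each quarter, has confirmed the artifact is usable.
type Backup struct {
	Kind     Kind
	Taken    time.Time
	Verified bool
}

// RecoveryPoint returns the latest time the data can be brought back to after a
// failure at `failure`, given what is actually restorable: a verified full plus
// every later incremental in unbroken succession (one unusable backup
// invalidates the incrementals after it until the next verified full), then
// archived logs applied while consecutive logs are at most maxLogGap apart.
func RecoveryPoint(set []Backup, failure time.Time, maxLogGap time.Duration) (time.Time, error) {
	sorted := append([]Backup(nil), set...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Taken.Before(sorted[j].Taken) })

	var base time.Time
	haveBase, chainIntact := false, false
	for _, b := range sorted {
		if b.Taken.After(failure) {
			break // taken after the failure: does not exist yet
		}
		switch b.Kind {
		case Full:
			if b.Verified {
				base, haveBase, chainIntact = b.Taken, true, true
			} else {
				chainIntact = false
			}
		case Incremental:
			if chainIntact && b.Verified {
				base = b.Taken
			} else {
				chainIntact = false
			}
		}
	}
	if !haveBase {
		return time.Time{}, errors.New("no verified full backup exists before the failure")
	}

	rp, prev := base, base
	for _, b := range sorted {
		if b.Kind != ArchiveLog || !b.Taken.After(base) || b.Taken.After(failure) {
			continue
		}
		if !b.Verified || b.Taken.Sub(prev) > maxLogGap {
			break // log sequence broken: nothing after this point can be applied
		}
		rp, prev = b.Taken, b.Taken
	}
	return rp, nil
}

// MeetsRPO compares the achievable data loss with the objective (4.12 states
// an RPO of 6 hours or less for the Premium option).
func MeetsRPO(set []Backup, failure time.Time, rpo, maxLogGap time.Duration) (bool, time.Duration, error) {
	rp, err := RecoveryPoint(set, failure, maxLogGap)
	if err != nil {
		return false, 0, err
	}
	loss := failure.Sub(rp)
	return loss <= rpo, loss, nil
}

// SampleFailure is the assumed outage: Friday 14:00 of the constructed week.
func SampleFailure() time.Time { return time.Date(2024, 6, 7, 14, 0, 0, 0, time.UTC) }

// SampleSchedule is a constructed week (dates assumed): a Sunday 02:00 full,
// 02:00 incrementals Monday to Friday, and hourly archived logs up to the
// failure. Wednesday's incremental can be left unverified and the Thursday
// 09:00 log dropped, to show how each breaks the chain.
func SampleSchedule(wedVerified, thuLogMissing bool) []Backup {
	sun := time.Date(2024, 6, 2, 2, 0, 0, 0, time.UTC)
	set := []Backup{{Kind: Full, Taken: sun, Verified: true}}
	for d := 1; d <= 5; d++ {
		t := sun.Add(time.Duration(d) * 24 * time.Hour)
		set = append(set, Backup{Kind: Incremental, Taken: t, Verified: d != 3 || wedVerified})
	}
	thu9 := sun.Add(4*24*time.Hour + 7*time.Hour)
	for t := sun.Add(time.Hour); t.Before(SampleFailure()); t = t.Add(time.Hour) {
		if !(thuLogMissing && t.Equal(thu9)) {
			set = append(set, Backup{Kind: ArchiveLog, Taken: t, Verified: true})
		}
	}
	return set
}

func main() {
	for _, c := range []struct {
		name              string
		wedOK, thuMissing bool
	}{
		{"Wednesday incremental unverified, Thursday 09:00 log missing", false, true},
		{"every incremental verified", true, true},
	} {
		ok, loss, err := MeetsRPO(SampleSchedule(c.wedOK, c.thuMissing), SampleFailure(), 6*time.Hour, time.Hour)
		fmt.Printf("%s: data loss %v, meets 6h RPO: %v (err=%v)\n", c.name, loss, ok, err)
	}
}
```

In the constructed week, one unverified Wednesday incremental throws the restore base back to Tuesday, and a single missing archived log on Thursday morning then stops the roll-forward there: the Friday afternoon failure loses 30 hours of data against a 6-hour objective, even though a backup ran every night. This is the kind of result a quarterly DR test should be producing, and why the test has to exercise the whole chain rather than the most recent artifact.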

4.12 Customer requires service providers to comply with all aspects of the FFIEC Examination Handbook on Business Continuity Planning and the US Federal Reserve Sound Practices White Paper on systemic risk within the financial industry. This includes the following:
- Identify all business-critical activities;
- Demonstrate the ability to recover Customer operations from any eventuality within a two-hour timescale [I understand a different recovery SLA has been agreed]. Note: the solution must address the ability to survive an incident that may affect people, technology, utilities and buildings; for each, the service provider must demonstrate out-of-region full functionality;
- Maintain geographically dispersed resources [assets and personnel] to meet recovery timescales;
- Conduct robust and regular testing to demonstrate a high level of confidence in continuity plans.
MetricStream provides a dedicated DR setup in a different datacenter as a standard feature of its Premium Hosting option. This option provides real-time data replication to the DR site, and if production goes down the DR site takes over automatically. The Recovery Point Objective (RPO) is 6 hours or less and the Recovery Time Objective (RTO) for the services is 1 day or less. Beyond the datacenters, their staff and MetricStream staff, there is no other operational dependency for executing the DR protocols. As an SSAE 16 Type II audited, Tier IV data center, the standard business continuity protocols followed by BAIS comply with the FFIEC Examination Handbook on Business Continuity Planning and the US Federal Reserve Sound Practices White Paper on systemic risk within the financial industry. MetricStream and BAIS can work with Customer to enable the DR site with data and application to test and validate the business continuity plan before going live. (The automatic take-over described here applies to the Premium option; 4.11 above describes a manual fail-over to the DR site, so confirm which applies to the contracted architecture.)

4.13 What is the cost for additional storage?
Additional storage is charged at $4 per GB.

4.14 Enter any additional details.
The following additional features of the BAIS datacenter support business continuity and physical and environmental protection:
- Tier IV datacenter
- Carrier neutral
- Fully redundant, N+1
- 83,000 square foot facility
- 30,000 square foot datacenter (expandable to 45,000 sq ft)
- 30 inch raised floor
- 1.25 Seismic Importance Rating
- Comprehensive mechanical and electrical building monitoring
- Over 1000 high-density cabinets: 47U (82 in high), 43 in deep, 19 in wide; 4-point door locking mechanism; combination lock system; perforated doors allowing up to 83% airflow; prewired to 3 independent power sources to support up to 12 kW

4.15 List how datacenter storage-specific monitoring is performed.
The SSAE 16 datacenter teams proactively monitor key system components, up to and including the Fibre Channel switches and storage arrays, 24 hours a day, seven days a week. The datacenter uses an Enterprise System Management (ESM) monitoring solution whose tools track critical storage-infrastructure components:
- host-based SNMP software;
- Windows Management Instrumentation (WMI);
- hardware agents from the storage and SAN switch vendors;
- a purpose-built monitoring platform called Collaborative Application Management (CAM).
These tools allow the datacenters to perform threshold-based, proactive monitoring and to respond to events quickly, often with notification before a real problem occurs. By monitoring critical parameters, the datacenters can proactively notify the responsible party about detected or potential problems.

4.16 List the compliances of MetricStream partner datacenters.
Datacenter                   Compliance attestations   Role
VxChnge                      SOC 2                     Primary
QTS                          SOC 2, HIPAA              Primary
Telehouse                    ISO, PCI, etc.            Primary
Etisalat, JADC               ISO                       Primary
Cybercon                     SOC 2                     Secondary
Amazon Web Services (AWS)    SOC 3, HIPAA, ISO         Secondary

5.0 Data Security

5.1 If mobile devices are supported, describe the access restrictions.
The MetricStream solution is 100% web-enabled and can be accessed from any internet-enabled web browser, including a mobile device's browser. No mobile-specific access restrictions apply.

5.2 What types and levels of data encryption are supported? If encryption is used, what type and what key length?
The MetricStream platform protects data with encryption based on algorithms such as AES with 256-bit keys and on transport-layer protection via SSL/TLS (HTTPS). It also lets companies build their own encryption and decryption plug-ins using industry-standard algorithms such as RSA and the PKCS standards. Encryption is available for both data at rest (database and files) and data in transit:
Data-at-rest encryption: A key feature of the platform's security foundation is the option to encrypt file attachments uploaded to the MetricStream application. Once enabled, the platform encrypts attachment files transparently on upload; when a user who passes the role-based authorization check downloads the attachment, the file contents are decrypted again. File attachment encryption is a critical piece of data-at-rest security, especially for an internet-facing application. A complete data-at-rest solution also entails Oracle database encryption using the Oracle Transparent Data Encryption (TDE) option available with Oracle Enterprise Edition. SSL/TLS combined with file and database encryption means that data in motion (network) and at rest (file system and database) is encrypted, safeguarding sensitive information flowing through the MetricStream application.
Data-in-transit encryption: For data in motion, the platform uses SSL/TLS (HTTPS). Any sensitive information flowing through a MetricStream application is therefore protected on the wire, even though the application is web-based. The MetricStream application proxy server can be specially configured to meet regional data-residency requirements in a distributed setup: file attachments can be flagged as confidential or Client Identifying Data (CID) and stored only on the regional proxy server, not on the distributed or central server, so that users outside the region cannot access them.

5.3 Describe how MetricStream provides data encryption at rest.
In the MetricStream solution, application data is stored in two places, each with its own mechanism for encryption at rest:
- File attachments uploaded through the application are stored as raw files on the server. These are encrypted with 3DES or a stronger algorithm when stored on the server. (3DES is deprecated for new encryption; confirm during implementation that AES is the algorithm selected.)
- The Oracle database uses Transparent Data Encryption (TDE). With TDE, all database columns that need encryption are enabled during the implementation phase. This requires Oracle Enterprise Edition.
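What the transparent attachment encryption described in 5.2 and 5.3 amounts to in code, as an added example (not MetricStream's implementation): AES-256-GCM with a fresh random nonce per file, the attachment's record identifier bound as associated data so a stored blob cannot be swapped under another record, and the authorization decision taken before anything is decrypted. The record identifiers, role names and sample content are assumptions for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Key is an AES-256 data-encryption key. In a deployment it lives in a key
// manager or HSM, never on the disk that holds the attachments.
type Key []byte

// NewKey draws a fresh 32-byte key.
func NewKey() (Key, error) {
	k := make(Key, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

func newAEAD(key Key) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAttachment seals an uploaded file for storage. The attachment's
// record identifier is bound as associated data, so a ciphertext copied under
// another record, truncated, or bit-flipped fails to open.
// Stored layout: nonce || ciphertext || GCM tag.
func EncryptAttachment(key Key, attachmentID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(attachmentID)), nil
}

// DecryptAttachment opens a stored blob; the tag is checked before any
// plaintext is released.
func DecryptAttachment(key Key, attachmentID string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("stored attachment is truncated")
	}
	pt, err := aead.Open(nil, blob[:ns], blob[ns:], []byte(attachmentID))
	if err != nil {
		return nil, errors.New("stored attachment failed its integrity check")
	}
	return pt, nil
}

// Principal and Download model the role-based download in 5.2: authorization
// is decided first, and only then is the file decrypted.
type Principal struct {
	User  string
	Roles map[string]bool
}

var ErrForbidden = errors.New("forbidden: required role not granted")

func Download(key Key, p Principal, requiredRole, attachmentID string, blob []byte) ([]byte, error) {
	if !p.Roles[requiredRole] {
		return nil, ErrForbidden
	}
	return DecryptAttachment(key, attachmentID, blob)
}

func main() {
	key, _ := NewKey()
	blob, _ := EncryptAttachment(key, "att-1001", []byte("constructed sample: Q3 audit evidence"))
	_, err := DecryptAttachment(key, "att-1002", blob) // same blob, different record
	fmt.Println("opened under another record:", err)
}
```

Two points to raise with any provider offering this feature. First, a 96-bit random GCM nonce is safe only while the number of files sealed under one key stays far below 2^32, so keys should be rotated per tenant or volume rather than used for the life of the service. Second, where the key is held decides what the control protects against: a key on the same server as the files defends against a lost disk or backup tape (4.1, 4.8) but not against a compromised application host, which is the threat the FAQ's "internet-facing application" wording points at.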

5.4 Is authentication information encrypted (e.g. passwords)?
For data in motion, the platform uses SSL/TLS (HTTPS) encryption. (This answer covers credentials in transit only; the FAQ does not state how passwords are stored at rest.)

5.5 Describe the teams and roles that have access (physical/logical) to systems holding customer data.
MetricStream has no access either to the server-side components or to the client data of the production environment. Access to the development and testing environments is, however, usually maintained or provided as needed for support. It is not possible for Customer application data to be altered, deleted or retrieved by anyone other than authorized users.

5.6 How is data segregation managed? Specifically address segregating third parties from seeing internal Customer data and other third parties' data.
Each customer's data is on their own server(s). Physical, application and network security controls prevent customers from accessing data other than their own. MetricStream employs a number of documented controls to ensure the security and segregation of customer data. These controls provide defense in depth and include data-at-rest encryption, method filtering at the application tier, and data access enforcement at the database tier, which together prevent third parties from seeing internal Customer data or other third parties' data.

6.0 Network Security

6.1 What interfaces does customer data have to the outside world (IP addresses, ports and protocols; for example HTTPS, XML, upload or download to financial systems)?
The MetricStream platform's data integration services consist of flexible adapters called Infolets that execute periodic (scheduled or on-demand) queries and functions on external systems to extract relevant data. Infolets let the platform connect to external applications and communicate through appropriate technologies such as SQL, APIs, executable programs, text files, web services and XML. MetricStream supports integration with external systems in a configurable fashion, with no source code changes to the MetricStream GRC Platform. All relevant data can be pushed or pulled in real time or on a schedule between the MetricStream repository and an external system. Customers can also use Secure FTP (SFTP) for batch uploads.

6.2 Which network access methods are employed?
MetricStream provides access to its servers over HTTP or HTTPS (SSL/TLS with 128-bit ciphers), based on customer requirements. Plain HTTP leaves credentials and session data readable in transit, so HTTPS should be required rather than offered as an option. Access from the application to the database server may be on a separate network, and access to the file backup servers is usually on a separate network.

6.3 What program(s) need to be installed on a user's computer in order to use the MetricStream application?
None. MetricStream's solution is 100% web-based and can be accessed from any internet-enabled web browser.

6.4 Can the end customer monitor bandwidth usage to the data center?
If a customer opts for a dedicated server/database as part of the installation, bandwidth usage charts can be provided to the customer through a secure login.

6.5 Are firewalls shared across several customers, or does each customer have its own firewall?
Each customer is provided with a dedicated software firewall.

6.6 Describe the intrusion detection systems in place.
MetricStream maintains intrusion detection (IDS) at the firewall and software-based intrusion detection on the server. Intrusion alerts are typically sent by email. A dedicated IDS is optional.

6.7 Describe the mitigation strategies for Distributed Denial of Service (DDoS) attacks.
A firewall is configured to protect against intrusions and security attacks. If necessary, the upstream router from the data center can also be configured to protect against DDoS attacks. There are two layers of protection: the perimeter layer, managed and monitored by the data center team, and the network layer, managed and monitored by the MetricStream CloudOps team.
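6.2 offers HTTP or HTTPS "SSL 128-bit". The following added Go example (not MetricStream code) shows the server policy a customer should ask for and the check a client or monitoring probe can apply to what was actually negotiated: TLS 1.2 or newer, forward-secret AEAD suites, and a loopback handshake demonstrating that a client limited to TLS 1.1 is refused. The host name and the self-signed certificate are stand-ins for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

const hostName = "grc.example.test" // assumed name, not a MetricStream host

// ServerTLSConfig is the server-side policy: TLS 1.2 or newer only, and for
// TLS 1.2 only forward-secret AEAD suites (TLS 1.3 suites are fixed by Go).
func ServerTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// CheckConnectionState is what a client or probe applies to the negotiated
// result: below TLS 1.2, or a suite Go itself flags as insecure, fails.
func CheckConnectionState(cs tls.ConnectionState) error {
	if cs.Version < tls.VersionTLS12 {
		return fmt.Errorf("negotiated TLS version 0x%04x; policy requires 1.2 or newer", cs.Version)
	}
	for _, s := range tls.InsecureCipherSuites() {
		if s.ID == cs.CipherSuite {
			return fmt.Errorf("negotiated insecure cipher suite %s", s.Name)
		}
	}
	return nil
}

// selfSignedCert mints a throwaway ECDSA P-256 certificate for hostName.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{hostName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, err
}

// Handshake runs a loopback server under ServerTLSConfig and connects with the
// given client policy, returning the negotiated state or the handshake error.
func Handshake(client *tls.Config) (tls.ConnectionState, error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return tls.ConnectionState{}, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer ln.Close()
	srvDone := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			err = tls.Server(c, ServerTLSConfig(cert)).Handshake()
		}
		srvDone <- err
	}()
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client verifies the server, no InsecureSkipVerify
	cfg := client.Clone()
	cfg.RootCAs, cfg.ServerName = pool, hostName
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer conn.Close()
	return conn.ConnectionState(), <-srvDone
}

func main() {
	cs, err := Handshake(&tls.Config{MinVersion: tls.VersionTLS12})
	fmt.Println("TLS 1.2+ client:", err, CheckConnectionState(cs))
	_, err = Handshake(&tls.Config{MinVersion: tls.VersionTLS10, MaxVersion: tls.VersionTLS11})
	fmt.Println("TLS 1.1 client:", err)
}
```

The suite list is deliberately short because the sample certificate is ECDSA; a server with an RSA certificate would list the matching ECDHE_RSA AEAD suites instead. "128-bit" in the FAQ describes the symmetric key length of one suite, not the protocol version, so when evaluating the offering ask for the minimum protocol version and the suite list, and verify them from the client side with a check like CheckConnectionState rather than from the vendor's description.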


More information

At a Glance. Key Benefits. Data sheet. A la carte User Module. Administration. Integrations. Enterprise SaaS

At a Glance. Key Benefits. Data sheet. A la carte User Module. Administration. Integrations. Enterprise SaaS HP Application Lifecycle Management on Software-as-a-Service Dedicated HP ALM/QC Offering Data sheet At a Glance The Dedicated HP ALM/QC offering is an on-demand Software-as-a-Service (SaaS) solution for

More information

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific

More information

Splunk Enterprise Log Management Role Supporting the ISO 27002 Framework EXECUTIVE BRIEF

Splunk Enterprise Log Management Role Supporting the ISO 27002 Framework EXECUTIVE BRIEF Splunk Enterprise Log Management Role Supporting the ISO 27002 Framework EXECUTIVE BRIEF Businesses around the world have adopted the information security standard ISO 27002 as part of their overall risk

More information

Injazat s Managed Services Portfolio

Injazat s Managed Services Portfolio Injazat s Managed Services Portfolio Overview Premium Managed Services to Transform Your IT Environment Injazat s Premier Tier IV Data Center is built to offer the highest level of security and reliability.

More information

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

More information

Passing PCI Compliance How to Address the Application Security Mandates

Passing PCI Compliance How to Address the Application Security Mandates Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These

More information

ClickTale Security Standards and Practices: Delivering Peace of Mind in Digital Optimization

ClickTale Security Standards and Practices: Delivering Peace of Mind in Digital Optimization Delivering Peace of Mind in Digital Optimization TABLE OF CONTENTS INTRODUCTION 2 PRIVACY AND ANONYMITY 3 ISO 27001 COMPLIANCE 5 APPLICATION-LEVEL SECURITY 6 PENETRATION TESTING AND SECURITY AUDITS 7 GENERAL

More information

MicroStrategy Cloud Enterprise User Guide Version 2

MicroStrategy Cloud Enterprise User Guide Version 2 MicroStrategy Cloud Enterprise User Guide Version 2 Service Definition and Policies February 26, 2014 Copyright 2014 MicroStrategy, Inc. All Rights Reserved. TABLE OF CONTENTS MicroStrategy Cloud Platform

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table December 2011 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

Famly ApS: Overview of Security Processes

Famly ApS: Overview of Security Processes Famly ApS: Overview of Security Processes October 2015 Please consult http://famly.co for the latest version of this paper Page 1 of 10 Table of Contents 1. INTRODUCTION TO SECURITY AT FAMLY... 3 2. PHYSICAL

More information

Flexible Identity Federation

Flexible Identity Federation Flexible Identity Federation Quick start guide version 1.0.1 Publication history Date Description Revision 2015.09.23 initial release 1.0.0 2015.12.11 minor updates 1.0.1 Copyright Orange Business Services

More information

Payment Card Industry Self-Assessment Questionnaire

Payment Card Industry Self-Assessment Questionnaire How to Complete the Questionnaire The questionnaire is divided into six sections. Each section focuses on a specific area of security, based on the requirements included in the PCI Data Security Standard.

More information

Cloud Management. Overview. Cloud Managed Networks

Cloud Management. Overview. Cloud Managed Networks Datasheet Cloud Management Cloud Management Overview Meraki s cloud based management provides centralized visibility & control over Meraki s wired & wireless networking hardware, without the cost and complexity

More information

Xerox DocuShare Private Cloud Service. Security White Paper

Xerox DocuShare Private Cloud Service. Security White Paper Xerox DocuShare Private Cloud Service Security White Paper Table of Contents Overview 3 Adherence to Proven Security Practices 3 Highly Secure Data Centers 4 Three-Tier Architecture 4 Security Layers Safeguard

More information

Security Information & Policies

Security Information & Policies Security Information & Policies 01 Table of Contents OVERVIEW CHAPTER 1 : CHAPTER 2: CHAPTER 3: CHAPTER 4: CHAPTER 5: CHAPTER 6: CHAPTER 7: CHAPTER 8: CHAPTER 9: CHAPTER 10: CHAPTER 11: CHAPTER 12: CHAPTER

More information

IBM Connections Cloud Security

IBM Connections Cloud Security IBM Connections White Paper September 2014 IBM Connections Cloud Security 2 IBM Connections Cloud Security Contents 3 Introduction 4 Security-rich Infrastructure 6 Policy Enforcement Points Provide Application

More information

Secure Hosting Environment Secure Hosting Environment Partnerships Virtualization Security OS and Application Patching Remote Connectivity

Secure Hosting Environment Secure Hosting Environment Partnerships Virtualization Security OS and Application Patching Remote Connectivity Secure Hosting Environment Partnerships In order to provide advanced levels of infrastructure security, Armstrong has partnered with two entities. Logicalis Inc. is recognized as a Channel Company s 2015

More information

Apteligent White Paper. Security and Information Polices

Apteligent White Paper. Security and Information Polices Apteligent White Paper Security and Information Polices Data and Security Policies for 2016 Overview Apteligent s Mobile App Intelligence delivers real-time user experience insight based on behavioral

More information

PROTECTING YOUR VOICE SYSTEM IN THE CLOUD

PROTECTING YOUR VOICE SYSTEM IN THE CLOUD PROTECTING YOUR VOICE SYSTEM IN THE CLOUD Every enterprise deserves to know what its vendors are doing to protect the data and systems entrusted to them. Leading IVR vendors in the cloud, like Angel, consider

More information

CSC BizCloud VPE Service Offering Summary. CSC i

CSC BizCloud VPE Service Offering Summary. CSC i Table of Contents OVERVIEW... 1 BIZCLOUD VPE SOLUTION SUMMARY... 1 BIZCLOUD VPE INFRASTRUCTURE... 1 Hardware and Virtualization Layer... 2 Compute Components... 2 Storage 2 CSC SUPPORT FOR THE BIZCLOUD

More information

Appendix E to DIR Contract Number DIR-TSO-2736 CLOUD SERVICES CONTENT (ENTERPRISE CLOUD & PRIVATE CLOUD)

Appendix E to DIR Contract Number DIR-TSO-2736 CLOUD SERVICES CONTENT (ENTERPRISE CLOUD & PRIVATE CLOUD) Appendix E to DIR Contract Number DIR-TSO-2736 CLOUD SERVICES CONTENT (ENTERPRISE CLOUD & PRIVATE CLOUD) Enterprise Cloud Resource Pool Services Features Sungard AS will provide the following in connection

More information

Clarizen Security White Paper

Clarizen Security White Paper WHITE PAPER Clarizen Security White Paper Standards and Practices UNITED STATES 1.866.502.9813 UNITED KINGDOM +44.0.20.3411.2345 ISRAEL +972.9.794.4300 FRANCE +33.18.28839.66 www.clarizen.com Table of

More information

Security, trust and assurance

Security, trust and assurance Data sheet Security, trust and assurance A closer look at Projectplace safeguards Security: Projectplace protects every bit of your data Trust: Privacy is not dead at Projectplace, your data is yours Assurance:

More information

Managed Security Services for Data

Managed Security Services for Data A v a y a G l o b a l S e r v i c e s Managed Security Services for Data P r o a c t i v e l y M a n a g i n g Y o u r N e t w o r k S e c u r i t y 2 4 x 7 x 3 6 5 IP Telephony Contact Centers Unified

More information

Exhibit to Data Center Services Service Component Provider Master Services Agreement

Exhibit to Data Center Services Service Component Provider Master Services Agreement Exhibit to Data Center Services Service Component Provider Master Services Agreement DIR Contract No. DIR-DCS-SCP-MSA-002 Between The State of Texas, acting by and through the Texas Department of Information

More information

TONAQUINT DATA CENTER, INC. CLOUD SECURITY POLICY & PROCEDURES. Tonaquint Data Center, Inc Cloud Security Policy & Procedures 1

TONAQUINT DATA CENTER, INC. CLOUD SECURITY POLICY & PROCEDURES. Tonaquint Data Center, Inc Cloud Security Policy & Procedures 1 TONAQUINT DATA CENTER, INC. CLOUD SECURITY POLICY & PROCEDURES Tonaquint Data Center, Inc Cloud Security Policy & Procedures 1 Table of Contents 1. Operational Security 2. Physical Security 3. Network

More information

Table of Contents. CSC CloudCompute Service Description Summary CSC 1

Table of Contents. CSC CloudCompute Service Description Summary CSC 1 Table of Contents Overview... 2 CSC CloudCompute Infrastructure... 2 Virtual Environment... 2 Compute Capacity... 2 Networks... 3 CSC Cloud Store Overview... 3 Service Tier Choices... 3 CloudCompute Storage...

More information

The data which you put into our systems is yours, and we believe it should stay that way. We think that means three key things.

The data which you put into our systems is yours, and we believe it should stay that way. We think that means three key things. Privacy and Security FAQ Privacy 1. Who owns the data that organizations put into Google Apps? 2. When can Google employees access my account? 3. Who can gain access to my Google Apps administrative account?

More information

Media Shuttle s Defense-in- Depth Security Strategy

Media Shuttle s Defense-in- Depth Security Strategy Media Shuttle s Defense-in- Depth Security Strategy Introduction When you are in the midst of the creative flow and tedious editorial process of a big project, the security of your files as they pass among

More information

Table of Contents. Page 1 of 6 (Last updated 30 July 2015)

Table of Contents. Page 1 of 6 (Last updated 30 July 2015) Table of Contents What is Connect?... 2 Physical Access Controls... 2 User Access Controls... 3 Systems Architecture... 4 Application Development... 5 Business Continuity Management... 5 Other Operational

More information

UCS Level 2 Report Issued to

UCS Level 2 Report Issued to UCS Level 2 Report Issued to MSPAlliance Unified Certification Standard (UCS) Report Copyright 2014 www.mspalliance.com/ucs info@mspalliance.com Welcome to the UCS report which stands for Unified Certification

More information

SaaS Security for Confirmit Horizons

SaaS Security for Confirmit Horizons SaaS Security for Confirmit Horizons January 2015 Confirmit Horizons v18.5 Arnt Feruglio Chief Operating Officer The Confirmit Horizons Software From its inception in 1997, the architecture and code of

More information

GE Measurement & Control. Cyber Security for NEI 08-09

GE Measurement & Control. Cyber Security for NEI 08-09 GE Measurement & Control Cyber Security for NEI 08-09 Contents Cyber Security for NEI 08-09...3 Cyber Security Solution Support for NEI 08-09...3 1.0 Access Contols...4 2.0 Audit And Accountability...4

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information